1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
/* $NetBSD: pam_pwauth_suid.c,v 1.2 2007/09/05 20:29:05 drochner Exp $ */
#include <sys/types.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <unistd.h>
#include <string.h>
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
static int
askhelper(const char *user, const char *pass)
{
int fd[2];
sigset_t chldsig, omask;
pid_t pid, rpid;
ssize_t res;
size_t pwlen;
int err, s;
if (pipe(fd) < 0)
return errno;
/* make sure only we get the exit status of the helper */
sigemptyset(&chldsig);
sigaddset(&chldsig, SIGCHLD);
if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0)
return errno;
pid = vfork();
switch (pid) {
case -1:
err = errno;
goto error;
case 0: /* child, feed it through its stdin */
(void)dup2(fd[0], STDIN_FILENO);
(void)close(fd[0]);
(void)close(fd[1]);
execl(PATH_HELPER, PATH_HELPER, user, NULL);
_exit(errno);
default: /* parent */
(void)close(fd[0]);
break;
}
pwlen = strlen(pass);
res = write(fd[1], pass, pwlen);
if (res != pwlen) {
err = (res == -1 ? errno : EIO);
goto error;
}
(void)close(fd[1]); /* now child gets an EOF */
rpid = waitpid(pid, &s, 0);
sigprocmask(SIG_SETMASK, &omask, 0);
if (rpid != pid)
return errno;
if (!WIFEXITED(s) || WEXITSTATUS(s))
return EAUTH;
return 0;
error:
sigprocmask(SIG_SETMASK, &omask, 0);
return err;
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
const char *user, *pass;
int res;
res = pam_get_user(pamh, &user, NULL);
if (res != PAM_SUCCESS)
return res;
res = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
if (res != PAM_SUCCESS)
return res;
if (askhelper(user, pass) != 0)
return PAM_AUTH_ERR;
return PAM_SUCCESS;
}
PAM_MODULE_ENTRY("pam_passwdhelper");
|