From: Carsten Jacobi
Date: Sat, 10 Feb 2001 21:05:33 +0000 (+0000)
Subject: pam-afs-trust-root-login-20010210
X-Git-Tag: BP-openafs-devel-autoconf~87
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=4fb818dbf6f35d91a4828d6f672798d342349358
pam-afs-trust-root-login-20010210
add trust_root option which basically provides a bypass mechanism for root
---
diff --git a/src/pam/afs_auth.c b/src/pam/afs_auth.c
index f260206..aad7939 100644
--- a/src/pam/afs_auth.c
+++ b/src/pam/afs_auth.c
@@ -42,6 +42,8 @@ pam_sm_authenticate(
 int use_first_pass = 0;
 int try_first_pass = 0;
 int ignore_root = 0;
+ int trust_root = 0;
+ int catch_su = 0;
 int set_expires = 0; /* This option is only used in pam_set_cred() */
 int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
 int nouser = 0;
@@ -80,6 +82,10 @@ pam_sm_authenticate(
 try_first_pass = 1;
 } else if (strcasecmp(argv[i], "ignore_root" ) == 0) {
 ignore_root = 1;
+ } else if (strcasecmp(argv[i], "trust_root" ) == 0) {
+ trust_root = 1;
+ } else if (strcasecmp(argv[i], "catch_su" ) == 0) {
+ catch_su = 1;
 } else if (strcasecmp(argv[i], "setenv_password_expires") == 0) {
 set_expires = 1;
 } else {
@@ -107,6 +113,11 @@ pam_sm_authenticate(
 RET(PAM_USER_UNKNOWN);
 }
+ if ((!strncmp ("root", user, 4)) && trust_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
+ pam_afs_syslog(LOG_DEBUG, PAMAFS_USERNAMEDEBUG, user); /*
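Review bot: The trust_root shortcut added right after `RET(PAM_USER_UNKNOWN);` matches the name by prefix, `!strncmp ("root", user, 4)`, so any account whose name merely starts with "root" gets PAM_SUCCESS with no credential check at all, and because this test runs before the uid-0 block in the next hunk it also ignores `catch_su`. Comparing the exact name and applying the same guard, `if (trust_root && !catch_su && strcmp(user, "root") == 0) {`, closes both gaps; since the uid-0 block already covers every root-equivalent account by pw_uid, this name-based check may be redundant and could simply be dropped. pam_sm_authenticate's body continues on both sides of the hunk.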
@@ -132,9 +143,14 @@ pam_sm_authenticate(
 #else
 upwd = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
 #endif
- if (ignore_root && upwd != NULL && upwd->pw_uid == 0) {
- pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
- RET(PAM_AUTH_ERR);
+ if (upwd != NULL && upwd->pw_uid == 0) {
+ if (ignore_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
+ RET(PAM_AUTH_ERR);
+ } else if (trust_root && !catch_su) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
 }
 #endif
 errcode = pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
diff --git a/src/pam/afs_message.c b/src/pam/afs_message.c
index 381054e..0845f9a 100644
--- a/src/pam/afs_message.c
+++ b/src/pam/afs_message.c
@@ -64,6 +64,12 @@ static char *fallback_messages[] = {
 "AFS ReInitializing creds for user %s\n",
 /* 31: REINITCRED */
 "AFS Failed to set PASSWORD_EXPIRES for user %s\n",
 /* 32: PASSEXPFAIL */
+ "",
+ /* 33: */
+ "",
+ /* 34: */
+ "AFS blindly trusting user %s\n",
+ /* 35: TRUSTROOT */
 };
 static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *);
diff --git a/src/pam/afs_message.h b/src/pam/afs_message.h
index 46de2c5..6b7ec9b 100644
--- a/src/pam/afs_message.h
+++ b/src/pam/afs_message.h
@@ -45,6 +45,7 @@
 #define PAMAFS_PASSEXPFAIL 32 /* "Failed to set PASSWORD_EXPIRES" */
 #define PAMAFS_CHOWNKRB 33 /* "Failed to chown krb ticketfile" */
 #define PAMAFS_KRBFAIL 34 /* "Failed to set KRBTKTFILE" */
+#define PAMAFS_TRUSTROOT 35 /* "Ignoring superuser %s" */
 char *pam_afs_message(int msgnum, int *freeit);
diff --git a/src/pam/afs_setcred.c b/src/pam/afs_setcred.c
index e7115c3..daf1781 100644
--- a/src/pam/afs_setcred.c
+++ b/src/pam/afs_setcred.c
@@ -44,6 +44,7 @@ pam_sm_setcred(
 int try_first_pass = 0;
 int got_authtok = 0;
 int ignore_root = 0;
+ int trust_root = 0;
 int set_expires = 0; /* the default is to not to set the env variable */
 int i;
 struct pam_conv *pam_convp = NULL;
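Review bot: The new `else if (trust_root && !catch_su)` branch returns PAM_SUCCESS before `pam_get_item(pamh, PAM_AUTHTOK, ...)` is ever reached, so for any uid-0 account this module verifies nothing; if it is stacked as `sufficient`, that is a credential-free root login decided purely by pam.conf. The bypass is the stated purpose of the commit, but nothing at the point of use records it or says what catch_su is for (presumably keeping a password prompt for su to root); a comment such as `/* trust_root: uid-0 callers skip the AFS password check entirely unless catch_su is set; another module in the stack must still authenticate root */` would make that deployment requirement visible where it matters. Note also that when getpwnam_r yields `upwd == NULL` the whole uid-0 block is skipped and the caller falls through to the password path, which is unchanged from before but now interacts with two options. pam_sm_authenticate continues outside the hunk.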
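Review bot: The two padding entries `""` with comments `/* 33: */` and `/* 34: */` bring the table up to index 35 but leave PAMAFS_CHOWNKRB (33) and PAMAFS_KRBFAIL (34), which afs_message.h already defines, with an empty fallback format, so logging either presumably produces an empty line. At minimum the comments should name them, `/* 33: CHOWNKRB */` and `/* 34: KRBFAIL */`, and the strings should carry the text the header quotes ("Failed to chown krb ticketfile", "Failed to set KRBTKTFILE") in the same `"AFS ... for user %s\n"` shape as the neighbouring entries, after confirming at their call sites whether those messages are passed a user argument. fallback_messages[] begins before the hunk.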
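Review bot: The comment on the new define, `/* "Ignoring superuser %s" */`, does not match the message it names: the fallback text added in afs_message.c is "AFS blindly trusting user %s" and it is emitted when root is let through, not rejected, so the wording invites confusion with PAMAFS_IGNORINGROOT. Make it agree with the table, `#define PAMAFS_TRUSTROOT 35 /* "AFS blindly trusting user %s" */`.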
@@ -79,6 +80,10 @@ pam_sm_setcred(
 try_first_pass = 1;
 } else if (strcasecmp(argv[i], "ignore_root" ) == 0) {
 ignore_root = 1;
+ } else if (strcasecmp(argv[i], "trust_root" ) == 0) {
+ trust_root = 1;
+ } else if (strcasecmp(argv[i], "catch_su" ) == 0) {
+ use_first_pass = 0;
 } else if (strcasecmp(argv[i], "setenv_password_expires")==0) {
 set_expires = 1;
 } else {
@@ -124,9 +129,14 @@ pam_sm_setcred(
 #else
 upwd = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
 #endif
- if (ignore_root && upwd != NULL && upwd->pw_uid == 0) {
- pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
- RET(PAM_AUTH_ERR);
+ if (upwd != NULL && upwd->pw_uid == 0) {
+ if (ignore_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
+ RET(PAM_AUTH_ERR);
+ } else if (trust_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
 }
 #endif
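Review bot: In this option loop `catch_su` does `use_first_pass = 0;` instead of recording a flag, which differs from afs_auth.c where the same option sets `catch_su = 1` and gates the trust_root shortcut; in the following hunk the uid-0 branch here returns PAM_SUCCESS on `trust_root` alone, so the two entry points of the module interpret one pam.conf option differently. The assignment is also order-sensitive: presumably `catch_su use_first_pass` on the same line leaves use_first_pass set, since each option is applied as it is met. Mirroring afs_auth.c — declare `int catch_su = 0;` beside the other flags, set `catch_su = 1;` here, and test `} else if (trust_root && !catch_su) {` in the uid-0 branch — keeps the semantics identical across pam_sm_authenticate and pam_sm_setcred; if the difference is deliberate, a comment at this line should say why. pam_sm_setcred's body lies mostly outside this hunk.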