use pam_modutil_getpwnam() if it's available
Also refactor the util functions to take a passwd struct instead of a username.
parent
15cab00173
commit
237ed18b9f
@ -49,6 +49,7 @@ AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h security/pam_mod
|
||||
AC_CHECK_LIB([pam], [pam_start], [AC_SUBST([LIBPAM], ["-lpam"])])
|
||||
|
||||
AC_SEARCH_LIBS([pam_modutil_drop_priv], ["pam"], [AC_DEFINE([HAVE_PAM_MODUTIL_DROP_PRIV], [1])])
|
||||
AC_SEARCH_LIBS([pam_modutil_getpwnam], ["pam"], [AC_DEFINE([HAVE_PAM_MODUTIL_GETPWNAM], [1])])
|
||||
|
||||
AC_ARG_WITH([ldap],
|
||||
[AS_HELP_STRING([--without-ldap],
|
||||
|
23
pam_yubico.c
23
pam_yubico.c
@ -158,7 +158,11 @@ authorize_user_token (struct cfg *cfg,
|
||||
struct passwd *p;
|
||||
PAM_MODUTIL_DEF_PRIVS(privs);
|
||||
|
||||
#ifdef HAVE_PAM_MODUTIL_GETPWNAM
|
||||
p = pam_modutil_getpwnam (pamh, username);
|
||||
#else
|
||||
p = getpwnam (username);
|
||||
#endif
|
||||
if (p == NULL) {
|
||||
DBG (("getpwnam: %s", strerror(errno)));
|
||||
return 0;
|
||||
@ -167,7 +171,7 @@ authorize_user_token (struct cfg *cfg,
|
||||
/* Getting file from user home directory
|
||||
..... i.e. ~/.yubico/authorized_yubikeys
|
||||
*/
|
||||
if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) {
|
||||
if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) {
|
||||
D (("Failed figuring out per-user cfgfile"));
|
||||
return 0;
|
||||
}
|
||||
@ -455,20 +459,23 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
|
||||
goto out;
|
||||
}
|
||||
|
||||
#ifdef HAVE_PAM_MODUTIL_GETPWNAM
|
||||
p = pam_modutil_getpwnam (pamh, username);
|
||||
#else
|
||||
p = getpwnam (username);
|
||||
#endif
|
||||
if (p == NULL) {
|
||||
DBG (("getpwnam: %s", strerror(errno)));
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (! get_user_challenge_file (yk, cfg->chalresp_path, username, &userfile)) {
|
||||
if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile)) {
|
||||
DBG(("Failed getting user challenge file for user %s", username));
|
||||
goto out;
|
||||
}
|
||||
|
||||
DBG(("Loading challenge from file %s", userfile));
|
||||
|
||||
p = getpwnam (username);
|
||||
if (p == NULL) {
|
||||
DBG (("getpwnam: %s", strerror(errno)));
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Drop privileges before opening user file. */
|
||||
if (pam_modutil_drop_priv(pamh, &privs, p)) {
|
||||
DBG (("could not drop privileges"));
|
||||
|
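Review bot: The `DBG (("getpwnam: %s", strerror(errno)));` branch that follows the new `#ifdef HAVE_PAM_MODUTIL_GETPWNAM` block in authorize_user_token (hunk at -158) and in do_challenge_response (hunk at -455) logs a stale errno in the common case: getpwnam only sets errno on an actual error, not on a not-found result, and errno is never cleared before the call, so a missing user typically prints "Success" or whatever the last failing call left behind; presumably the same holds for pam_modutil_getpwnam, which wraps the reentrant lookup. The label also says getpwnam even when pam_modutil_getpwnam ran. Clearing errno ahead of the `#ifdef` with `errno = 0;` and naming the user, `DBG (("user lookup for %s failed: %s", username, strerror(errno)));`, makes the debug line diagnose the right thing. In the hunk at -167 the failure path uses `D (("Failed figuring out per-user cfgfile"));` while the surrounding code uses `DBG`; one macro for the whole function reads better. Both functions continue outside their hunks.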
@ -36,15 +36,21 @@
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
#include <pwd.h>
|
||||
|
||||
#include "util.h"
|
||||
|
||||
static void test_get_user_cfgfile_path(void) {
|
||||
char *file;
|
||||
int ret = get_user_cfgfile_path("/foo/bar", "test", "root", &file);
|
||||
struct passwd user;
|
||||
int ret;
|
||||
user.pw_name = "root";
|
||||
user.pw_dir = "/root";
|
||||
ret = get_user_cfgfile_path("/foo/bar", "test", &user, &file);
|
||||
assert(ret == 1);
|
||||
assert(strcmp(file, "/foo/bar/test") == 0);
|
||||
free(file);
|
||||
ret = get_user_cfgfile_path(NULL, "test", "root", &file);
|
||||
ret = get_user_cfgfile_path(NULL, "test", &user, &file);
|
||||
assert(ret == 1);
|
||||
assert(strcmp(file, "/root/.yubico/test") == 0);
|
||||
free(file);
|
||||
|
21
util.c
21
util.c
@ -53,14 +53,13 @@
|
||||
#endif /* HAVE_CR */
|
||||
|
||||
int
|
||||
get_user_cfgfile_path(const char *common_path, const char *filename, const char *username, char **fn)
|
||||
get_user_cfgfile_path(const char *common_path, const char *filename, const struct passwd *user, char **fn)
|
||||
{
|
||||
/* Getting file from user home directory, e.g. ~/.yubico/challenge, or
|
||||
* from a system wide directory.
|
||||
*
|
||||
* Format is hex(challenge):hex(response):slot num
|
||||
*/
|
||||
struct passwd *p;
|
||||
char *userfile;
|
||||
size_t len;
|
||||
|
||||
@ -76,15 +75,11 @@ get_user_cfgfile_path(const char *common_path, const char *filename, const char
|
||||
|
||||
/* No common path provided. Construct path to user's ~/.yubico/filename */
|
||||
|
||||
p = getpwnam (username);
|
||||
if (!p)
|
||||
return 0;
|
||||
|
||||
len = strlen(p->pw_dir) + 9 + strlen(filename) + 1;
|
||||
len = strlen(user->pw_dir) + 9 + strlen(filename) + 1;
|
||||
if ((userfile = malloc(len)) == NULL) {
|
||||
return 0;
|
||||
}
|
||||
snprintf(userfile, len, "%s/.yubico/%s", p->pw_dir, filename);
|
||||
snprintf(userfile, len, "%s/.yubico/%s", user->pw_dir, filename);
|
||||
*fn = userfile;
|
||||
return 1;
|
||||
}
|
||||
@ -288,7 +283,7 @@ int challenge_response(YK_KEY *yk, int slot,
|
||||
}
|
||||
|
||||
int
|
||||
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn)
|
||||
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn)
|
||||
{
|
||||
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
|
||||
* from a system wide directory.
|
||||
@ -309,13 +304,13 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *usern
|
||||
if (! chalresp_path)
|
||||
filename = "challenge";
|
||||
else
|
||||
filename = username;
|
||||
filename = user->pw_name;
|
||||
} else {
|
||||
/* We have serial number */
|
||||
/* 0xffffffff == 4294967295 == 10 digits */
|
||||
size_t len = strlen(chalresp_path == NULL ? "challenge" : username) + 1 + 10 + 1;
|
||||
size_t len = strlen(chalresp_path == NULL ? "challenge" : user->pw_name) + 1 + 10 + 1;
|
||||
if ((ptr = malloc(len)) != NULL) {
|
||||
int res = snprintf(ptr, len, "%s-%u", chalresp_path == NULL ? "challenge" : username, serial);
|
||||
int res = snprintf(ptr, len, "%s-%u", chalresp_path == NULL ? "challenge" : user->pw_name, serial);
|
||||
filename = ptr;
|
||||
if (res < 0 || (unsigned long)res > len) {
|
||||
/* Not enough space, strangely enough. */
|
||||
@ -328,7 +323,7 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *usern
|
||||
if (filename == NULL)
|
||||
return 0;
|
||||
|
||||
ret = get_user_cfgfile_path (chalresp_path, filename, username, fn);
|
||||
ret = get_user_cfgfile_path (chalresp_path, filename, user, fn);
|
||||
if(ptr) {
|
||||
free(ptr);
|
||||
}
|
||||
|
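Review bot: get_user_cfgfile_path now dereferences `user->pw_dir` (hunk at -76) and get_user_challenge_file `user->pw_name` (hunk at -309) without any check on `user`, whereas the removed `if (!p) return 0;` previously guarded the lookup result inside the function; the pam_yubico.c callers check for NULL before calling, but these entry points are exported through util.h and used from the test, so `if (user == NULL || user->pw_dir == NULL) return 0;` at the top of get_user_cfgfile_path, and the equivalent pw_name check in get_user_challenge_file, keep them safe on their own (strlen on a NULL pw_dir is undefined). The block comment opening get_user_cfgfile_path still says `Format is hex(challenge):hex(response):slot num`, which describes the challenge file contents rather than this path helper and should be dropped from it. Separately, the truncation test `if (res < 0 || (unsigned long)res > len)` in the serial branch should compare with `>= len`, since snprintf returns the length that would have been written excluding the terminator; the 10-digit serial bound makes it unreachable today, but the comparison is wrong as written. The bodies of both functions extend beyond the hunks.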
4
util.h
4
util.h
@ -52,7 +52,7 @@
|
||||
# define D(x)
|
||||
#endif /* DEBUG_PAM */
|
||||
|
||||
int get_user_cfgfile_path(const char *common_path, const char *filename, const char *username, char **fn);
|
||||
int get_user_cfgfile_path(const char *common_path, const char *filename, const struct passwd *user, char **fn);
|
||||
int check_user_token(const char *authfile, const char *username, const char *otp_id, int verbose);
|
||||
|
||||
#if HAVE_CR
|
||||
@ -82,7 +82,7 @@ typedef struct chalresp_state CR_STATE;
|
||||
|
||||
int generate_random(void *buf, int len);
|
||||
|
||||
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn);
|
||||
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn);
|
||||
|
||||
int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose);
|
||||
int write_chalresp_state(FILE *f, CR_STATE *state);
|
||||
|
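Review bot: The new prototypes in the hunks at -52 and -82 name `const struct passwd *`, but nothing visible shows util.h declaring or including `struct passwd`; the test file's hunk adds `#include <pwd.h>` immediately ahead of `#include "util.h"`, which suggests the header currently depends on its includer. If `struct passwd` is not visible at that point, the tag is declared with prototype scope (GCC warns "declared inside parameter list will not be visible outside of this definition") and is a type distinct from the one defined in pwd.h. Adding `#include <pwd.h>` to util.h's own include list keeps the header self-contained and makes the include ordering in the test unnecessary.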
@ -186,7 +186,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
|
||||
}
|
||||
}
|
||||
|
||||
if (! get_user_challenge_file(yk, output_dir, p->pw_name, &fn)) {
|
||||
if (! get_user_challenge_file(yk, output_dir, p, &fn)) {
|
||||
fprintf (stderr, "Failed getting chalresp state filename\n");
|
||||
goto out;
|
||||
}
|
||||
|