eaiovnaovbqoebvqoeavibavo pam_filter.h000064400000002101150231720340007026 0ustar00/* * $Id$ * * this file is associated with the Linux-PAM filter module. * it was written by Andrew G. Morgan * */ #ifndef PAM_FILTER_H #define PAM_FILTER_H #include /* * this will fail if there is some problem with these file descriptors * being allocated by the pam_filter Linux-PAM module. The numbers * here are thought safe, but the filter developer should use the * macros, as these numbers are subject to change. * * The APPXXX_FILENO file descriptors are the STDIN/OUT/ERR_FILENO of the * application. The filter uses the STDIN/OUT/ERR_FILENO's to converse * with the user, passes (modified) user input to the application via * APPIN_FILENO, and receives application output from APPOUT_FILENO/ERR. */ #define APPIN_FILENO 3 /* write here to give application input */ #define APPOUT_FILENO 4 /* read here to get application output */ #define APPERR_FILENO 5 /* read here to get application errors */ #define APPTOP_FILE 6 /* used by select */ #endif pam_appl.h000064400000006341150231720410006505 0ustar00/* * * * This header file collects definitions for the PAM API --- that is, * public interface between the PAM library and an application program * that wishes to use it. * * Note, the copyright information is at end of file. */ #ifndef _SECURITY_PAM_APPL_H #define _SECURITY_PAM_APPL_H #ifdef __cplusplus extern "C" { #endif #include /* Linux-PAM common defined types */ /* -------------- The Linux-PAM Framework layer API ------------- */ extern int PAM_NONNULL((1,3,4)) pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh); extern int PAM_NONNULL((1)) pam_end(pam_handle_t *pamh, int pam_status); /* Authentication API's */ extern int PAM_NONNULL((1)) pam_authenticate(pam_handle_t *pamh, int flags); extern int PAM_NONNULL((1)) pam_setcred(pam_handle_t *pamh, int flags); /* Account Management API's */ extern int PAM_NONNULL((1)) pam_acct_mgmt(pam_handle_t *pamh, int flags); /* Session Management API's */ extern int PAM_NONNULL((1)) pam_open_session(pam_handle_t *pamh, int flags); extern int PAM_NONNULL((1)) pam_close_session(pam_handle_t *pamh, int flags); /* Password Management API's */ extern int PAM_NONNULL((1)) pam_chauthtok(pam_handle_t *pamh, int flags); /* take care of any compatibility issues */ #include #ifdef __cplusplus } #endif /* * Copyright Theodore Ts'o, 1996. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _SECURITY_PAM_APPL_H */ _pam_compat.h000064400000005634150231720410007177 0ustar00#ifndef _PAM_COMPAT_H #define _PAM_COMPAT_H /* * This file was contributed by Derrick J Brashear * slight modification by Brad M. Garcia * * A number of operating systems have started to implement PAM. * unfortunately, they have a different set of numeric values for * certain constants. This file is included for compatibility's sake. */ /* Solaris uses different constants. We redefine to those here */ #if defined(solaris) || (defined(__SVR4) && defined(sun)) # ifdef _SECURITY_PAM_MODULES_H /* flags for pam_chauthtok() */ # undef PAM_PRELIM_CHECK # define PAM_PRELIM_CHECK 0x1 # undef PAM_UPDATE_AUTHTOK # define PAM_UPDATE_AUTHTOK 0x2 # endif /* _SECURITY_PAM_MODULES_H */ # ifdef _SECURITY__PAM_TYPES_H /* generic for pam_* functions */ # undef PAM_SILENT # define PAM_SILENT 0x80000000 # undef PAM_CHANGE_EXPIRED_AUTHTOK # define PAM_CHANGE_EXPIRED_AUTHTOK 0x4 /* flags for pam_setcred() */ # undef PAM_ESTABLISH_CRED # define PAM_ESTABLISH_CRED 0x1 # undef PAM_DELETE_CRED # define PAM_DELETE_CRED 0x2 # undef PAM_REINITIALIZE_CRED # define PAM_REINITIALIZE_CRED 0x4 # undef PAM_REFRESH_CRED # define PAM_REFRESH_CRED 0x8 /* another binary incompatibility comes from the return codes! */ # undef PAM_CONV_ERR # define PAM_CONV_ERR 6 # undef PAM_PERM_DENIED # define PAM_PERM_DENIED 7 # undef PAM_MAXTRIES # define PAM_MAXTRIES 8 # undef PAM_AUTH_ERR # define PAM_AUTH_ERR 9 # undef PAM_NEW_AUTHTOK_REQD # define PAM_NEW_AUTHTOK_REQD 10 # undef PAM_CRED_INSUFFICIENT # define PAM_CRED_INSUFFICIENT 11 # undef PAM_AUTHINFO_UNAVAIL # define PAM_AUTHINFO_UNAVAIL 12 # undef PAM_USER_UNKNOWN # define PAM_USER_UNKNOWN 13 # undef PAM_CRED_UNAVAIL # define PAM_CRED_UNAVAIL 14 # undef PAM_CRED_EXPIRED # define PAM_CRED_EXPIRED 15 # undef PAM_CRED_ERR # define PAM_CRED_ERR 16 # undef PAM_ACCT_EXPIRED # define PAM_ACCT_EXPIRED 17 # undef PAM_AUTHTOK_EXPIRED # define PAM_AUTHTOK_EXPIRED 18 # undef PAM_SESSION_ERR # define PAM_SESSION_ERR 19 # undef PAM_AUTHTOK_ERR # define PAM_AUTHTOK_ERR 20 # undef PAM_AUTHTOK_RECOVERY_ERR # define PAM_AUTHTOK_RECOVERY_ERR 21 # undef PAM_AUTHTOK_LOCK_BUSY # define PAM_AUTHTOK_LOCK_BUSY 22 # undef PAM_AUTHTOK_DISABLE_AGING # define PAM_AUTHTOK_DISABLE_AGING 23 # undef PAM_NO_MODULE_DATA # define PAM_NO_MODULE_DATA 24 # undef PAM_IGNORE # define PAM_IGNORE 25 # undef PAM_ABORT # define PAM_ABORT 26 # undef PAM_TRY_AGAIN # define PAM_TRY_AGAIN 27 #endif /* _SECURITY__PAM_TYPES_H */ #else /* For compatibility with old Linux-PAM implementations. */ #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif /* defined(solaris) || (defined(__SVR4) && defined(sun)) */ #endif /* _PAM_COMPAT_H */ pam_ext.h000064400000007057150231720410006356 0ustar00/* * Copyright (C) 2005, 2006, 2008, 2009 Thorsten Kukuk. * * * * This header file collects definitions for the extended PAM API. * This is a public interface of the PAM library for PAM modules, * which makes the life of PAM developers easier, but are not documented * in any standard and are not portable between different PAM * implementations. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _SECURITY__PAM_EXT_H_ #define _SECURITY__PAM_EXT_H_ #ifdef __cplusplus extern "C" { #endif #include #include extern void PAM_FORMAT((printf, 3, 0)) PAM_NONNULL((3)) pam_vsyslog (const pam_handle_t *pamh, int priority, const char *fmt, va_list args); extern void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3)) pam_syslog (const pam_handle_t *pamh, int priority, const char *fmt, ...); extern int PAM_FORMAT((printf, 4, 0)) PAM_NONNULL((1,4)) pam_vprompt (pam_handle_t *pamh, int style, char **response, const char *fmt, va_list args); extern int PAM_FORMAT((printf, 4, 5)) PAM_NONNULL((1,4)) pam_prompt (pam_handle_t *pamh, int style, char **response, const char *fmt, ...); #define pam_error(pamh, fmt...) \ pam_prompt(pamh, PAM_ERROR_MSG, NULL, fmt) #define pam_verror(pamh, fmt, args) \ pam_vprompt(pamh, PAM_ERROR_MSG, NULL, fmt, args) #define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt) #define pam_vinfo(pamh, fmt, args) pam_vprompt(pamh, PAM_TEXT_INFO, NULL, fmt, args) extern int PAM_NONNULL((1,3)) pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, const char *prompt); extern int PAM_NONNULL((1,2)) pam_get_authtok_noverify (pam_handle_t *pamh, const char **authtok, const char *prompt); extern int PAM_NONNULL((1,2)) pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, const char *prompt); #ifdef __cplusplus } #endif #endif _pam_types.h000064400000031150150231720410007050 0ustar00/* * * * This file defines all of the types common to the Linux-PAM library * applications and modules. * * Note, the copyright+license information is at end of file. */ #ifndef _SECURITY__PAM_TYPES_H #define _SECURITY__PAM_TYPES_H /* This is a blind structure; users aren't allowed to see inside a * pam_handle_t, so we don't define struct pam_handle here. This is * defined in a file private to the PAM library. (i.e., it's private * to PAM service modules, too!) */ typedef struct pam_handle pam_handle_t; /* ---------------- The Linux-PAM Version defines ----------------- */ /* Major and minor version number of the Linux-PAM package. Use these macros to test for features in specific releases. */ #define __LINUX_PAM__ 1 #define __LINUX_PAM_MINOR__ 0 /* ----------------- The Linux-PAM return values ------------------ */ #define PAM_SUCCESS 0 /* Successful function return */ #define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */ /* loading a service module */ #define PAM_SYMBOL_ERR 2 /* Symbol not found */ #define PAM_SERVICE_ERR 3 /* Error in service module */ #define PAM_SYSTEM_ERR 4 /* System error */ #define PAM_BUF_ERR 5 /* Memory buffer error */ #define PAM_PERM_DENIED 6 /* Permission denied */ #define PAM_AUTH_ERR 7 /* Authentication failure */ #define PAM_CRED_INSUFFICIENT 8 /* Can not access authentication data */ /* due to insufficient credentials */ #define PAM_AUTHINFO_UNAVAIL 9 /* Underlying authentication service */ /* can not retrieve authentication */ /* information */ #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */ /* authenticaiton module */ #define PAM_MAXTRIES 11 /* An authentication service has */ /* maintained a retry count which has */ /* been reached. No further retries */ /* should be attempted */ #define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required. */ /* This is normally returned if the */ /* machine security policies require */ /* that the password should be changed */ /* beccause the password is NULL or it */ /* has aged */ #define PAM_ACCT_EXPIRED 13 /* User account has expired */ #define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */ /* the specified session */ #define PAM_CRED_UNAVAIL 15 /* Underlying authentication service */ /* can not retrieve user credentials */ /* unavailable */ #define PAM_CRED_EXPIRED 16 /* User credentials expired */ #define PAM_CRED_ERR 17 /* Failure setting user credentials */ #define PAM_NO_MODULE_DATA 18 /* No module specific data is present */ #define PAM_CONV_ERR 19 /* Conversation error */ #define PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ #define PAM_AUTHTOK_RECOVERY_ERR 21 /* Authentication information */ /* cannot be recovered */ #define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */ #define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */ #define PAM_TRY_AGAIN 24 /* Preliminary check by password service */ #define PAM_IGNORE 25 /* Ignore underlying account module */ /* regardless of whether the control */ /* flag is required, optional, or sufficient */ #define PAM_ABORT 26 /* Critical error (?module fail now request) */ #define PAM_AUTHTOK_EXPIRED 27 /* user's authentication token has expired */ #define PAM_MODULE_UNKNOWN 28 /* module is not known */ #define PAM_BAD_ITEM 29 /* Bad item passed to pam_*_item() */ #define PAM_CONV_AGAIN 30 /* conversation function is event driven and data is not available yet */ #define PAM_INCOMPLETE 31 /* please call this function again to complete authentication stack. Before calling again, verify that conversation is completed */ /* * Add new #define's here - take care to also extend the libpam code: * pam_strerror() and "libpam/pam_tokens.h" . */ #define _PAM_RETURN_VALUES 32 /* this is the number of return values */ /* ---------------------- The Linux-PAM flags -------------------- */ /* Authentication service should not generate any messages */ #define PAM_SILENT 0x8000U /* Note: these flags are used by pam_authenticate{,_secondary}() */ /* The authentication service should return PAM_AUTH_ERROR if the * user has a null authentication token */ #define PAM_DISALLOW_NULL_AUTHTOK 0x0001U /* Note: these flags are used for pam_setcred() */ /* Set user credentials for an authentication service */ #define PAM_ESTABLISH_CRED 0x0002U /* Delete user credentials associated with an authentication service */ #define PAM_DELETE_CRED 0x0004U /* Reinitialize user credentials */ #define PAM_REINITIALIZE_CRED 0x0008U /* Extend lifetime of user credentials */ #define PAM_REFRESH_CRED 0x0010U /* Note: these flags are used by pam_chauthtok */ /* The password service should only update those passwords that have * aged. If this flag is not passed, the password service should * update all passwords. */ #define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U /* ------------------ The Linux-PAM item types ------------------- */ /* These defines are used by pam_set_item() and pam_get_item(). Please check the spec which are allowed for use by applications and which are only allowed for use by modules. */ #define PAM_SERVICE 1 /* The service name */ #define PAM_USER 2 /* The user name */ #define PAM_TTY 3 /* The tty name */ #define PAM_RHOST 4 /* The remote host name */ #define PAM_CONV 5 /* The pam_conv structure */ #define PAM_AUTHTOK 6 /* The authentication token (password) */ #define PAM_OLDAUTHTOK 7 /* The old authentication token */ #define PAM_RUSER 8 /* The remote user name */ #define PAM_USER_PROMPT 9 /* the prompt for getting a username */ /* Linux-PAM extensions */ #define PAM_FAIL_DELAY 10 /* app supplied function to override failure delays */ #define PAM_XDISPLAY 11 /* X display name */ #define PAM_XAUTHDATA 12 /* X server authentication data */ #define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */ /* -------------- Special defines used by Linux-PAM -------------- */ #if defined(__GNUC__) && defined(__GNUC_MINOR__) # define PAM_GNUC_PREREQ(maj, min) \ ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) #else # define PAM_GNUC_PREREQ(maj, min) 0 #endif #if PAM_GNUC_PREREQ(2,5) # define PAM_FORMAT(params) __attribute__((__format__ params)) #else # define PAM_FORMAT(params) #endif #if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE) # define PAM_NONNULL(params) __attribute__((__nonnull__ params)) #else # define PAM_NONNULL(params) #endif /* ---------- Common Linux-PAM application/module PI ----------- */ extern int PAM_NONNULL((1)) pam_set_item(pam_handle_t *pamh, int item_type, const void *item); extern int PAM_NONNULL((1)) pam_get_item(const pam_handle_t *pamh, int item_type, const void **item); extern const char * pam_strerror(pam_handle_t *pamh, int errnum); extern int PAM_NONNULL((1,2)) pam_putenv(pam_handle_t *pamh, const char *name_value); extern const char * PAM_NONNULL((1,2)) pam_getenv(pam_handle_t *pamh, const char *name); extern char ** PAM_NONNULL((1)) pam_getenvlist(pam_handle_t *pamh); /* ---------- Common Linux-PAM application/module PI ----------- */ /* * here are some proposed error status definitions for the * 'error_status' argument used by the cleanup function associated * with data items they should be logically OR'd with the error_status * of the latest return from libpam -- new with .52 and positive * impression from Sun although not official as of 1996/9/4 * [generally the other flags are to be found in pam_modules.h] */ #define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */ /* * here we define an externally (by apps or modules) callable function * that primes the libpam library to delay when a stacked set of * modules results in a failure. In the case of PAM_SUCCESS this delay * is ignored. * * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set * a function pointer which can override the default fail-delay behavior. * This item was added to accommodate event driven programs that need to * manage delays more carefully. The function prototype for this data * item is * void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr); */ #define HAVE_PAM_FAIL_DELAY extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay); /* ------------ The Linux-PAM conversation structures ------------ */ /* Message styles */ #define PAM_PROMPT_ECHO_OFF 1 #define PAM_PROMPT_ECHO_ON 2 #define PAM_ERROR_MSG 3 #define PAM_TEXT_INFO 4 /* Linux-PAM specific types */ #define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */ /* This is for server client non-human interaction.. these are NOT part of the X/Open PAM specification. */ #define PAM_BINARY_PROMPT 7 /* maximum size of messages/responses etc.. (these are mostly arbitrary so Linux-PAM should handle longer values). */ #define PAM_MAX_NUM_MSG 32 #define PAM_MAX_MSG_SIZE 512 #define PAM_MAX_RESP_SIZE 512 /* Used to pass prompting text, error messages, or other informatory * text to the user. This structure is allocated and freed by the PAM * library (or loaded module). */ struct pam_message { int msg_style; const char *msg; }; /* if the pam_message.msg_style = PAM_BINARY_PROMPT the 'pam_message.msg' is a pointer to a 'const *' for the following pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned pam_response.resp pointer points to an object with the following structure: struct { u32 length; # network byte order unsigned char type; unsigned char data[length-5]; }; The 'libpamc' library is designed around this flavor of message and should be used to handle this flavor of msg_style. */ /* Used to return the user's response to the PAM library. This structure is allocated by the application program, and free()'d by the Linux-PAM library (or calling module). */ struct pam_response { char *resp; int resp_retcode; /* currently un-used, zero expected */ }; /* The actual conversation structure itself */ struct pam_conv { int (*conv)(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); void *appdata_ptr; }; /* Used by the PAM_XAUTHDATA pam item. Contains X authentication data used by modules to connect to the user's X display. Note: this structure is intentionally compatible with xcb_auth_info_t. */ struct pam_xauth_data { int namelen; char *name; int datalen; char *data; }; /* ... adapted from the pam_appl.h file created by Theodore Ts'o and * * Copyright Theodore Ts'o, 1996. All rights reserved. * Copyright (c) Andrew G. Morgan , 1996-8 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _SECURITY__PAM_TYPES_H */ pam_modutil.h000064400000012144150231720430007226 0ustar00/* * Copyright (c) 2001-2002 Andrew Morgan * * * * This file is a list of handy libc wrappers that attempt to provide some * thread-safe and other convenient functionality to modules in a common form. * * A number of these functions reserve space in a pam_[sg]et_data item. * In all cases, the name of the item is prefixed with "pam_modutil_*". * * On systems that simply can't support thread safe programming, these * functions don't support it either - sorry. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _SECURITY__PAM_MODUTIL_H #define _SECURITY__PAM_MODUTIL_H #include #include #include #include #ifdef __cplusplus extern "C" { #endif #include extern struct passwd * PAM_NONNULL((1,2)) pam_modutil_getpwnam(pam_handle_t *pamh, const char *user); extern struct passwd * PAM_NONNULL((1)) pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid); extern struct group * PAM_NONNULL((1,2)) pam_modutil_getgrnam(pam_handle_t *pamh, const char *group); extern struct group * PAM_NONNULL((1)) pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid); extern struct spwd * PAM_NONNULL((1,2)) pam_modutil_getspnam(pam_handle_t *pamh, const char *user); extern int PAM_NONNULL((1,2,3)) pam_modutil_user_in_group_nam_nam(pam_handle_t *pamh, const char *user, const char *group); extern int PAM_NONNULL((1,2)) pam_modutil_user_in_group_nam_gid(pam_handle_t *pamh, const char *user, gid_t group); extern int PAM_NONNULL((1,3)) pam_modutil_user_in_group_uid_nam(pam_handle_t *pamh, uid_t user, const char *group); extern int PAM_NONNULL((1)) pam_modutil_user_in_group_uid_gid(pam_handle_t *pamh, uid_t user, gid_t group); extern const char * PAM_NONNULL((1)) pam_modutil_getlogin(pam_handle_t *pamh); extern int pam_modutil_read(int fd, char *buffer, int count); extern int pam_modutil_write(int fd, const char *buffer, int count); extern int PAM_NONNULL((1,3)) pam_modutil_audit_write(pam_handle_t *pamh, int type, const char *message, int retval); struct pam_modutil_privs { gid_t *grplist; int number_of_groups; int allocated; gid_t old_gid; uid_t old_uid; int is_dropped; }; #define PAM_MODUTIL_NGROUPS 64 #define PAM_MODUTIL_DEF_PRIVS(n) \ gid_t n##_grplist[PAM_MODUTIL_NGROUPS]; \ struct pam_modutil_privs n = { n##_grplist, PAM_MODUTIL_NGROUPS, 0, -1, -1, 0 } extern int PAM_NONNULL((1,2,3)) pam_modutil_drop_priv(pam_handle_t *pamh, struct pam_modutil_privs *p, const struct passwd *pw); extern int PAM_NONNULL((1,2)) pam_modutil_regain_priv(pam_handle_t *pamh, struct pam_modutil_privs *p); enum pam_modutil_redirect_fd { PAM_MODUTIL_IGNORE_FD, /* do not redirect */ PAM_MODUTIL_PIPE_FD, /* redirect to a pipe */ PAM_MODUTIL_NULL_FD, /* redirect to /dev/null */ }; /* redirect standard descriptors, close all other descriptors. */ extern int PAM_NONNULL((1)) pam_modutil_sanitize_helper_fds(pam_handle_t *pamh, enum pam_modutil_redirect_fd redirect_stdin, enum pam_modutil_redirect_fd redirect_stdout, enum pam_modutil_redirect_fd redirect_stderr); #ifdef __cplusplus } #endif #endif /* _SECURITY__PAM_MODUTIL_H */ pam_modules.h000064400000011165150231720430007223 0ustar00/* * * * This header file collects definitions for the PAM API --- that is, * public interface between the PAM library and PAM modules. * * Note, the copyright information is at end of file. */ #ifndef _SECURITY_PAM_MODULES_H #define _SECURITY_PAM_MODULES_H #ifdef __cplusplus extern "C" { #endif #include /* Linux-PAM common defined types */ /* -------------- The Linux-PAM Module PI ------------- */ extern int PAM_NONNULL((1,2)) pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data, void (*cleanup)(pam_handle_t *pamh, void *data, int error_status)); extern int PAM_NONNULL((1,2,3)) pam_get_data(const pam_handle_t *pamh, const char *module_data_name, const void **data); extern int PAM_NONNULL((1,2)) pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt); /* Authentication API's */ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv); int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv); /* Account Management API's */ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv); /* Session Management API's */ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv); int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv); /* Password Management API's */ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv); /* The following two flags are for use across the Linux-PAM/module * interface only. The Application is not permitted to use these * tokens. * * The password service should only perform preliminary checks. No * passwords should be updated. */ #define PAM_PRELIM_CHECK 0x4000 /* The password service should update passwords Note: PAM_PRELIM_CHECK * and PAM_UPDATE_AUTHTOK cannot both be set simultaneously! */ #define PAM_UPDATE_AUTHTOK 0x2000 /* * here are some proposed error status definitions for the * 'error_status' argument used by the cleanup function associated * with data items they should be logically OR'd with the error_status * of the latest return from libpam -- new with .52 and positive * impression from Sun although not official as of 1996/9/4 there are * others in _pam_types.h -- they are for common module/app use. */ #define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */ /* PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it. */ #define PAM_EXTERN extern /* take care of any compatibility issues */ #include #ifdef __cplusplus } #endif /* Copyright (C) Theodore Ts'o, 1996. * Copyright (C) Andrew Morgan, 1996-8. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU General Public License, in which case the provisions of the * GNU GPL are required INSTEAD OF the above restrictions. (This * clause is necessary due to a potential bad interaction between the * GNU GPL and the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _SECURITY_PAM_MODULES_H */ pam_client.h000064400000016107150231720430007032 0ustar00/* * $Id$ * * Copyright (c) 1999 Andrew G. Morgan * * This header file provides the prototypes for the PAM client API */ #ifndef PAM_CLIENT_H #define PAM_CLIENT_H #ifdef __cplusplus extern "C" { #endif /* def __cplusplus */ #include #include #include #include /* opaque agent handling structure */ typedef struct pamc_handle_s *pamc_handle_t; /* binary prompt structure pointer */ typedef struct { u_int32_t length; u_int8_t control; } *pamc_bp_t; /* * functions provided by libpamc */ /* * Initialize the agent abstraction library */ pamc_handle_t pamc_start(void); /* * Terminate the authentication process */ int pamc_end(pamc_handle_t *pch); /* * force the loading of a specified agent */ int pamc_load(pamc_handle_t pch, const char *agent_id); /* * Single conversation interface for binary prompts */ int pamc_converse(pamc_handle_t pch, pamc_bp_t *prompt_p); /* * disable an agent */ int pamc_disable(pamc_handle_t pch, const char *agent_id); /* * obtain a list of available agents */ char **pamc_list_agents(pamc_handle_t pch); /* * PAM_BP_ MACROS for creating, destroying and manipulating binary prompts */ #include #include #include #ifndef PAM_BP_ASSERT # ifdef NDEBUG # define PAM_BP_ASSERT(x) do {} while (0) # else # define PAM_BP_ASSERT(x) do { printf(__FILE__ "(%d): %s\n", \ __LINE__, x) ; exit(1); } while (0) # endif /* NDEBUG */ #endif /* PAM_BP_ASSERT */ #ifndef PAM_BP_CALLOC # define PAM_BP_CALLOC calloc #endif /* PAM_BP_CALLOC */ #ifndef PAM_BP_FREE # define PAM_BP_FREE free #endif /* PAM_BP_FREE */ #define __PAM_BP_WOCTET(x,y) (*((y) + (u_int8_t *)(x))) #define __PAM_BP_ROCTET(x,y) (*((y) + (const u_int8_t *)(x))) #define PAM_BP_MIN_SIZE (sizeof(u_int32_t) + sizeof(u_int8_t)) #define PAM_BP_MAX_LENGTH 0x20000 /* an advisory limit */ #define PAM_BP_WCONTROL(x) (__PAM_BP_WOCTET(x,4)) #define PAM_BP_RCONTROL(x) (__PAM_BP_ROCTET(x,4)) #define PAM_BP_SIZE(x) ((__PAM_BP_ROCTET(x,0)<<24)+ \ (__PAM_BP_ROCTET(x,1)<<16)+ \ (__PAM_BP_ROCTET(x,2)<< 8)+ \ (__PAM_BP_ROCTET(x,3) )) #define PAM_BP_LENGTH(x) (PAM_BP_SIZE(x) - PAM_BP_MIN_SIZE) #define PAM_BP_WDATA(x) (PAM_BP_MIN_SIZE + (u_int8_t *) (x)) #define PAM_BP_RDATA(x) (PAM_BP_MIN_SIZE + (const u_int8_t *) (x)) /* Note, this macro always '\0' terminates renewed packets */ #define PAM_BP_RENEW(old_p, cntrl, data_length) \ do { \ if (old_p) { \ if (*(old_p)) { \ u_int32_t __size; \ __size = PAM_BP_SIZE(*(old_p)); \ memset(*(old_p), 0, __size); \ PAM_BP_FREE(*(old_p)); \ } \ if (cntrl) { \ u_int32_t __size; \ \ __size = PAM_BP_MIN_SIZE + data_length; \ if ((*(old_p) = PAM_BP_CALLOC(1, 1+__size))) { \ __PAM_BP_WOCTET(*(old_p), 3) = __size & 0xFF; \ __PAM_BP_WOCTET(*(old_p), 2) = (__size>>=8) & 0xFF; \ __PAM_BP_WOCTET(*(old_p), 1) = (__size>>=8) & 0xFF; \ __PAM_BP_WOCTET(*(old_p), 0) = (__size>>=8) & 0xFF; \ (*(old_p))->control = cntrl; \ } else { \ PAM_BP_ASSERT("out of memory for binary prompt"); \ } \ } else { \ *old_p = NULL; \ } \ } else { \ PAM_BP_ASSERT("programming error, invalid binary prompt pointer"); \ } \ } while (0) #define PAM_BP_FILL(prmpt, offset, length, data) \ do { \ size_t bp_length; \ u_int8_t *prompt = (u_int8_t *) (prmpt); \ bp_length = PAM_BP_LENGTH(prompt); \ if (bp_length < ((length)+(offset))) { \ PAM_BP_ASSERT("attempt to write over end of prompt"); \ } \ memcpy((offset) + PAM_BP_WDATA(prompt), (data), (length)); \ } while (0) #define PAM_BP_EXTRACT(prmpt, offset, length, data) \ do { \ size_t __bp_length; \ const u_int8_t *__prompt = (const u_int8_t *) (prmpt); \ __bp_length = PAM_BP_LENGTH(__prompt); \ if (((offset) < 0) || (__bp_length < ((length)+(offset))) \ || ((length) < 0)) { \ PAM_BP_ASSERT("invalid extraction from prompt"); \ } \ memcpy((data), (offset) + PAM_BP_RDATA(__prompt), (length)); \ } while (0) /* Control types */ #define PAM_BPC_FALSE 0 #define PAM_BPC_TRUE 1 #define PAM_BPC_OK 0x01 /* continuation packet */ #define PAM_BPC_SELECT 0x02 /* initialization packet */ #define PAM_BPC_DONE 0x03 /* termination packet */ #define PAM_BPC_FAIL 0x04 /* unable to execute */ /* The following control characters are only legal for echanges between an agent and a client (it is the responsibility of the client to enforce this rule in the face of a rogue server): */ #define PAM_BPC_GETENV 0x41 /* obtain client env.var */ #define PAM_BPC_PUTENV 0x42 /* set client env.var */ #define PAM_BPC_TEXT 0x43 /* display message */ #define PAM_BPC_ERROR 0x44 /* display error message */ #define PAM_BPC_PROMPT 0x45 /* echo'd text prompt */ #define PAM_BPC_PASS 0x46 /* non-echo'd text prompt*/ /* quick check for prompts that are legal for the client (by implication the server too) to send to libpamc */ #define PAM_BPC_FOR_CLIENT(/* pamc_bp_t */ prompt) \ (((prompt)->control <= PAM_BPC_FAIL && (prompt)->control >= PAM_BPC_OK) \ ? PAM_BPC_TRUE:PAM_BPC_FALSE) #ifdef __cplusplus } #endif /* def __cplusplus */ #endif /* PAM_CLIENT_H */ _pam_macros.h000064400000013735150231720430007203 0ustar00#ifndef PAM_MACROS_H #define PAM_MACROS_H /* * All kind of macros used by PAM, but usable in some other * programs too. * Organized by Cristian Gafton */ /* a 'safe' version of strdup */ #include #include #define x_strdup(s) ( (s) ? strdup(s):NULL ) /* Good policy to strike out passwords with some characters not just free the memory */ #define _pam_overwrite(x) \ do { \ register char *__xx__; \ if ((__xx__=(x))) \ while (*__xx__) \ *__xx__++ = '\0'; \ } while (0) #define _pam_overwrite_n(x,n) \ do { \ register char *__xx__; \ register unsigned int __i__ = 0; \ if ((__xx__=(x))) \ for (;__i__ */ #include #include #include #include #include #include #include /* * This is for debugging purposes ONLY. DO NOT use on live systems !!! * You have been warned :-) - CG * * to get automated debugging to the log file, it must be created manually. * _PAM_LOGFILE must exist and be writable to the programs you debug. */ #ifndef _PAM_LOGFILE #define _PAM_LOGFILE "/var/run/pam-debug.log" #endif static void _pam_output_debug_info(const char *file, const char *fn , const int line) { FILE *logfile; int must_close = 1, fd; #ifdef O_NOFOLLOW if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { #else if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { #endif if (!(logfile = fdopen(fd,"a"))) { logfile = stderr; must_close = 0; close(fd); } } else { logfile = stderr; must_close = 0; } fprintf(logfile,"[%s:%s(%d)] ",file, fn, line); fflush(logfile); if (must_close) fclose(logfile); } static void _pam_output_debug(const char *format, ...) { va_list args; FILE *logfile; int must_close = 1, fd; va_start(args, format); #ifdef O_NOFOLLOW if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { #else if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { #endif if (!(logfile = fdopen(fd,"a"))) { logfile = stderr; must_close = 0; close(fd); } } else { logfile = stderr; must_close = 0; } vfprintf(logfile, format, args); fprintf(logfile, "\n"); fflush(logfile); if (must_close) fclose(logfile); va_end(args); } #define D(x) do { \ _pam_output_debug_info(__FILE__, __FUNCTION__, __LINE__); \ _pam_output_debug x ; \ } while (0) #define _pam_show_mem(X,XS) do { \ int i; \ register unsigned char *x; \ x = (unsigned char *)X; \ fprintf(stderr, " \n", X); \ for (i = 0; i < XS ; ++x, ++i) { \ fprintf(stderr, " %02X. <%p:%02X>\n", i, x, *x); \ } \ fprintf(stderr, " \n", X, XS); \ } while (0) #define _pam_show_reply(/* struct pam_response * */reply, /* int */replies) \ do { \ int reply_i; \ setbuf(stderr, NULL); \ fprintf(stderr, "array at %p of size %d\n",reply,replies); \ fflush(stderr); \ if (reply) { \ for (reply_i = 0; reply_i < replies; reply_i++) { \ fprintf(stderr, " elem# %d at %p: resp = %p, retcode = %d\n", \ reply_i, reply+reply_i, reply[reply_i].resp, \ reply[reply_i].resp, _retcode); \ fflush(stderr); \ if (reply[reply_i].resp) { \ fprintf(stderr, " resp[%d] = '%s'\n", \ strlen(reply[reply_i].resp), reply[reply_i].resp); \ fflush(stderr); \ } \ } \ } \ fprintf(stderr, "done here\n"); \ fflush(stderr); \ } while (0) #else #define D(x) do { } while (0) #define _pam_show_mem(X,XS) do { } while (0) #define _pam_show_reply(reply, replies) do { } while (0) #endif /* PAM_DEBUG */ #endif /* PAM_MACROS_H */ pam_misc.h000064400000002766150231720430006515 0ustar00/* $Id$ */ #ifndef __PAMMISC_H #define __PAMMISC_H #include #include #ifdef __cplusplus extern "C" { #endif /* __cplusplus */ /* include some useful macros */ #include /* functions defined in pam_misc.* libraries */ extern int misc_conv(int num_msg, const struct pam_message **msgm, struct pam_response **response, void *appdata_ptr); #include extern time_t pam_misc_conv_warn_time; /* time that we should warn user */ extern time_t pam_misc_conv_die_time; /* cut-off time for input */ extern const char *pam_misc_conv_warn_line; /* warning notice */ extern const char *pam_misc_conv_die_line; /* cut-off remark */ extern int pam_misc_conv_died; /* 1 = cut-off time reached (0 not) */ extern int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t *prompt_p); extern void (*pam_binary_handler_free)(void *appdata, pamc_bp_t *prompt_p); /* * Environment helper functions */ /* transcribe given environment (to pam) */ extern int pam_misc_paste_env(pam_handle_t *pamh , const char * const * user_env); /* delete environment as obtained from (pam_getenvlist) */ extern char **pam_misc_drop_env(char **env); /* provide something like the POSIX setenv function for the (Linux-)PAM * environment. */ extern int pam_misc_setenv(pam_handle_t *pamh, const char *name , const char *value, int readonly); #ifdef __cplusplus } #endif /* def __cplusplus */ #endif /* ndef __PAMMISC_H */