Context Navigation

source: openpam/trunk/lib/openpam_dispatch.c @ 186

Revision 186, 6.1 KB checked in by des, 11 years ago (diff)

Record which primitive is currently executing before calling the
service module. Use that information to generate a much better
error message when indirect recursion is detected.

Instrument openpam_dispatch()'s entry and exit points.

Line
1	/*-
2	* Copyright (c) 2002 Networks Associates Technology, Inc.
3	* All rights reserved.
4	*
5	* This software was developed for the FreeBSD Project by ThinkSec AS and
6	* Network Associates Laboratories, the Security Research Division of
7	* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
8	* ("CBOSS"), as part of the DARPA CHATS research program.
9	*
10	* Redistribution and use in source and binary forms, with or without
11	* modification, are permitted provided that the following conditions
12	* are met:
13	* 1. Redistributions of source code must retain the above copyright
14	* notice, this list of conditions and the following disclaimer.
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in the
17	* documentation and/or other materials provided with the distribution.
18	* 3. The name of the author may not be used to endorse or promote
19	* products derived from this software without specific prior written
20	* permission.
21	*
22	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32	* SUCH DAMAGE.
33	*
34	* $P4: //depot/projects/openpam/lib/openpam_dispatch.c#18 $
35	*/
36
37	#include <sys/param.h>
38
39	#include <security/pam_appl.h>
40
41	#include "openpam_impl.h"
42
43	#if !defined(OPENPAM_RELAX_CHECKS)
44	static void _openpam_check_error_code(int, int);
45	#else
46	#define _openpam_check_error_code(a, b)
47	#endif /* !defined(OPENPAM_RELAX_CHECKS) */
48
49	/*
50	* OpenPAM internal
51	*
52	* Execute a module chain
53	*/
54
55	int
56	openpam_dispatch(pam_handle_t *pamh,
57	int primitive,
58	int flags)
59	{
60	pam_chain_t *chain;
61	int err, fail, r;
62
63	ENTER();
64	if (pamh == NULL)
65	RETURNC(PAM_SYSTEM_ERR);
66
67	/* prevent recursion */
68	if (pamh->current != NULL) {
69	openpam_log(PAM_LOG_ERROR,
70	"%s() called while %s::%s() is in progress",
71	_pam_func_name[primitive],
72	pamh->current->module->path,
73	_pam_sm_func_name[pamh->primitive]);
74	RETURNC(PAM_ABORT);
75	}
76
77	/* pick a chain */
78	switch (primitive) {
79	case PAM_SM_AUTHENTICATE:
80	case PAM_SM_SETCRED:
81	chain = pamh->chains[PAM_AUTH];
82	break;
83	case PAM_SM_ACCT_MGMT:
84	chain = pamh->chains[PAM_ACCOUNT];
85	break;
86	case PAM_SM_OPEN_SESSION:
87	case PAM_SM_CLOSE_SESSION:
88	chain = pamh->chains[PAM_SESSION];
89	break;
90	case PAM_SM_CHAUTHTOK:
91	chain = pamh->chains[PAM_PASSWORD];
92	break;
93	default:
94	RETURNC(PAM_SYSTEM_ERR);
95	}
96
97	/* execute */
98	for (err = fail = 0; chain != NULL; chain = chain->next) {
99	openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
100	_pam_sm_func_name[primitive], chain->module->path);
101	if (chain->module->func[primitive] == NULL) {
102	openpam_log(PAM_LOG_ERROR, "%s: no %s()",
103	chain->module->path, _pam_sm_func_name[primitive]);
104	continue;
105	} else {
106	pamh->primitive = primitive;
107	pamh->current = chain;
108	r = (chain->module->func[primitive])(pamh, flags,
109	chain->optc, (const char **)chain->optv);
110	pamh->current = NULL;
111	openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
112	chain->module->path, _pam_sm_func_name[primitive],
113	pam_strerror(pamh, r));
114	}
115
116	if (r == PAM_IGNORE)
117	continue;
118	if (r == PAM_SUCCESS) {
119	/*
120	* For pam_setcred() and pam_chauthtok() with the
121	* PAM_PRELIM_CHECK flag, treat "sufficient" as
122	* "optional".
123	*/
124	if ((chain->flag == PAM_SUFFICIENT \|\|
125	chain->flag == PAM_BINDING) && !fail &&
126	primitive != PAM_SM_SETCRED &&
127	!(primitive == PAM_SM_CHAUTHTOK &&
128	(flags & PAM_PRELIM_CHECK)))
129	break;
130	continue;
131	}
132
133	_openpam_check_error_code(primitive, r);
134
135	/*
136	* Record the return code from the first module to
137	* fail. If a required module fails, record the
138	* return code from the first required module to fail.
139	*/
140	if (err == 0)
141	err = r;
142	if ((chain->flag == PAM_REQUIRED \|\|
143	chain->flag == PAM_BINDING) && !fail) {
144	openpam_log(PAM_LOG_DEBUG, "required module failed");
145	fail = 1;
146	err = r;
147	}
148
149	/*
150	* If a requisite module fails, terminate the chain
151	* immediately.
152	*/
153	if (chain->flag == PAM_REQUISITE) {
154	openpam_log(PAM_LOG_DEBUG, "requisite module failed");
155	fail = 1;
156	break;
157	}
158	}
159
160	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
161	err = PAM_SUCCESS;
162	RETURNC(err);
163	}
164
165	#if !defined(OPENPAM_RELAX_CHECKS)
166	static void
167	_openpam_check_error_code(int primitive, int r)
168	{
169	/* common error codes */
170	if (r == PAM_SUCCESS \|\|
171	r == PAM_SERVICE_ERR \|\|
172	r == PAM_BUF_ERR \|\|
173	r == PAM_CONV_ERR \|\|
174	r == PAM_PERM_DENIED \|\|
175	r == PAM_ABORT)
176	return;
177
178	/* specific error codes */
179	switch (primitive) {
180	case PAM_SM_AUTHENTICATE:
181	if (r == PAM_AUTH_ERR \|\|
182	r == PAM_CRED_INSUFFICIENT \|\|
183	r == PAM_AUTHINFO_UNAVAIL \|\|
184	r == PAM_USER_UNKNOWN \|\|
185	r == PAM_MAXTRIES)
186	return;
187	break;
188	case PAM_SM_SETCRED:
189	if (r == PAM_CRED_UNAVAIL \|\|
190	r == PAM_CRED_EXPIRED \|\|
191	r == PAM_USER_UNKNOWN \|\|
192	r == PAM_CRED_ERR)
193	return;
194	break;
195	case PAM_SM_ACCT_MGMT:
196	if (r == PAM_USER_UNKNOWN \|\|
197	r == PAM_AUTH_ERR \|\|
198	r == PAM_NEW_AUTHTOK_REQD \|\|
199	r == PAM_ACCT_EXPIRED)
200	return;
201	break;
202	case PAM_SM_OPEN_SESSION:
203	case PAM_SM_CLOSE_SESSION:
204	if (r == PAM_SESSION_ERR)
205	return;
206	break;
207	case PAM_SM_CHAUTHTOK:
208	if (r == PAM_PERM_DENIED \|\|
209	r == PAM_AUTHTOK_ERR \|\|
210	r == PAM_AUTHTOK_RECOVERY_ERR \|\|
211	r == PAM_AUTHTOK_LOCK_BUSY \|\|
212	r == PAM_AUTHTOK_DISABLE_AGING \|\|
213	r == PAM_TRY_AGAIN)
214	return;
215	break;
216	}
217
218	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
219	_pam_sm_func_name[primitive], r);
220	}
221	#endif /* !defined(OPENPAM_RELAX_CHECKS) */
222
223	/*
224	* NODOC
225	*
226	* Error codes:
227	*/

Note: See TracBrowser for help on using the repository browser.

Download in other formats: