source: openpam/trunk/lib/openpam_dispatch.c @ 25

Last change on this file since 25 was 25, checked in by Dag-Erling Smørgrav, 19 years ago

Store options, and pass them to modules.

Replace the "dispatching" flag with a pam_chain_t pointer. It is set
to point at the currently executing module right before calling the
module, and cleared right after the module returns. Note that this
isn't intended to prevent reentrancy in multi-threaded applications,
but simply to prevent modules from using the application interface.

When recursion is detected, return PAM_ABORT rather than
PAM_SYSTEM_ERR, since this is a programmatical error rather than
a runtime one.

Sponsored by: DARPA, NAI Labs

  • Property svn:keywords set to Id LastChangedRevision HeadURL LastChangedDate LastChangedBy
File size: 5.5 KB
Line 
1/*-
2 * Copyright (c) 2002 Networks Associates Technologies, Inc.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by ThinkSec AS and
6 * NAI Labs, the Security Research Division of Network Associates, Inc.
7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 * DARPA CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote
19 *    products derived from this software without specific prior written
20 *    permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $Id: openpam_dispatch.c 25 2002-02-04 15:00:16Z des $
35 */
36
37#include <sys/param.h>
38
39#include <security/pam_appl.h>
40
41#include "openpam_impl.h"
42
43#if !defined(OPENPAM_RELAX_CHECKS)
44static void _openpam_check_error_code(int, int);
45#else
46#define _openpam_check_error_code(a, b)
47#endif /* !defined(OPENPAM_RELAX_CHECKS) */
48
49/*
50 * Execute a module chain
51 */
52
53int
54openpam_dispatch(pam_handle_t *pamh,
55        int primitive,
56        int flags)
57{
58        pam_chain_t *module;
59        int err, fail, r;
60
61        if (pamh == NULL)
62                return (PAM_SYSTEM_ERR);
63
64        /* prevent recursion */
65        if (pamh->current != NULL) {
66                openpam_log(PAM_LOG_ERROR, "indirect recursion");
67                return (PAM_ABORT);
68        }
69
70        /* pick a chain */
71        switch (primitive) {
72        case PAM_AUTHENTICATE:
73        case PAM_SETCRED:
74                module = pamh->chains[PAM_AUTH];
75                break;
76        case PAM_ACCT_MGMT:
77                module = pamh->chains[PAM_ACCOUNT];
78                break;
79        case PAM_OPEN_SESSION:
80        case PAM_CLOSE_SESSION:
81                module = pamh->chains[PAM_SESSION];
82                break;
83        case PAM_CHAUTHTOK:
84                module = pamh->chains[PAM_PASSWORD];
85                break;
86        default:
87                return (PAM_SYSTEM_ERR);
88        }
89
90        /* fail if the chain is empty */
91        if (module == NULL)
92                return (PAM_SYSTEM_ERR);
93
94        /* execute */
95        for (err = fail = 0; module != NULL; module = module->next) {
96                if (module->primitive[primitive] == NULL) {
97                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
98                            module->modpath, _pam_sm_func_name[primitive]);
99                        r = PAM_SYMBOL_ERR;
100                } else {
101                        pamh->current = module;
102                        r = (module->primitive[primitive])(pamh, flags,
103                            module->optc, (const char **)module->optv);
104                        pamh->current = NULL;
105                        openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
106                            module->modpath, _pam_sm_func_name[primitive],
107                            pam_strerror(pamh, r));
108                }
109
110                if (r == PAM_IGNORE)
111                        continue;
112                if (r == PAM_SUCCESS) {
113                        /*
114                         * For pam_setcred(), treat "sufficient" as
115                         * "optional".
116                         *
117                         * Note that Solaris libpam does not terminate
118                         * the chain here if a required module has
119                         * previously failed.  I'm not sure why.
120                         */
121                        if (module->flag == PAM_SUFFICIENT &&
122                            primitive != PAM_SETCRED)
123                                break;
124                }
125
126                _openpam_check_error_code(primitive, r);
127
128                /*
129                 * Record the return code from the first module to
130                 * fail.  If a required module fails, record the
131                 * return code from the first required module to fail.
132                 */
133                if (err == 0)
134                        err = r;
135                if (module->flag == PAM_REQUIRED && !fail) {
136                        fail = 1;
137                        err = r;
138                }
139
140                /*
141                 * If a requisite module fails, terminate the chain
142                 * immediately.
143                 */
144                if (module->flag == PAM_REQUISITE) {
145                        fail = 1;
146                        break;
147                }
148        }
149
150        return (fail ? err : PAM_SUCCESS);
151}
152
153#if !defined(OPENPAM_RELAX_CHECKS)
154static void
155_openpam_check_error_code(int primitive, int r)
156{
157        /* common error codes */
158        if (r == PAM_SERVICE_ERR ||
159            r == PAM_BUF_ERR ||
160            r == PAM_BUF_ERR ||
161            r == PAM_CONV_ERR ||
162            r == PAM_PERM_DENIED)
163                return;
164
165        /* specific error codes */
166        switch (primitive) {
167        case PAM_AUTHENTICATE:
168                if (r == PAM_AUTH_ERR ||
169                    r == PAM_CRED_INSUFFICIENT ||
170                    r == PAM_AUTHINFO_UNAVAIL ||
171                    r == PAM_USER_UNKNOWN ||
172                    r == PAM_MAXTRIES)
173                        return;
174                break;
175        case PAM_SETCRED:
176                if (r == PAM_CRED_UNAVAIL ||
177                    r == PAM_CRED_EXPIRED ||
178                    r == PAM_USER_UNKNOWN ||
179                    r == PAM_CRED_ERR)
180                        return;
181                break;
182        case PAM_ACCT_MGMT:
183                if (r == PAM_USER_UNKNOWN ||
184                    r == PAM_AUTH_ERR ||
185                    r == PAM_NEW_AUTHTOK_REQD ||
186                    r == PAM_ACCT_EXPIRED)
187                        return;
188                break;
189        case PAM_OPEN_SESSION:
190        case PAM_CLOSE_SESSION:
191                if (r == PAM_SESSION_ERR)
192                        return;
193                break;
194        case PAM_CHAUTHTOK:
195                if (r == PAM_PERM_DENIED ||
196                    r == PAM_AUTHTOK_ERR ||
197                    r == PAM_AUTHTOK_RECOVERY_ERR ||
198                    r == PAM_AUTHTOK_LOCK_BUSY ||
199                    r == PAM_AUTHTOK_DISABLE_AGING)
200                        return;
201                break;
202        }
203
204        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
205            _pam_sm_func_name[primitive], r);
206}
207#endif /* !defined(OPENPAM_RELAX_CHECKS) */
Note: See TracBrowser for help on using the repository browser.