opendoas

A portable version of the OpenBSD `doas` command
git clone https://pi.duncano.de/git/opendoas.git

commit e38b848a0e46ec926627ac3d2c43eedcfd5e3d80
parent cbbdf2e13e296a577f0e161999681eec97d61cd9
Author: Nathan Holstein <nathan.holstein@gmail.com>
Date:   Wed,  5 Aug 2015 03:00:56 -0400

Begin integration of PAM into auth_userokay().

Diffstat:
Makefile | 1+
libopenbsd/auth_userokay.c | 62+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
@@ -13,6 +13,7 @@ BINMODE=4511
 COPTS+= -Wall -Wextra -Werror -pedantic -std=c11
 CFLAGS+= -I${CURDIR} -I${CURDIR}/libopenbsd ${COPTS}
+LDFLAGS+= -lpam
 BINDIR?=/usr/bin
 MANDIR?=/usr/share/man
diff --git a/libopenbsd/auth_userokay.c b/libopenbsd/auth_userokay.c
@@ -14,22 +14,82 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+#include <sys/types.h>
 #include <errno.h>
+#include <pwd.h>
+#include <readpassphrase.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <security/pam_appl.h>
+
 #include "openbsd.h"
+#define PAM_SERVICE "sudo"
+
+#define __UNUSED __attribute__ ((unused))
+
+static int
+pam_conv(__UNUSED int huh, __UNUSED const struct pam_message **msg,
+	__UNUSED struct pam_response **rsp, __UNUSED void *ptr)
+{
+	return 0;
+}
+
+static struct pam_conv conv = {
+	.conv = pam_conv,
+	.appdata_ptr = NULL,
+};
+
+static int
+check_pam(const char *user)
+{
+	fprintf(stderr, "check_pam(%s)\n", user);
+
+	int ret;
+	pam_handle_t *pamh = NULL;
+
+	ret = pam_start(PAM_SERVICE, user, &conv, &pamh);
+	if (ret != 0) {
+		fprintf(stderr, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
+		    PAM_SERVICE, user);
+		return -1;
+	}
+
+	if ((ret = pam_close_session(pamh, 0)) != 0) {
+		fprintf(stderr, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
+		return -1;
+	}
+
+	return 0;
+}
+
 int
 auth_userokay(char *name, char *style, char *type, char *password)
 {
+	if (!name)
+		return 0;
 	if (style || type || password) {
 		fprintf(stderr, "auth_userokay(name, NULL, NULL, NULL)!\n");
 		exit(1);
 	}
-	fprintf(stderr, "failing auth check for %s\n", name);
+	int ret = check_pam(name);
+	if (ret != 0) {
+		fprintf(stderr, "PAM authentication failed\n");
+		return 0;
+	}
+
+	/*
+	char passbuf[256];
+	if (readpassphrase("Password: ", passbuf, sizeof(passbuf),
+	    RPP_REQUIRE_TTY) == NULL)
+		return 0;
+	explicit_bzero(passbuf, sizeof(passbuf));
+	*/
+
+	fprintf(stderr, "failing auth check for %s\n", name);
 	return 0;
 }
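Review bot: `-lpam` is added to LDFLAGS, and if the link rule follows make's implicit `$(CC) $(LDFLAGS) objs $(LDLIBS)` ordering (the rule itself is outside this hunk) the library is placed before the objects that reference it, which a linker running with `--as-needed` drops, failing the link with unresolved pam_* symbols. The conventional home for a library is LDLIBS, `LDLIBS+= -lpam`, which lands after the objects.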
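Review bot: check_pam returns 0 after pam_start and pam_close_session without ever calling pam_authenticate or pam_acct_mgmt, so its success value carries no credential or account check; auth_userokay only fails closed because of the unconditional `return 0` at its end, and the first change that trusts check_pam would grant access on pam_start alone. The handle is also never released with pam_end, pam_close_session has no matching pam_open_session, and the stub pam_conv returns 0 (PAM_SUCCESS) without setting `*rsp`, which a module may then read or free — it should `return PAM_CONV_ERR;` until a real conversation exists. Two smaller points: `__UNUSED` is a reserved identifier (leading double underscore), and the `check_pam(%s)` stderr trace and the commented-out readpassphrase block should not land as-is. Borrowing the `sudo` service name also applies sudo's PAM stack to doas; a dedicated service name keeps the two policies independent. A shape for check_pam that performs the check and always ends the transaction is below.
```c
static int
check_pam(const char *user)
{
	pam_handle_t *pamh = NULL;
	int ret = pam_start(PAM_SERVICE, user, &conv, &pamh);
	if (ret != PAM_SUCCESS)
		return -1;

	/* credential check first, then account validity (expiry, locks) */
	ret = pam_authenticate(pamh, 0);
	if (ret == PAM_SUCCESS)
		ret = pam_acct_mgmt(pamh, 0);
	if (ret != PAM_SUCCESS)
		fprintf(stderr, "PAM: %s\n", pam_strerror(pamh, ret));

	/* always release the handle, handing the final status to the modules */
	if (pam_end(pamh, ret) != PAM_SUCCESS)
		return -1;
	return ret == PAM_SUCCESS ? 0 : -1;
}
```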