Date: Thu, 9 Nov 2006 01:10:18 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: freebsd-hackers@FreeBSD.org
Subject: Re: RFC: pam_krb5: minimum_[ug]id options
Message-ID: <20061108221018.GB55351@rambler-co.ru>
In-Reply-To: <20061108212829.GA2738@charon.picobyte.net>
References: <20061108212829.GA2738@charon.picobyte.net>
On Wed, Nov 08, 2006 at 09:28:30PM +0000, Shaun Amott wrote:
> While fiddling with PAM, it came to my attention that the pam_krb5
> module in some other (Linux?) PAM implementations supports, amongst
> other things, a minimum_uid option. This makes it possible to skip over
> Kerberos authentication for local system accounts, like so:
>
> auth required pam_krb5.so no_warn minimum_uid=1000
> auth required pam_unix.so no_warn try_first_pass
>
> I think it'd be a nice addition to our pam_krb5 at least.
>
> I've attached an initial patch. Comments/review welcome.
>
OK.

> Index: pam_krb5.8
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
> retrieving revision 1.6
> diff -u -r1.6 pam_krb5.8
> --- pam_krb5.8 24 Nov 2001 23:41:32 -0000 1.6
> +++ pam_krb5.8 8 Nov 2006 20:50:35 -0000
> @@ -108,6 +108,13 @@
> .Ql %p ,
> to designate the current process ID; can be used in
> .Ar name .
> +.It Cm minimum_uid Ns = Ns Ar id
> +Do not attempt to authenticate users with a uid below
                                                ^^^
                                                UID
> +.Ar id .
> +Instead, simply return; thus allowing a later module to authenticate
> +the user.
> +.It Cm minimum_gid Ns = Ns Ar id
> +As above, but specifies a minimum group.
                                      ^^^^^
"group ID" or GID

Also, it could be explicit about this being a primary GID.

> .El
> .Ss Kerberos 5 Account Management Module
> The Kerberos 5 account management component
>
Document date should be bumped (the .Dd macro).

> Index: pam_krb5.c
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
> retrieving revision 1.23
> diff -u -r1.23 pam_krb5.c
> --- pam_krb5.c 7 Jul 2005 14:16:38 -0000 1.23
> +++ pam_krb5.c 8 Nov 2006 20:50:36 -0000
> @@ -90,6 +90,8 @@
> #define PAM_OPT_FORWARDABLE "forwardable"
> #define PAM_OPT_NO_CCACHE "no_ccache"
> #define PAM_OPT_REUSE_CCACHE "reuse_ccache"
> +#define PAM_OPT_MINIMUM_UID "minimum_uid"
> +#define PAM_OPT_MINIMUM_GID "minimum_gid"
>
Defines were sorted alphabetically by a defined name.

> /*
> * authentication management
> @@ -110,6 +112,9 @@
> const char *user, *pass;
> const void *sourceuser, *service;
> char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
> + const char *retstr;
> + uid_t minuid = 0;
> + gid_t mingid = 0;
>
> retval = pam_get_user(pamh, &user, USER_PROMPT);
> if (retval != PAM_SUCCESS)
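Review bot: the new minimum_uid text in the pam_krb5.8 hunk says the module will "simply return" without naming the return value; the code returns PAM_IGNORE, so the manual page should say so, because an administrator needs that to predict how the entry behaves under a given control flag (OpenPAM skips a PAM_IGNORE result before the control flag is evaluated). It should also spell out that the comparison is strict: a user whose UID is below id is skipped, while a user whose UID equals id is still authenticated against Kerberos.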
> @@ -222,6 +227,21 @@
>
> PAM_LOG("Done getpwnam()");
>
> + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
> +
Extraneous empty line.

> + if (retstr)
               ^
missing "!= NULL"

> + minuid = (uid_t)strtoul(retstr, NULL, 10);
>
Errors are silently ignored; limit (UID_MAX) isn't checked.

> +
> + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
> +
> + if (retstr)
> + mingid = (gid_t)strtoul(retstr, NULL, 10);
> +
>
Ditto but s/UID_MAX/GID_MAX/.

> + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
> + return (PAM_IGNORE);
> +
> + PAM_LOG("Checked uid and gid bounds");
> +
> /* Get a TGT */
> memset(&creds, 0, sizeof(krb5_creds));
> krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
> @@ -349,6 +369,9 @@
> const void *user;
> void *cache_data;
> char *cache_name_buf = NULL, *p;
> + const char *retstr;
> + uid_t minuid = 0;
> + gid_t mingid = 0;
>
> uid_t euid;
> gid_t egid;
> @@ -391,6 +414,30 @@
>
> PAM_LOG("Got euid, egid: %d %d", euid, egid);
>
> + /* Get the uid. This should exist. */
> + pwd = getpwnam(user);
> + if (pwd == NULL) {
> + retval = PAM_USER_UNKNOWN;
> + goto cleanup3;
> + }
> +
> + PAM_LOG("Done getpwnam()");
> +
> + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
> +
> + if (retstr)
> + minuid = (uid_t)strtoul(retstr, NULL, 10);
> +
> + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
> +
> + if (retstr)
> + mingid = (gid_t)strtoul(retstr, NULL, 10);
> +
> + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
> + return (PAM_IGNORE);
> +
> + PAM_LOG("Checked uid and gid bounds");
> +
> /* Retrieve the temporary cache */
> retval = pam_get_data(pamh, "ccache", &cache_data);
> if (retval != PAM_SUCCESS) {
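Review bot: in the setcred hunk (@@ -391,6 +414,30 @@), `return (PAM_IGNORE);` after the bounds check bypasses the cleanup path that the same hunk uses a few lines earlier (`retval = PAM_USER_UNKNOWN; goto cleanup3;`); set `retval = PAM_IGNORE;` and `goto cleanup3;` instead so this path releases whatever cleanup3 releases. The auth hunk (@@ -222,6 +227,21 @@) has the same direct return while `pam_context` and `princ` are still live on the lines that follow (`krb5_get_init_creds_password(pam_context, &creds, princ,`), so that function's release path needs checking too. The option parsing (openpam_get_option followed by strtoul into minuid/mingid) is now duplicated verbatim in both functions; a small static helper that parses both options once, with the error and UID_MAX/GID_MAX range checks requested above, would keep the two checks from drifting apart.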
> @@ -405,15 +452,6 @@
> goto cleanup3;
> }
>
> - /* Get the uid. This should exist. */
> - pwd = getpwnam(user);
> - if (pwd == NULL) {
> - retval = PAM_USER_UNKNOWN;
> - goto cleanup3;
> - }
> -
> - PAM_LOG("Done getpwnam()");
> -
> /* Avoid following a symlink as root */
> if (setegid(pwd->pw_gid)) {
> retval = PAM_SERVICE_ERR;

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer