Date:      Thu, 9 Nov 2006 01:18:44 +0000
From:      Shaun Amott <shaun@FreeBSD.org>
To:        freebsd-hackers@FreeBSD.org
Subject:   Re: RFC: pam_krb5: minimum_[ug]id options
Message-ID:  <20061109011843.GA4880@charon.picobyte.net>
In-Reply-To: <20061108221018.GB55351@rambler-co.ru>
References:  <20061108212829.GA2738@charon.picobyte.net> <20061108221018.GB55351@rambler-co.ru>


--uXxzq0nDebZQVNAZ
Content-Type: multipart/mixed; boundary="24zk1gE8NUlDmwG9"
Content-Disposition: inline


--24zk1gE8NUlDmwG9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Thanks for reviewing the patch. Here's an updated version with your
suggestions incorporated.

Shaun

--=20
Shaun Amott // PGP: 0x6B387A9A
"A foolish consistency is the hobgoblin
of little minds." - Ralph Waldo Emerson

--24zk1gE8NUlDmwG9
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="pam_krb5.diff"
Content-Transfer-Encoding: quoted-printable

Index: pam_krb5.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
retrieving revision 1.6
diff -u -r1.6 pam_krb5.8
--- pam_krb5.8	24 Nov 2001 23:41:32 -0000	1.6
+++ pam_krb5.8	9 Nov 2006 01:14:18 -0000
@@ -1,7 +1,7 @@
 .\"
 .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
 .\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 =
23:41:32 dd Exp $
-.Dd January 15, 1999
+.Dd Thursday 09, 2006
 .Dt PAM_KRB5 8
 .Os
 .Sh NAME
@@ -108,6 +108,13 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm minimum_uid Ns =3D Ns Ar id
+Do not attempt to authenticate users with a UID below
+.Ar id .
+Instead, simply return; thus allowing a later module to authenticate
+the user.
+.It Cm minimum_gid Ns =3D Ns Ar id
+As above, but specifies a minimum primary GID.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
Index: pam_krb5.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
retrieving revision 1.23
diff -u -r1.23 pam_krb5.c
--- pam_krb5.c	7 Jul 2005 14:16:38 -0000	1.23
+++ pam_krb5.c	9 Nov 2006 01:14:19 -0000
@@ -88,6 +88,8 @@
 #define PAM_OPT_CCACHE		"ccache"
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
+#define PAM_OPT_MINIMUM_GID	"minimum_gid"
+#define PAM_OPT_MINIMUM_UID	"minimum_uid"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
=20
@@ -110,6 +112,9 @@
 	const char *user, *pass;
 	const void *sourceuser, *service;
 	char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
+	const char *retstr;
+	uid_t minuid =3D 0;
+	gid_t mingid =3D 0;
=20
 	retval =3D pam_get_user(pamh, &user, USER_PROMPT);
 	if (retval !=3D PAM_SUCCESS)
@@ -222,6 +227,39 @@
=20
 	PAM_LOG("Done getpwnam()");
=20
+	retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+	if (retstr !=3D NULL) {
+		if ((minuid =3D (uid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) {
+			if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) {
+				PAM_LOG("Error in minimum_uid: %s",
+				    strerror(errno));
+				return (PAM_SERVICE_ERR);
+			}
+		} else if (minuid > UID_MAX) {
+			PAM_LOG("Error in minimum_uid: invalid UID");
+			return (PAM_SERVICE_ERR);
+		}
+	}
+
+	retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+	if (retstr !=3D NULL) {
+		if ((mingid =3D (gid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) {
+			if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) {
+				PAM_LOG("Error in minimum_gid: %s",
+				    strerror(errno));
+				return (PAM_SERVICE_ERR);
+			}
+		} else if (mingid > GID_MAX) {
+			PAM_LOG("Error in minimum_gid: invalid GID");
+			return (PAM_SERVICE_ERR);
+		}
+	}
+
+	if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
+		return (PAM_IGNORE);
+
+	PAM_LOG("Checked uid and gid bounds");
+
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret =3D krb5_get_init_creds_password(pam_context, &creds, princ,
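Review bot: The range check in the new minimum_uid/minimum_gid parsing cannot catch overflow, because strtoul's unsigned long result is cast to uid_t/gid_t before `minuid > UID_MAX` is evaluated; where uid_t is narrower than unsigned long the value is truncated first and the comparison is never true, and ERANGE is only consulted inside the `== 0` branch, which an overflowing parse (returning ULONG_MAX) never enters. errno is also not cleared before the call, so a stale ERANGE/EINVAL from an earlier failed call turns a legitimate `minimum_uid=0` into PAM_SERVICE_ERR, and with a NULL end pointer trailing garbage such as `100x` is silently accepted. Parse into an unsigned long with errno reset and an end-pointer check, compare against UID_MAX/GID_MAX before narrowing, and reject a leading `-`, which strtoul negates rather than refuses. The identical block is repeated in the pam_sm_setcred hunk below (`@@ -391,6 +432,48 @@`), so a single static helper shared by both callers would keep the fix in one place. pam_sm_authenticate starts outside this hunk; the lines after the check hand `pam_context` and `princ` to krb5_get_init_creds_password, which suggests those were set up earlier, so a direct `return (PAM_SERVICE_ERR)` / `return (PAM_IGNORE)` may bypass their release — confirm against the function's cleanup labels.
```c
	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
	if (retstr != NULL) {
		char *end;
		unsigned long ulval;

		errno = 0;
		ulval = strtoul(retstr, &end, 10);
		if (end == retstr || *end != '\0' || errno != 0 ||
		    retstr[0] == '-' || ulval > UID_MAX) {
			PAM_LOG("Error in minimum_uid: invalid UID");
			return (PAM_SERVICE_ERR);
		}
		minuid = (uid_t)ulval;
	}
	/* … unchanged: same shape for PAM_OPT_MINIMUM_GID, checked against GID_MAX before the gid_t cast … */
```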
@@ -349,6 +387,9 @@
 	const void *user;
 	void *cache_data;
 	char *cache_name_buf =3D NULL, *p;
+	const char *retstr;
+	uid_t minuid =3D 0;
+	gid_t mingid =3D 0;
=20
 	uid_t euid;
 	gid_t egid;
@@ -391,6 +432,48 @@
=20
 	PAM_LOG("Got euid, egid: %d %d", euid, egid);
=20
+	/* Get the uid. This should exist. */
+	pwd =3D getpwnam(user);
+	if (pwd =3D=3D NULL) {
+		retval =3D PAM_USER_UNKNOWN;
+		goto cleanup3;
+	}
+
+	PAM_LOG("Done getpwnam()");
+
+	retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+	if (retstr !=3D NULL) {
+		if ((minuid =3D (uid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) {
+			if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) {
+				PAM_LOG("Error in minimum_uid: %s",
+				    strerror(errno));
+				return (PAM_SERVICE_ERR);
+			}
+		} else if (minuid > UID_MAX) {
+			PAM_LOG("Error in minimum_uid: invalid UID");
+			return (PAM_SERVICE_ERR);
+		}
+	}
+
+	retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+	if (retstr !=3D NULL) {
+		if ((mingid =3D (gid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) {
+			if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) {
+				PAM_LOG("Error in minimum_gid: %s",
+				    strerror(errno));
+				return (PAM_SERVICE_ERR);
+			}
+		} else if (mingid > GID_MAX) {
+			PAM_LOG("Error in minimum_gid: invalid GID");
+			return (PAM_SERVICE_ERR);
+		}
+	}
+
+	if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
+		return (PAM_IGNORE);
+
+	PAM_LOG("Checked uid and gid bounds");
+
 	/* Retrieve the temporary cache */
 	retval =3D pam_get_data(pamh, "ccache", &cache_data);
 	if (retval !=3D PAM_SUCCESS) {
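Review bot: The new error paths in this hunk use `return (PAM_SERVICE_ERR)` and `return (PAM_IGNORE)` while the getpwnam failure a few lines above and the pam_get_data failure just below both use `goto cleanup3`, so the direct returns skip whatever cleanup3 releases. Replace each with `retval = PAM_SERVICE_ERR; goto cleanup3;` (and `retval = PAM_IGNORE; goto cleanup3;` for the bounds check) to match the surrounding error-handling style. pam_sm_setcred starts and ends outside this hunk, so the exact contents of cleanup3 are not visible here.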
@@ -405,15 +488,6 @@
 		goto cleanup3;
 	}
=20
-	/* Get the uid. This should exist. */
-	pwd =3D getpwnam(user);
-	if (pwd =3D=3D NULL) {
-		retval =3D PAM_USER_UNKNOWN;
-		goto cleanup3;
-	}
-
-	PAM_LOG("Done getpwnam()");
-
 	/* Avoid following a symlink as root */
 	if (setegid(pwd->pw_gid)) {
 		retval =3D PAM_SERVICE_ERR;

--24zk1gE8NUlDmwG9--

--uXxzq0nDebZQVNAZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFFUoHzkmhdCGs4epoRApMEAKCo1bX8UqcweNhenc1t2jxA4ZFDrgCdGJob
IUGGkJvv+trpCeT0q8beSys=
=y5km
-----END PGP SIGNATURE-----

--uXxzq0nDebZQVNAZ--


