diff options
| author | Denis Vlasenko <vda.linux@googlemail.com> | 2007-11-07 00:23:47 +0000 |
|---|---|---|
| committer | Denis Vlasenko <vda.linux@googlemail.com> | 2007-11-07 00:23:47 +0000 |
| commit | a29a5e40aeb7af722f5245d5a106a86da5ae0d27 (patch) | |
| tree | 417e0851cd7751bba833280c6a1b38a9de4ecc6f | |
| parent | cb12cb240714f2599addd4ec61ef336ab87482cd (diff) | |
| download | busybox-w32-a29a5e40aeb7af722f5245d5a106a86da5ae0d27.tar.gz busybox-w32-a29a5e40aeb7af722f5245d5a106a86da5ae0d27.tar.bz2 busybox-w32-a29a5e40aeb7af722f5245d5a106a86da5ae0d27.zip | |
login: fix PAM login (was unable to complete Kerberos login)
| -rw-r--r-- | loginutils/login.c | 65 |
1 files changed, 42 insertions, 23 deletions
diff --git a/loginutils/login.c b/loginutils/login.c index c05edde36..ef27c3b4a 100644 --- a/loginutils/login.c +++ b/loginutils/login.c | |||
| @@ -243,9 +243,14 @@ int login_main(int argc, char **argv) | |||
| 243 | char full_tty[TTYNAME_SIZE]; | 243 | char full_tty[TTYNAME_SIZE]; |
| 244 | USE_SELINUX(security_context_t user_sid = NULL;) | 244 | USE_SELINUX(security_context_t user_sid = NULL;) |
| 245 | USE_FEATURE_UTMP(struct utmp utent;) | 245 | USE_FEATURE_UTMP(struct utmp utent;) |
| 246 | USE_PAM(pam_handle_t *pamh;) | 246 | #if ENABLE_PAM |
| 247 | USE_PAM(int pamret;) | 247 | int pamret; |
| 248 | USE_PAM(const char *failed_msg;) | 248 | pam_handle_t *pamh; |
| 249 | const char *pamuser; | ||
| 250 | const char *failed_msg; | ||
| 251 | struct passwd pwdstruct; | ||
| 252 | char pwdbuf[256]; | ||
| 253 | #endif | ||
| 249 | 254 | ||
| 250 | short_tty = full_tty; | 255 | short_tty = full_tty; |
| 251 | username[0] = '\0'; | 256 | username[0] = '\0'; |
| @@ -306,18 +311,18 @@ int login_main(int argc, char **argv) | |||
| 306 | #if ENABLE_PAM | 311 | #if ENABLE_PAM |
| 307 | pamret = pam_start("login", username, &conv, &pamh); | 312 | pamret = pam_start("login", username, &conv, &pamh); |
| 308 | if (pamret != PAM_SUCCESS) { | 313 | if (pamret != PAM_SUCCESS) { |
| 309 | failed_msg = "pam_start"; | 314 | failed_msg = "start"; |
| 310 | goto pam_auth_failed; | 315 | goto pam_auth_failed; |
| 311 | } | 316 | } |
| 312 | /* set TTY (so things like securetty work) */ | 317 | /* set TTY (so things like securetty work) */ |
| 313 | pamret = pam_set_item(pamh, PAM_TTY, short_tty); | 318 | pamret = pam_set_item(pamh, PAM_TTY, short_tty); |
| 314 | if (pamret != PAM_SUCCESS) { | 319 | if (pamret != PAM_SUCCESS) { |
| 315 | failed_msg = "pam_set_item(TTY)"; | 320 | failed_msg = "set_item(TTY)"; |
| 316 | goto pam_auth_failed; | 321 | goto pam_auth_failed; |
| 317 | } | 322 | } |
| 318 | pamret = pam_authenticate(pamh, 0); | 323 | pamret = pam_authenticate(pamh, 0); |
| 319 | if (pamret != PAM_SUCCESS) { | 324 | if (pamret != PAM_SUCCESS) { |
| 320 | failed_msg = "pam_authenticate"; | 325 | failed_msg = "authenticate"; |
| 321 | goto pam_auth_failed; | 326 | goto pam_auth_failed; |
| 322 | /* TODO: or just "goto auth_failed" | 327 | /* TODO: or just "goto auth_failed" |
| 323 | * since user seems to enter wrong password | 328 | * since user seems to enter wrong password |
| @@ -327,28 +332,42 @@ int login_main(int argc, char **argv) | |||
| 327 | /* check that the account is healthy */ | 332 | /* check that the account is healthy */ |
| 328 | pamret = pam_acct_mgmt(pamh, 0); | 333 | pamret = pam_acct_mgmt(pamh, 0); |
| 329 | if (pamret != PAM_SUCCESS) { | 334 | if (pamret != PAM_SUCCESS) { |
| 330 | failed_msg = "account setup"; | 335 | failed_msg = "acct_mgmt"; |
| 331 | goto pam_auth_failed; | 336 | goto pam_auth_failed; |
| 332 | } | 337 | } |
| 333 | /* read user back */ | 338 | /* read user back */ |
| 334 | { | 339 | pamuser = NULL; |
| 335 | const char *pamuser; | 340 | /* gcc: "dereferencing type-punned pointer breaks aliasing rules..." |
| 336 | /* gcc: "dereferencing type-punned pointer breaks aliasing rules..." | 341 | * thus we cast to (void*) */ |
| 337 | * thus we cast to (void*) */ | 342 | if (pam_get_item(pamh, PAM_USER, (void*)&pamuser) != PAM_SUCCESS) { |
| 338 | if (pam_get_item(pamh, PAM_USER, (void*)&pamuser) != PAM_SUCCESS) { | 343 | failed_msg = "get_item(USER)"; |
| 339 | failed_msg = "pam_get_item(USER)"; | 344 | goto pam_auth_failed; |
| 340 | goto pam_auth_failed; | ||
| 341 | } | ||
| 342 | safe_strncpy(username, pamuser, sizeof(username)); | ||
| 343 | } | 345 | } |
| 344 | /* If we get here, the user was authenticated, and is | 346 | if (!pamuser || !pamuser[0]) |
| 345 | * granted access. */ | 347 | goto auth_failed; |
| 346 | pw = getpwnam(username); | 348 | safe_strncpy(username, pamuser, sizeof(username)); |
| 347 | if (pw) | 349 | /* Don't use "pw = getpwnam(username);", |
| 348 | break; | 350 | * PAM is said to be capable of destroying static storage |
| 349 | goto auth_failed; | 351 | * used by getpwnam(). We are using safe(r) function */ |
| 352 | pw = NULL; | ||
| 353 | getpwnam_r(username, &pwdstruct, pwdbuf, sizeof(pwdbuf), &pw); | ||
| 354 | if (!pw) | ||
| 355 | goto auth_failed; | ||
| 356 | pamret = pam_open_session(pamh, 0); | ||
| 357 | if (pamret != PAM_SUCCESS) { | ||
| 358 | failed_msg = "open_session"; | ||
| 359 | goto pam_auth_failed; | ||
| 360 | } | ||
| 361 | pamret = pam_setcred(pamh, PAM_ESTABLISH_CRED); | ||
| 362 | if (pamret != PAM_SUCCESS) { | ||
| 363 | failed_msg = "setcred"; | ||
| 364 | goto pam_auth_failed; | ||
| 365 | } | ||
| 366 | break; /* success, continue login process */ | ||
| 367 | |||
| 350 | pam_auth_failed: | 368 | pam_auth_failed: |
| 351 | bb_error_msg("%s failed: %s (%d)", failed_msg, pam_strerror(pamh, pamret), pamret); | 369 | bb_error_msg("pam_%s call failed: %s (%d)", failed_msg, |
| 370 | pam_strerror(pamh, pamret), pamret); | ||
| 352 | safe_strncpy(username, "UNKNOWN", sizeof(username)); | 371 | safe_strncpy(username, "UNKNOWN", sizeof(username)); |
| 353 | #else /* not PAM */ | 372 | #else /* not PAM */ |
| 354 | pw = getpwnam(username); | 373 | pw = getpwnam(username); |