diff options
author | Mattias Andrée <maandree@operamail.com> | 2013-11-20 21:02:25 +0100 |
---|---|---|
committer | Mattias Andrée <maandree@operamail.com> | 2013-11-20 21:02:25 +0100 |
commit | 61733cebeb3a752d5fae2b87b605ce82d15ba88f (patch) | |
tree | e6a49822700130f0d17a56c7868ac3f20b7bcc9b | |
parent | only root may use -f (diff) | |
download | libpassphrase-61733cebeb3a752d5fae2b87b605ce82d15ba88f.tar.gz libpassphrase-61733cebeb3a752d5fae2b87b605ce82d15ba88f.tar.bz2 libpassphrase-61733cebeb3a752d5fae2b87b605ce82d15ba88f.tar.xz |
some work on pam usage
Signed-off-by: Mattias Andrée <maandree@operamail.com>
-rw-r--r-- | src/cerberus.c | 19 | ||||
-rw-r--r-- | src/pam.c | 49 | ||||
-rw-r--r-- | src/pam.h | 15 |
3 files changed, 76 insertions, 7 deletions
diff --git a/src/cerberus.c b/src/cerberus.c index 90bab2f..06b83df 100644 --- a/src/cerberus.c +++ b/src/cerberus.c @@ -40,20 +40,22 @@ void do_login(int argc, char** argv); */ int main(int argc, char** argv) { - int _status; - do_login(argc, argv); /* Ignore signals */ signal(SIGQUIT, SIG_IGN); signal(SIGINT, SIG_IGN); - /* Wait for the login shell to exit */ - waitpid(child_pid, &_status, 0); + /* Wait for the login shell and all grandchildren to exit */ + while ((wait(NULL) == -1) && (errno == EINTR)) + ; /* Reset terminal ownership and mode */ chown_tty(0, tty_group, 0); + /* Close login session */ + close_session_pam(); + return 0; } @@ -213,7 +215,7 @@ void do_login(int argc, char** argv) /* TODO verify passphrase */ /* Wipe and free the passphrase from the memory */ - if (skip_auth == 0) + if ((skip_auth == 0) && passphrase) { long i; for (i = 0; *(passphrase + i); i++) @@ -226,12 +228,16 @@ void do_login(int argc, char** argv) reenable_echo(); + /* Verify account, such as that it is enabled */ + verify_account_pam(); + + /* Partial login */ - /* TODO verify that user is enabled */ chown_tty(entry->pw_uid, tty_group, 0); chdir_home(entry); ensure_shell(entry); set_environ(entry, preserve_env); + open_session_pam(); /* Stop signal handling */ @@ -247,6 +253,7 @@ void do_login(int argc, char** argv) if (child_pid == -1) { perror("fork"); + close_session_pam(); sleep(ERROR_SLEEP); _exit(1); } @@ -26,6 +26,9 @@ #include "pam.h" +#define __failed(RC) ((RC) != PAM_SUCCESS) + + /** * The PAM handle */ @@ -44,7 +47,7 @@ static struct pam_conv conv = { misc_conv, NULL }; */ static void do_pam(int rc) { - if (rc != PAM_SUCCESS) + if (__failed(rc)) { const char* msg = pam_strerror(handle, rc); if (msg) @@ -75,3 +78,47 @@ void initialise_pam(char* remote, char* username) do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); } + +/** + * Verify that the account may be used + */ +void verify_account_pam(void) +{ + int rc = pam_acct_mgmt(handle, 0); + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); + do_pam(rc); +} + + +/** + * Open PAM session + */ +void open_session_pam(void) +{ + int rc; + do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); + + if (__failed(rc = pam_open_session(handle, 0))) + { + pam_setcred(handle, PAM_DELETE_CRED); + do_pam(rc); + } + + if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) + { + pam_close_session(handle, 0); + do_pam(rc); + } +} + + +/** + * Close PAM session + */ +void close_session_pam(void) +{ + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); +} + @@ -28,6 +28,21 @@ */ void initialise_pam(char* remote, char* username); +/** + * Verify that the account may be used + */ +void verify_account_pam(void); + +/** + * Open PAM session + */ +void open_session_pam(void); + +/** + * Close PAM session + */ +void close_session_pam(void); + #endif |