1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Thu, 13 May 2010 12:36:26 +0200
Subject: [PATCH 2/3] add minimum_uid option
Closes: #580037
This patch was taken from Debian's libpam-ccreds v10-6 source:
0002-add-minimum_uid-option.patch
Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
---
cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/cc_pam.c b/cc_pam.c
index d096117..56776aa 100644
--- a/cc_pam.c
+++ b/cc_pam.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <limits.h>
#include <syslog.h>
+#include <pwd.h>
#include "cc_private.h"
@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
int flags, int argc, const char **argv);
#endif
+
+/*
+ * Given the PAM arguments and the user we're authenticating, see if we should
+ * ignore that user because they're root or have a low-numbered UID and we
+ * were configured to ignore such users. Returns true if we should ignore
+ * them, false otherwise.
+ */
+static int
+_pamcc_should_ignore(const char *username, int minimum_uid)
+{
+ struct passwd *pwd;
+
+ if (minimum_uid > 0) {
+ pwd = getpwnam(username);
+ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
+ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
+ (unsigned long) pwd->pw_uid, minimum_uid);
+ return 1;
+ }
+ }
+ return 0;
+}
+
+
static int _pam_sm_interact(pam_handle_t *pamh,
int flags,
const char **authtok)
@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
unsigned int sm_flags = 0, sm_action = 0;
const char *ccredsfile = NULL;
const char *action = NULL;
+ const char *name = NULL;
int (*selector)(pam_handle_t *, int, unsigned int, const char *);
+ int minimum_uid = 0;
for (i = 0; i < argc; i++) {
if (strcmp(argv[i], "use_first_pass") == 0)
@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
else if (strcmp(argv[i], "service_specific") == 0)
sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
+ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
+ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
}
+ rc = pam_get_user(pamh, &name, NULL);
+ if (rc != PAM_SUCCESS || name == NULL) {
+ if (rc == PAM_CONV_AGAIN)
+ return PAM_INCOMPLETE;
+ else
+ return PAM_SERVICE_ERR;
+ }
+ if (_pamcc_should_ignore(name, minimum_uid))
+ return PAM_USER_UNKNOWN;
+
switch (sm_action) {
case SM_ACTION_VALIDATE_CCREDS:
selector = _pam_sm_validate_cached_credentials;
--
2.11.0
|