dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From b01e1a5e2c27d6c642c72e79a326d37803827a78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 39/47] pam_sss: make flags public

To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.

Related to https://pagure.io/SSSD/sssd/issue/3650

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d33a8bed5aad9135426c9ebdf101cf600685ab81)
---
 src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
 src/sss_client/sss_cli.h |  9 ++++++
 2 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59081cc675e5f466de42872ea9ce539c6df7ff79..b336d1f6197b09c062dd4ece836e088e52fe7393 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,15 +52,6 @@
 #include <libintl.h>
 #define _(STRING) dgettext (PACKAGE, STRING)
 
-#define FLAGS_USE_FIRST_PASS (1 << 0)
-#define FLAGS_FORWARD_PASS   (1 << 1)
-#define FLAGS_USE_AUTHTOK    (1 << 2)
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
-#define FLAGS_USE_2FA (1 << 5)
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
-
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
 #define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
     pi->pam_service_size=strlen(pi->pam_service)+1;
 
     ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
-    if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
+    if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
         pi->pam_user = "";
         ret = PAM_SUCCESS;
     }
     if (ret != PAM_SUCCESS) return ret;
     if (pi->pam_user == NULL) {
-        if (flags & FLAGS_ALLOW_MISSING_NAME) {
+        if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
             pi->pam_user = "";
         } else {
             D(("No user found, aborting."));
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 
     for (; argc-- > 0; ++argv) {
         if (strcmp(*argv, "forward_pass") == 0) {
-            *flags |= FLAGS_FORWARD_PASS;
+            *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
         } else if (strcmp(*argv, "use_first_pass") == 0) {
-            *flags |= FLAGS_USE_FIRST_PASS;
+            *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
         } else if (strcmp(*argv, "use_authtok") == 0) {
-            *flags |= FLAGS_USE_AUTHTOK;
+            *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
         } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
             if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
                 logger(pamh, LOG_ERR, "Missing argument to option domains.");
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
         } else if (strcmp(*argv, "quiet") == 0) {
             *quiet_mode = true;
         } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
-            *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+            *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
         } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
-            *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+            *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
         } else if (strcmp(*argv, "use_2fa") == 0) {
-            *flags |= FLAGS_USE_2FA;
+            *flags |= PAM_CLI_FLAGS_USE_2FA;
         } else if (strcmp(*argv, "allow_missing_name") == 0) {
-            *flags |= FLAGS_ALLOW_MISSING_NAME;
+            *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
         } else if (strcmp(*argv, "prompt_always") == 0) {
-            *flags |= FLAGS_PROMPT_ALWAYS;
+            *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
         } else {
             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
         }
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
 {
     int ret;
 
-    if ((flags & FLAGS_USE_FIRST_PASS)
+    if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
             || ( pi->pamstack_authtok != NULL
                     && *(pi->pamstack_authtok) != '\0'
-                    && !(flags & FLAGS_PROMPT_ALWAYS))) {
+                    && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
         pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
         pi->pam_authtok = strdup(pi->pamstack_authtok);
         if (pi->pam_authtok == NULL) {
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         }
         pi->pam_authtok_size = strlen(pi->pam_authtok);
     } else {
-        if (flags & FLAGS_USE_2FA
+        if (flags & PAM_CLI_FLAGS_USE_2FA
                 || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
                         && pi->otp_challenge != NULL)) {
             if (pi->password_prompting) {
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
             return ret;
         }
 
-        if (flags & FLAGS_FORWARD_PASS) {
+        if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
             if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
                 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
             } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
     /* we query for the old password during PAM_PRELIM_CHECK to make
      * pam_sss work e.g. with pam_cracklib */
     if (pam_flags & PAM_PRELIM_CHECK) {
-        if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
-            if (flags & FLAGS_USE_2FA
+        if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
+            if (flags & PAM_CLI_FLAGS_USE_2FA
                     || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
                             && pi->otp_challenge != NULL)) {
                 if (pi->password_prompting) {
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
         }
     }
 
-    if (flags & FLAGS_USE_AUTHTOK) {
+    if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
         pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
         pi->pam_newauthtok =  strdup(pi->pamstack_authtok);
         if (pi->pam_newauthtok == NULL) {
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
             return ret;
         }
 
-        if (flags & FLAGS_FORWARD_PASS) {
+        if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
             ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
             if (ret != PAM_SUCCESS) {
                 D(("Failed to set PAM_AUTHTOK [%s], "
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
     ret = get_pam_items(pamh, flags, &pi);
     if (ret != PAM_SUCCESS) {
         D(("get items returned error: %s", pam_strerror(pamh,ret)));
-        if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+        if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
             ret = PAM_IGNORE;
         }
-        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+        if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
                 && ret == PAM_AUTHINFO_UNAVAIL) {
             ret = PAM_IGNORE;
         }
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
             case SSS_PAM_AUTHENTICATE:
                 /*
                  * Only do preauth if
-                 * - FLAGS_USE_FIRST_PASS is not set
-                 * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+                 * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+                 * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
                  * - preauth indicator file exists.
                  */
-                if ( !(flags & FLAGS_USE_FIRST_PASS)
+                if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
                         && (pi.pam_authtok == NULL
-                                || (flags & FLAGS_PROMPT_ALWAYS))
+                                || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
                         && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
                     pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
                                                   quiet_mode);
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                  * The means the preauth step has to be done here as well but
                  * only if
                  * - PAM_PRELIM_CHECK is set
-                 * - FLAGS_USE_FIRST_PASS is not set
-                 * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+                 * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+                 * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
                  * - preauth indicator file exists.
                  */
                 if ( (pam_flags & PAM_PRELIM_CHECK)
-                        && !(flags & FLAGS_USE_FIRST_PASS)
+                        && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
                         && (pi.pam_authtok == NULL
-                                || (flags & FLAGS_PROMPT_ALWAYS))
+                                || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
                         && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
                     pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
                                                   quiet_mode);
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 
         pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
 
-        if (flags & FLAGS_IGNORE_UNKNOWN_USER
+        if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
                 && pam_status == PAM_USER_UNKNOWN) {
             pam_status = PAM_IGNORE;
         }
-        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+        if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
                 && pam_status == PAM_AUTHINFO_UNAVAIL) {
             pam_status = PAM_IGNORE;
         }
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
             retry = true;
             retries--;
 
-            flags &= ~FLAGS_USE_FIRST_PASS;
+            flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
             ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
             if (ret != PAM_SUCCESS) {
                 D(("Failed to unset PAM_AUTHTOK [%s]",
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 24d28ed4b0acdd627067250970d91a0cb5cb05a0..3404715d811332e9013f3f88cb733c62147fb502 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -365,6 +365,15 @@ enum pam_item_type {
     SSS_PAM_ITEM_REQUESTED_DOMAINS,
 };
 
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
+#define PAM_CLI_FLAGS_FORWARD_PASS   (1 << 1)
+#define PAM_CLI_FLAGS_USE_AUTHTOK    (1 << 2)
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+
 #define SSS_NSS_MAX_ENTRIES 256
 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
 struct sss_cli_req_data {
-- 
2.14.4