From b01e1a5e2c27d6c642c72e79a326d37803827a78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 39/47] pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d33a8bed5aad9135426c9ebdf101cf600685ab81)
---
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
src/sss_client/sss_cli.h | 9 ++++++
2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59081cc675e5f466de42872ea9ce539c6df7ff79..b336d1f6197b09c062dd4ece836e088e52fe7393 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,15 +52,6 @@
#include <libintl.h>
#define _(STRING) dgettext (PACKAGE, STRING)
-#define FLAGS_USE_FIRST_PASS (1 << 0)
-#define FLAGS_FORWARD_PASS (1 << 1)
-#define FLAGS_USE_AUTHTOK (1 << 2)
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
-#define FLAGS_USE_2FA (1 << 5)
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
-
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->pam_service_size=strlen(pi->pam_service)+1;
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
pi->pam_user = "";
ret = PAM_SUCCESS;
}
if (ret != PAM_SUCCESS) return ret;
if (pi->pam_user == NULL) {
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
pi->pam_user = "";
} else {
D(("No user found, aborting."));
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
for (; argc-- > 0; ++argv) {
if (strcmp(*argv, "forward_pass") == 0) {
- *flags |= FLAGS_FORWARD_PASS;
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
} else if (strcmp(*argv, "use_first_pass") == 0) {
- *flags |= FLAGS_USE_FIRST_PASS;
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
} else if (strcmp(*argv, "use_authtok") == 0) {
- *flags |= FLAGS_USE_AUTHTOK;
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
logger(pamh, LOG_ERR, "Missing argument to option domains.");
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
} else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else if (strcmp(*argv, "use_2fa") == 0) {
- *flags |= FLAGS_USE_2FA;
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
} else if (strcmp(*argv, "allow_missing_name") == 0) {
- *flags |= FLAGS_ALLOW_MISSING_NAME;
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
- *flags |= FLAGS_PROMPT_ALWAYS;
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
{
int ret;
- if ((flags & FLAGS_USE_FIRST_PASS)
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|| ( pi->pamstack_authtok != NULL
&& *(pi->pamstack_authtok) != '\0'
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_authtok = strdup(pi->pamstack_authtok);
if (pi->pam_authtok == NULL) {
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- if (flags & FLAGS_USE_2FA
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
- if (flags & FLAGS_USE_2FA
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
}
}
- if (flags & FLAGS_USE_AUTHTOK) {
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
if (pi->pam_newauthtok == NULL) {
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, flags, &pi);
if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret)));
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& ret == PAM_AUTHINFO_UNAVAIL) {
ret = PAM_IGNORE;
}
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
case SSS_PAM_AUTHENTICATE:
/*
* Only do preauth if
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
- if ( !(flags & FLAGS_USE_FIRST_PASS)
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
* The means the preauth step has to be done here as well but
* only if
* - PAM_PRELIM_CHECK is set
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
if ( (pam_flags & PAM_PRELIM_CHECK)
- && !(flags & FLAGS_USE_FIRST_PASS)
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
&& pam_status == PAM_USER_UNKNOWN) {
pam_status = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
pam_status = PAM_IGNORE;
}
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
retry = true;
retries--;
- flags &= ~FLAGS_USE_FIRST_PASS;
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 24d28ed4b0acdd627067250970d91a0cb5cb05a0..3404715d811332e9013f3f88cb733c62147fb502 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -365,6 +365,15 @@ enum pam_item_type {
SSS_PAM_ITEM_REQUESTED_DOMAINS,
};
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
--
2.14.4