
From b01e1a5e2c27d6c642c72e79a326d37803827a78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 39/47] pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d33a8bed5aad9135426c9ebdf101cf600685ab81)
---
 src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
 src/sss_client/sss_cli.h |  9 ++++++
 2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
71e593
index 59081cc675e5f466de42872ea9ce539c6df7ff79..b336d1f6197b09c062dd4ece836e088e52fe7393 100644
71e593
--- a/src/sss_client/pam_sss.c
71e593
+++ b/src/sss_client/pam_sss.c
71e593
@@ -52,15 +52,6 @@
71e593
 #include <libintl.h>
71e593
 #define _(STRING) dgettext (PACKAGE, STRING)
71e593
 
71e593
-#define FLAGS_USE_FIRST_PASS (1 << 0)
71e593
-#define FLAGS_FORWARD_PASS   (1 << 1)
71e593
-#define FLAGS_USE_AUTHTOK    (1 << 2)
71e593
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
71e593
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
71e593
-#define FLAGS_USE_2FA (1 << 5)
71e593
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
71e593
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
71e593
-
71e593
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
71e593
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
71e593
 #define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
71e593
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
71e593
     pi->pam_service_size=strlen(pi->pam_service)+1;
71e593
 
71e593
     ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
71e593
-    if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
71e593
+    if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
71e593
         pi->pam_user = "";
71e593
         ret = PAM_SUCCESS;
71e593
     }
71e593
     if (ret != PAM_SUCCESS) return ret;
71e593
     if (pi->pam_user == NULL) {
71e593
-        if (flags & FLAGS_ALLOW_MISSING_NAME) {
71e593
+        if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
71e593
             pi->pam_user = "";
71e593
         } else {
71e593
             D(("No user found, aborting."));
71e593
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
71e593
 
71e593
     for (; argc-- > 0; ++argv) {
71e593
         if (strcmp(*argv, "forward_pass") == 0) {
71e593
-            *flags |= FLAGS_FORWARD_PASS;
71e593
+            *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
71e593
         } else if (strcmp(*argv, "use_first_pass") == 0) {
71e593
-            *flags |= FLAGS_USE_FIRST_PASS;
71e593
+            *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
71e593
         } else if (strcmp(*argv, "use_authtok") == 0) {
71e593
-            *flags |= FLAGS_USE_AUTHTOK;
71e593
+            *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
71e593
         } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
71e593
             if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
71e593
                 logger(pamh, LOG_ERR, "Missing argument to option domains.");
71e593
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
71e593
         } else if (strcmp(*argv, "quiet") == 0) {
71e593
             *quiet_mode = true;
71e593
         } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
71e593
-            *flags |= FLAGS_IGNORE_UNKNOWN_USER;
71e593
+            *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
71e593
         } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
71e593
-            *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
71e593
+            *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
71e593
         } else if (strcmp(*argv, "use_2fa") == 0) {
71e593
-            *flags |= FLAGS_USE_2FA;
71e593
+            *flags |= PAM_CLI_FLAGS_USE_2FA;
71e593
         } else if (strcmp(*argv, "allow_missing_name") == 0) {
71e593
-            *flags |= FLAGS_ALLOW_MISSING_NAME;
71e593
+            *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
71e593
         } else if (strcmp(*argv, "prompt_always") == 0) {
71e593
-            *flags |= FLAGS_PROMPT_ALWAYS;
71e593
+            *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
71e593
         } else {
71e593
             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
71e593
         }
71e593
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
71e593
 {
71e593
     int ret;
71e593
 
71e593
-    if ((flags & FLAGS_USE_FIRST_PASS)
71e593
+    if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
71e593
             || ( pi->pamstack_authtok != NULL
71e593
                     && *(pi->pamstack_authtok) != '\0'
71e593
-                    && !(flags & FLAGS_PROMPT_ALWAYS))) {
71e593
+                    && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
71e593
         pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
71e593
         pi->pam_authtok = strdup(pi->pamstack_authtok);
71e593
         if (pi->pam_authtok == NULL) {
71e593
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
71e593
         }
71e593
         pi->pam_authtok_size = strlen(pi->pam_authtok);
71e593
     } else {
71e593
-        if (flags & FLAGS_USE_2FA
71e593
+        if (flags & PAM_CLI_FLAGS_USE_2FA
71e593
                 || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
71e593
                         && pi->otp_challenge != NULL)) {
71e593
             if (pi->password_prompting) {
71e593
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
71e593
             return ret;
71e593
         }
71e593
 
71e593
-        if (flags & FLAGS_FORWARD_PASS) {
71e593
+        if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
71e593
             if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
71e593
                 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
71e593
             } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
71e593
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
71e593
     /* we query for the old password during PAM_PRELIM_CHECK to make
71e593
      * pam_sss work e.g. with pam_cracklib */
71e593
     if (pam_flags & PAM_PRELIM_CHECK) {
71e593
-        if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
71e593
-            if (flags & FLAGS_USE_2FA
71e593
+        if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
71e593
+            if (flags & PAM_CLI_FLAGS_USE_2FA
71e593
                     || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
71e593
                             && pi->otp_challenge != NULL)) {
71e593
                 if (pi->password_prompting) {
71e593
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
71e593
         }
71e593
     }
71e593
 
71e593
-    if (flags & FLAGS_USE_AUTHTOK) {
71e593
+    if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
71e593
         pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
71e593
         pi->pam_newauthtok =  strdup(pi->pamstack_authtok);
71e593
         if (pi->pam_newauthtok == NULL) {
71e593
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
71e593
             return ret;
71e593
         }
71e593
 
71e593
-        if (flags & FLAGS_FORWARD_PASS) {
71e593
+        if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
71e593
             ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
71e593
             if (ret != PAM_SUCCESS) {
71e593
                 D(("Failed to set PAM_AUTHTOK [%s], "
71e593
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593
     ret = get_pam_items(pamh, flags, &pi);
71e593
     if (ret != PAM_SUCCESS) {
71e593
         D(("get items returned error: %s", pam_strerror(pamh,ret)));
71e593
-        if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
71e593
+        if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
71e593
             ret = PAM_IGNORE;
71e593
         }
71e593
-        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
71e593
+        if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
71e593
                 && ret == PAM_AUTHINFO_UNAVAIL) {
71e593
             ret = PAM_IGNORE;
71e593
         }
71e593
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593
             case SSS_PAM_AUTHENTICATE:
71e593
                 /*
71e593
                  * Only do preauth if
71e593
-                 * - FLAGS_USE_FIRST_PASS is not set
71e593
-                 * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
71e593
+                 * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
71e593
+                 * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
71e593
                  * - preauth indicator file exists.
71e593
                  */
71e593
-                if ( !(flags & FLAGS_USE_FIRST_PASS)
71e593
+                if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
71e593
                         && (pi.pam_authtok == NULL
71e593
-                                || (flags & FLAGS_PROMPT_ALWAYS))
71e593
+                                || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
71e593
                         && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
71e593
                     pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
71e593
                                                   quiet_mode);
71e593
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593
                  * The means the preauth step has to be done here as well but
71e593
                  * only if
71e593
                  * - PAM_PRELIM_CHECK is set
71e593
-                 * - FLAGS_USE_FIRST_PASS is not set
71e593
-                 * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
71e593
+                 * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
71e593
+                 * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
71e593
                  * - preauth indicator file exists.
71e593
                  */
71e593
                 if ( (pam_flags & PAM_PRELIM_CHECK)
71e593
-                        && !(flags & FLAGS_USE_FIRST_PASS)
71e593
+                        && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
71e593
                         && (pi.pam_authtok == NULL
71e593
-                                || (flags & FLAGS_PROMPT_ALWAYS))
71e593
+                                || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
71e593
                         && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
71e593
                     pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
71e593
                                                   quiet_mode);
71e593
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593
 
71e593
         pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
71e593
 
71e593
-        if (flags & FLAGS_IGNORE_UNKNOWN_USER
71e593
+        if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
71e593
                 && pam_status == PAM_USER_UNKNOWN) {
71e593
             pam_status = PAM_IGNORE;
71e593
         }
71e593
-        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
71e593
+        if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
71e593
                 && pam_status == PAM_AUTHINFO_UNAVAIL) {
71e593
             pam_status = PAM_IGNORE;
71e593
         }
71e593
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593
             retry = true;
71e593
             retries--;
71e593
 
71e593
-            flags &= ~FLAGS_USE_FIRST_PASS;
71e593
+            flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
71e593
             ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
71e593
             if (ret != PAM_SUCCESS) {
71e593
                 D(("Failed to unset PAM_AUTHTOK [%s]",
71e593
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
71e593
index 24d28ed4b0acdd627067250970d91a0cb5cb05a0..3404715d811332e9013f3f88cb733c62147fb502 100644
71e593
--- a/src/sss_client/sss_cli.h
71e593
+++ b/src/sss_client/sss_cli.h
71e593
@@ -365,6 +365,15 @@ enum pam_item_type {
71e593
     SSS_PAM_ITEM_REQUESTED_DOMAINS,
71e593
 };
71e593
 
71e593
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
71e593
+#define PAM_CLI_FLAGS_FORWARD_PASS   (1 << 1)
71e593
+#define PAM_CLI_FLAGS_USE_AUTHTOK    (1 << 2)
71e593
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
71e593
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
71e593
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
71e593
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
71e593
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
71e593
+
71e593
 #define SSS_NSS_MAX_ENTRIES 256
71e593
 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
71e593
 struct sss_cli_req_data {
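Review bot: The eight PAM_CLI_FLAGS_* macros added to sss_cli.h carry no comment saying what they are, even though this header is shared beyond pam_sss.c and, per the commit message, the PAM responder is meant to consume them next; a reader of the header cannot tell that each bit mirrors one pam_sss module option parsed in eval_argv() (forward_pass, use_first_pass, use_authtok, ignore_unknown_user, ignore_authinfo_unavail, use_2fa, allow_missing_name, prompt_always) or that the set is carried in a uint32_t. I would put above the group: `/* pam_sss module options, one bit per option parsed by eval_argv() in pam_sss.c; stored in a uint32_t. When the responder reads these they come from an unprivileged client, so validate and ignore unknown bits. */`. The hunk shows no consumer outside pam_sss.c, so the responder-side handling is inferred from the commit message only and should be confirmed when that change lands.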
71e593
-- 
2.14.4