pam authentication

us now attempts to verify the authentication using PAM, after three failed
attempts it stops execution
noproxy
Alessandro Mauri 4 years ago
parent e891693f6f
commit 8fef02de37
  1. 1
      makefile
  2. 81
      us.c

@ -1,5 +1,6 @@
CC ?= gcc CC ?= gcc
CFLAGS = -Wall -pedantic --std=c99 -O2 CFLAGS = -Wall -pedantic --std=c99 -O2
LDFLAGS = -lpam -lpam_misc
PREFIX = /usr/local PREFIX = /usr/local
MANPREFIX = ${PREFIX}/share/man MANPREFIX = ${PREFIX}/share/man

81
us.c

@ -6,9 +6,15 @@
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
#include <sys/types.h> #include <sys/types.h>
#include <pwd.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>
static void usage (void); static void usage (void);
static int perm_set (uid_t); static int perm_set (uid_t, gid_t);
// FIXME: misc_conv is a separate library, should stick to plain PAM
static struct pam_conv conv = {misc_conv, NULL};
int main (int argc, char *argv[]) int main (int argc, char *argv[])
{ {
@ -18,6 +24,42 @@ int main (int argc, char *argv[])
} }
uid_t ruid = getuid(); uid_t ruid = getuid();
gid_t rgid = getgid();
struct passwd *pw = getpwuid(ruid);
if (!pw) {
fprintf(stderr, "getpwid: %s\n", strerror(errno));
exit(errno);
}
const char *uname = pw->pw_name;
pam_handle_t *pamh;
int pam_err, count = 0;
// TODO: Add arguments
// TODO: add PAM authentication
pam_err = pam_start("User Switcher", uname, &conv, &pamh);
if (pam_err != PAM_SUCCESS) {
fprintf(stderr, "pam_start: %s\n", pam_strerror(pamh, pam_err));
exit(pam_err);
}
do {
pam_err = pam_authenticate(pamh, 0);
if (pam_err != PAM_SUCCESS)
printf("Auth failed: %s\n", pam_strerror(pamh, pam_err));
count++;
} while (pam_err != PAM_SUCCESS && count < 4);
if (pam_err != PAM_SUCCESS) {
fprintf(stderr, "better luck next time\n");
pam_end(pamh, pam_err);
exit(pam_err);
}
// FIXME: check again for the validity of the login for more security
// as in: https://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/pam-20/index.html
pam_end(pamh, pam_err);
// TODO: clean up env
// Copy argv and argc // Copy argv and argc
int c_argc = argc - 1; int c_argc = argc - 1;
@ -30,20 +72,31 @@ int main (int argc, char *argv[])
c_argv[i] = strdup(argv[i+1]); c_argv[i] = strdup(argv[i+1]);
c_argc[c_argv] = NULL; c_argc[c_argv] = NULL;
if (perm_set(0) == -1) { // 0 = root errno = 0;
/* Set permissions */
if (perm_set(0, 0) == -1) { // 0 = root
fprintf(stderr, "perm_set: %s\n", strerror(errno)); fprintf(stderr, "perm_set: %s\n", strerror(errno));
goto fail_end; goto fail_end;
} }
/* Execute the command */
if (execvp(*c_argv, c_argv) == -1) // execvp searches in path if (execvp(*c_argv, c_argv) == -1) // execvp searches in path
fprintf(stderr, "execv: %s\n", strerror(errno)); fprintf(stderr, "execv: %s\n", strerror(errno));
// if exec fails reset the permissions
if (perm_set(ruid) == -1) { // 0 = root /* If exec fails reset the permissions */
if (perm_set(ruid, rgid) == -1) { // 0 = root
fprintf(stderr, "perm_set: %s\n", strerror(errno)); fprintf(stderr, "perm_set: %s\n", strerror(errno));
goto fail_end; goto fail_end;
} }
/* Cleanup and return */
fail_end: fail_end:
return 0;
/* Free up the copied argv */
for (int i = 0; i < c_argc; i++)
free(c_argv[i]);
free(c_argv);
return errno;
} }
static inline void usage (void) static inline void usage (void)
@ -51,7 +104,21 @@ static inline void usage (void)
printf("usage: us [command]\n"); printf("usage: us [command]\n");
} }
static inline int perm_set (uid_t id) static int perm_set (uid_t uid, gid_t gid)
{ {
return seteuid(id); // FIXME: This doesn't change the uid and gid, it only changes the
// e(ffective)uid and egid keeping the original gid, uid and groups list
// to make it work like sudo, the uid gid and groups list must be all
// set to 0 (or the corresponding value for other users).
// An option could be to add an argument to keep the groups list,
// another to change only the euid/egid.
// For more information run:
// $ sudo id
// and check the output
int err = 0;
if ((err = seteuid(uid)) == -1)
return err;
else if ((err = setegid(gid)) == -1)
return err;
return err;
} }

Loading…
Cancel
Save