VirtualBox

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.c@ 35263

Last change on this file since 35263 was 29060, checked in by vboxsync, 14 years ago

pam: nits
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 9.8 KB
Line 
1/* $Id: pam_vbox.c 29060 2010-05-05 09:14:49Z vboxsync $ */
2/** @file
3 * pam_vbox - PAM module for auto logons.
4 */
5
6/*
7 * Copyright (C) 2008-2010 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18/*******************************************************************************
19* Header Files *
20*******************************************************************************/
21#define PAM_SM_AUTH
22#define PAM_SM_ACCOUNT
23#define PAM_SM_PASSWORD
24#define PAM_SM_SESSION
25
26#ifdef _DEBUG
27# define PAM_DEBUG
28#endif
29
30#ifdef RT_OS_SOLARIS
31# include <security/pam_appl.h>
32#endif
33#include <security/pam_modules.h>
34#include <security/pam_appl.h>
35#ifdef RT_OS_LINUX
36# include <security/_pam_macros.h>
37#endif
38
39#include <pwd.h>
40#include <syslog.h>
41
42#include <iprt/env.h>
43#include <iprt/stream.h>
44#include <iprt/initterm.h>
45#include <iprt/string.h>
46#include <iprt/assert.h>
47#include <VBox/log.h>
48
49#include <VBox/VBoxGuestLib.h>
50
51#define VBOX_MODULE_NAME "pam_vbox"
52
53/** For debugging. */
54#ifdef _DEBUG
55static pam_handle_t *g_pam_handle;
56static int g_verbosity = 99;
57#else
58static int g_verbosity = 0;
59#endif
60
61/**
62 * Write to system log.
63 *
64 * @param pszBuf Buffer to write to the log (NULL-terminated)
65 */
66static void pam_vbox_writesyslog(char *pszBuf)
67{
68#ifdef RT_OS_LINUX
69 openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
70 syslog(LOG_ERR, pszBuf);
71 closelog();
72#elif defined(RT_OS_SOLARIS)
73 syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
74#endif
75}
76
77
78/**
79 * Displays an error message.
80 *
81 * @param pszFormat The message text.
82 * @param ... Format arguments.
83 */
84static void pam_vbox_error(pam_handle_t *h, const char *pszFormat, ...)
85{
86 va_list va;
87 char *buf;
88 va_start(va, pszFormat);
89 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
90 {
91 LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
92 pam_vbox_writesyslog(buf);
93 RTStrFree(buf);
94 }
95 va_end(va);
96}
97
98
99/**
100 * Displays a debug message.
101 *
102 * @param pszFormat The message text.
103 * @param ... Format arguments.
104 */
105static void pam_vbox_log(pam_handle_t *h, const char *pszFormat, ...)
106{
107 if (g_verbosity)
108 {
109 va_list va;
110 char *buf;
111 va_start(va, pszFormat);
112 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
113 {
114 /* Only do normal logging in debug mode; could contain
115 * sensitive data! */
116 LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
117 /* Log to syslog */
118 pam_vbox_writesyslog(buf);
119 RTStrFree(buf);
120 }
121 va_end(va);
122 }
123}
124
125
126static int pam_vbox_do_check(pam_handle_t *h)
127{
128 int rc;
129 int pamrc;
130
131#ifdef _DEBUG
132 g_pam_handle = h; /* hack for getting assertion text */
133#endif
134
135 /* Don't make assertions panic because the PAM stack +
136 * the current logon module won't work anymore (or just restart).
137 * This could result in not able to log into the system anymore. */
138 RTAssertSetMayPanic(false);
139
140 rc = RTR3Init();
141 if (RT_FAILURE(rc))
142 {
143 pam_vbox_error(h, "pam_vbox_do_check: could not init runtime! rc=%Rrc. Aborting.\n", rc);
144 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
145 }
146
147 pam_vbox_log(h, "pam_vbox_do_check: runtime initialized.\n");
148 if (RT_SUCCESS(rc))
149 {
150 rc = VbglR3InitUser();
151 if (RT_FAILURE(rc))
152 {
153 switch(rc)
154 {
155 case VERR_ACCESS_DENIED:
156 pam_vbox_error(h, "pam_vbox_do_check: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting.\n");
157 break;
158
159 case VERR_FILE_NOT_FOUND:
160 pam_vbox_error(h, "pam_vbox_do_check: guest driver not found! Guest Additions installed? Aborting.\n");
161 break;
162
163 default:
164 pam_vbox_error(h, "pam_vbox_do_check: could not init VbglR3 library! rc=%Rrc. Aborting.\n", rc);
165 break;
166 }
167 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
168 }
169 pam_vbox_log(h, "pam_vbox_do_check: guest lib initialized.\n");
170 }
171
172 pamrc = PAM_OPEN_ERR; /* The PAM return code; intentionally not used as an exit value below. */
173 if (RT_SUCCESS(rc))
174 {
175 char *rhost = NULL;
176 char *tty = NULL;
177 char *prompt = NULL;
178#ifdef RT_OS_SOLARIS
179 pam_get_item(h, PAM_RHOST, (void**) &rhost);
180 pam_get_item(h, PAM_TTY, (void**) &tty);
181 pam_get_item(h, PAM_USER_PROMPT, (void**) &prompt);
182#else
183 pam_get_item(h, PAM_RHOST, (const void**) &rhost);
184 pam_get_item(h, PAM_TTY, (const void**) &tty);
185 pam_get_item(h, PAM_USER_PROMPT, (const void**) &prompt);
186#endif
187 pam_vbox_log(h, "pam_vbox_do_check: rhost=%s, tty=%s, prompt=%s\n",
188 rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
189
190 rc = VbglR3CredentialsQueryAvailability();
191 if (RT_FAILURE(rc))
192 {
193 if (rc == VERR_NOT_FOUND)
194 pam_vbox_log(h, "pam_vbox_do_check: no credentials available.\n");
195 else
196 pam_vbox_error(h, "pam_vbox_do_check: could not query for credentials! rc=%Rrc. Aborting.\n", rc);
197 pamrc = PAM_SUCCESS;
198 }
199 else
200 {
201 char *pszUsername;
202 char *pszPassword;
203 char *pszDomain;
204
205 rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
206 if (RT_FAILURE(rc))
207 {
208 pam_vbox_error(h, "pam_vbox_do_check: could not retrieve credentials! rc=%Rrc. Aborting.\n", rc);
209 }
210 else
211 {
212 pam_vbox_log(h, "pam_vbox_do_check: credentials retrieved: user=%s, password=%s, domain=%s\n",
213 pszUsername, pszPassword, pszDomain);
214 /* Fill credentials into PAM. */
215 pamrc = pam_set_item(h, PAM_USER, pszUsername);
216 if (pamrc != PAM_SUCCESS)
217 {
218 pam_vbox_error(h, "pam_vbox_do_check: could not set user name! pamrc=%d. Aborting.\n", pamrc);
219 }
220 else
221 {
222 pamrc = pam_set_item(h, PAM_AUTHTOK, pszPassword);
223 if (pamrc != PAM_SUCCESS)
224 pam_vbox_error(h, "pam_vbox_do_check: could not set password! pamrc=%d. Aborting.\n", pamrc);
225 }
226 /** @todo Add handling domains as well. */
227
228 VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
229 3 /* Three wipe passes */);
230 }
231 }
232 VbglR3Term();
233 } /* VbglR3 init okay */
234
235#if 0 /** @todo implement RTR3Term, or create some hack to force anything containing RTR3Init to stay loaded. */
236 RTR3Term();
237#endif
238
239 pam_vbox_log(h, "pam_vbox_do_check: returned with pamrc=%d, msg=%s\n",
240 pamrc, pam_strerror(h, pamrc));
241
242 /* Never report an error here because if no credentials from the host are available or something
243 * went wrong we then let do the authentication by the next module in the stack. */
244
245 /* We report success here because this is all we can do right now -- we passed the credentials
246 * to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
247 * password verification to "really" authenticate the user. */
248 return PAM_SUCCESS;
249}
250
251
252/**
253 * Performs authentication within the PAM framework.
254 *
255 * @todo
256 */
257DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *h, int flags,
258 int argc, const char **argv)
259{
260 /* Parse arguments. */
261 int i;
262 for (i = 0; i < argc; i++)
263 {
264 if (!RTStrICmp(argv[i], "debug"))
265 g_verbosity = 1;
266 else
267 pam_vbox_error(h, "pam_sm_authenticate: unknown command line argument \"%s\"\n", argv[i]);
268 }
269 pam_vbox_log(h, "pam_vbox_authenticate called.\n");
270
271 /* Do the actual check. */
272 return pam_vbox_do_check(h);
273}
274
275
276/**
277 * Modifies / deletes user credentials
278 *
279 * @todo
280 */
281DECLEXPORT(int) pam_sm_setcred(pam_handle_t *h, int flags, int argc, const char **argv)
282{
283 pam_vbox_log(h, "pam_vbox_setcred called.\n");
284 return PAM_SUCCESS;
285}
286
287
288DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t *h, int flags, int argc, const char **argv)
289{
290 pam_vbox_log(h, "pam_vbox_acct_mgmt called.\n");
291 return PAM_SUCCESS;
292}
293
294
295DECLEXPORT(int) pam_sm_open_session(pam_handle_t *h, int flags, int argc, const char **argv)
296{
297 pam_vbox_log(h, "pam_vbox_open_session called.\n");
298 RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
299 return PAM_SUCCESS;
300}
301
302
303DECLEXPORT(int) pam_sm_close_session(pam_handle_t *h, int flags, int argc, const char **argv)
304{
305 pam_vbox_log(h, "pam_vbox_close_session called.\n");
306 return PAM_SUCCESS;
307}
308
309DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t *h, int flags, int argc, const char **argv)
310{
311 pam_vbox_log(h, "pam_vbox_sm_chauthtok called.\n");
312 return PAM_SUCCESS;
313}
314
315#ifdef _DEBUG
316DECLEXPORT(void) RTAssertMsg1Weak(const char *pszExpr, unsigned uLine, const char *pszFile, const char *pszFunction)
317{
318 pam_vbox_log(g_pam_handle,
319 "\n!!Assertion Failed!!\n"
320 "Expression: %s\n"
321 "Location : %s(%d) %s\n",
322 pszExpr, pszFile, uLine, pszFunction);
323 RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
324}
325#endif
Note: See TracBrowser for help on using the repository browser.

© 2023 Oracle
ContactPrivacy policyTerms of Use