Merge lp:~jeff-apple/openvista-gtm-integration/bug385746 into lp:openvista-gtm-integration
- bug385746
- Merge into mainline
Proposed by
jeff.apple
Status: | Merged |
---|---|
Merged at revision: | not available |
Proposed branch: | lp:~jeff-apple/openvista-gtm-integration/bug385746 |
Merge into: | lp:openvista-gtm-integration |
Diff against target: | None lines |
To merge this branch: | bzr merge lp:~jeff-apple/openvista-gtm-integration/bug385746 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
OpenVista/GT.M Integration Team | Pending | ||
Review via email: mp+7526@code.launchpad.net |
Commit message
Description of the change
jeff.apple (jeff-apple) wrote : | # |
Jon Tai (jontai) wrote : | # |
In src/libopenvist
In packages/
In src/ovauth/
Finally, should we test this on a LDAP and non-LDAP machine before merging?
- 66. By jeff.apple
-
Change install location of ovauth binary
Make ovauth be in group openvista
Remove PAM library dependency in libopenvista
Preview Diff
1 | === modified file 'mumps/ZOSVGUX.m' | |||
2 | --- mumps/ZOSVGUX.m 2009-06-11 20:20:10 +0000 | |||
3 | +++ mumps/ZOSVGUX.m 2009-06-16 22:31:04 +0000 | |||
4 | @@ -71,7 +71,14 @@ | |||
5 | 71 | Q 1 ; until we fix this, we're never in application mode | 71 | Q 1 ; until we fix this, we're never in application mode |
6 | 72 | ; | 72 | ; |
7 | 73 | AUTH(USER,PASS) ; | 73 | AUTH(USER,PASS) ; |
9 | 74 | Q $&openvista.dopam($G(USER),$G(PASS),"openvista") | 74 | N DEV,OLDIO,STATUS |
10 | 75 | S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe" | ||
11 | 76 | O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE" | ||
12 | 77 | U DEV W PASS R STATUS | ||
13 | 78 | AUTHDONE | ||
14 | 79 | U OLDIO | ||
15 | 80 | C DEV | ||
16 | 81 | Q STATUS="OK" | ||
17 | 75 | UCI ; | 82 | UCI ; |
18 | 76 | S Y=^%ZOSF("PROD") Q | 83 | S Y=^%ZOSF("PROD") Q |
19 | 77 | ; | 84 | ; |
20 | 78 | 85 | ||
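Review bot: `USER` is concatenated unescaped into the PIPE device's COMMAND string (`_"/ovauth "_USER`), so whatever the caller passes as the username becomes part of the shell command line that opens the pipe. Validate it before the OPEN — e.g. `Q:USER'?1.AN 0`, extended with whatever extra characters site account names may contain — or hand the name to ovauth over the pipe instead of on its command line. The same lines are added to src/ovauth/SYSAUTH.m below and need the same guard. Also, `W PASS` sends no line terminator while ovauth.c reads until it sees a line feed; confirm the PIPE device appends one, otherwise this should be `W PASS,!`.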
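--- a/packages/rpm/openvista-libs-5.3003.spec
+++ b/packages/rpm/openvista-libs-5.3003.spec
@@ -49,6 +49,11 @@
 cd src/suidwrapper
 ./compile.sh
 
+cd ../../
+
+cd src/ovauth
+./compile.sh
+
 %install
 rm -rf %{buildroot}
 
@@ -56,6 +61,7 @@
 install -m 550 src/libopenvista/libopenvista.so %{buildroot}%{gtm_dist}
 install -m 440 src/libopenvista/openvista.xc %{buildroot}%{gtm_dist}
 install -m 4550 src/suidwrapper/gtmsignal %{buildroot}%{gtm_dist}
+install -m 4550 src/ovauth/ovauth %{buildroot}%{gtm_dist}
 
 %clean
 rm -rf %{buildroot}
@@ -71,6 +77,7 @@
 %{gtm_dist}/openvista.xc
 %defattr(-,root,gtm)
 %{gtm_dist}/gtmsignal
+%{gtm_dist}/ovauth
 
 %post
 # See http://fedoraproject.org/wiki/PackagingDrafts/SELinux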
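Review bot: The new `%{gtm_dist}/ovauth` line in %files falls under `%defattr(-,root,gtm)`, so the setuid-root binary installed with mode 4550 ends up in group gtm, although the commit message says ovauth should be in group openvista and ovauth.c's check_perms() only accepts a caller whose account is openvista. With group gtm, either the openvista account is a gtm member and every other gtm member can also execute the binary, or it is not and the M wrapper cannot run it at all. Give the entry its own attributes, `%attr(4550,root,openvista) %{gtm_dist}/ovauth`, so execute permission is limited to the one account that is allowed to call it.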
53 | === removed file 'src/libopenvista/authdata.h' | |||
54 | --- src/libopenvista/authdata.h 2009-02-18 07:36:49 +0000 | |||
55 | +++ src/libopenvista/authdata.h 1970-01-01 00:00:00 +0000 | |||
56 | @@ -1,27 +0,0 @@ | |||
57 | 1 | /* | ||
58 | 2 | * Copyright (C) 2009 Medsphere Systems Corporation | ||
59 | 3 | * | ||
60 | 4 | * This program is free software; you can redistribute it and/or modify it | ||
61 | 5 | * solely under the terms of the GNU Affero General Public License version 3 as | ||
62 | 6 | * published by the Free Software Foundation. | ||
63 | 7 | * | ||
64 | 8 | * This program is distributed in the hope that it will be useful, but WITHOUT | ||
65 | 9 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
66 | 10 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License | ||
67 | 11 | * for more details. | ||
68 | 12 | * | ||
69 | 13 | * You should have received a copy of the GNU Affero General Public License | ||
70 | 14 | * along with this program. If not, see <http://www.gnu.org/licenses>. | ||
71 | 15 | * | ||
72 | 16 | * You can contact Medsphere Systems Corporation headquarters at 1917 Palomar | ||
73 | 17 | * Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com. | ||
74 | 18 | */ | ||
75 | 19 | #ifndef AUTHDATA_H | ||
76 | 20 | #define AUTHDATA_H | ||
77 | 21 | |||
78 | 22 | typedef struct { | ||
79 | 23 | char *user; | ||
80 | 24 | char *password; | ||
81 | 25 | } authdata; | ||
82 | 26 | |||
83 | 27 | #endif | ||
84 | 28 | 0 | ||
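--- a/src/libopenvista/compile.sh
+++ b/src/libopenvista/compile.sh
@@ -17,7 +17,5 @@
 # You can contact Medsphere Systems Corporation headquarters at 1917 Palomar
 # Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com.
 
-gcc -c -FPIC myconv.c
-gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 dopam.c
 gcc -c -FPIC -I /opt/lsb-gtm/V5.3-003_i686 gtmserver.c
-gcc -o libopenvista.so -shared myconv.o dopam.o gtmserver.o -lpam
+gcc -o libopenvista.so -shared gtmserver.o -lpam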
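Review bot: The new link line `gcc -o libopenvista.so -shared gtmserver.o -lpam` still links libpam although dopam.c and myconv.c — the only PAM users visible in this diff — are removed and the commit message says the PAM dependency is gone from libopenvista. Unless gtmserver.c calls PAM itself, which nothing here suggests, the line should be `gcc -o libopenvista.so -shared gtmserver.o`, so the library no longer pulls libpam into every GT.M process that loads it.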
98 | === removed file 'src/libopenvista/dopam.c' | |||
99 | --- src/libopenvista/dopam.c 2009-04-30 06:54:29 +0000 | |||
100 | +++ src/libopenvista/dopam.c 1970-01-01 00:00:00 +0000 | |||
101 | @@ -1,71 +0,0 @@ | |||
102 | 1 | /* | ||
103 | 2 | * Copyright (C) 2009 Medsphere Systems Corporation | ||
104 | 3 | * | ||
105 | 4 | * This program is free software; you can redistribute it and/or modify it | ||
106 | 5 | * solely under the terms of the GNU Affero General Public License version 3 as | ||
107 | 6 | * published by the Free Software Foundation. | ||
108 | 7 | * | ||
109 | 8 | * This program is distributed in the hope that it will be useful, but WITHOUT | ||
110 | 9 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
111 | 10 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License | ||
112 | 11 | * for more details. | ||
113 | 12 | * | ||
114 | 13 | * You should have received a copy of the GNU Affero General Public License | ||
115 | 14 | * along with this program. If not, see <http://www.gnu.org/licenses>. | ||
116 | 15 | * | ||
117 | 16 | * You can contact Medsphere Systems Corporation headquarters at 1917 Palomar | ||
118 | 17 | * Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com. | ||
119 | 18 | */ | ||
120 | 19 | #include <stdio.h> | ||
121 | 20 | |||
122 | 21 | #include <stdlib.h> | ||
123 | 22 | #include <security/pam_appl.h> | ||
124 | 23 | |||
125 | 24 | #include "authdata.h" | ||
126 | 25 | #include "gtmxc_types.h" | ||
127 | 26 | |||
128 | 27 | extern int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data); | ||
129 | 28 | |||
130 | 29 | xc_long_t dopam(int count, char *user, char *password, char *pam_mod) | ||
131 | 30 | { | ||
132 | 31 | int pam_err; | ||
133 | 32 | pam_handle_t *pamh; | ||
134 | 33 | struct pam_conv pamc; | ||
135 | 34 | authdata adata; | ||
136 | 35 | |||
137 | 36 | if (password && *password!='\0') | ||
138 | 37 | adata.password = password; | ||
139 | 38 | else | ||
140 | 39 | return 0; | ||
141 | 40 | |||
142 | 41 | if (user && *user!='\0') | ||
143 | 42 | adata.user = user; | ||
144 | 43 | else | ||
145 | 44 | return 0; | ||
146 | 45 | |||
147 | 46 | if (!pam_mod || *pam_mod=='\0') | ||
148 | 47 | pam_mod = "openvista"; | ||
149 | 48 | |||
150 | 49 | /* initialize PAM */ | ||
151 | 50 | pamc.conv = &myconv; | ||
152 | 51 | pamc.appdata_ptr = &adata; | ||
153 | 52 | pam_start(pam_mod, adata.user, &pamc, &pamh); | ||
154 | 53 | |||
155 | 54 | /* authenticate the applicant */ | ||
156 | 55 | if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS) | ||
157 | 56 | goto pamerr; | ||
158 | 57 | if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) | ||
159 | 58 | goto pamerr; | ||
160 | 59 | |||
161 | 60 | /* establish the requested credentials */ | ||
162 | 61 | if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) | ||
163 | 62 | goto pamerr; | ||
164 | 63 | |||
165 | 64 | pam_end(pamh, pam_err); | ||
166 | 65 | return 1; | ||
167 | 66 | |||
168 | 67 | pamerr: | ||
169 | 68 | pam_end(pamh, pam_err); | ||
170 | 69 | return 0; | ||
171 | 70 | } | ||
172 | 71 | |||
173 | 72 | 0 | ||
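--- a/src/libopenvista/openvista.xc
+++ b/src/libopenvista/openvista.xc
@@ -1,3 +1,2 @@
 /opt/lsb-gtm/V5.3-003_i686/libopenvista.so
-dopam: xc_long_t dopam(I:xc_char_t*, I:xc_char_t*, I:xc_char_t*)
 gtmserver: xc_long_t gtmserver(I:xc_long_t, I:xc_char_t*)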
182 | === added directory 'src/ovauth' | |||
183 | === renamed file 'src/libopenvista/SYSAUTH.m' => 'src/ovauth/SYSAUTH.m' | |||
184 | --- src/libopenvista/SYSAUTH.m 2009-06-11 20:55:44 +0000 | |||
185 | +++ src/ovauth/SYSAUTH.m 2009-06-16 22:31:04 +0000 | |||
186 | @@ -29,6 +29,13 @@ | |||
187 | 29 | X ^%ZOSF("EON") | 29 | X ^%ZOSF("EON") |
188 | 30 | W ! | 30 | W ! |
189 | 31 | Q:PASS="^" 0 | 31 | Q:PASS="^" 0 |
193 | 32 | Q $$AUTH(USER,PASS) | 32 | ; fall through |
194 | 33 | AUTH(USER,PASS,MOD) | 33 | AUTH(USER,PASS) |
195 | 34 | Q $&openvista.dopam($G(USER),$G(PASS),$G(MOD)) | 34 | N DEV,OLDIO,STATUS |
196 | 35 | S DEV="ovauth",OLDIO=$IO,STATUS="Problem opening pipe" | ||
197 | 36 | O DEV:(COMMAND=$ZTRNLNM("gtm_dist")_"/ovauth "_USER:PARSE:INDEPENDENT:EXCEPTION="G AUTHDONE")::"PIPE" | ||
198 | 37 | U DEV W PASS R STATUS | ||
199 | 38 | AUTHDONE | ||
200 | 39 | U OLDIO | ||
201 | 40 | C DEV | ||
202 | 41 | Q STATUS="OK" | ||
203 | 35 | 42 | ||
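--- a/src/ovauth/compile.sh
+++ b/src/ovauth/compile.sh
@@ -0,0 +1,3 @@
+#/bin/sh
+
+gcc -O2 ovauth.c -lpam -o ovauth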
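Review bot: The first line `#/bin/sh` is missing the `!`, so it is an ordinary comment rather than an interpreter line, and the spec's %build runs `./compile.sh` directly and therefore depends on the shell's no-shebang fallback. Change it to `#!/bin/sh` so the script is executable on its own.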
212 | === added file 'src/ovauth/ovauth.c' | |||
213 | --- src/ovauth/ovauth.c 1970-01-01 00:00:00 +0000 | |||
214 | +++ src/ovauth/ovauth.c 2009-06-16 23:01:16 +0000 | |||
215 | @@ -0,0 +1,292 @@ | |||
216 | 1 | /* | ||
217 | 2 | * Copyright (C) 2009 Medsphere Systems Corporation | ||
218 | 3 | * | ||
219 | 4 | * This program is free software; you can redistribute it and/or modify it | ||
220 | 5 | * solely under the terms of the GNU Affero General Public License version 3 as | ||
221 | 6 | * published by the Free Software Foundation. | ||
222 | 7 | * | ||
223 | 8 | * This program is distributed in the hope that it will be useful, but WITHOUT | ||
224 | 9 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
225 | 10 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License | ||
226 | 11 | * for more details. | ||
227 | 12 | * | ||
228 | 13 | * You should have received a copy of the GNU Affero General Public License | ||
229 | 14 | * along with this program. If not, see <http://www.gnu.org/licenses>. | ||
230 | 15 | * | ||
231 | 16 | * You can contact Medsphere Systems Corporation headquarters at 1917 Palomar | ||
232 | 17 | * Oaks Way, Suite 200, Carlsbad, CA 92008 or at legal@medsphere.com. | ||
233 | 18 | */ | ||
234 | 19 | |||
235 | 20 | #include <unistd.h> | ||
236 | 21 | #include <stdio.h> | ||
237 | 22 | #include <stdlib.h> | ||
238 | 23 | #include <string.h> | ||
239 | 24 | #include <grp.h> | ||
240 | 25 | #include <pwd.h> | ||
241 | 26 | #include <security/pam_appl.h> | ||
242 | 27 | #include <syslog.h> | ||
243 | 28 | #include <stdarg.h> | ||
244 | 29 | |||
245 | 30 | #define MAXPASS 200 | ||
246 | 31 | #define OV_GROUP "openvista" | ||
247 | 32 | #define OV_USER "openvista" | ||
248 | 33 | #define OV_PAM_MOD "openvista" | ||
249 | 34 | |||
250 | 35 | typedef struct { | ||
251 | 36 | const char *user; | ||
252 | 37 | const char *password; | ||
253 | 38 | } authdata; | ||
254 | 39 | |||
255 | 40 | /* Log to syslog, and print to stdout */ | ||
256 | 41 | static void ov_auth_log(int priority, const char *format, ...) | ||
257 | 42 | { | ||
258 | 43 | va_list args; | ||
259 | 44 | char msg[1000]; | ||
260 | 45 | |||
261 | 46 | /* Print the var args to buffer */ | ||
262 | 47 | va_start(args, format); | ||
263 | 48 | vsnprintf( msg, 1000, format, args ); | ||
264 | 49 | va_end(args); | ||
265 | 50 | |||
266 | 51 | /* Write to syslog */ | ||
267 | 52 | openlog("ovauth", LOG_CONS | LOG_PID, LOG_AUTHPRIV); | ||
268 | 53 | syslog(priority, "%s", msg); | ||
269 | 54 | closelog(); | ||
270 | 55 | |||
271 | 56 | /* Write to stdout and flush */ | ||
272 | 57 | printf( "%s\n", msg ); | ||
273 | 58 | fflush( stdout ); | ||
274 | 59 | } | ||
275 | 60 | |||
276 | 61 | /* PAM conversation function */ | ||
277 | 62 | int myconv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { | ||
278 | 63 | struct pam_response *aresp; | ||
279 | 64 | char buf[PAM_MAX_RESP_SIZE]; | ||
280 | 65 | int i; | ||
281 | 66 | int len; | ||
282 | 67 | int sysretry; | ||
283 | 68 | |||
284 | 69 | authdata *adata = (authdata *) data; | ||
285 | 70 | if (!adata) { | ||
286 | 71 | goto fail; | ||
287 | 72 | } | ||
288 | 73 | |||
289 | 74 | if (n <= 0 || n > PAM_MAX_NUM_MSG) { | ||
290 | 75 | return (PAM_CONV_ERR); | ||
291 | 76 | } | ||
292 | 77 | if ((aresp = calloc(n, sizeof *aresp)) == NULL) { | ||
293 | 78 | return (PAM_BUF_ERR); | ||
294 | 79 | } | ||
295 | 80 | for (i = 0; i < n; ++i) { | ||
296 | 81 | aresp[i].resp_retcode = 0; | ||
297 | 82 | aresp[i].resp = NULL; | ||
298 | 83 | switch (msg[i]->msg_style) { | ||
299 | 84 | case PAM_PROMPT_ECHO_OFF: | ||
300 | 85 | aresp[i].resp = strdup(adata->password); | ||
301 | 86 | if (aresp[i].resp == NULL) | ||
302 | 87 | goto fail; | ||
303 | 88 | break; | ||
304 | 89 | case PAM_PROMPT_ECHO_ON: | ||
305 | 90 | aresp[i].resp = strdup(adata->user); | ||
306 | 91 | if (aresp[i].resp == NULL) | ||
307 | 92 | goto fail; | ||
308 | 93 | break; | ||
309 | 94 | case PAM_ERROR_MSG: | ||
310 | 95 | // fall though | ||
311 | 96 | case PAM_TEXT_INFO: | ||
312 | 97 | // do nothing | ||
313 | 98 | break; | ||
314 | 99 | default: | ||
315 | 100 | goto fail; | ||
316 | 101 | } | ||
317 | 102 | } | ||
318 | 103 | *resp = aresp; | ||
319 | 104 | return (PAM_SUCCESS); | ||
320 | 105 | fail: | ||
321 | 106 | for (i = 0; i < n; ++i) { | ||
322 | 107 | if (aresp[i].resp != NULL) { | ||
323 | 108 | memset(aresp[i].resp, 0, strlen(aresp[i].resp)); | ||
324 | 109 | free(aresp[i].resp); | ||
325 | 110 | } | ||
326 | 111 | } | ||
327 | 112 | memset(aresp, 0, n * sizeof *aresp); | ||
328 | 113 | *resp = NULL; | ||
329 | 114 | return (PAM_CONV_ERR); | ||
330 | 115 | } | ||
331 | 116 | |||
332 | 117 | int using_shadow_pw( struct passwd *pwd ) { | ||
333 | 118 | /* This logic is from the PAM module */ | ||
334 | 119 | char *pass_wd; | ||
335 | 120 | if (strcmp(pwd->pw_passwd, "x") == 0) { | ||
336 | 121 | /* Password is just "x" */ | ||
337 | 122 | return 1; | ||
338 | 123 | } | ||
339 | 124 | pass_wd = pwd->pw_passwd; | ||
340 | 125 | if (*(pass_wd++)=='#' && *(pass_wd++)=='#' && strcmp(pwd->pw_name, pass_wd)==0) { | ||
341 | 126 | /* Password is "##username" */ | ||
342 | 127 | return 1; | ||
343 | 128 | } | ||
344 | 129 | return 0; | ||
345 | 130 | } | ||
346 | 131 | |||
347 | 132 | int pam_auth(const char *user, const char *pass) { | ||
348 | 133 | int pam_err; | ||
349 | 134 | pam_handle_t *pamh; | ||
350 | 135 | struct pam_conv pamc; | ||
351 | 136 | authdata adata; | ||
352 | 137 | |||
353 | 138 | adata.password = pass; | ||
354 | 139 | adata.user = user; | ||
355 | 140 | |||
356 | 141 | /* initialize PAM */ | ||
357 | 142 | pamc.conv = &myconv; | ||
358 | 143 | pamc.appdata_ptr = &adata; | ||
359 | 144 | pam_start(OV_PAM_MOD, adata.user, &pamc, &pamh); | ||
360 | 145 | |||
361 | 146 | /* authenticate the applicant */ | ||
362 | 147 | if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { | ||
363 | 148 | goto pamerr; | ||
364 | 149 | } | ||
365 | 150 | if ((pam_err = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { | ||
366 | 151 | goto pamerr; | ||
367 | 152 | } | ||
368 | 153 | |||
369 | 154 | /* establish the requested credentials */ | ||
370 | 155 | if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { | ||
371 | 156 | goto pamerr; | ||
372 | 157 | } | ||
373 | 158 | |||
374 | 159 | pam_end(pamh, pam_err); | ||
375 | 160 | return 1; | ||
376 | 161 | |||
377 | 162 | pamerr: | ||
378 | 163 | pam_end(pamh, pam_err); | ||
379 | 164 | return 0; | ||
380 | 165 | } | ||
381 | 166 | |||
382 | 167 | int user_in_ov_group( struct passwd *user_pwd ) { | ||
383 | 168 | gid_t ov_gid; | ||
384 | 169 | gid_t user_gid; | ||
385 | 170 | struct group *group_struct; | ||
386 | 171 | int ngroups; | ||
387 | 172 | gid_t *groups; | ||
388 | 173 | int g_idx; | ||
389 | 174 | int ret_val = 0; | ||
390 | 175 | |||
391 | 176 | /* Get the gid for openvista group */ | ||
392 | 177 | group_struct = getgrnam( OV_GROUP ); | ||
393 | 178 | if (group_struct==0) { | ||
394 | 179 | ov_auth_log( LOG_ALERT, "Group %s was not found", OV_GROUP ); | ||
395 | 180 | return 0; | ||
396 | 181 | } | ||
397 | 182 | ov_gid = group_struct->gr_gid; | ||
398 | 183 | user_gid = user_pwd->pw_gid; | ||
399 | 184 | if (ov_gid == user_gid) { | ||
400 | 185 | return 1; | ||
401 | 186 | } | ||
402 | 187 | |||
403 | 188 | /* Get the groups for this user. Allocate space for 20. */ | ||
404 | 189 | ngroups = 20; | ||
405 | 190 | groups = malloc( ngroups * sizeof(gid_t) ); | ||
406 | 191 | if (-1 == getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups )) { | ||
407 | 192 | /* User was in more than 20 groups, so reallocate and grab them all */ | ||
408 | 193 | groups = realloc( groups, ngroups * sizeof(gid_t) ); | ||
409 | 194 | getgrouplist( user_pwd->pw_name, user_gid, groups, &ngroups ); | ||
410 | 195 | } | ||
411 | 196 | /* Scan for the group we're looking for */ | ||
412 | 197 | for (g_idx=0; g_idx<ngroups; ++g_idx) { | ||
413 | 198 | if (groups[g_idx] == ov_gid) { | ||
414 | 199 | ret_val = 1; | ||
415 | 200 | break; | ||
416 | 201 | } | ||
417 | 202 | } | ||
418 | 203 | free( groups ); | ||
419 | 204 | return ret_val; | ||
420 | 205 | } | ||
421 | 206 | |||
422 | 207 | int check_perms( struct passwd *user_pwd ) { | ||
423 | 208 | struct passwd *pwd = NULL; | ||
424 | 209 | /* Verify that user is openvista */ | ||
425 | 210 | pwd = getpwuid(getuid()); | ||
426 | 211 | if (pwd==0) { | ||
427 | 212 | ov_auth_log( LOG_ALERT, "Can not determine who is logged in" ); | ||
428 | 213 | return 0; | ||
429 | 214 | } | ||
430 | 215 | if (strcmp(pwd->pw_name,OV_USER)!=0) { | ||
431 | 216 | ov_auth_log( LOG_NOTICE, "Can not be called by this user (%s)", pwd->pw_name ); | ||
432 | 217 | return 0; | ||
433 | 218 | } | ||
434 | 219 | /* Verify that the user being authenticated is in openvista group */ | ||
435 | 220 | if (!user_in_ov_group( user_pwd )) { | ||
436 | 221 | ov_auth_log( LOG_NOTICE, "User '%s' is not in %s group", user_pwd->pw_name, OV_GROUP ); | ||
437 | 222 | return 0; | ||
438 | 223 | } | ||
439 | 224 | return 1; | ||
440 | 225 | } | ||
441 | 226 | |||
442 | 227 | int main( int argc, char *argv[] ) | ||
443 | 228 | { | ||
444 | 229 | int ret_val; | ||
445 | 230 | char pass[MAXPASS + 1]; | ||
446 | 231 | char *user = argv[1]; | ||
447 | 232 | int npass = 0; | ||
448 | 233 | struct passwd *user_pwd = NULL; | ||
449 | 234 | |||
450 | 235 | /* Make sure we're being run as intended. Provides only a usage guideline, | ||
451 | 236 | * really, not security. | ||
452 | 237 | */ | ||
453 | 238 | if (isatty(STDIN_FILENO) || argc != 2 ) { | ||
454 | 239 | fprintf( stderr, "This program is not run meant to be run this way.\n" ); | ||
455 | 240 | ov_auth_log( LOG_ALERT, "Run with tty stdin" ); | ||
456 | 241 | return 1; | ||
457 | 242 | } | ||
458 | 243 | |||
459 | 244 | /* Read the password from stdin. We have to keep reading an appending if the | ||
460 | 245 | * message is fragmented. | ||
461 | 246 | */ | ||
462 | 247 | memset(pass, '\0', MAXPASS); | ||
463 | 248 | while (1) { | ||
464 | 249 | npass += read(STDIN_FILENO, pass+npass, MAXPASS); | ||
465 | 250 | if (npass < 0) { | ||
466 | 251 | ov_auth_log( LOG_NOTICE, "Password not read" ); | ||
467 | 252 | return 1; | ||
468 | 253 | } else if (npass >= MAXPASS) { | ||
469 | 254 | ov_auth_log( LOG_NOTICE, "Password too long" ); | ||
470 | 255 | return 1; | ||
471 | 256 | } | ||
472 | 257 | if (pass[npass-1]=='\x0a') { | ||
473 | 258 | break; | ||
474 | 259 | } | ||
475 | 260 | } | ||
476 | 261 | pass[npass-1] = '\0'; | ||
477 | 262 | user = argv[1]; | ||
478 | 263 | |||
479 | 264 | /* Get the user's password info */ | ||
480 | 265 | user_pwd = getpwnam( user ); | ||
481 | 266 | if (user_pwd == NULL) { | ||
482 | 267 | ov_auth_log( LOG_NOTICE, "User '%s' not found", user ); | ||
483 | 268 | return 1; | ||
484 | 269 | } | ||
485 | 270 | |||
486 | 271 | /* Verify that the right users are involved */ | ||
487 | 272 | if (!check_perms(user_pwd)) { | ||
488 | 273 | return 1; | ||
489 | 274 | } | ||
490 | 275 | |||
491 | 276 | /* Only elevate privs if the user in question has a shadow password */ | ||
492 | 277 | if (using_shadow_pw(user_pwd)) { | ||
493 | 278 | setuid( 0 ); | ||
494 | 279 | } | ||
495 | 280 | |||
496 | 281 | /* Do the actual PAM authentication */ | ||
497 | 282 | ret_val = pam_auth( user, pass ); | ||
498 | 283 | memset(pass, '\0', MAXPASS); | ||
499 | 284 | if (ret_val==0) { | ||
500 | 285 | printf("Authentication failure\n"); | ||
501 | 286 | } else { | ||
502 | 287 | printf("OK\n"); | ||
503 | 288 | } | ||
504 | 289 | return (ret_val==0); | ||
505 | 290 | } | ||
506 | 291 | |||
507 | 292 |
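Review bot: The password loop in main() can overflow `pass`: every iteration calls `read(STDIN_FILENO, pass+npass, MAXPASS)`, so once a first fragment has arrived a second one may write up to MAXPASS bytes from offset `npass` into a buffer that is only MAXPASS+1 long, and a `read()` returning 0 at EOF leaves `npass` unchanged, which loops forever or, on an empty stream, evaluates `pass[npass-1]` at index -1. Bound each read by `MAXPASS - npass` and treat a zero return as a failed read, as in the rewrite below; because the binary is installed 4550 root, this is reachable by any caller check_perms() admits, not only the M pipe. Two smaller gaps in the same hunk: pam_auth() never checks the return of `pam_start()` so a failure passes an uninitialized `pamh` to `pam_authenticate()` (`if (pam_start(OV_PAM_MOD, adata.user, &pamc, &pamh) != PAM_SUCCESS) return 0;`), and the `fail:` path in myconv() walks `aresp` even when reached from the `!adata` test before `calloc` ran, and never frees it (`if (!adata) return (PAM_CONV_ERR);` plus `free(aresp);` after the cleanup loop). Finally, the `memset(pass, '\0', MAXPASS)` after pam_auth() is a dead store a compiler may drop, so use `explicit_bzero` where available, and the first memset omits `pass[MAXPASS]`, so prefer `sizeof pass`.
```c
/* … unchanged: tty/argc check … */
memset(pass, '\0', sizeof pass);
while (1) {
    /* Never ask for more than the space left after what is already read. */
    ssize_t rc = read(STDIN_FILENO, pass + npass, MAXPASS - npass);
    if (rc < 0) {
        ov_auth_log( LOG_NOTICE, "Password not read" );
        return 1;
    }
    if (rc == 0) {
        /* EOF before a line feed: the caller never sent a complete line. */
        ov_auth_log( LOG_NOTICE, "Password not terminated" );
        return 1;
    }
    npass += rc;
    if (pass[npass-1]=='\x0a') {
        break;
    }
    if (npass >= MAXPASS) {
        ov_auth_log( LOG_NOTICE, "Password too long" );
        return 1;
    }
}
pass[npass-1] = '\0';
/* … unchanged: getpwnam / check_perms / pam_auth … */
```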
The packaging parts may not be quite up to snuff. Jon should pay special attention to that.