From 2aab0031648306260752991f23882feac4605e08 Mon Sep 17 00:00:00 2001 From: Antoine Jacoutot Date: Wed, 19 Feb 2014 09:11:27 +0100 Subject: [PATCH] add support for BSD authentication OpenBSD does not use PAM nor SHADOW but bsd_auth(3) for authentication. --- configure.ac | 5 + src/polkitagent/Makefile.am | 3 + src/polkitagent/polkitagenthelper-bsdauth.c | 161 ++++++++++++++++++++++++++++ 3 files changed, 169 insertions(+) create mode 100644 src/polkitagent/polkitagenthelper-bsdauth.c diff --git a/configure.ac b/configure.ac index a7b0148..0621d87 100644 --- a/configure.ac +++ b/configure.ac @@ -306,6 +306,11 @@ case $POLKIT_AUTHFW in AC_DEFINE(POLKIT_AUTHFW_SHADOW, 1, [If using the Shadow authentication framework]) ;; + bsdauth) + need_pam=no + AC_DEFINE(POLKIT_AUTHFW_BSDAUTH, 1, [If using the bsd_auth(3) authentication framework]) + ;; + *) AC_MSG_ERROR([Unknown Authentication Framework: $POLKIT_AUTHFW]) ;; diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am index 3bc364e..b1eba28 100644 --- a/src/polkitagent/Makefile.am +++ b/src/polkitagent/Makefile.am @@ -91,6 +91,9 @@ endif if POLKIT_AUTHFW_SHADOW polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c endif +if POLKIT_AUTHFW_BSDAUTH +polkit_agent_helper_1_SOURCES += polkitagenthelper-bsdauth.c +endif polkit_agent_helper_1_CFLAGS = \ -D_POLKIT_COMPILATION \ diff --git a/src/polkitagent/polkitagenthelper-bsdauth.c b/src/polkitagent/polkitagenthelper-bsdauth.c new file mode 100644 index 0000000..86ac613 --- /dev/null +++ b/src/polkitagent/polkitagenthelper-bsdauth.c @@ -0,0 +1,161 @@ +/* + * Copyright (C) 2008 Red Hat, Inc. + * Copyright (C) 2009-2010 Andrew Psaltis + * Copyright (C) 2010 Antoine Jacoutot + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General + * Public License along with this library; if not, write to the + * Free Software Foundation, Inc., 59 Temple Place, Suite 330, + * Boston, MA 02111-1307, USA. + * + * Authors: Andrew Psaltis , based on + * polkitagenthelper.c which was written by + * David Zeuthen + */ + +#include "config.h" +#include "polkitagenthelperprivate.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +static gboolean bsdauth_authenticate (const char *user_to_auth); + +int +main (int argc, char *argv[]) +{ + struct passwd *pw; + const char *user_to_auth; + const char *cookie; +// time_t tm; + + /* clear the entire environment to avoid attacks with + libraries honoring environment variables */ + if (_polkit_clearenv () != 0) + goto error; + + /* set a minimal environment */ + setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); + + /* check that we are setuid root */ + if (geteuid () != 0) + { + fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); + goto error; + } + + openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); + + /* check for correct invocation */ + if (argc != 3) + { + syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); + fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); + goto error; + } + + if (getuid () != 0) + { + /* check we're running with a non-tty stdin */ + if (isatty (STDIN_FILENO) != 0) + { + syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); + fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); + goto error; + } + } + + user_to_auth = argv[1]; + cookie = argv[2]; + +#ifdef PAH_DEBUG + fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); +#endif /* PAH_DEBUG */ + + /* Search the password database for the user requesting authentication */ + if ((pw = getpwnam (user_to_auth)) == NULL) + { + syslog (LOG_NOTICE, "password database information request for user %s [uid=%d] failed", user_to_auth, getuid()); + fprintf(stderr, "polkit-agent-helper-1: could not get user information for '%s'", user_to_auth); + goto error; + } + + /* Check the user's identity */ + if (!bsdauth_authenticate (user_to_auth)) + { + syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth); + fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n"); + goto error; + } + +#ifdef PAH_DEBUG + fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to polkit daemon\n"); +#endif /* PAH_DEBUG */ + + /* now send a D-Bus message to the polkit daemon that + * includes a) the cookie; and b) the user we authenticated + */ + if (!send_dbus_message (cookie, user_to_auth)) + { +#ifdef PAH_DEBUG + fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to polkit daemon\n"); +#endif /* PAH_DEBUG */ + goto error; + } + +#ifdef PAH_DEBUG + fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to polkit daemon\n"); +#endif /* PAH_DEBUG */ + + fprintf (stdout, "SUCCESS\n"); + flush_and_wait (); + return 0; + +error: + fprintf (stdout, "FAILURE\n"); + flush_and_wait (); + return 1; +} + +static gboolean +bsdauth_authenticate (const char *user_to_auth) +{ + char passwd[512]; + + fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n"); + fflush (stdout); + usleep (10 * 1000); /* since fflush(3) seems buggy */ + + if (fgets (passwd, sizeof (passwd), stdin) == NULL) + goto error; + + if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n') + passwd[strlen (passwd) - 1] = '\0'; + + if (auth_userokay((char *)user_to_auth, NULL, "auth-polkit", passwd) == 0) + goto error; + return 1; +error: + return 0; +} -- 1.8.5.3