Date: Wed, 8 Nov 2006 21:28:30 +0000 From: Shaun Amott <shaun@FreeBSD.org> To: freebsd-hackers@FreeBSD.org Subject: RFC: pam_krb5: minimum_[ug]id options Message-ID: <20061108212829.GA2738@charon.picobyte.net>
--NMuMz9nt05w80d4+
Content-Type: multipart/mixed; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
While fiddling with PAM, it came to my attention that the pam_krb5
module in some other (Linux?) PAM implementations supports, amongst
other things, a minimum_uid option. This makes it possible to skip over
Kerberos authentication for local system accounts, like so:
auth required pam_krb5.so no_warn minimum_uid=1000
auth required pam_unix.so no_warn try_first_pass
I think it'd be a nice addition to our pam_krb5 at least.
I've attached an initial patch. Comments/review welcome.
Shaun
--=20
Shaun Amott // PGP: 0x6B387A9A
"A foolish consistency is the hobgoblin
of little minds." - Ralph Waldo Emerson
--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="pam_krb5.diff"
Content-Transfer-Encoding: quoted-printable
Index: pam_krb5.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
retrieving revision 1.6
diff -u -r1.6 pam_krb5.8
--- pam_krb5.8 24 Nov 2001 23:41:32 -0000 1.6
+++ pam_krb5.8 8 Nov 2006 20:50:35 -0000
@@ -108,6 +108,13 @@
.Ql %p ,
to designate the current process ID; can be used in
.Ar name .
+.It Cm minimum_uid Ns =3D Ns Ar id
+Do not attempt to authenticate users with a uid below
+.Ar id .
+Instead, simply return; thus allowing a later module to authenticate
+the user.
+.It Cm minimum_gid Ns =3D Ns Ar id
+As above, but specifies a minimum group.
.El
.Ss Kerberos 5 Account Management Module
The Kerberos 5 account management component
Index: pam_krb5.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
retrieving revision 1.23
diff -u -r1.23 pam_krb5.c
--- pam_krb5.c 7 Jul 2005 14:16:38 -0000 1.23
+++ pam_krb5.c 8 Nov 2006 20:50:36 -0000
@@ -90,6 +90,8 @@
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
+#define PAM_OPT_MINIMUM_UID "minimum_uid"
+#define PAM_OPT_MINIMUM_GID "minimum_gid"
=20
/*
* authentication management
@@ -110,6 +112,9 @@
const char *user, *pass;
const void *sourceuser, *service;
char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
+ const char *retstr;
+ uid_t minuid =3D 0;
+ gid_t mingid =3D 0;
=20
retval =3D pam_get_user(pamh, &user, USER_PROMPT);
if (retval !=3D PAM_SUCCESS)
@@ -222,6 +227,21 @@
=20
PAM_LOG("Done getpwnam()");
=20
+ retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+
+ if (retstr)
+ minuid =3D (uid_t)strtoul(retstr, NULL, 10);
+
+ retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+
+ if (retstr)
+ mingid =3D (gid_t)strtoul(retstr, NULL, 10);
+
+ if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
+ return (PAM_IGNORE);
+
+ PAM_LOG("Checked uid and gid bounds");
+
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
krbret =3D krb5_get_init_creds_password(pam_context, &creds, princ,
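Review bot: The option values fetched at `retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID)` are handed to `strtoul(retstr, NULL, 10)` with no end-pointer or errno check, so a typo such as `minimum_uid=abc` silently parses as 0 and a value like `minimum_uid=-1` wraps to the largest uid, which makes the bound match every account and skips Kerberos authentication for everyone. The same two parsing blocks are repeated verbatim in the pam_sm_setcred hunk below, so a file-scope helper that validates the digits, rejects trailing characters and a leading '-', and logs a bad value would remove the duplication and fail closed on misconfiguration. The early exit `return (PAM_IGNORE);` also bypasses the function's cleanup labels: the enclosing body starts and ends outside this hunk, but the setcred hunk shows the neighbouring `goto cleanup3` idiom for the getpwnam() failure, so a bare return here presumably leaks the Kerberos context and whatever else has been set up by this point — set `retval` and jump to the label in force instead. The helper needs `<errno.h>` if the file does not already include it, and `ul` should be declared with the other locals in the declaration hunk.
```c
/*
 * Parse a non-negative numeric option; *out is left untouched when the
 * option is absent.  Returns 0 on success, -1 on a malformed value.
 */
static int
parse_id_option(pam_handle_t *pamh, const char *opt, unsigned long *out)
{
	const char *val;
	char *end;

	val = openpam_get_option(pamh, opt);
	if (val == NULL)
		return (0);
	errno = 0;
	*out = strtoul(val, &end, 10);
	if (*val == '-' || end == val || *end != '\0' || errno == ERANGE) {
		PAM_LOG("Invalid value for %s: %s", opt, val);
		return (-1);
	}
	return (0);
}

	/* … unchanged: getpwnam() lookup in pam_sm_authenticate … */
	if (parse_id_option(pamh, PAM_OPT_MINIMUM_UID, &ul) != 0) {
		retval = PAM_SERVICE_ERR;
		goto CLEANUP_LABEL;	/* placeholder: the label the getpwnam() failure above jumps to */
	}
	minuid = (uid_t)ul;
	/* … same call for PAM_OPT_MINIMUM_GID, assigned to mingid … */
	if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) {
		retval = PAM_IGNORE;
		goto CLEANUP_LABEL;	/* placeholder: same label as above */
	}
```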
@@ -349,6 +369,9 @@
const void *user;
void *cache_data;
char *cache_name_buf =3D NULL, *p;
+ const char *retstr;
+ uid_t minuid =3D 0;
+ gid_t mingid =3D 0;
=20
uid_t euid;
gid_t egid;
@@ -391,6 +414,30 @@
=20
PAM_LOG("Got euid, egid: %d %d", euid, egid);
=20
+ /* Get the uid. This should exist. */
+ pwd =3D getpwnam(user);
+ if (pwd =3D=3D NULL) {
+ retval =3D PAM_USER_UNKNOWN;
+ goto cleanup3;
+ }
+
+ PAM_LOG("Done getpwnam()");
+
+ retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+
+ if (retstr)
+ minuid =3D (uid_t)strtoul(retstr, NULL, 10);
+
+ retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+
+ if (retstr)
+ mingid =3D (gid_t)strtoul(retstr, NULL, 10);
+
+ if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
+ return (PAM_IGNORE);
+
+ PAM_LOG("Checked uid and gid bounds");
+
/* Retrieve the temporary cache */
retval =3D pam_get_data(pamh, "ccache", &cache_data);
if (retval !=3D PAM_SUCCESS) {
@@ -405,15 +452,6 @@
goto cleanup3;
}
=20
- /* Get the uid. This should exist. */
- pwd =3D getpwnam(user);
- if (pwd =3D=3D NULL) {
- retval =3D PAM_USER_UNKNOWN;
- goto cleanup3;
- }
-
- PAM_LOG("Done getpwnam()");
-
/* Avoid following a symlink as root */
if (setegid(pwd->pw_gid)) {
retval =3D PAM_SERVICE_ERR;
--XsQoSWH+UP9D9v3l--
--NMuMz9nt05w80d4+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFFUkv9kmhdCGs4epoRAlqcAKC1j9LENp2RBcNwnBza9z7vPZNovwCfbPkN
US0RLNGZCsiYN9JjJOtQ2sQ=
=GA2S
-----END PGP SIGNATURE-----
--NMuMz9nt05w80d4+--
