From owner-freebsd-hackers@FreeBSD.ORG Wed Nov 8 21:28:45 2006 Return-Path: X-Original-To: freebsd-hackers@FreeBSD.org Delivered-To: freebsd-hackers@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EA2416A49E for ; Wed, 8 Nov 2006 21:28:45 +0000 (UTC) (envelope-from shaun@FreeBSD.org) Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id 9601643D64 for ; Wed, 8 Nov 2006 21:28:32 +0000 (GMT) (envelope-from shaun@FreeBSD.org) Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP for ; Wed, 8 Nov 2006 21:28:30 +0000 (GMT) Date: Wed, 8 Nov 2006 21:28:30 +0000 From: Shaun Amott To: freebsd-hackers@FreeBSD.org Message-ID: <20061108212829.GA2738@charon.picobyte.net> Mail-Followup-To: freebsd-hackers@FreeBSD.org Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NMuMz9nt05w80d4+" Content-Disposition: inline User-Agent: Mutt/1.5.11 (FreeBSD i386) Cc: Subject: RFC: pam_krb5: minimum_[ug]id options X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Nov 2006 21:28:45 -0000 --NMuMz9nt05w80d4+ Content-Type: multipart/mixed; boundary="XsQoSWH+UP9D9v3l" Content-Disposition: inline --XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable While fiddling with PAM, it came to my attention that the pam_krb5 module in some other (Linux?) PAM implementations supports, amongst other things, a minimum_uid option. This makes it possible to skip over Kerberos authentication for local system accounts, like so: auth required pam_krb5.so no_warn minimum_uid=3D1000 auth required pam_unix.so no_warn try_first_pass I think it'd a nice addition to our pam_krb5 at least. I've attached an initial patch. Comments/review welcome. Shaun --=20 Shaun Amott // PGP: 0x6B387A9A "A foolish consistency is the hobgoblin of little minds." - Ralph Waldo Emerson --XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="pam_krb5.diff" Content-Transfer-Encoding: quoted-printable Index: pam_krb5.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v retrieving revision 1.6 diff -u -r1.6 pam_krb5.8 --- pam_krb5.8 24 Nov 2001 23:41:32 -0000 1.6 +++ pam_krb5.8 8 Nov 2006 20:50:35 -0000 @@ -108,6 +108,13 @@ .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm minimum_uid Ns =3D Ns Ar id +Do not attempt to authenticate users with a uid below +.Ar id . +Instead, simply return; thus allowing a later module to authenticate +the user. +.It Cm minimum_gid Ns =3D Ns Ar id +As above, but specifies a minimum group. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component Index: pam_krb5.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v retrieving revision 1.23 diff -u -r1.23 pam_krb5.c --- pam_krb5.c 7 Jul 2005 14:16:38 -0000 1.23 +++ pam_krb5.c 8 Nov 2006 20:50:36 -0000 @@ -90,6 +90,8 @@ #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" +#define PAM_OPT_MINIMUM_UID "minimum_uid" +#define PAM_OPT_MINIMUM_GID "minimum_gid" =20 /* * authentication management @@ -110,6 +112,9 @@ const char *user, *pass; const void *sourceuser, *service; char *principal, *princ_name, *ccache_name, luser[32], *srvdup; + const char *retstr; + uid_t minuid =3D 0; + gid_t mingid =3D 0; =20 retval =3D pam_get_user(pamh, &user, USER_PROMPT); if (retval !=3D PAM_SUCCESS) @@ -222,6 +227,21 @@ =20 PAM_LOG("Done getpwnam()"); =20 + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); + + if (retstr) + minuid =3D (uid_t)strtoul(retstr, NULL, 10); + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); + + if (retstr) + mingid =3D (gid_t)strtoul(retstr, NULL, 10); + + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) + return (PAM_IGNORE); + + PAM_LOG("Checked uid and gid bounds"); + /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret =3D krb5_get_init_creds_password(pam_context, &creds, princ, @@ -349,6 +369,9 @@ const void *user; void *cache_data; char *cache_name_buf =3D NULL, *p; + const char *retstr; + uid_t minuid =3D 0; + gid_t mingid =3D 0; =20 uid_t euid; gid_t egid; @@ -391,6 +414,30 @@ =20 PAM_LOG("Got euid, egid: %d %d", euid, egid); =20 + /* Get the uid. This should exist. */ + pwd =3D getpwnam(user); + if (pwd =3D=3D NULL) { + retval =3D PAM_USER_UNKNOWN; + goto cleanup3; + } + + PAM_LOG("Done getpwnam()"); + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); + + if (retstr) + minuid =3D (uid_t)strtoul(retstr, NULL, 10); + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); + + if (retstr) + mingid =3D (gid_t)strtoul(retstr, NULL, 10); + + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) + return (PAM_IGNORE); + + PAM_LOG("Checked uid and gid bounds"); + /* Retrieve the temporary cache */ retval =3D pam_get_data(pamh, "ccache", &cache_data); if (retval !=3D PAM_SUCCESS) { @@ -405,15 +452,6 @@ goto cleanup3; } =20 - /* Get the uid. This should exist. */ - pwd =3D getpwnam(user); - if (pwd =3D=3D NULL) { - retval =3D PAM_USER_UNKNOWN; - goto cleanup3; - } - - PAM_LOG("Done getpwnam()"); - /* Avoid following a symlink as root */ if (setegid(pwd->pw_gid)) { retval =3D PAM_SERVICE_ERR; --XsQoSWH+UP9D9v3l-- --NMuMz9nt05w80d4+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFFUkv9kmhdCGs4epoRAlqcAKC1j9LENp2RBcNwnBza9z7vPZNovwCfbPkN US0RLNGZCsiYN9JjJOtQ2sQ= =GA2S -----END PGP SIGNATURE----- --NMuMz9nt05w80d4+--