From owner-freebsd-hackers@FreeBSD.ORG Wed Nov 8 22:11:21 2006
Date: Thu, 9 Nov 2006 01:10:18 +0300
From: Ruslan Ermilov
To: freebsd-hackers@FreeBSD.org
Message-ID: <20061108221018.GB55351@rambler-co.ru>
In-Reply-To: <20061108212829.GA2738@charon.picobyte.net>
Subject: Re: RFC: pam_krb5: minimum_[ug]id options

On Wed, Nov 08, 2006 at 09:28:30PM +0000, Shaun Amott wrote:
> While fiddling with PAM, it came to my attention that the pam_krb5
> module in some other (Linux?) PAM implementations supports, amongst
> other things, a minimum_uid option. This makes it possible to skip over
> Kerberos authentication for local system accounts, like so:
>
> auth required pam_krb5.so no_warn minimum_uid=1000
> auth required pam_unix.so no_warn try_first_pass
>
> I think it'd be a nice addition to our pam_krb5 at least.
>
> I've attached an initial patch. Comments/review welcome.
>

OK.

> Index: pam_krb5.8 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v > retrieving revision 1.6 > diff -u -r1.6 pam_krb5.8 > --- pam_krb5.8 24 Nov 2001 23:41:32 -0000 1.6 > +++ pam_krb5.8 8 Nov 2006 20:50:35 -0000
> @@ -108,6 +108,13 @@ > .Ql %p , > to designate the current process ID; can be used in > .Ar name . > +.It Cm minimum_uid Ns =3D Ns Ar id > +Do not attempt to authenticate users with a uid below ^^^ UID > +.Ar id . > +Instead, simply return; thus allowing a later module to authenticate > +the user. > +.It Cm minimum_gid Ns =3D Ns Ar id > +As above, but specifies a minimum group. ^^^^^ "group ID" or GID Also, it could be explicit about this being a primary GID. > .El > .Ss Kerberos 5 Account Management Module > The Kerberos 5 account management component >=20 Document date should be bumped (the .Dd macro). > Index: pam_krb5.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v > retrieving revision 1.23 > diff -u -r1.23 pam_krb5.c > --- pam_krb5.c 7 Jul 2005 14:16:38 -0000 1.23 > +++ pam_krb5.c 8 Nov 2006 20:50:36 -0000 > @@ -90,6 +90,8 @@ > #define PAM_OPT_FORWARDABLE "forwardable" > #define PAM_OPT_NO_CCACHE "no_ccache" > #define PAM_OPT_REUSE_CCACHE "reuse_ccache" > +#define PAM_OPT_MINIMUM_UID "minimum_uid" > +#define PAM_OPT_MINIMUM_GID "minimum_gid" > =20 Defines were sorted alphabetically by a defined name. > /* > * authentication management > @@ -110,6 +112,9 @@ > const char *user, *pass; > const void *sourceuser, *service; > char *principal, *princ_name, *ccache_name, luser[32], *srvdup; > + const char *retstr; > + uid_t minuid =3D 0; > + gid_t mingid =3D 0; > =20 > retval =3D pam_get_user(pamh, &user, USER_PROMPT); > if (retval !=3D PAM_SUCCESS) 
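Review bot: the pam_krb5.8 hunk documents the threshold but not the contract it creates: for an account below `minimum_uid` or `minimum_gid` the module returns without making any decision ("Instead, simply return"), so the man page should state explicitly that a later module in the stack is expected to authenticate those accounts, and show the pairing from the original mail (`auth required pam_krb5.so no_warn minimum_uid=1000` followed by `auth required pam_unix.so no_warn try_first_pass`); an administrator who sets the option on a lone pam_krb5 line is told nothing here about what happens to such users. It would also help to say that `minimum_gid` is compared against the passwd primary group only, since the code tests `pwd->pw_gid` and never consults supplementary groups.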
> @@ -222,6 +227,21 @@ > =20 > PAM_LOG("Done getpwnam()"); > =20 > + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); > + Extraneous empty line. > + if (retstr) ^ missing "!=3D NULL" > + minuid =3D (uid_t)strtoul(retstr, NULL, 10); >=20 Errors are silently ignored; limit (UID_MAX) isn't checked. > + > + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); > + > + if (retstr) > + mingid =3D (gid_t)strtoul(retstr, NULL, 10); > + >=20 Ditto but s/UID_MAX/GID_MAX/. > + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) > + return (PAM_IGNORE); > + > + PAM_LOG("Checked uid and gid bounds"); > + > /* Get a TGT */ > memset(&creds, 0, sizeof(krb5_creds)); > krbret =3D krb5_get_init_creds_password(pam_context, &creds, princ, > @@ -349,6 +369,9 @@ > const void *user; > void *cache_data; > char *cache_name_buf =3D NULL, *p; > + const char *retstr; > + uid_t minuid =3D 0; > + gid_t mingid =3D 0; > =20 > uid_t euid; > gid_t egid; > @@ -391,6 +414,30 @@ > =20 > PAM_LOG("Got euid, egid: %d %d", euid, egid); > =20 > + /* Get the uid. This should exist. */ > + pwd =3D getpwnam(user); > + if (pwd =3D=3D NULL) { > + retval =3D PAM_USER_UNKNOWN; > + goto cleanup3; > + } > + > + PAM_LOG("Done getpwnam()"); > + > + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); > + > + if (retstr) > + minuid =3D (uid_t)strtoul(retstr, NULL, 10); > + > + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); > + > + if (retstr) > + mingid =3D (gid_t)strtoul(retstr, NULL, 10); > + > + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) > + return (PAM_IGNORE); > + > + PAM_LOG("Checked uid and gid bounds"); > + > /* Retrieve the temporary cache */ > retval =3D pam_get_data(pamh, "ccache", &cache_data); > if (retval !=3D PAM_SUCCESS) { 
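Review bot: in the @@ -222 hunk, `strtoul(retstr, NULL, 10)` with no endptr check turns a mistyped option into a silent policy change rather than an error: `minimum_uid=-1` is accepted by strtoul, wraps to ULONG_MAX and after the `(uid_t)` cast exceeds every real uid, so every account gets PAM_IGNORE and Kerberos is skipped site-wide; `minimum_uid=abc` yields 0 and disables the check; trailing junk such as `1000x` is ignored. Suggest parsing with an endptr and errno check (empty string, leftover characters and values out of range for uid_t or gid_t all rejected) and, on a malformed value, logging it and failing closed with PAM_SERVICE_ERR instead of continuing with a guessed threshold. Separately, the `return (PAM_IGNORE)` leaves the function without going through its cleanup path: both `pam_context` and `princ` are live at this point, as the `krb5_get_init_creds_password(pam_context, &creds, princ,` call that follows shows, so set `retval = PAM_IGNORE` and jump to the cleanup label that frees them rather than returning directly.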
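Review bot: the @@ -391 hunk pastes the option parsing and the threshold comparison verbatim from the auth hunk; factor them into one static helper (a function returning whether `pwd` falls below the configured minimums, name up to the author) so the auth and session phases cannot drift apart on which accounts are treated as Kerberos users. Earlier in the same hunk the error path uses `retval = PAM_USER_UNKNOWN; goto cleanup3;`, while the new threshold path does a bare `return (PAM_IGNORE)`, so whatever cleanup3 releases is leaked on the early-return path; use `retval = PAM_IGNORE; goto cleanup3;` here for consistency.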
> @@ -405,15 +452,6 @@ > goto cleanup3; > } > =20 > - /* Get the uid. This should exist. */ > - pwd =3D getpwnam(user); > - if (pwd =3D=3D NULL) { > - retval =3D PAM_USER_UNKNOWN; > - goto cleanup3; > - } > - > - PAM_LOG("Done getpwnam()"); > - > /* Avoid following a symlink as root */ > if (setegid(pwd->pw_gid)) { > retval =3D PAM_SERVICE_ERR;

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer