From owner-freebsd-hackers@FreeBSD.ORG Thu Nov 9 01:18:49 2006 Return-Path: X-Original-To: freebsd-hackers@FreeBSD.org Delivered-To: freebsd-hackers@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51CAF16A412 for ; Thu, 9 Nov 2006 01:18:49 +0000 (UTC) (envelope-from shaun@FreeBSD.org) Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id 8807043D53 for ; Thu, 9 Nov 2006 01:18:46 +0000 (GMT) (envelope-from shaun@FreeBSD.org) Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP for ; Thu, 9 Nov 2006 01:18:44 +0000 (GMT) Date: Thu, 9 Nov 2006 01:18:44 +0000 
From: Shaun Amott To: freebsd-hackers@FreeBSD.org Message-ID: <20061109011843.GA4880@charon.picobyte.net> Mail-Followup-To: freebsd-hackers@FreeBSD.org References: <20061108212829.GA2738@charon.picobyte.net> <20061108221018.GB55351@rambler-co.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="uXxzq0nDebZQVNAZ" Content-Disposition: inline In-Reply-To: <20061108221018.GB55351@rambler-co.ru> User-Agent: Mutt/1.5.11 (FreeBSD i386) Cc: Subject: Re: RFC: pam_krb5: minimum_[ug]id options X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Nov 2006 01:18:49 -0000 --uXxzq0nDebZQVNAZ Content-Type: multipart/mixed; boundary="24zk1gE8NUlDmwG9" Content-Disposition: inline --24zk1gE8NUlDmwG9 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Thanks for reviewing the patch. Here's an updated version with your suggestions incorporated. Shaun --=20 Shaun Amott // PGP: 0x6B387A9A "A foolish consistency is the hobgoblin of little minds." - Ralph Waldo Emerson --24zk1gE8NUlDmwG9 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="pam_krb5.diff" Content-Transfer-Encoding: quoted-printable Index: pam_krb5.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v retrieving revision 1.6 diff -u -r1.6 pam_krb5.8 --- pam_krb5.8 24 Nov 2001 23:41:32 -0000 1.6 +++ pam_krb5.8 9 Nov 2006 01:14:18 -0000 
@@ -1,7 +1,7 @@ .\" .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $ .\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 = 23:41:32 dd Exp $ -.Dd January 15, 1999 +.Dd Thursday 09, 2006 .Dt PAM_KRB5 8 .Os .Sh NAME @@ -108,6 +108,13 @@ .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm minimum_uid Ns =3D Ns Ar id +Do not attempt to authenticate users with a UID below +.Ar id . +Instead, simply return; thus allowing a later module to authenticate +the user. +.It Cm minimum_gid Ns =3D Ns Ar id +As above, but specifies a minimum primary GID. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component Index: pam_krb5.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v retrieving revision 1.23 diff -u -r1.23 pam_krb5.c --- pam_krb5.c 7 Jul 2005 14:16:38 -0000 1.23 +++ pam_krb5.c 9 Nov 2006 01:14:19 -0000 @@ -88,6 +88,8 @@ #define PAM_OPT_CCACHE "ccache" #define PAM_OPT_DEBUG "debug" #define PAM_OPT_FORWARDABLE "forwardable" +#define PAM_OPT_MINIMUM_GID "minimum_gid" +#define PAM_OPT_MINIMUM_UID "minimum_uid" #define PAM_OPT_NO_CCACHE "no_ccache" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" =20 @@ -110,6 +112,9 @@ const char *user, *pass; const void *sourceuser, *service; char *principal, *princ_name, *ccache_name, luser[32], *srvdup; + const char *retstr; + uid_t minuid =3D 0; + gid_t mingid =3D 0; =20 retval =3D pam_get_user(pamh, &user, USER_PROMPT); if (retval !=3D PAM_SUCCESS) 
@@ -222,6 +227,39 @@ =20 PAM_LOG("Done getpwnam()"); =20 + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); + if (retstr !=3D NULL) { + if ((minuid =3D (uid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) { + if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) { + PAM_LOG("Error in minimum_uid: %s", + strerror(errno)); + return (PAM_SERVICE_ERR); + } + } else if (minuid > UID_MAX) { + PAM_LOG("Error in minimum_uid: invalid UID"); + return (PAM_SERVICE_ERR); + } + } + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); + if (retstr !=3D NULL) { + if ((mingid =3D (gid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) { + if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) { + PAM_LOG("Error in minimum_gid: %s", + strerror(errno)); + return (PAM_SERVICE_ERR); + } + } else if (mingid > GID_MAX) { + PAM_LOG("Error in minimum_gid: invalid GID"); + return (PAM_SERVICE_ERR); + } + } + + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) + return (PAM_IGNORE); + + PAM_LOG("Checked uid and gid bounds"); + /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret =3D krb5_get_init_creds_password(pam_context, &creds, princ, @@ -349,6 +387,9 @@ const void *user; void *cache_data; char *cache_name_buf =3D NULL, *p; + const char *retstr; + uid_t minuid =3D 0; + gid_t mingid =3D 0; =20 uid_t euid; gid_t egid; 
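Review bot: The `ERANGE` branch in the new minimum_uid/minimum_gid parsing is unreachable and the `> UID_MAX` / `> GID_MAX` guards can never fire: `strtoul` returns `ULONG_MAX` (not 0) on overflow, so `errno` is only consulted when the result is 0, and the range comparison is done after the value has already been narrowed by the `(uid_t)` / `(gid_t)` cast (on FreeBSD `uid_t` is 32-bit and `UID_MAX` is `UINT_MAX`, so the test is a tautology and an oversized value is silently truncated on amd64). On a 32-bit build an overflowed `minimum_uid` therefore becomes `UINT_MAX`, every user falls below the minimum and this module returns `PAM_IGNORE` for everyone — a fail-open misconfiguration that should instead be rejected with `PAM_SERVICE_ERR`. `errno` is also never reset before `strtoul`, so a stale `EINVAL`/`ERANGE` left by an earlier libc call would reject a legitimate `minimum_uid=0`, and trailing garbage such as `minimum_uid=100x` is accepted because `endptr` is never examined. Since the same block is duplicated verbatim in pam_sm_setcred, I would move the parsing into one static helper that validates the `unsigned long` before casting, as below, and route its failure through pam_sm_authenticate's existing cleanup path rather than the bare `return`s used here (the krb5 context is presumably already initialised at this point since "Get a TGT" follows immediately, but that part of the function is outside the hunk).
```c
/*
 * Parse the minimum_uid / minimum_gid options.  On success returns
 * PAM_SUCCESS with *minuid / *mingid set (0 when an option is absent);
 * returns PAM_SERVICE_ERR if a value is not a decimal integer within
 * [0, UID_MAX] / [0, GID_MAX], so a bad value fails closed.
 */
static int
get_minimum_ids(pam_handle_t *pamh, uid_t *minuid, gid_t *mingid)
{
	const char *retstr;
	char *end;
	unsigned long val;

	*minuid = 0;
	*mingid = 0;

	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
	if (retstr != NULL) {
		errno = 0;
		val = strtoul(retstr, &end, 10);
		/* Check the full unsigned long before narrowing to uid_t. */
		if (errno != 0 || end == retstr || *end != '\0' || val > UID_MAX) {
			PAM_LOG("Error in minimum_uid: invalid UID");
			return (PAM_SERVICE_ERR);
		}
		*minuid = (uid_t)val;
	}

	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
	if (retstr != NULL) {
		errno = 0;
		val = strtoul(retstr, &end, 10);
		if (errno != 0 || end == retstr || *end != '\0' || val > GID_MAX) {
			PAM_LOG("Error in minimum_gid: invalid GID");
			return (PAM_SERVICE_ERR);
		}
		*mingid = (gid_t)val;
	}

	return (PAM_SUCCESS);
}

	/* … unchanged: PAM_LOG("Done getpwnam()") … */
	retval = get_minimum_ids(pamh, &minuid, &mingid);
	/* on failure, release krb5 state via the function's cleanup labels instead of returning directly */
```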
@@ -391,6 +432,48 @@ =20 PAM_LOG("Got euid, egid: %d %d", euid, egid); =20 + /* Get the uid. This should exist. */ + pwd =3D getpwnam(user); + if (pwd =3D=3D NULL) { + retval =3D PAM_USER_UNKNOWN; + goto cleanup3; + } + + PAM_LOG("Done getpwnam()"); + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_UID); + if (retstr !=3D NULL) { + if ((minuid =3D (uid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) { + if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) { + PAM_LOG("Error in minimum_uid: %s", + strerror(errno)); + return (PAM_SERVICE_ERR); + } + } else if (minuid > UID_MAX) { + PAM_LOG("Error in minimum_uid: invalid UID"); + return (PAM_SERVICE_ERR); + } + } + + retstr =3D openpam_get_option(pamh, PAM_OPT_MINIMUM_GID); + if (retstr !=3D NULL) { + if ((mingid =3D (gid_t)strtoul(retstr, NULL, 10)) =3D=3D 0) { + if (errno =3D=3D ERANGE || errno =3D=3D EINVAL) { + PAM_LOG("Error in minimum_gid: %s", + strerror(errno)); + return (PAM_SERVICE_ERR); + } + } else if (mingid > GID_MAX) { + PAM_LOG("Error in minimum_gid: invalid GID"); + return (PAM_SERVICE_ERR); + } + } + + if (pwd->pw_uid < minuid || pwd->pw_gid < mingid) + return (PAM_IGNORE); + + PAM_LOG("Checked uid and gid bounds"); + /* Retrieve the temporary cache */ retval =3D pam_get_data(pamh, "ccache", &cache_data); if (retval !=3D PAM_SUCCESS) { @@ -405,15 +488,6 @@ goto cleanup3; } =20 - /* Get the uid. This should exist. */ - pwd =3D getpwnam(user); - if (pwd =3D=3D NULL) { - retval =3D PAM_USER_UNKNOWN; - goto cleanup3; - } - - PAM_LOG("Done getpwnam()"); - /* Avoid following a symlink as root */ if (setegid(pwd->pw_gid)) { retval =3D PAM_SERVICE_ERR; --24zk1gE8NUlDmwG9-- --uXxzq0nDebZQVNAZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFFUoHzkmhdCGs4epoRApMEAKCo1bX8UqcweNhenc1t2jxA4ZFDrgCdGJob IUGGkJvv+trpCeT0q8beSys= =y5km -----END PGP SIGNATURE----- --uXxzq0nDebZQVNAZ--
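Review bot: The new minimum_uid/minimum_gid checks in pam_sm_setcred exit with bare `return (PAM_SERVICE_ERR)` and `return (PAM_IGNORE)`, while the `getpwnam` block moved into the same hunk a few lines above reports its failure with `retval = PAM_USER_UNKNOWN; goto cleanup3;` — so whatever `cleanup3` releases is skipped on these five new exit paths (the label and the function head are outside this hunk, but a cleanup label this late in the function almost certainly frees krb5 state). Make them consistent with the surrounding error handling: `retval = PAM_SERVICE_ERR; goto cleanup3;` for the parse failures and `retval = PAM_IGNORE; goto cleanup3;` for the below-minimum case. The parsing block is also a verbatim copy of the one in pam_sm_authenticate and inherits the same defects (`errno` not reset before `strtoul`, the `ERANGE` branch unreachable because `strtoul` returns `ULONG_MAX` rather than 0 on overflow, range check performed only after the narrowing cast, no `endptr` check), so a shared static helper would fix both call sites at once.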