Date: Fri, 12 Apr 2002 11:28:16 -0700 (PDT) From: Dag-Erling Smorgrav <des@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 9624 for review Message-ID: <200204121828.g3CISGm52424@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=9624 Change 9624 by des@des.at.des.thinksec.com on 2002/04/12 11:27:47 Move the policy-loading code into a separate file. Sponsored by: DARPA, NAI Labs Affected files ... ... //depot/projects/openpam/lib/Makefile#14 edit ... //depot/projects/openpam/lib/openpam_configure.c#1 add ... //depot/projects/openpam/lib/openpam_impl.h#13 edit ... //depot/projects/openpam/lib/pam_start.c#13 edit Differences ... ==== //depot/projects/openpam/lib/Makefile#14 (text+ko) ==== @@ -31,7 +31,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $P4: //depot/projects/openpam/lib/Makefile#13 $ +# $P4: //depot/projects/openpam/lib/Makefile#14 $ # LIB = pam @@ -45,6 +45,7 @@ SRCS = SRCS += openpam_borrow_cred.c +SRCS += openpam_configure.c SRCS += openpam_dispatch.c SRCS += openpam_dynamic.c SRCS += openpam_findenv.c ==== //depot/projects/openpam/lib/openpam_impl.h#13 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/openpam_impl.h#12 $ + * $P4: //depot/projects/openpam/lib/openpam_impl.h#13 $ */ #ifndef _OPENPAM_IMPL_H_INCLUDED @@ -105,6 +105,7 @@ #define PAM_OTHER "other" +int openpam_configure(pam_handle_t *, const char *); int openpam_dispatch(pam_handle_t *, int, int); int openpam_findenv(pam_handle_t *, const char *, size_t); int openpam_add_module(pam_handle_t *, int, int, ==== //depot/projects/openpam/lib/pam_start.c#13 (text+ko) ==== 
@@ -31,21 +31,15 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_start.c#12 $
+ * $P4: //depot/projects/openpam/lib/pam_start.c#13 $
  */
 
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <security/pam_appl.h>
 
 #include "openpam_impl.h"
 
-static int _pam_configure_service(pam_handle_t *pamh, const char *service);
-
 /*
  * XSSO 4.2.1
  * XSSO 6 page 89
@@ -71,9 +65,9 @@
 	if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS)
 		goto fail;
 
-	if ((r = _pam_configure_service(ph, service)) != PAM_SUCCESS &&
-	    r != PAM_BUF_ERR)
-		r = _pam_configure_service(ph, PAM_OTHER);
+	r = openpam_configure(ph, service);
+	if (r != PAM_SUCCESS && r != PAM_BUF_ERR)
+		r = openpam_configure(ph, PAM_OTHER);
 	if (r != PAM_SUCCESS)
 		goto fail;
 
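Review bot: The fallback at `if (r != PAM_SUCCESS && r != PAM_BUF_ERR)` retries with the "other" policy on every failure except allocation, so any error openpam_configure() reports for a policy that exists but could not be used is silently replaced by the catch-all "other" policy instead of failing closed; in the code this commit removes, both "no policy path matched" and an openpam_add_module() failure reached this same branch. openpam_configure() lives in openpam_configure.c, which this change adds but does not show here, so whether it distinguishes "no policy found" from "policy present but broken" cannot be confirmed from the hunk; if it does, narrow the condition to the not-found code. In any case the fallback should be visible to an operator, e.g. `if (r != PAM_SUCCESS && r != PAM_BUF_ERR) {` / `openpam_log(PAM_LOG_NOTICE, "no usable policy for '%s', trying '%s'", service, PAM_OTHER);` / `r = openpam_configure(ph, PAM_OTHER);` plus the closing brace, so a service unexpectedly running under "other" shows up in the log. pam_start() itself begins and ends outside this hunk.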
@@ -86,217 +80,12 @@ return (r); } -#define PAM_CONF_STYLE 0 -#define PAM_D_STYLE 1 -#define MAX_LINE_LEN 1024 -#define MAX_OPTIONS 256 - -static int -_pam_read_policy_file(pam_handle_t *pamh, - const char *service, - const char *filename, - int style) -{ - char buf[MAX_LINE_LEN], *p, *q; - const char *optv[MAX_OPTIONS + 1]; - int ch, chain, flag, line, optc, n, r; - size_t len; - FILE *f; - - n = 0; - - if ((f = fopen(filename, "r")) == NULL) { - openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE, - "%s: %m", filename); - return (0); - } - openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s", - service, filename); - - for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) { - if ((len = strlen(buf)) == 0) - continue; - - /* check for overflow */ - if (buf[--len] != '\n' && !feof(f)) { - openpam_log(PAM_LOG_ERROR, "%s: line %d too long", - filename, line); - openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", - filename, line); - while ((ch = fgetc(f)) != EOF) - if (ch == '\n') - break; - continue; - } - - /* strip comments and trailing whitespace */ - if ((p = strchr(buf, '#')) != NULL) - len = p - buf ? 
p - buf - 1 : p - buf; - while (len > 0 && isspace(buf[len - 1])) - --len; - if (len == 0) - continue; - buf[len] = '\0'; - p = q = buf; - - /* check service name */ - if (style == PAM_CONF_STYLE) { - for (q = p = buf; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (*q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, service) != 0) - continue; - openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'", - filename, line, service); - } - - - /* get module type */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p || *q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, "auth") == 0) { - chain = PAM_AUTH; - } else if (strcmp(p, "account") == 0) { - chain = PAM_ACCOUNT; - } else if (strcmp(p, "session") == 0) { - chain = PAM_SESSION; - } else if (strcmp(p, "password") == 0) { - chain = PAM_PASSWORD; - } else { - openpam_log(PAM_LOG_ERROR, - "%s: invalid module type on line %d: '%s'", - filename, line, p); - continue; - } - - /* get control flag */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p || *q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, "required") == 0) { - flag = PAM_REQUIRED; - } else if (strcmp(p, "requisite") == 0) { - flag = PAM_REQUISITE; - } else if (strcmp(p, "sufficient") == 0) { - flag = PAM_SUFFICIENT; - } else if (strcmp(p, "optional") == 0) { - flag = PAM_OPTIONAL; - } else { - openpam_log(PAM_LOG_ERROR, - "%s: invalid control flag on line %d: '%s'", - filename, line, p); - continue; - } - - /* get module name */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p) - goto syntax_error; - - /* get options */ - for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) { - *q++ = '\0'; - while (isspace(*q)) - ++q; - optv[optc] = q; - while (*q != '\0' && !isspace(*q)) - ++q; - } - 
optv[optc] = NULL; - if (*q != '\0') { - *q = '\0'; - openpam_log(PAM_LOG_ERROR, - "%s: too many options on line %d", - filename, line); - } - - /* - * Finally, add the module at the end of the - * appropriate chain and bump the counter. - */ - r = openpam_add_module(pamh, chain, flag, p, optc, optv); - if (r != PAM_SUCCESS) - return (-r); - ++n; - continue; - syntax_error: - openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d", - filename, line); - openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]", - filename, line, q); - openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", - filename, line); - } - - if (ferror(f)) - openpam_log(PAM_LOG_ERROR, "%s: %m", filename); - - fclose(f); - return (n); -} - -static const char *_pam_policy_path[] = { - "/etc/pam.d/", - "/etc/pam.conf", - "/usr/local/etc/pam.d/", - NULL -}; - -static int -_pam_configure_service(pam_handle_t *pamh, - const char *service) -{ - const char **path; - char *filename; - size_t len; - int r; - - for (path = _pam_policy_path; *path != NULL; ++path) { - len = strlen(*path); - if ((*path)[len - 1] == '/') { - filename = malloc(len + strlen(service) + 1); - if (filename == NULL) { - openpam_log(PAM_LOG_ERROR, "malloc(): %m"); - return (PAM_BUF_ERR); - } - strcpy(filename, *path); - strcat(filename, service); - r = _pam_read_policy_file(pamh, - service, filename, PAM_D_STYLE); - free(filename); - } else { - r = _pam_read_policy_file(pamh, - service, *path, PAM_CONF_STYLE); - } - if (r < 0) - return (-r); - if (r > 0) - return (PAM_SUCCESS); - } - - return (PAM_SYSTEM_ERR); -} - /* * Error codes: * + * =openpam_configure * =pam_set_item * !PAM_SYMBOL_ERR - * PAM_SYSTEM_ERR * PAM_BUF_ERR */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
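Review bot: The rewritten error-code comment at the end of the hunk replaces the explicit `PAM_SYSTEM_ERR` entry with `=openpam_configure`, deferring to a function defined in openpam_configure.c, which this change adds but does not include in the diff shown, so a reader of pam_start.c can no longer see from this file that a missing policy surfaces as PAM_SYSTEM_ERR — the code the removed _pam_configure_service() returned when no policy path matched. If openpam_configure() keeps that contract, I would keep ` * PAM_SYSTEM_ERR` listed next to the `=openpam_configure` reference with a short note such as `/* PAM_SYSTEM_ERR: no policy found for the service or for "other" */`, since that is the code an application sees for a misconfigured service. The rest of the hunk is the relocation of the policy parser and is history here.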