Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 30 Jun 2019 14:46:16 +0000 (UTC)
From:      =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r349556 - head/lib/libpam/modules/pam_exec
Message-ID:  <201906301446.x5UEkG7Z031657@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: des
Date: Sun Jun 30 14:46:15 2019
New Revision: 349556
URL: https://svnweb.freebsd.org/changeset/base/349556

Log:
  Changes to the expose_password functionality:
  
   - Implement use_first_pass, allowing expose_password to be used by other
     service functions than pam_auth() without prompting a second time.
  
   - Don't prompt for a password during pam_setcred().
  
  PR:		238041
  MFC after:	3 weeks

Modified:
  head/lib/libpam/modules/pam_exec/pam_exec.8
  head/lib/libpam/modules/pam_exec/pam_exec.c

Modified: head/lib/libpam/modules/pam_exec/pam_exec.8
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.8	Sun Jun 30 14:04:30 2019	(r349555)
+++ head/lib/libpam/modules/pam_exec/pam_exec.8	Sun Jun 30 14:46:15 2019	(r349556)
@@ -1,5 +1,5 @@
 .\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
-.\" Copyright (c) 2017 Dag-Erling Smørgrav
+.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav
 .\" Copyright (c) 2018 Thomas Munro
 .\" All rights reserved.
 .\"
@@ -34,7 +34,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 14, 2018
+.Dd May 24, 2019
 .Dt PAM_EXEC 8
 .Os
 .Sh NAME
@@ -76,6 +76,13 @@ It must be a valid return value for this function.
 .It Cm expose_authtok
 Write the authentication token to the program's standard input stream,
 followed by a NUL character.
+Ignored for
+.Fn pam_sm_setcred .
+.It Cm use_first_pass
+If
+.Cm expose_authtok
+was specified, do not prompt for an authentication token if one is not
+already available.
 .It Cm --
 Stop options parsing;
 program and its arguments follow.

Modified: head/lib/libpam/modules/pam_exec/pam_exec.c
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.c	Sun Jun 30 14:04:30 2019	(r349555)
+++ head/lib/libpam/modules/pam_exec/pam_exec.c	Sun Jun 30 14:46:15 2019	(r349556)
@@ -2,7 +2,7 @@
  * SPDX-License-Identifier: BSD-3-Clause
  *
  * Copyright (c) 2001,2003 Networks Associates Technology, Inc.
- * Copyright (c) 2017 Dag-Erling Smørgrav
+ * Copyright (c) 2017-2019 Dag-Erling Smørgrav
  * Copyright (c) 2018 Thomas Munro
  * All rights reserved.
  *
@@ -110,6 +110,7 @@ struct pe_opts {
 	int	capture_stdout;
 	int	capture_stderr;
 	int	expose_authtok;
+	int	use_first_pass;
 };
 
 static int
@@ -139,6 +140,8 @@ parse_options(const char *func, int *argc, const char 
 			options->return_prog_exit_status = 1;
 		} else if (strcmp((*argv)[i], "expose_authtok") == 0) {
 			options->expose_authtok = 1;
+		} else if (strcmp((*argv)[i], "use_first_pass") == 0) {
+			options->use_first_pass = 1;
 		} else {
 			if (strcmp((*argv)[i], "--") == 0) {
 				(*argc)--;
@@ -252,13 +255,20 @@ _pam_exec(pam_handle_t *pamh,
 			openpam_log(PAM_LOG_ERROR, "%s: fcntl(): %m", func);
 			OUT(PAM_SYSTEM_ERR);
 		}
-		rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
+		if (options->use_first_pass ||
+		    strcmp(func, "pam_sm_setcred") == 0) {
+			/* don't prompt, only expose existing token */
+			rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
+			authtok = item;
+		} else {
+			rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
+		}
 		if (rc == PAM_SUCCESS) {
-			/* We include the trailing NUL-terminator. */
+			/* We include the trailing null terminator. */
 			authtok_size = strlen(authtok) + 1;
 		} else {
-			openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func,
-						pam_strerror(pamh, rc));
+			openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s",
+			    func, pam_strerror(pamh, rc));
 			OUT(PAM_SYSTEM_ERR);
 		}
 	}



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201906301446.x5UEkG7Z031657>