From owner-svn-src-all@freebsd.org Sun Jun 30 14:46:17 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1820115D7B4A; Sun, 30 Jun 2019 14:46:17 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B17D288D0B; Sun, 30 Jun 2019 14:46:16 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 890C926F23; Sun, 30 Jun 2019 14:46:16 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x5UEkGrU031659; Sun, 30 Jun 2019 14:46:16 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x5UEkG7Z031657; Sun, 30 Jun 2019 14:46:16 GMT (envelope-from des@FreeBSD.org) Message-Id: <201906301446.x5UEkG7Z031657@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org using -f From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Date: Sun, 30 Jun 2019 14:46:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r349556 - head/lib/libpam/modules/pam_exec X-SVN-Group: head X-SVN-Commit-Author: des X-SVN-Commit-Paths: head/lib/libpam/modules/pam_exec X-SVN-Commit-Revision: 349556 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: B17D288D0B X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.97)[-0.969,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Jun 2019 14:46:17 -0000 Author: des Date: Sun Jun 30 14:46:15 2019 New Revision: 349556 URL: https://svnweb.freebsd.org/changeset/base/349556 Log: Changes to the expose_password functionality: - Implement use_first_pass, allowing expose_password to be used by other service functions than pam_auth() without prompting a second time. - Don't prompt for a password during pam_setcred(). PR: 238041 MFC after: 3 weeks Modified: head/lib/libpam/modules/pam_exec/pam_exec.8 head/lib/libpam/modules/pam_exec/pam_exec.c Modified: head/lib/libpam/modules/pam_exec/pam_exec.8 ============================================================================== --- head/lib/libpam/modules/pam_exec/pam_exec.8 Sun Jun 30 14:04:30 2019 (r349555) +++ head/lib/libpam/modules/pam_exec/pam_exec.8 Sun Jun 30 14:46:15 2019 (r349556) @@ -1,5 +1,5 @@ .\" Copyright (c) 2001,2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2017 Dag-Erling Smørgrav +.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav .\" Copyright (c) 2018 Thomas Munro .\" All rights reserved. .\" @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 14, 2018 +.Dd May 24, 2019 .Dt PAM_EXEC 8 .Os .Sh NAME @@ -76,6 +76,13 @@ It must be a valid return value for this function. .It Cm expose_authtok Write the authentication token to the program's standard input stream, followed by a NUL character. +Ignored for +.Fn pam_sm_setcred . +.It Cm use_first_pass +If +.Cm expose_authtok +was specified, do not prompt for an authentication token if one is not +already available. .It Cm -- Stop options parsing; program and its arguments follow. Modified: head/lib/libpam/modules/pam_exec/pam_exec.c ============================================================================== --- head/lib/libpam/modules/pam_exec/pam_exec.c Sun Jun 30 14:04:30 2019 (r349555) +++ head/lib/libpam/modules/pam_exec/pam_exec.c Sun Jun 30 14:46:15 2019 (r349556) @@ -2,7 +2,7 @@ * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 2001,2003 Networks Associates Technology, Inc. - * Copyright (c) 2017 Dag-Erling Smørgrav + * Copyright (c) 2017-2019 Dag-Erling Smørgrav * Copyright (c) 2018 Thomas Munro * All rights reserved. * @@ -110,6 +110,7 @@ struct pe_opts { int capture_stdout; int capture_stderr; int expose_authtok; + int use_first_pass; }; static int @@ -139,6 +140,8 @@ parse_options(const char *func, int *argc, const char options->return_prog_exit_status = 1; } else if (strcmp((*argv)[i], "expose_authtok") == 0) { options->expose_authtok = 1; + } else if (strcmp((*argv)[i], "use_first_pass") == 0) { + options->use_first_pass = 1; } else { if (strcmp((*argv)[i], "--") == 0) { (*argc)--; @@ -252,13 +255,20 @@ _pam_exec(pam_handle_t *pamh, openpam_log(PAM_LOG_ERROR, "%s: fcntl(): %m", func); OUT(PAM_SYSTEM_ERR); } - rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL); + if (options->use_first_pass || + strcmp(func, "pam_sm_setcred") == 0) { + /* don't prompt, only expose existing token */ + rc = pam_get_item(pamh, PAM_AUTHTOK, &item); + authtok = item; + } else { + rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL); + } if (rc == PAM_SUCCESS) { - /* We include the trailing NUL-terminator. */ + /* We include the trailing null terminator. */ authtok_size = strlen(authtok) + 1; } else { - openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func, - pam_strerror(pamh, rc)); + openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", + func, pam_strerror(pamh, rc)); OUT(PAM_SYSTEM_ERR); } }