CoCalc -- pam.c

GitHub Repository: sudo-project/sudo
Path: blob/main/plugins/sudoers/auth/pam.c
¹⁵³² views
1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 1999-2005, 2007-2020 Todd C. Miller <[email protected]>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 *
18
 * Sponsored in part by the Defense Advanced Research Projects
19
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
20
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
21
 */
22

23
#include <config.h>
24

25
#ifdef HAVE_PAM
26

27
#include <sys/types.h>
28
#include <stdio.h>
29
#include <stdlib.h>
30
#include <string.h>
31
#include <unistd.h>
32
#include <pwd.h>
33
#include <errno.h>
34

35
#ifdef HAVE_PAM_PAM_APPL_H
36
# include <pam/pam_appl.h>
37
#else
38
# include <security/pam_appl.h>
39
#endif
40

41
#ifdef __hpux
42
# include <nl_types.h>
43
#endif
44

45
#ifdef HAVE_LIBINTL_H
46
# if defined(__LINUX_PAM__)
47
#  define PAM_TEXT_DOMAIN	"Linux-PAM"
48
# elif defined(__sun__)
49
#  define PAM_TEXT_DOMAIN	"SUNW_OST_SYSOSPAM"
50
# endif
51
#endif
52

53
/* We don't want to translate the strings in the calls to dgt(). */
54
#ifdef PAM_TEXT_DOMAIN
55
# define dgt(d, t)	dgettext(d, t)
56
#endif
57

58
#include <sudoers.h>
59
#include "sudo_auth.h"
60

61
/* Only OpenPAM and Linux PAM use const qualifiers. */
62
#ifdef PAM_SUN_CODEBASE
63
# define PAM_CONST
64
#else
65
# define PAM_CONST	const
66
#endif
67

68
/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
69
#ifdef PAM_SUN_CODEBASE
70
# define PAM_MSG_GET(msg, n) (*(msg) + (n))
71
#else
72
# define PAM_MSG_GET(msg, n) ((msg)[(n)])
73
#endif
74

75
#ifndef PAM_DATA_SILENT
76
#define PAM_DATA_SILENT	0
77
#endif
78

79
struct sudo_pam_closure {
80
    const struct sudoers_context *ctx;
81
    struct sudo_conv_callback *callback;
82
};
83

84
struct conv_filter {
85
    char *msg;
86
    size_t msglen;
87
};
88

89
static int converse(int, PAM_CONST struct pam_message **,
90
		    struct pam_response **, void *);
91
static struct sudo_pam_closure pam_closure;
92
static struct pam_conv pam_conv = { converse, &pam_closure };
93
static const char *def_prompt = PASSPROMPT;
94
static bool getpass_error;
95
static bool noninteractive;
96
static pam_handle_t *pamh;
97
static struct conv_filter *conv_filter;
98

99
static void
100
conv_filter_init(const struct sudoers_context *ctx)
101
{
102
    debug_decl(conv_filter_init, SUDOERS_DEBUG_AUTH);
103

104
#ifdef __hpux
105
    /*
106
     * HP-UX displays last login information as part of either account
107
     * management (in trusted mode) or session management (regular mode).
108
     * Filter those out in the conversation function unless running a shell.
109
     */
110
    if (!ISSET(ctx->mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
111
	int i, nfilt = 0, maxfilters = 0;
112
	struct conv_filter *newfilt;
113
	nl_catd catd;
114
	char *msg;
115

116
	/*
117
	 * Messages from PAM account management when trusted mode is enabled:
118
	 *  1 Last   successful login for %s: %s
119
	 *  2 Last   successful login for %s: %s on %s
120
	 *  3 Last unsuccessful login for %s: %s
121
	 *  4 Last unsuccessful login for %s: %s on %s
122
	 */
123
	if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
124
	    maxfilters += 4;
125
	    newfilt = reallocarray(conv_filter, maxfilters + 1,
126
		sizeof(*conv_filter));
127
	    if (newfilt != NULL) {
128
		conv_filter = newfilt;
129
		for (i = 1; i < 5; i++) {
130
		    if ((msg = catgets(catd, 1, i, NULL)) == NULL)
131
			break;
132
		    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
133
			"adding \"%s\" to conversation filter", msg);
134
		    if ((conv_filter[nfilt].msg = strdup(msg)) == NULL)
135
			break;
136
		    conv_filter[nfilt].msglen = strcspn(msg, "%");
137
		    nfilt++;
138
		}
139
	    }
140
	}
141
	/*
142
	 * Messages from PAM session management when trusted mode is disabled:
143
	 *  3 Last successful login:       %s %s %s %s
144
	 *  4 Last authentication failure: %s %s %s %s
145
	 */
146
	if ((catd = catopen("pam_hpsec", NL_CAT_LOCALE)) != -1) {
147
	    maxfilters += 2;
148
	    newfilt = reallocarray(conv_filter, maxfilters + 1,
149
		sizeof(*conv_filter));
150
	    if (newfilt != NULL) {
151
		conv_filter = newfilt;
152
		for (i = 3; i < 5; i++) {
153
		    if ((msg = catgets(catd, 1, i, NULL)) == NULL)
154
			break;
155
		    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
156
			"adding \"%s\" to conversation filter", msg);
157
		    if ((conv_filter[nfilt].msg = strdup(msg)) == NULL)
158
			break;
159
		    conv_filter[nfilt].msglen = strcspn(msg, "%");
160
		    nfilt++;
161
		}
162
	    }
163
	}
164
	if (conv_filter != NULL) {
165
	    conv_filter[nfilt].msg = NULL;
166
	    conv_filter[nfilt].msglen = 0;
167
	}
168
    }
169
#endif /* __hpux */
170
    debug_return;
171
}
172

173
/*
174
 * Like pam_strerror() but never returns NULL and uses strerror(errno)
175
 * for PAM_SYSTEM_ERR.
176
 */
177
static const char *
178
sudo_pam_strerror(pam_handle_t *handle, int errnum)
179
{
180
    const char *errstr;
181
    static char errbuf[32];
182

183
    if (errnum == PAM_SYSTEM_ERR)
184
	return strerror(errno);
185
    if ((errstr = pam_strerror(handle, errnum)) == NULL)
186
	(void)snprintf(errbuf, sizeof(errbuf), "PAM error %d", errnum);
187
    return errstr;
188
}
189

190
static int
191
sudo_pam_init2(const struct sudoers_context *ctx, struct passwd *pw,
192
    sudo_auth *auth, bool quiet)
193
{
194
    static int pam_status = PAM_SUCCESS;
195
    const char *ttypath = ctx->user.ttypath;
196
    const char *errstr, *pam_service;
197
    int rc;
198
    debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH);
199

200
    /* Stash pointer to last pam status. */
201
    auth->data = &pam_status;
202

203
    if (pamh != NULL) {
204
	/* Already initialized (may happen with AIX or with sub-commands). */
205
	debug_return_int(AUTH_SUCCESS);
206
    }
207

208
    /* Stash value of noninteractive flag for conversation function. */
209
    noninteractive = IS_NONINTERACTIVE(auth);
210

211
    /* Store context in closure so converse() has access to it. */
212
    pam_closure.ctx = ctx;
213

214
    /* Initialize PAM. */
215
    if (ISSET(ctx->mode, MODE_ASKPASS) && def_pam_askpass_service != NULL) {
216
	pam_service = def_pam_askpass_service;
217
    } else {
218
	pam_service = ISSET(ctx->mode, MODE_LOGIN_SHELL) ?
219
	    def_pam_login_service : def_pam_service;
220
    }
221
    pam_status = pam_start(pam_service, pw->pw_name, &pam_conv, &pamh);
222
    if (pam_status != PAM_SUCCESS) {
223
	errstr = sudo_pam_strerror(NULL, pam_status);
224
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
225
	    "pam_start(%s, %s, %p, %p): %s", pam_service, pw->pw_name,
226
	    &pam_conv, &pamh, errstr);
227
	if (!quiet)
228
	    log_warningx(ctx, 0, N_("unable to initialize PAM: %s"), errstr);
229
	debug_return_int(AUTH_ERROR);
230
    }
231

232
    /* Initialize conversation function message filter. */
233
    conv_filter_init(ctx);
234

235
    /*
236
     * Set PAM_RUSER to the invoking user (the "from" user).
237
     * Solaris 7 and below require PAM_RHOST to be set if PAM_RUSER is.
238
     * Note: PAM_RHOST may cause a DNS lookup on Linux in libaudit.
239
     */
240
    if (def_pam_ruser) {
241
	rc = pam_set_item(pamh, PAM_RUSER, ctx->user.name);
242
	if (rc != PAM_SUCCESS) {
243
	    errstr = sudo_pam_strerror(pamh, rc);
244
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
245
		"pam_set_item(pamh, PAM_RUSER, %s): %s", ctx->user.name, errstr);
246
	}
247
    }
248
    if (def_pam_rhost) {
249
	rc = pam_set_item(pamh, PAM_RHOST, ctx->user.host);
250
	if (rc != PAM_SUCCESS) {
251
	    errstr = sudo_pam_strerror(pamh, rc);
252
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
253
		"pam_set_item(pamh, PAM_RHOST, %s): %s", ctx->user.host, errstr);
254
	}
255
    }
256
    if (ttypath != NULL) {
257
	rc = pam_set_item(pamh, PAM_TTY, ttypath);
258
	if (rc != PAM_SUCCESS) {
259
	    errstr = sudo_pam_strerror(pamh, rc);
260
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
261
		"pam_set_item(pamh, PAM_TTY, %s): %s", ttypath, errstr);
262
	}
263
    }
264

265
    /*
266
     * If PAM session and setcred support is disabled we don't
267
     * need to keep a sudo process around to close the session.
268
     */
269
    if (!def_pam_session && !def_pam_setcred)
270
	auth->end_session = NULL;
271

272
    debug_return_int(AUTH_SUCCESS);
273
}
274

275
int
276
sudo_pam_init(const struct sudoers_context *ctx, struct passwd *pw,
277
    sudo_auth *auth)
278
{
279
    return sudo_pam_init2(ctx, pw, auth, false);
280
}
281

282
#ifdef _AIX
283
int
284
sudo_pam_init_quiet(const struct sudoers_context *ctx, struct passwd *pw,
285
    sudo_auth *auth)
286
{
287
    return sudo_pam_init2(ctx, pw, auth, true);
288
}
289
#endif /* _AIX */
290

291
int
292
sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw,
293
    const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
294
{
295
    const char *envccname, *pam_user;
296
    int rc, *pam_status = (int *)auth->data;
297
    debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH);
298

299
    def_prompt = prompt;		/* for converse */
300
    getpass_error = false;		/* set by converse if user presses ^C */
301
    pam_closure.callback = callback;	/* passed to conversation function */
302

303
    /*
304
     * Set KRB5CCNAME from the user environment if not set to propagate this
305
     * information to PAM modules that may use it to authentication.
306
     */
307
    envccname = sudo_getenv("KRB5CCNAME");
308
    if (envccname == NULL && ctx->user.ccname != NULL) {
309
	if (sudo_setenv("KRB5CCNAME", ctx->user.ccname, true) != 0) {
310
	    sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
311
		"unable to set KRB5CCNAME");
312
	    debug_return_int(AUTH_FAILURE);
313
	}
314
    }
315

316
    /* PAM_SILENT prevents the authentication service from generating output. */
317
    *pam_status = pam_authenticate(pamh, def_pam_silent ? PAM_SILENT : 0);
318

319
    /* Restore def_prompt, the passed-in prompt may be freed later. */
320
    def_prompt = PASSPROMPT;
321

322
    /* Restore KRB5CCNAME to its original value. */
323
    if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
324
	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
325
	    "unable to restore KRB5CCNAME");
326
	debug_return_int(AUTH_FAILURE);
327
    }
328

329
    if (getpass_error) {
330
	/* error or ^C from tgetpass() or running non-interactive */
331
	debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_INTR);
332
    }
333

334
    switch (*pam_status) {
335
    case PAM_SUCCESS:
336
	/* Verify user did not change during PAM transaction. */
337
	rc = pam_get_item(pamh, PAM_USER, (PAM_CONST void **)&pam_user);
338
	if (rc == PAM_SUCCESS &&
339
		(pam_user == NULL || strcmp(pam_user, pw->pw_name) != 0)) {
340
	    sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
341
		"unable to authenticate '%s' as user '%s'",
342
		pw->pw_name, pam_user);
343
	    debug_return_int(AUTH_FAILURE);
344
	}
345
	debug_return_int(AUTH_SUCCESS);
346
    case PAM_AUTH_ERR:
347
    case PAM_AUTHINFO_UNAVAIL:
348
    case PAM_MAXTRIES:
349
    case PAM_PERM_DENIED:
350
	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
351
	    "pam_authenticate: %d", *pam_status);
352
	debug_return_int(AUTH_FAILURE);
353
    default:
354
	log_warningx(ctx, 0, N_("PAM authentication error: %s"),
355
	    sudo_pam_strerror(pamh, *pam_status));
356
	debug_return_int(AUTH_ERROR);
357
    }
358
}
359

360
int
361
sudo_pam_approval(const struct sudoers_context *ctx, struct passwd *pw,
362
    sudo_auth *auth, bool exempt)
363
{
364
    const char *s;
365
    int rc, status = AUTH_SUCCESS;
366
    int *pam_status = (int *) auth->data;
367
    debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH);
368

369
    if (def_pam_acct_mgmt) {
370
	rc = pam_acct_mgmt(pamh, PAM_SILENT);
371
	switch (rc) {
372
	case PAM_SUCCESS:
373
	    break;
374
	case PAM_AUTH_ERR:
375
	    log_warningx(ctx, 0, N_("account validation failure, "
376
		"is your account locked?"));
377
	    status = AUTH_ERROR;
378
	    break;
379
	case PAM_NEW_AUTHTOK_REQD:
380
	    /* Ignore if user is exempt from password restrictions. */
381
	    if (exempt) {
382
		rc = *pam_status;
383
		break;
384
	    }
385
	    /* New password required, try to change it. */
386
	    log_warningx(ctx, 0, N_("Account or password is "
387
		"expired, reset your password and try again"));
388
	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
389
	    if (rc == PAM_SUCCESS)
390
		break;
391
	    s = pam_strerror(pamh, rc);
392
	    log_warningx(ctx, 0,
393
		N_("unable to change expired password: %s"), s);
394
	    status = AUTH_FAILURE;
395
	    break;
396
	case PAM_AUTHTOK_EXPIRED:
397
	    /* Ignore if user is exempt from password restrictions. */
398
	    if (exempt) {
399
		rc = *pam_status;
400
		break;
401
	    }
402
	    /* Password expired, cannot be updated by user. */
403
	    log_warningx(ctx, 0,
404
		N_("Password expired, contact your system administrator"));
405
	    status = AUTH_ERROR;
406
	    break;
407
	case PAM_ACCT_EXPIRED:
408
	    log_warningx(ctx, 0,
409
		N_("Account expired or PAM config lacks an \"account\" "
410
		"section for sudo, contact your system administrator"));
411
	    status = AUTH_ERROR;
412
	    break;
413
	case PAM_AUTHINFO_UNAVAIL:
414
	case PAM_MAXTRIES:
415
	case PAM_PERM_DENIED:
416
	    s = sudo_pam_strerror(pamh, rc);
417
	    log_warningx(ctx, 0, N_("PAM account management error: %s"), s);
418
	    status = AUTH_FAILURE;
419
	    break;
420
	default:
421
	    s = sudo_pam_strerror(pamh, rc);
422
	    log_warningx(ctx, 0, N_("PAM account management error: %s"), s);
423
	    status = AUTH_ERROR;
424
	    break;
425
	}
426
	*pam_status = rc;
427
    }
428
    debug_return_int(status);
429
}
430

431
int
432
sudo_pam_cleanup(const struct sudoers_context *ctx, struct passwd *pw,
433
    sudo_auth *auth, bool force)
434
{
435
    int *pam_status = (int *) auth->data;
436
    debug_decl(sudo_pam_cleanup, SUDOERS_DEBUG_AUTH);
437

438
    /* If successful, we can't close the session until sudo_pam_end_session() */
439
    if (force || *pam_status != PAM_SUCCESS || auth->end_session == NULL) {
440
	*pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
441
	pamh = NULL;
442
    }
443
    debug_return_int(*pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
444
}
445

446
int
447
sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
448
    char **user_envp[], sudo_auth *auth)
449
{
450
    int rc, status = AUTH_SUCCESS;
451
    int *pam_status = (int *) auth->data;
452
    const char *errstr;
453
    debug_decl(sudo_pam_begin_session, SUDOERS_DEBUG_AUTH);
454

455
    /*
456
     * If there is no valid user we cannot open a PAM session.
457
     * This is not an error as sudo can run commands with arbitrary
458
     * uids, it just means we are done from a session management standpoint.
459
     */
460
    if (pw == NULL) {
461
	if (pamh != NULL) {
462
	    rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
463
	    if (rc != PAM_SUCCESS) {
464
		errstr = sudo_pam_strerror(pamh, rc);
465
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
466
		    "pam_end: %s", errstr);
467
	    }
468
	    pamh = NULL;
469
	}
470
	goto done;
471
    }
472

473
    /*
474
     * Update PAM_USER to reference the user we are running the command
475
     * as, as opposed to the user we authenticated as.
476
     */
477
    rc = pam_set_item(pamh, PAM_USER, pw->pw_name);
478
    if (rc != PAM_SUCCESS) {
479
	errstr = sudo_pam_strerror(pamh, rc);
480
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
481
	    "pam_set_item(pamh, PAM_USER, %s): %s", pw->pw_name, errstr);
482
    }
483

484
    /*
485
     * Reinitialize credentials when changing the user.
486
     * We don't worry about a failure from pam_setcred() since with
487
     * stacked PAM auth modules a failure from one module may override
488
     * PAM_SUCCESS from another.  For example, given a non-local user,
489
     * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
490
     * pam_unix is first in the stack, pam_setcred() will fail.
491
     */
492
    if (def_pam_setcred) {
493
	rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
494
	if (rc != PAM_SUCCESS) {
495
	    errstr = sudo_pam_strerror(pamh, rc);
496
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
497
		"pam_setcred: %s", errstr);
498
	    def_pam_setcred = false;
499
	}
500
    }
501

502
    if (def_pam_session) {
503
	/*
504
	 * We use PAM_SILENT to prevent pam_lastlog from printing last login
505
	 * information except when explicitly running a shell.
506
	 */
507
	const bool silent = !ISSET(ctx->mode, MODE_SHELL|MODE_LOGIN_SHELL);
508
	rc = pam_open_session(pamh, silent ? PAM_SILENT : 0);
509
	switch (rc) {
510
	case PAM_SUCCESS:
511
	    break;
512
	case PAM_SESSION_ERR:
513
	    /* Treat PAM_SESSION_ERR as a non-fatal error. */
514
	    errstr = sudo_pam_strerror(pamh, rc);
515
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
516
		"pam_open_session: %s", errstr);
517
	    /* Avoid closing session that was not opened. */
518
	    def_pam_session = false;
519
	    break;
520
	default:
521
	    /* Unexpected session failure, treat as fatal error. */
522
	    *pam_status = rc;
523
	    errstr = sudo_pam_strerror(pamh, rc);
524
	    log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
525
	    rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
526
	    if (rc != PAM_SUCCESS) {
527
		errstr = sudo_pam_strerror(pamh, rc);
528
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
529
		    "pam_end: %s", errstr);
530
	    }
531
	    pamh = NULL;
532
	    status = AUTH_ERROR;
533
	    goto done;
534
	}
535
    }
536

537
#ifdef HAVE_PAM_GETENVLIST
538
    /*
539
     * Update environment based on what is stored in pamh.
540
     * If no authentication is done we will only have environment
541
     * variables if pam_env is called via session.
542
     */
543
    if (user_envp != NULL) {
544
	char **pam_envp = pam_getenvlist(pamh);
545
	if (pam_envp != NULL) {
546
	    /* Merge pam env with user env. */
547
	    if (!env_init(*user_envp) || !env_merge(ctx, pam_envp))
548
		status = AUTH_ERROR;
549
	    *user_envp = env_get();
550
	    free(pam_envp);
551
	    /* XXX - we leak any duplicates that were in pam_envp */
552
	}
553
    }
554
#endif /* HAVE_PAM_GETENVLIST */
555

556
done:
557
    debug_return_int(status);
558
}
559

560
int
561
sudo_pam_end_session(sudo_auth *auth)
562
{
563
    int rc, status = AUTH_SUCCESS;
564
    const char *errstr;
565
    debug_decl(sudo_pam_end_session, SUDOERS_DEBUG_AUTH);
566

567
    if (pamh != NULL) {
568
	if (def_pam_session) {
569
	    rc = pam_close_session(pamh, PAM_SILENT);
570
	    if (rc != PAM_SUCCESS) {
571
		errstr = sudo_pam_strerror(pamh, rc);
572
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
573
		    "pam_close_session: %s", errstr);
574
	    }
575
	}
576
	if (def_pam_setcred) {
577
	    rc = pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
578
	    if (rc != PAM_SUCCESS) {
579
		errstr = sudo_pam_strerror(pamh, rc);
580
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
581
		    "pam_setcred: %s", errstr);
582
	    }
583
	}
584
	rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
585
	if (rc != PAM_SUCCESS) {
586
	    errstr = sudo_pam_strerror(pamh, rc);
587
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
588
		"pam_end: %s", errstr);
589
	    status = AUTH_ERROR;
590
	}
591
	pamh = NULL;
592
    }
593

594
    debug_return_int(status);
595
}
596

597
#define PROMPT_IS_PASSWORD(_p) \
598
    (strncmp((_p), "Password:", 9) == 0 && \
599
	((_p)[9] == '\0' || ((_p)[9] == ' ' && (_p)[10] == '\0')))
600

601
#ifdef PAM_TEXT_DOMAIN
602
# define PAM_PROMPT_IS_PASSWORD(_p) \
603
    (strcmp((_p), dgt(PAM_TEXT_DOMAIN, "Password:")) == 0 || \
604
	strcmp((_p), dgt(PAM_TEXT_DOMAIN, "Password: ")) == 0 || \
605
	PROMPT_IS_PASSWORD(_p))
606
#else
607
# define PAM_PROMPT_IS_PASSWORD(_p)	PROMPT_IS_PASSWORD(_p)
608
#endif /* PAM_TEXT_DOMAIN */
609

610
/*
611
 * We use the PAM prompt in preference to sudo's as long
612
 * as passprompt_override is not set and:
613
 *  a) the (translated) sudo prompt matches /^Password: ?/
614
 * or:
615
 *  b) the PAM prompt itself *doesn't* match /^Password: ?/
616
 *     or /^username's Password: ?/
617
 *
618
 * The intent is to use the PAM prompt for things like
619
 * challenge-response, otherwise use sudo's prompt.
620
 * There may also be cases where a localized translation
621
 * of "Password: " exists for PAM but not for sudo.
622
 */
623
static bool
624
use_pam_prompt(const char *pam_prompt)
625
{
626
    size_t user_len;
627
    debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH);
628

629
    /* Always use sudo prompt if passprompt_override is set. */
630
    if (def_passprompt_override)
631
	debug_return_bool(false);
632

633
    /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
634
    if (PROMPT_IS_PASSWORD(def_prompt))
635
	debug_return_bool(true);
636

637
    /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
638
    if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
639
	debug_return_bool(false);
640

641
    /*
642
     * Some PAM modules use "^username's Password: ?$" instead of
643
     * "^Password: ?" so check for that too.
644
     */
645
    if (pam_closure.ctx != NULL) {
646
	const char *user_name = pam_closure.ctx->user.name;
647
	user_len = strlen(user_name);
648
	if (strncmp(pam_prompt, user_name, user_len) == 0) {
649
	    const char *cp = pam_prompt + user_len;
650
	    if (strncmp(cp, "'s Password:", 12) == 0 &&
651
		(cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
652
		debug_return_bool(false);
653
	}
654
    }
655

656
    /* Otherwise, use the PAM prompt. */
657
    debug_return_bool(true);
658
}
659

660
static bool
661
is_filtered(const char *msg)
662
{
663
    bool filtered = false;
664

665
    if (conv_filter != NULL) {
666
	struct conv_filter *filt = conv_filter;
667
	while (filt->msg != NULL) {
668
	    if (strncmp(msg, filt->msg, filt->msglen) == 0) {
669
		filtered = true;
670
		break;
671
	    }
672
	    filt++;
673
	}
674
    }
675
    return filtered;
676
}
677

678
/*
679
 * ``Conversation function'' for PAM <-> human interaction.
680
 */
681
static int
682
converse(int num_msg, PAM_CONST struct pam_message **msg,
683
    struct pam_response **reply_out, void *appdata_ptr)
684
{
685
    struct sudo_conv_callback *callback = NULL;
686
    struct sudo_pam_closure *closure = appdata_ptr;
687
    struct pam_response *reply;
688
    const char *prompt;
689
    char *pass;
690
    int n, type;
691
    debug_decl(converse, SUDOERS_DEBUG_AUTH);
692

693
    if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) {
694
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
695
	    "invalid number of PAM messages: %d", num_msg);
696
	debug_return_int(PAM_CONV_ERR);
697
    }
698
    sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
699
	"number of PAM messages: %d", num_msg);
700

701
    reply = calloc((size_t)num_msg, sizeof(struct pam_response));
702
    if (reply == NULL) {
703
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
704
	debug_return_int(PAM_BUF_ERR);
705
    }
706

707
    if (closure != NULL)
708
	callback = closure->callback;
709

710
    for (n = 0; n < num_msg; n++) {
711
	PAM_CONST struct pam_message *pm = PAM_MSG_GET(msg, n);
712

713
	type = SUDO_CONV_PROMPT_ECHO_OFF;
714
	switch (pm->msg_style) {
715
	case PAM_PROMPT_ECHO_ON:
716
	    type = SUDO_CONV_PROMPT_ECHO_ON;
717
	    FALLTHROUGH;
718
	case PAM_PROMPT_ECHO_OFF:
719
	    /* Error out if the last password read was interrupted. */
720
	    if (getpass_error)
721
		goto bad;
722

723
	    /* Treat non-interactive mode as a getpass error. */
724
	    if (noninteractive) {
725
		getpass_error = true;
726
		goto bad;
727
	    }
728

729
	    /* Choose either the sudo prompt or the PAM one. */
730
	    prompt = use_pam_prompt(pm->msg) ? pm->msg : def_prompt;
731

732
	    /* Read the password unless interrupted. */
733
	    pass = auth_getpass(prompt, type, callback);
734
	    if (pass == NULL) {
735
		/* Error (or ^C) reading password, don't try again. */
736
		getpass_error = true;
737
		goto bad;
738
	    }
739
	    if (strlen(pass) >= PAM_MAX_RESP_SIZE) {
740
		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
741
		    "password longer than %d", PAM_MAX_RESP_SIZE);
742
		freezero(pass, strlen(pass));
743
		pass = NULL;
744
		goto bad;
745
	    }
746
	    reply[n].resp = pass;	/* auth_getpass() malloc's a copy */
747
	    break;
748
	case PAM_TEXT_INFO:
749
	    if (pm->msg != NULL && !is_filtered(pm->msg))
750
		sudo_printf(SUDO_CONV_INFO_MSG|SUDO_CONV_PREFER_TTY,
751
		    "%s\n", pm->msg);
752
	    break;
753
	case PAM_ERROR_MSG:
754
	    if (pm->msg != NULL)
755
		sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
756
		    "%s\n", pm->msg);
757
	    break;
758
	default:
759
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
760
		"unsupported message style: %d", pm->msg_style);
761
	    goto bad;
762
	}
763
    }
764

765
    *reply_out = reply;
766
    debug_return_int(PAM_SUCCESS);
767

768
bad:
769
    /* Zero and free allocated memory and return an error. */
770
    for (n = 0; n < num_msg; n++) {
771
	struct pam_response *pr = &reply[n];
772

773
	if (pr->resp != NULL) {
774
	    freezero(pr->resp, strlen(pr->resp));
775
	    pr->resp = NULL;
776
	}
777
    }
778
    free(reply);
779
    debug_return_int(PAM_CONV_ERR);
780
}
781

782
#endif /* HAVE_PAM */
783

784
Product

Resources

Company
