sssd/0046-pam_sss-make-flags-public.patch
Michal Židek c0971b7e39 Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
2018-10-24 14:40:58 +02:00

245 lines
11 KiB
Diff

From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 61/83] pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
src/sss_client/sss_cli.h | 9 ++++++
2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59081cc..b336d1f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,15 +52,6 @@
#include <libintl.h>
#define _(STRING) dgettext (PACKAGE, STRING)
-#define FLAGS_USE_FIRST_PASS (1 << 0)
-#define FLAGS_FORWARD_PASS (1 << 1)
-#define FLAGS_USE_AUTHTOK (1 << 2)
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
-#define FLAGS_USE_2FA (1 << 5)
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
-
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->pam_service_size=strlen(pi->pam_service)+1;
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
pi->pam_user = "";
ret = PAM_SUCCESS;
}
if (ret != PAM_SUCCESS) return ret;
if (pi->pam_user == NULL) {
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
pi->pam_user = "";
} else {
D(("No user found, aborting."));
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
for (; argc-- > 0; ++argv) {
if (strcmp(*argv, "forward_pass") == 0) {
- *flags |= FLAGS_FORWARD_PASS;
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
} else if (strcmp(*argv, "use_first_pass") == 0) {
- *flags |= FLAGS_USE_FIRST_PASS;
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
} else if (strcmp(*argv, "use_authtok") == 0) {
- *flags |= FLAGS_USE_AUTHTOK;
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
logger(pamh, LOG_ERR, "Missing argument to option domains.");
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
} else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else if (strcmp(*argv, "use_2fa") == 0) {
- *flags |= FLAGS_USE_2FA;
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
} else if (strcmp(*argv, "allow_missing_name") == 0) {
- *flags |= FLAGS_ALLOW_MISSING_NAME;
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
- *flags |= FLAGS_PROMPT_ALWAYS;
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
{
int ret;
- if ((flags & FLAGS_USE_FIRST_PASS)
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|| ( pi->pamstack_authtok != NULL
&& *(pi->pamstack_authtok) != '\0'
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_authtok = strdup(pi->pamstack_authtok);
if (pi->pam_authtok == NULL) {
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- if (flags & FLAGS_USE_2FA
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
- if (flags & FLAGS_USE_2FA
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
}
}
- if (flags & FLAGS_USE_AUTHTOK) {
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
if (pi->pam_newauthtok == NULL) {
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, flags, &pi);
if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret)));
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& ret == PAM_AUTHINFO_UNAVAIL) {
ret = PAM_IGNORE;
}
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
case SSS_PAM_AUTHENTICATE:
/*
* Only do preauth if
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
- if ( !(flags & FLAGS_USE_FIRST_PASS)
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
* The means the preauth step has to be done here as well but
* only if
* - PAM_PRELIM_CHECK is set
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
if ( (pam_flags & PAM_PRELIM_CHECK)
- && !(flags & FLAGS_USE_FIRST_PASS)
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
&& pam_status == PAM_USER_UNKNOWN) {
pam_status = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
pam_status = PAM_IGNORE;
}
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
retry = true;
retries--;
- flags &= ~FLAGS_USE_FIRST_PASS;
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 24d28ed..3404715 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -365,6 +365,15 @@ enum pam_item_type {
SSS_PAM_ITEM_REQUESTED_DOMAINS,
};
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
--
2.9.5