[OpenAFS-devel] [PATCH]: Some modifications to the pam module

jacobi@de.ibm.com
Fri, 2 Feb 2001 10:33:42 +0100


I have played a little with the afs-pam module lately. At our site we are looking for a sensible domain environment, and an AFS cell may be an option. What I actually aimed at was to provide users with a file server on which they can log on directly to the Kerberos realm of our AFS cell. Nevertheless, a root log-on to the same machine is still to be kept local. So from my point of view it makes sense to set a null password for all users with AFS access in the local /etc/shadow file. Thus, if a user logs in, the pam_unix module will grant access without prompting for a password, but pam_afs should send its password prompt. The pam file (Red Hat) would look like this:

/etc/pam.d/login
auth required  /lib/security/pam_stack.so service=system-auth
auth required  /lib/security/pam_afs.so try_first_pass

This setup will work fine for all users with AFS cell access, but won't grant access for user "root" ... it would, but "root" does not have an AFS password, of course. That is the reason why I included the option "trust_root". The option should tell pam_afs that access shall be granted as soon as the user "root" is concerned. The new file looks like this:

/etc/pam.d/login
auth required  /lib/security/pam_stack.so service=system-auth
auth required  /lib/security/pam_afs.so try_first_pass trust_root

So far the setup works fine, but there was still one shortcoming. When a user is already logged in but she wants to change to root with "su", it is much more difficult to make the distinction between "remote user wants to log in as AFS user" and "remote user wants to log in as root". Maybe I got it wrong, but to me it seemed as if login is running as "root" (uid=0) when it calls the pam module for authentication, whereas "su" is running as the current user id (uid!=0) when it calls pam. The pam_afs module, on the other hand, relies on the current user id (uid=0) of the authenticator to tell the difference between root logins and non-root logins. So I added one more option called "catch_su" that activates one more check (there was no choice but to use strncmp to check the typed-in username to change to). The option also "re-disables" the variable use_first_pass in afs_setcred.c because, in contrast to the login behaviour, the super user shall be prompted for an AFS password when he wants to change from root to user state (in this case su runs as uid=0, which is misinterpreted by the afs module as "change to root" instead of "change from root"). The pam file for su will then look like this:

/etc/pam.d/su
auth required  /lib/security/pam_stack.so service=system-auth
auth required  /lib/security/pam_afs.so try_first_pass trust_root catch_su

I tried some logins back and forth, and so far the setup seems to do what it is supposed to. Anyway, I would like to have the attached patch included into the pam modules. Or does somebody have any doubts? Maybe I left something out (for example a leak) ...


Carsten Jacobi
(See attached file: openafs-1.0.2-pam_trustroot.patch)
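The "is the target user root?" check that catch_su needs, as an added example that is not the patch's code and not part of the original message (the attachment is not reproduced on this page, so how the patch actually compares the name is not visible). The point a reviewer would raise about "using strncmp to check the typed in username": a length-limited compare such as strncmp(name, "root", 4) is a prefix match and also accepts "rooter", while an exact strcmp misses any second uid-0 account such as "toor". Resolving the name to a uid catches both. The demo_passwd table and demo_lookup function are constructed stand-ins for getpwnam() so the code runs without /etc/passwd; the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Caller-supplied name-to-uid lookup so the check runs without /etc/passwd.
 * In a real PAM module this would wrap getpwnam(); the signature is an assumption. */
typedef bool (*uid_lookup_fn)(const char *name, uid_t *uid_out);

/* The shape a length-limited compare invites: strncmp(name, "root", 4).
 * It answers true for any name that merely starts with "root". */
bool is_root_by_prefix(const char *name)
{
    return strncmp(name, "root", 4) == 0;
}

/* Exact compare of the whole name. Safe against "rooter", but blind to
 * any second uid-0 account that is not literally called "root". */
bool is_root_by_name(const char *name)
{
    return strcmp(name, "root") == 0;
}

/* Resolve the name and test the uid: catches every uid-0 account and cannot
 * be fooled by a prefix. An unknown name is treated as "not root". */
bool is_root_by_uid(const char *name, uid_lookup_fn lookup)
{
    uid_t uid;
    return lookup(name, &uid) && uid == 0;
}

/* Constructed stand-in for /etc/passwd (not real data). */
struct demo_entry { const char *name; uid_t uid; };
static const struct demo_entry demo_passwd[] = {
    { "root",   0 },
    { "toor",   0 },     /* second uid-0 account, BSD style */
    { "rooter", 1001 },  /* ordinary user whose name starts with "root" */
    { "alice",  1002 },
};

bool demo_lookup(const char *name, uid_t *uid_out)
{
    for (size_t i = 0; i < sizeof demo_passwd / sizeof demo_passwd[0]; i++) {
        if (strcmp(demo_passwd[i].name, name) == 0) {
            *uid_out = demo_passwd[i].uid;
            return true;
        }
    }
    return false;
}

/* The check catch_su needs: is PAM_USER (the account su is switching to) root? */
bool su_target_is_root(const char *pam_user)
{
    return is_root_by_uid(pam_user, demo_lookup);
}

int main(void)
{
    const char *names[] = { "root", "toor", "rooter", "alice", "nosuch" };
    printf("%-8s %-7s %-6s %-5s\n", "name", "prefix", "exact", "uid");
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s %-7d %-6d %-5d\n", names[i],
               is_root_by_prefix(names[i]), is_root_by_name(names[i]),
               is_root_by_uid(names[i], demo_lookup));
    return 0;
}
```

Running it prints one row per name with the three answers side by side; the "rooter" and "toor" rows are the two cases where the string compares and the uid check disagree. In a module, the lookup would be getpwnam() on PAM_USER, and a failed lookup should deny rather than fall back to the name compare.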
