|
Packit |
3a1417 |
/*
|
|
Packit Service |
3d6aa7 |
* Copyright (c) 1999,2007,2019 Andrew G. Morgan <morgan@kernel.org>
|
|
Packit |
3a1417 |
*
|
|
Packit Service |
3d6aa7 |
* The purpose of this module is to enforce inheritable, bounding and
|
|
Packit Service |
3d6aa7 |
* ambient capability sets for a specified user.
|
|
Packit |
3a1417 |
*/
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
/* #define DEBUG */
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
#include <errno.h>
|
|
Packit Service |
3d6aa7 |
#include <grp.h>
|
|
Packit Service |
3d6aa7 |
#include <limits.h>
|
|
Packit Service |
3d6aa7 |
#include <pwd.h>
|
|
Packit |
3a1417 |
#include <stdarg.h>
|
|
Packit |
3a1417 |
#include <stdlib.h>
|
|
Packit Service |
3d6aa7 |
#include <stdio.h>
|
|
Packit Service |
3d6aa7 |
#include <string.h>
|
|
Packit |
3a1417 |
#include <syslog.h>
|
|
Packit |
3a1417 |
#include <sys/capability.h>
|
|
Packit Service |
3d6aa7 |
#include <sys/types.h>
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
#include <security/pam_modules.h>
|
|
Packit |
3a1417 |
#include <security/_pam_macros.h>
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
#define USER_CAP_FILE "/etc/security/capability.conf"
|
|
Packit |
3a1417 |
#define CAP_FILE_BUFFER_SIZE 4096
|
|
Packit |
3a1417 |
#define CAP_FILE_DELIMITERS " \t\n"
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
struct pam_cap_s {
|
|
Packit |
3a1417 |
int debug;
|
|
Packit |
3a1417 |
const char *user;
|
|
Packit |
3a1417 |
const char *conf_filename;
|
|
Packit |
3a1417 |
};
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* load_groups obtains the list all of the groups associated with the
|
|
Packit Service |
3d6aa7 |
* requested user: gid & supplemental groups.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit Service |
3d6aa7 |
static int load_groups(const char *user, char ***groups, int *groups_n) {
|
|
Packit Service |
3d6aa7 |
struct passwd *pwd;
|
|
Packit Service |
3d6aa7 |
gid_t grps[NGROUPS_MAX];
|
|
Packit Service |
3d6aa7 |
int ngrps = NGROUPS_MAX;
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
*groups = NULL;
|
|
Packit Service |
3d6aa7 |
*groups_n = 0;
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
pwd = getpwnam(user);
|
|
Packit Service |
3d6aa7 |
if (pwd == NULL) {
|
|
Packit Service |
3d6aa7 |
return -1;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
/* must include at least pwd->pw_gid, hence < 1 test. */
|
|
Packit Service |
3d6aa7 |
if (getgrouplist(user, pwd->pw_gid, grps, &ngrps) < 1) {
|
|
Packit Service |
3d6aa7 |
return -1;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
*groups = calloc(ngrps, sizeof(char *));
|
|
Packit Service |
3d6aa7 |
int g_n = 0;
|
|
Packit Service |
3d6aa7 |
for (int i = 0; i < ngrps; i++) {
|
|
Packit Service |
3d6aa7 |
const struct group *g = getgrgid(grps[i]);
|
|
Packit Service |
3d6aa7 |
if (g == NULL) {
|
|
Packit Service |
3d6aa7 |
continue;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
D(("noting [%s] is a member of [%s]", user, g->gr_name));
|
|
Packit Service |
3d6aa7 |
(*groups)[g_n++] = strdup(g->gr_name);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
*groups_n = g_n;
|
|
Packit Service |
3d6aa7 |
return 0;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit |
3a1417 |
/* obtain the inheritable capabilities for the current user */
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
static char *read_capabilities_for_user(const char *user, const char *source)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
char *cap_string = NULL;
|
|
Packit |
3a1417 |
char buffer[CAP_FILE_BUFFER_SIZE], *line;
|
|
Packit Service |
3d6aa7 |
char **groups;
|
|
Packit Service |
3d6aa7 |
int groups_n;
|
|
Packit |
3a1417 |
FILE *cap_file;
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (load_groups(user, &groups, &groups_n)) {
|
|
Packit Service |
3d6aa7 |
D(("unknown user [%s]", user));
|
|
Packit Service |
3d6aa7 |
return NULL;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit |
3a1417 |
cap_file = fopen(source, "r");
|
|
Packit |
3a1417 |
if (cap_file == NULL) {
|
|
Packit |
3a1417 |
D(("failed to open capability file"));
|
|
Packit Service |
3d6aa7 |
goto defer;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
int found_one = 0;
|
|
Packit Service |
3d6aa7 |
while (!found_one &&
|
|
Packit Service |
3d6aa7 |
(line = fgets(buffer, CAP_FILE_BUFFER_SIZE, cap_file))) {
|
|
Packit |
3a1417 |
const char *cap_text;
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
char *next = NULL;
|
|
Packit Service |
3d6aa7 |
cap_text = strtok_r(line, CAP_FILE_DELIMITERS, &next;;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
if (cap_text == NULL) {
|
|
Packit |
3a1417 |
D(("empty line"));
|
|
Packit |
3a1417 |
continue;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
if (*cap_text == '#') {
|
|
Packit |
3a1417 |
D(("comment line"));
|
|
Packit |
3a1417 |
continue;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* Explore whether any of the ids are a match for the current
|
|
Packit Service |
3d6aa7 |
* user.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit Service |
3d6aa7 |
while ((line = strtok_r(next, CAP_FILE_DELIMITERS, &next))) {
|
|
Packit |
3a1417 |
if (strcmp("*", line) == 0) {
|
|
Packit |
3a1417 |
D(("wildcard matched"));
|
|
Packit |
3a1417 |
found_one = 1;
|
|
Packit |
3a1417 |
break;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
if (strcmp(user, line) == 0) {
|
|
Packit |
3a1417 |
D(("exact match for user"));
|
|
Packit |
3a1417 |
found_one = 1;
|
|
Packit |
3a1417 |
break;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (line[0] != '@') {
|
|
Packit Service |
3d6aa7 |
D(("user [%s] is not [%s] - skipping", user, line));
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
for (int i=0; i < groups_n; i++) {
|
|
Packit Service |
3d6aa7 |
if (!strcmp(groups[i], line+1)) {
|
|
Packit Service |
3d6aa7 |
D(("user group matched [%s]", line));
|
|
Packit Service |
3d6aa7 |
found_one = 1;
|
|
Packit Service |
3d6aa7 |
break;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (found_one) {
|
|
Packit Service |
3d6aa7 |
break;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
4c1496 |
|
|
Packit |
3a1417 |
if (found_one) {
|
|
Packit Service |
3d6aa7 |
cap_string = strdup(cap_text);
|
|
Packit |
3a1417 |
D(("user [%s] matched - caps are [%s]", user, cap_string));
|
|
Packit |
3a1417 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
cap_text = NULL;
|
|
Packit Service |
3d6aa7 |
line = NULL;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
fclose(cap_file);
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
defer:
|
|
Packit |
3a1417 |
memset(buffer, 0, CAP_FILE_BUFFER_SIZE);
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
for (int i = 0; i < groups_n; i++) {
|
|
Packit Service |
3d6aa7 |
char *g = groups[i];
|
|
Packit Service |
3d6aa7 |
_pam_overwrite(g);
|
|
Packit Service |
3d6aa7 |
_pam_drop(g);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (groups != NULL) {
|
|
Packit Service |
3d6aa7 |
memset(groups, 0, groups_n * sizeof(char *));
|
|
Packit Service |
3d6aa7 |
_pam_drop(groups);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit |
3a1417 |
return cap_string;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
/*
|
|
Packit |
3a1417 |
* Set capabilities for current process to match the current
|
|
Packit |
3a1417 |
* permitted+executable sets combined with the configured inheritable
|
|
Packit |
3a1417 |
* set.
|
|
Packit |
3a1417 |
*/
|
|
Packit |
3a1417 |
static int set_capabilities(struct pam_cap_s *cs)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
cap_t cap_s;
|
|
Packit Service |
3d6aa7 |
char *conf_caps;
|
|
Packit |
3a1417 |
int ok = 0;
|
|
Packit Service |
3d6aa7 |
int has_ambient = 0, has_bound = 0;
|
|
Packit Service |
3d6aa7 |
int *bound = NULL, *ambient = NULL;
|
|
Packit Service |
3d6aa7 |
cap_flag_value_t had_setpcap = 0;
|
|
Packit Service |
3d6aa7 |
cap_value_t max_caps = 0;
|
|
Packit Service |
3d6aa7 |
const cap_value_t wanted_caps[] = { CAP_SETPCAP };
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
cap_s = cap_get_proc();
|
|
Packit |
3a1417 |
if (cap_s == NULL) {
|
|
Packit |
3a1417 |
D(("your kernel is capability challenged - upgrade: %s",
|
|
Packit |
3a1417 |
strerror(errno)));
|
|
Packit |
3a1417 |
return 0;
|
|
Packit |
3a1417 |
}
|
|
Packit Service |
3d6aa7 |
if (cap_get_flag(cap_s, CAP_SETPCAP, CAP_EFFECTIVE, &had_setpcap)) {
|
|
Packit Service |
3d6aa7 |
D(("failed to read a e capability: %s", strerror(errno)));
|
|
Packit Service |
3d6aa7 |
goto cleanup_cap_s;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (cap_set_flag(cap_s, CAP_EFFECTIVE, 1, wanted_caps, CAP_SET) != 0) {
|
|
Packit Service |
3d6aa7 |
D(("unable to raise CAP_SETPCAP: %s", strerrno(errno)));
|
|
Packit Service |
3d6aa7 |
goto cleanup_cap_s;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
conf_caps = read_capabilities_for_user(cs->user,
|
|
Packit Service |
3d6aa7 |
cs->conf_filename
|
|
Packit Service |
3d6aa7 |
? cs->conf_filename:USER_CAP_FILE );
|
|
Packit Service |
3d6aa7 |
if (conf_caps == NULL) {
|
|
Packit |
3a1417 |
D(("no capabilities found for user [%s]", cs->user));
|
|
Packit |
3a1417 |
goto cleanup_cap_s;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
ssize_t conf_caps_length = strlen(conf_caps);
|
|
Packit Service |
3d6aa7 |
if (!strcmp(conf_caps, "all")) {
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* all here is interpreted as no change/pass through, which is
|
|
Packit Service |
3d6aa7 |
* likely to be the same as none for sensible system defaults.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit Service |
3d6aa7 |
ok = 1;
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (cap_set_proc(cap_s) != 0) {
|
|
Packit Service |
3d6aa7 |
D(("unable to use CAP_SETPCAP: %s", strerrno(errno)));
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (cap_reset_ambient() == 0) {
|
|
Packit Service |
3d6aa7 |
// Ambient set fully declared by this config.
|
|
Packit Service |
3d6aa7 |
has_ambient = 1;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (!strcmp(conf_caps, "none")) {
|
|
Packit Service |
3d6aa7 |
/* clearing CAP_INHERITABLE will also clear the ambient caps. */
|
|
Packit Service |
3d6aa7 |
cap_clear_flag(cap_s, CAP_INHERITABLE);
|
|
Packit |
3a1417 |
} else {
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* we know we have to perform some capability operations and
|
|
Packit Service |
3d6aa7 |
* we need to know how many capabilities there are to do it
|
|
Packit Service |
3d6aa7 |
* successfully.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit Service |
3d6aa7 |
while (cap_get_bound(max_caps) >= 0) {
|
|
Packit Service |
3d6aa7 |
max_caps++;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
has_bound = (max_caps != 0);
|
|
Packit Service |
3d6aa7 |
if (has_bound) {
|
|
Packit Service |
3d6aa7 |
bound = calloc(max_caps, sizeof(int));
|
|
Packit Service |
3d6aa7 |
if (has_ambient) {
|
|
Packit Service |
3d6aa7 |
// In kernel lineage, bound came first.
|
|
Packit Service |
3d6aa7 |
ambient = calloc(max_caps, sizeof(int));
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* Scan the configured capability string for:
|
|
Packit Service |
3d6aa7 |
*
|
|
Packit Service |
3d6aa7 |
* cap_name: add to cap_s' inheritable vector
|
|
Packit Service |
3d6aa7 |
* ^cap_name: add to cap_s' inheritable vector and ambient set
|
|
Packit Service |
3d6aa7 |
* !cap_name: drop from bounding set
|
|
Packit Service |
3d6aa7 |
*
|
|
Packit Service |
3d6aa7 |
* Setting ambient capabilities requires that we first enable
|
|
Packit Service |
3d6aa7 |
* the corresponding inheritable capability to set them. So,
|
|
Packit Service |
3d6aa7 |
* there is an order we use: parse the config line, building
|
|
Packit Service |
3d6aa7 |
* the inheritable, ambient and bounding sets in three separate
|
|
Packit Service |
3d6aa7 |
* arrays. Then, set I set A set B. Finally, at the end, we
|
|
Packit Service |
3d6aa7 |
* restore the E value for CAP_SETPCAP.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit Service |
3d6aa7 |
char *token = NULL;
|
|
Packit Service |
3d6aa7 |
char *next = conf_caps;
|
|
Packit Service |
3d6aa7 |
while ((token = strtok_r(next, ",", &next))) {
|
|
Packit Service |
3d6aa7 |
if (strlen(token) < 4) {
|
|
Packit Service |
3d6aa7 |
D(("bogus cap: [%s] - ignored\n", token));
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
int is_a = 0, is_b = 0;
|
|
Packit Service |
3d6aa7 |
if (*token == '^') {
|
|
Packit Service |
3d6aa7 |
if (!has_ambient) {
|
|
Packit Service |
3d6aa7 |
D(("want ambient [%s] but kernel has no support", token));
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
is_a = 1;
|
|
Packit Service |
3d6aa7 |
token++;
|
|
Packit Service |
3d6aa7 |
} else if (*token == '!') {
|
|
Packit Service |
3d6aa7 |
if (!has_bound) {
|
|
Packit Service |
3d6aa7 |
D(("want bound [%s] dropped - no kernel support", token));
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
is_b = 1;
|
|
Packit Service |
3d6aa7 |
token++;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
|
|
Packit Service |
3d6aa7 |
cap_value_t c;
|
|
Packit Service |
3d6aa7 |
if (cap_from_name(token, &c) != 0) {
|
|
Packit Service |
3d6aa7 |
D(("unrecognized name [%s]: %s - ignored", token,
|
|
Packit Service |
3d6aa7 |
strerror(errno)));
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (is_b) {
|
|
Packit Service |
3d6aa7 |
bound[c] = 1;
|
|
Packit Service |
3d6aa7 |
} else {
|
|
Packit Service |
3d6aa7 |
if (cap_set_flag(cap_s, CAP_INHERITABLE, 1, &c, CAP_SET)) {
|
|
Packit Service |
3d6aa7 |
D(("failed to raise inheritable [%s]: %s", token,
|
|
Packit Service |
3d6aa7 |
strerror(errno)));
|
|
Packit Service |
3d6aa7 |
goto cleanup_caps;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (is_a) {
|
|
Packit Service |
3d6aa7 |
ambient[c] = 1;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
#ifdef DEBUG
|
|
Packit Service |
3d6aa7 |
{
|
|
Packit Service |
3d6aa7 |
char *temp = cap_to_text(cap_s, NULL);
|
|
Packit Service |
3d6aa7 |
D(("abbreviated caps for process will be [%s]", temp));
|
|
Packit Service |
3d6aa7 |
cap_free(temp);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
4c1496 |
#endif /* DEBUG */
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (cap_set_proc(cap_s)) {
|
|
Packit Service |
4c1496 |
D(("failed to set specified capabilities: %s", strerror(errno)));
|
|
Packit Service |
3d6aa7 |
} else {
|
|
Packit Service |
3d6aa7 |
for (cap_value_t c = 0; c < max_caps; c++) {
|
|
Packit Service |
3d6aa7 |
if (ambient != NULL && ambient[c]) {
|
|
Packit Service |
3d6aa7 |
cap_set_ambient(c, CAP_SET);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (bound != NULL && bound[c]) {
|
|
Packit Service |
3d6aa7 |
cap_drop_bound(c);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
ok = 1;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
cleanup_caps:
|
|
Packit Service |
3d6aa7 |
if (has_ambient) {
|
|
Packit Service |
3d6aa7 |
memset(ambient, 0, max_caps * sizeof(*ambient));
|
|
Packit Service |
3d6aa7 |
_pam_drop(ambient);
|
|
Packit Service |
3d6aa7 |
ambient = NULL;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
if (has_bound) {
|
|
Packit Service |
3d6aa7 |
memset(bound, 0, max_caps * sizeof(*bound));
|
|
Packit Service |
3d6aa7 |
_pam_drop(bound);
|
|
Packit Service |
3d6aa7 |
bound = NULL;
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
memset(conf_caps, 0, conf_caps_length);
|
|
Packit Service |
3d6aa7 |
_pam_drop(conf_caps);
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
cleanup_cap_s:
|
|
Packit Service |
3d6aa7 |
if (!had_setpcap) {
|
|
Packit Service |
3d6aa7 |
/* Only need to lower if it wasn't raised by caller */
|
|
Packit Service |
3d6aa7 |
if (!cap_set_flag(cap_s, CAP_EFFECTIVE, 1, wanted_caps,
|
|
Packit Service |
3d6aa7 |
CAP_CLEAR)) {
|
|
Packit Service |
3d6aa7 |
cap_set_proc(cap_s);
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit Service |
3d6aa7 |
}
|
|
Packit |
3a1417 |
if (cap_s) {
|
|
Packit |
3a1417 |
cap_free(cap_s);
|
|
Packit |
3a1417 |
cap_s = NULL;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
return ok;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
/* log errors */
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
static void _pam_log(int err, const char *format, ...)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
va_list args;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
va_start(args, format);
|
|
Packit |
3a1417 |
openlog("pam_cap", LOG_CONS|LOG_PID, LOG_AUTH);
|
|
Packit |
3a1417 |
vsyslog(err, format, args);
|
|
Packit |
3a1417 |
va_end(args);
|
|
Packit |
3a1417 |
closelog();
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
static void parse_args(int argc, const char **argv, struct pam_cap_s *pcs)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
/* step through arguments */
|
|
Packit Service |
3d6aa7 |
for (; argc-- > 0; ++argv) {
|
|
Packit |
3a1417 |
if (!strcmp(*argv, "debug")) {
|
|
Packit |
3a1417 |
pcs->debug = 1;
|
|
Packit |
3a1417 |
} else if (!memcmp(*argv, "config=", 7)) {
|
|
Packit |
3a1417 |
pcs->conf_filename = 7 + *argv;
|
|
Packit |
3a1417 |
} else {
|
|
Packit |
3a1417 |
_pam_log(LOG_ERR, "unknown option; %s", *argv);
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* pam_sm_authenticate parses the config file with respect to the user
|
|
Packit Service |
3d6aa7 |
* being authenticated and determines if they are covered by any
|
|
Packit Service |
3d6aa7 |
* capability inheritance rules.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit |
3a1417 |
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|
Packit |
3a1417 |
int argc, const char **argv)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
int retval;
|
|
Packit |
3a1417 |
struct pam_cap_s pcs;
|
|
Packit Service |
3d6aa7 |
char *conf_caps;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
parse_args(argc, argv, &pcs;;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
retval = pam_get_user(pamh, &pcs.user, NULL);
|
|
Packit |
3a1417 |
if (retval == PAM_CONV_AGAIN) {
|
|
Packit |
3a1417 |
D(("user conversation is not available yet"));
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
return PAM_INCOMPLETE;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
if (retval != PAM_SUCCESS) {
|
|
Packit |
3a1417 |
D(("pam_get_user failed: %s", pam_strerror(pamh, retval)));
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
return PAM_AUTH_ERR;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
conf_caps = read_capabilities_for_user(pcs.user,
|
|
Packit Service |
3d6aa7 |
pcs.conf_filename
|
|
Packit Service |
3d6aa7 |
? pcs.conf_filename:USER_CAP_FILE );
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
if (conf_caps) {
|
|
Packit |
3a1417 |
D(("it appears that there are capabilities for this user [%s]",
|
|
Packit Service |
3d6aa7 |
conf_caps));
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
/* We could also store this as a pam_[gs]et_data item for use
|
|
Packit |
3a1417 |
by the setcred call to follow. As it is, there is a small
|
|
Packit |
3a1417 |
race associated with a redundant read. Oh well, if you
|
|
Packit |
3a1417 |
care, send me a patch.. */
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
_pam_overwrite(conf_caps);
|
|
Packit Service |
3d6aa7 |
_pam_drop(conf_caps);
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
return PAM_SUCCESS;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
} else {
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
D(("there are no capabilities restrctions on this user"));
|
|
Packit |
3a1417 |
return PAM_IGNORE;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit Service |
3d6aa7 |
/*
|
|
Packit Service |
3d6aa7 |
* pam_sm_setcred applies inheritable capabilities loaded by the
|
|
Packit Service |
3d6aa7 |
* pam_sm_authenticate pass for the user.
|
|
Packit Service |
3d6aa7 |
*/
|
|
Packit |
3a1417 |
int pam_sm_setcred(pam_handle_t *pamh, int flags,
|
|
Packit |
3a1417 |
int argc, const char **argv)
|
|
Packit |
3a1417 |
{
|
|
Packit |
3a1417 |
int retval;
|
|
Packit |
3a1417 |
struct pam_cap_s pcs;
|
|
Packit |
3a1417 |
|
|
Packit Service |
f468b2 |
if (!(flags & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
|
|
Packit |
3a1417 |
D(("we don't handle much in the way of credentials"));
|
|
Packit |
3a1417 |
return PAM_IGNORE;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
parse_args(argc, argv, &pcs;;
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
retval = pam_get_item(pamh, PAM_USER, (const void **)&pcs.user);
|
|
Packit |
3a1417 |
if ((retval != PAM_SUCCESS) || (pcs.user == NULL) || !(pcs.user[0])) {
|
|
Packit |
3a1417 |
D(("user's name is not set"));
|
|
Packit |
3a1417 |
return PAM_AUTH_ERR;
|
|
Packit |
3a1417 |
}
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
retval = set_capabilities(&pcs;;
|
|
Packit |
3a1417 |
memset(&pcs, 0, sizeof(pcs));
|
|
Packit |
3a1417 |
|
|
Packit |
3a1417 |
return (retval ? PAM_SUCCESS:PAM_IGNORE );
|
|
Packit |
3a1417 |
}
|