author | Jakob Kaivo <jkk@ung.org> | 2021-02-01 13:09:18 -0500 |
---|---|---|
committer | Jakob Kaivo <jkk@ung.org> | 2021-02-01 13:09:18 -0500 |
commit | 56a7bd183c92c4f1b519376ccd6155a24bae970c (patch) | |
tree | 5041a2bea9c8cf5e67e4a20b765722948ce8fcde | |
parent | 7e2116e5b07bd2a065bc9b8f1cbc63f57e41e285 (diff) |
implement basic PAM authentication
-rw-r--r-- | check/Makefile | 7 | ||||
-rw-r--r-- | check/check.c | 7 | ||||
-rw-r--r-- | check/check.h | 7 | ||||
-rw-r--r-- | check/pam.c | 41 |
4 files changed, 53 insertions, 9 deletions
diff --git a/check/Makefile b/check/Makefile
index 67b3f91..5754474 100644
--- a/check/Makefile
+++ b/check/Makefile
@@ -8,7 +8,7 @@ CC=c99
 LD=$(CC)
 CFLAGS=-Wall -Wextra -Wpedantic -Werror -g
 LDFLAGS=
-LDLIBS=
+LDLIBS=-lpam -lpam_misc
 SRCDIR=.
 OBJDIR=.
 BINDIR=$(OBJDIR)
@@ -23,6 +23,11 @@ $(OBJDIR)/parse.o: $(SRCDIR)/check.h
 $(OBJDIR)/parse.o: $(SRCDIR)/parse.c
 	$(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/parse.c
 
+$(BINDIR)/check: $(OBJDIR)/pam.o
+$(OBJDIR)/pam.o: $(SRCDIR)/check.h
+$(OBJDIR)/pam.o: $(SRCDIR)/pam.c
+	$(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/pam.c
+
 $(BINDIR)/check: $(OBJDIR)/check.o
 $(OBJDIR)/check.o: $(SRCDIR)/check.h
 $(OBJDIR)/check.o: $(SRCDIR)/check.c
diff --git a/check/check.c b/check/check.c
index e95637a..32cd9c9 100644
--- a/check/check.c
+++ b/check/check.c
@@ -27,13 +27,6 @@ void fatal(int include_errno, char *fmt, ...)
 	exit(EXIT_FAILURE);
 }
 
-static int authenticate(const char *user)
-{
-	printf("need to authenticate\n");
-	(void)user;
-	return 1;
-}
-
 static char *get_username(void)
 {
 	struct passwd *pwd = getpwuid(getuid());
diff --git a/check/check.h b/check/check.h
index 6f2c9fc..e8dac77 100644
--- a/check/check.h
+++ b/check/check.h
@@ -2,12 +2,17 @@
 #define PRIVEXEC_CHECK_H
 
 #ifndef CONFIG_PATH
-#define CONFIG_PATH "/etc/privexec.conf"
+#define CONFIG_PATH "/etc/privexec.conf"
+#endif
+
+#ifndef PAM_SERVICE_NAME
+#define PAM_SERVICE_NAME "privexec"
 #endif
 
 enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED };
 
 void fatal(int include_errno, char *fmt, ...);
 enum permission get_permission(const char *user, const char *group, const char *cmd);
+int authenticate(const char *user);
 
 #endif
diff --git a/check/pam.c b/check/pam.c
new file mode 100644
index 0000000..00e9998
--- /dev/null
+++ b/check/pam.c
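Review bot: `LDLIBS=-lpam -lpam_misc` ties the build to Linux-PAM: libpam_misc and the `misc_conv` it provides (which the new pam.c uses, together with `<security/pam_misc.h>`) do not exist on OpenPAM systems (the BSDs, macOS), where the equivalent tty conversation is `openpam_ttyconv` inside libpam itself. If portability beyond Linux-PAM matters, a small conversation function of the project's own (the commented-out pam_conv_f sketch in pam.c looks like the start of one) would remove the extra library; otherwise the constraint should at least be stated next to the variable, e.g. `# Linux-PAM only: misc_conv lives in libpam_misc (OpenPAM has openpam_ttyconv in libpam)`.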
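Review bot: `int authenticate(const char *user);` enters the public header with no statement of its contract, and the contract is easy to misread: the pam.c implementation returns 0 on success and 1 on failure, the inverse of what a bare int named "authenticate" suggests, and the stub it replaces returned 1 unconditionally, so callers presumably treat non-zero as denial. That is worth pinning where callers look, e.g. `/* Prompt for and verify the caller's credentials via PAM; returns 0 on success, non-zero on any failure. */` above the prototype. `PAM_SERVICE_NAME` would likewise benefit from a one-liner saying it is the PAM service name (typically the /etc/pam.d/<name> policy file) that a build may override, rather than leaving the reader to find pam_start in pam.c.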
@@ -0,0 +1,41 @@
+#include <stdio.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+#include "check.h"
+
+/*
+static int pam_conv_f(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+	(void)num_msg;
+	(void)msg;
+	printf("msg: %s\n", (*msg)->msg);
+	(void)resp;
+	printf("resp: %s\n", (*resp)->resp);
+	(void)appdata_ptr;
+	return 0;
+}
+*/
+
+int authenticate(const char *user)
+{
+	int ret = 1;
+	pam_handle_t *pamh = NULL;
+	struct pam_conv conv = {
+		.conv = misc_conv,
+	};
+
+	if (pam_start(PAM_SERVICE_NAME, user, &conv, &pamh) != PAM_SUCCESS) {
+		fatal(0, "PAM error");
+		return 1;
+	}
+
+	if (pam_authenticate(pamh, 0) == PAM_SUCCESS) {
+		ret = 0;
+	}
+
+	pam_end(pamh, 0);
+
+	return ret;
+}
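Review bot: A correct password is the only thing this checks — when `pam_authenticate(pamh, 0)` succeeds the code goes straight to `pam_end`, with no `pam_acct_mgmt`, so a locked or expired account, or one barred by pam_access/pam_time/pam_nologin, still authenticates, which matters if this gates privileged execution as the privexec naming suggests. `pam_end(pamh, 0)` also reports a hard-coded success instead of the real outcome, so modules cannot clean up according to what happened, and passing flags of 0 to pam_authenticate accepts an empty password where su/sudo pass `PAM_DISALLOW_NULL_AUTHTOK` for privilege changes. The `return 1;` after `fatal(0, "PAM error")` is dead, since the check.c hunk shows fatal() ends in exit(EXIT_FAILURE), and the commented-out pam_conv_f block (which would read `(*resp)->resp` before any response exists) should be deleted rather than kept. The rewrite below chains acct_mgmt after a successful authenticate, hands the real status to pam_end, and keeps the 0-on-success return contract; treating PAM_NEW_AUTHTOK_REQD as a denial is the conservative choice until a pam_chauthtok flow exists.
```c
/* … unchanged: includes (drop the commented-out pam_conv_f sketch) … */

int authenticate(const char *user)
{
	pam_handle_t *pamh = NULL;
	struct pam_conv conv = {
		.conv = misc_conv,
	};
	int rc = pam_start(PAM_SERVICE_NAME, user, &conv, &pamh);

	if (rc != PAM_SUCCESS) {
		fatal(0, "PAM error");	/* fatal() exits; nothing to return */
	}

	/* refuse empty passwords outright, as su/sudo do for privilege changes */
	rc = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK);

	/* a good password is not enough: the account may be locked, expired or
	 * barred by pam_access/pam_time/pam_nologin; only acct_mgmt checks that.
	 * PAM_NEW_AUTHTOK_REQD is treated as a denial until a chauthtok flow exists. */
	if (rc == PAM_SUCCESS) {
		rc = pam_acct_mgmt(pamh, 0);
	}

	/* hand the real outcome to pam_end so modules clean up accordingly */
	pam_end(pamh, rc);

	return rc == PAM_SUCCESS ? 0 : 1;
}
```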