authorJakob Kaivo <jkk@ung.org>2021-02-01 13:09:18 -0500
committerJakob Kaivo <jkk@ung.org>2021-02-01 13:09:18 -0500
commit56a7bd183c92c4f1b519376ccd6155a24bae970c (patch)
tree5041a2bea9c8cf5e67e4a20b765722948ce8fcde /check
parent7e2116e5b07bd2a065bc9b8f1cbc63f57e41e285 (diff)
implement basic PAM authentication
Diffstat (limited to 'check')
-rw-r--r--check/Makefile7
-rw-r--r--check/check.c7
-rw-r--r--check/check.h7
-rw-r--r--check/pam.c41
4 files changed, 53 insertions, 9 deletions
diff --git a/check/Makefile b/check/Makefile
index 67b3f91..5754474 100644
--- a/check/Makefile
+++ b/check/Makefile
@@ -8,7 +8,7 @@ CC=c99
LD=$(CC)
CFLAGS=-Wall -Wextra -Wpedantic -Werror -g
LDFLAGS=
-LDLIBS=
+LDLIBS=-lpam -lpam_misc
SRCDIR=.
OBJDIR=.
BINDIR=$(OBJDIR)
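Review bot: The new `LDLIBS=-lpam -lpam_misc` line ties the build to Linux-PAM: libpam_misc (and the misc_conv conversation function that pam.c in this commit relies on) does not exist on OpenPAM systems such as the BSDs and macOS, so the link will fail there with no hint why. If that is the intended scope, a one-line comment next to it such as `# Linux-PAM only: misc_conv lives in libpam_misc (OpenPAM has no equivalent library)` would save the next porter a search; otherwise the conversation function should be provided by the program itself so only `-lpam` is needed.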
@@ -23,6 +23,11 @@ $(OBJDIR)/parse.o: $(SRCDIR)/check.h
$(OBJDIR)/parse.o: $(SRCDIR)/parse.c
$(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/parse.c
+$(BINDIR)/check: $(OBJDIR)/pam.o
+$(OBJDIR)/pam.o: $(SRCDIR)/check.h
+$(OBJDIR)/pam.o: $(SRCDIR)/pam.c
+ $(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/pam.c
+
$(BINDIR)/check: $(OBJDIR)/check.o
$(OBJDIR)/check.o: $(SRCDIR)/check.h
$(OBJDIR)/check.o: $(SRCDIR)/check.c
diff --git a/check/check.c b/check/check.c
index e95637a..32cd9c9 100644
--- a/check/check.c
+++ b/check/check.c
@@ -27,13 +27,6 @@ void fatal(int include_errno, char *fmt, ...)
exit(EXIT_FAILURE);
}
-static int authenticate(const char *user)
-{
- printf("need to authenticate\n");
- (void)user;
- return 1;
-}
-
static char *get_username(void)
{
struct passwd *pwd = getpwuid(getuid());
diff --git a/check/check.h b/check/check.h
index 6f2c9fc..e8dac77 100644
--- a/check/check.h
+++ b/check/check.h
@@ -2,12 +2,17 @@
#define PRIVEXEC_CHECK_H
#ifndef CONFIG_PATH
-#define CONFIG_PATH "/etc/privexec.conf"
+#define CONFIG_PATH "/etc/privexec.conf"
+#endif
+
+#ifndef PAM_SERVICE_NAME
+#define PAM_SERVICE_NAME "privexec"
#endif
enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED };
void fatal(int include_errno, char *fmt, ...);
enum permission get_permission(const char *user, const char *group, const char *cmd);
+int authenticate(const char *user);
#endif
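Review bot: The new prototype `int authenticate(const char *user);` on the last added line has no documented return convention, and nothing in the header says whether 0 or non-zero means "authenticated"; the implementation in pam.c in this commit returns 0 on success and 1 on failure, which a caller reading it as a boolean would invert. Add a comment above it, for example `/* Authenticate user through PAM; returns 0 on success, non-zero if authentication fails. */`. The `PAM_SERVICE_NAME` default would also benefit from a one-line note that it selects the PAM service configuration consulted by pam_start() and is meant to be overridden at build time.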
diff --git a/check/pam.c b/check/pam.c
new file mode 100644
index 0000000..00e9998
--- /dev/null
+++ b/check/pam.c
@@ -0,0 +1,41 @@
+#include <stdio.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+#include "check.h"
+
+/*
+static int pam_conv_f(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
+{
+ (void)num_msg;
+ (void)msg;
+ printf("msg: %s\n", (*msg)->msg);
+ (void)resp;
+ printf("resp: %s\n", (*resp)->resp);
+ (void)appdata_ptr;
+ return 0;
+}
+*/
+
+int authenticate(const char *user)
+{
+ int ret = 1;
+ pam_handle_t *pamh = NULL;
+ struct pam_conv conv = {
+ .conv = misc_conv,
+ };
+
+ if (pam_start(PAM_SERVICE_NAME, user, &conv, &pamh) != PAM_SUCCESS) {
+ fatal(0, "PAM error");
+ return 1;
+ }
+
+ if (pam_authenticate(pamh, 0) == PAM_SUCCESS) {
+ ret = 0;
+ }
+
+ pam_end(pamh, 0);
+
+ return ret;
+}
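Review bot: A successful pam_authenticate() is treated as full authorization, but pam_acct_mgmt() is never called, so an account that PAM's account modules would reject (expired, locked, or restricted by access rules) still passes; after a successful authenticate, run account management and accept only if that also returns PAM_SUCCESS. The pam_start() failure path discards the reason because fatal() gets a fixed string — pass `pam_strerror(pamh, rc)` (Linux-PAM ignores the handle argument, so this is safe even though pamh is still NULL there) — and since fatal() exits (the check.c hunk shows `exit(EXIT_FAILURE)` at its end) the `return 1;` after it is unreachable. pam_end() should receive the last PAM status rather than 0 so modules can tell whether the transaction succeeded, and pam_authenticate() can be given PAM_DISALLOW_NULL_AUTHTOK so an empty token is refused regardless of per-module configuration. The commented-out pam_conv_f block above authenticate() is dead code (it also dereferences msg and resp right after voiding them) and should be dropped rather than committed.
```c
int authenticate(const char *user)
{
	pam_handle_t *pamh = NULL;
	struct pam_conv conv = {
		.conv = misc_conv,
	};

	int rc = pam_start(PAM_SERVICE_NAME, user, &conv, &pamh);
	if (rc != PAM_SUCCESS) {
		fatal(0, "PAM error: %s", pam_strerror(pamh, rc));
	}

	/* refuse empty authentication tokens even if a module would allow them */
	rc = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK);
	if (rc == PAM_SUCCESS) {
		/* a valid password is not enough: the account itself must be usable */
		rc = pam_acct_mgmt(pamh, 0);
	}

	/* hand the final status to pam_end so modules can clean up accordingly */
	pam_end(pamh, rc);

	return rc == PAM_SUCCESS ? 0 : 1;
}
```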