4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
25 #include <nss_dbdefs.h>
31 #include <auth_attr.h>
35 #include <user_attr.h>
43 #include <bsm/adt_event.h> /* adt_get_auid() */
45 #include <security/pam_appl.h>
46 #include <security/pam_modules.h>
47 #include <security/pam_impl.h>
49 #define PROJECT "project="
50 #define PROJSZ (sizeof (PROJECT) - 1)
53 * unix_cred - PAM auth modules must contain both pam_sm_authenticate
54 * and pam_sm_setcred. Some other auth module is responsible
55 * for authentication (e.g., pam_unix_auth.so), this module
56 * only implements pam_sm_setcred so that the authentication
57 * can be separated without knowledge of the Solaris Unix style
59 * Solaris Unix style credential setting includes initializing
60 * the audit characteristics if not already initialized and
61 * setting the user's default and limit privileges.
65 * unix_cred - pam_sm_authenticate
72 pam_sm_authenticate(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
78 * Set the privilege set. The attributes are enumerated by _enum_attrs,
79 * including the attribues user_attr, prof_attr and policy.conf
82 getset(char *str
, priv_set_t
**res
)
91 len
= strlen(str
) + 1;
93 (void) memset(badp
, '\0', len
);
96 tmp
= priv_str_to_set(str
, ",", &endp
);
101 /* Now remove the bad privilege endp points to */
102 q
= strchr(endp
, ',');
104 q
= endp
+ strlen(endp
);
107 (void) strlcat(badp
, ",", len
);
108 /* Memset above guarantees NUL termination */
110 (void) strncat(badp
, endp
, q
- endp
);
111 /* excise bad privilege; strtok ignores 2x sep */
112 (void) memmove((void *)endp
, q
, strlen(q
) + 1);
114 } while (tmp
== NULL
&& *str
!= '\0');
117 syslog(LOG_AUTH
|LOG_ERR
,
118 "pam_setcred: can't parse privilege specification: %m\n");
120 } else if (*badp
!= '\0') {
121 syslog(LOG_AUTH
|LOG_DEBUG
,
122 "pam_setcred: unrecognized privilege(s): %s\n", badp
);
128 typedef struct deflim
{
135 finddeflim(const char *name
, kva_t
*kva
, void *ctxt
, void *pres
)
137 deflim_t
*pdef
= pres
;
140 if (pdef
->def
== NULL
) {
141 val
= kva_match(kva
, USERATTR_DFLTPRIV_KW
);
143 pdef
->def
= strdup(val
);
145 if (pdef
->lim
== NULL
) {
146 val
= kva_match(kva
, USERATTR_LIMPRIV_KW
);
148 pdef
->lim
= strdup(val
);
150 return (pdef
->lim
!= NULL
&& pdef
->def
!= NULL
);
154 * unix_cred - pam_sm_setcred
156 * Entry flags = PAM_ESTABLISH_CRED, set up Solaris Unix cred.
157 * PAM_DELETE_CRED, NOP, return PAM_SUCCESS.
158 * PAM_REINITIALIZE_CRED, set up Solaris Unix cred,
159 * or merge the current context with the new
161 * PAM_REFRESH_CRED, set up Solaris Unix cred.
162 * PAM_SILENT, print no messages to user.
164 * Returns PAM_SUCCESS, if all successful.
165 * PAM_CRED_ERR, if unable to set credentials.
166 * PAM_USER_UNKNOWN, if PAM_USER not set, or unable to find
168 * PAM_SYSTEM_ERR, if no valid flag, or unable to get/set
169 * user's audit state.
173 pam_sm_setcred(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
177 uint_t nowarn
= flags
& PAM_SILENT
;
178 int ret
= PAM_SUCCESS
;
184 adt_session_data_t
*ah
;
185 adt_termid_t
*termid
= NULL
;
186 priv_set_t
*lim
, *def
, *tset
;
187 char messages
[PAM_MAX_NUM_MSG
][PAM_MAX_MSG_SIZE
];
188 char buf
[PROJECT_BUFSZ
];
189 struct project proj
, *pproj
;
194 char pwbuf
[NSS_BUFLEN_PASSWD
];
197 for (i
= 0; i
< argc
; i
++) {
198 if (strcmp(argv
[i
], "debug") == 0)
200 else if (strcmp(argv
[i
], "nowarn") == 0)
205 syslog(LOG_AUTH
| LOG_DEBUG
,
206 "pam_unix_cred: pam_sm_setcred(flags = %x, argc= %d)",
209 (void) pam_get_item(pamh
, PAM_USER
, (void **)&user
);
211 if (user
== NULL
|| *user
== '\0') {
212 syslog(LOG_AUTH
| LOG_ERR
,
213 "pam_unix_cred: USER NULL or empty!\n");
214 return (PAM_USER_UNKNOWN
);
216 (void) pam_get_item(pamh
, PAM_AUSER
, (void **)&auser
);
217 (void) pam_get_item(pamh
, PAM_RHOST
, (void **)&rhost
);
218 (void) pam_get_item(pamh
, PAM_TTY
, (void **)&tty
);
220 syslog(LOG_AUTH
| LOG_DEBUG
,
221 "pam_unix_cred: user = %s, auser = %s, rhost = %s, "
223 (auser
== NULL
) ? "NULL" : (*auser
== '\0') ? "ZERO" :
225 (rhost
== NULL
) ? "NULL" : (*rhost
== '\0') ? "ZERO" :
227 (tty
== NULL
) ? "NULL" : (*tty
== '\0') ? "ZERO" :
231 switch (flags
& (PAM_ESTABLISH_CRED
| PAM_DELETE_CRED
|
232 PAM_REINITIALIZE_CRED
| PAM_REFRESH_CRED
)) {
234 /* set default flag */
235 flags
|= PAM_ESTABLISH_CRED
;
237 case PAM_ESTABLISH_CRED
:
238 case PAM_REINITIALIZE_CRED
:
239 case PAM_REFRESH_CRED
:
241 case PAM_DELETE_CRED
:
242 return (PAM_SUCCESS
);
244 syslog(LOG_AUTH
| LOG_ERR
,
245 "pam_unix_cred: invalid flags %x", flags
);
246 return (PAM_SYSTEM_ERR
);
250 * if auditing on and process audit state not set,
251 * setup audit context for process.
253 if (adt_start_session(&ah
, NULL
, ADT_USE_PROC_DATA
) != 0) {
254 syslog(LOG_AUTH
| LOG_ERR
,
255 "pam_unix_cred: cannot create start audit session %m");
256 return (PAM_SYSTEM_ERR
);
258 adt_get_auid(ah
, &auid
);
262 if (auditon(A_GETCOND
, (caddr_t
)&auditstate
,
263 sizeof (auditstate
)) != 0) {
264 auditstate
= AUC_DISABLED
;
266 syslog(LOG_AUTH
| LOG_DEBUG
,
267 "pam_unix_cred: state = %d, auid = %d", auditstate
,
270 if (getpwnam_r(user
, &pwd
, pwbuf
, sizeof (pwbuf
)) == NULL
) {
271 syslog(LOG_AUTH
| LOG_ERR
,
272 "pam_unix_cred: cannot get passwd entry for user = %s",
274 ret
= PAM_USER_UNKNOWN
;
278 if ((auid
== AU_NOAUDITID
) &&
279 (flags
& PAM_ESTABLISH_CRED
)) {
281 char apwbuf
[NSS_BUFLEN_PASSWD
];
284 if ((rhost
== NULL
|| *rhost
== '\0')) {
285 if (adt_load_ttyname(tty
, &termid
) != 0) {
286 if (errno
== ENETDOWN
) {
288 * tolerate not being able to
289 * translate local hostname
290 * to a termid -- it will be
293 syslog(LOG_AUTH
| LOG_ERR
,
294 "pam_unix_cred: cannot load "
295 "ttyname: %m, continuing.");
297 } else if (errno
!= 0) {
298 syslog(LOG_AUTH
| LOG_ERR
,
299 "pam_unix_cred: cannot load "
302 syslog(LOG_AUTH
| LOG_ERR
,
303 "pam_unix_cred: cannot load "
306 ret
= PAM_SYSTEM_ERR
;
310 if (adt_load_hostname(rhost
, &termid
) != 0) {
312 syslog(LOG_AUTH
| LOG_ERR
,
313 "pam_unix_cred: cannot load "
316 syslog(LOG_AUTH
| LOG_ERR
,
317 "pam_unix_cred: cannot load "
320 ret
= PAM_SYSTEM_ERR
;
325 if ((auser
!= NULL
) && (*auser
!= '\0') &&
326 (getpwnam_r(auser
, &apwd
, apwbuf
,
327 sizeof (apwbuf
)) != NULL
)) {
329 * set up the initial audit for user coming
332 if (adt_set_user(ah
, apwd
.pw_uid
, apwd
.pw_gid
,
333 apwd
.pw_uid
, apwd
.pw_gid
, termid
, ADT_NEW
) != 0) {
334 syslog(LOG_AUTH
| LOG_ERR
,
335 "pam_unix_cred: cannot set auser audit "
337 ret
= PAM_SYSTEM_ERR
;
340 if (adt_set_user(ah
, pwd
.pw_uid
, pwd
.pw_gid
,
341 pwd
.pw_uid
, pwd
.pw_gid
, NULL
,
343 syslog(LOG_AUTH
| LOG_ERR
,
344 "pam_unix_cred: cannot merge user audit "
346 ret
= PAM_SYSTEM_ERR
;
350 syslog(LOG_AUTH
| LOG_DEBUG
,
351 "pam_unix_cred: new audit set for %d:%d",
352 apwd
.pw_uid
, pwd
.pw_uid
);
356 * No authenticated user or authenticated user is
357 * not a local user, no remote attribution, set
358 * up the initial audit as for direct user login
360 if (adt_set_user(ah
, pwd
.pw_uid
, pwd
.pw_gid
,
361 pwd
.pw_uid
, pwd
.pw_gid
, termid
, ADT_NEW
) != 0) {
362 syslog(LOG_AUTH
| LOG_ERR
,
363 "pam_unix_cred: cannot set user audit %m");
364 ret
= PAM_SYSTEM_ERR
;
368 if (adt_set_proc(ah
) != 0) {
369 syslog(LOG_AUTH
| LOG_ERR
,
370 "pam_unix_cred: cannot set process audit %m");
375 syslog(LOG_AUTH
| LOG_DEBUG
,
376 "pam_unix_cred: new audit set for %d",
379 } else if ((auid
!= AU_NOAUDITID
) &&
380 (flags
& PAM_REINITIALIZE_CRED
)) {
381 if (adt_set_user(ah
, pwd
.pw_uid
, pwd
.pw_gid
, pwd
.pw_uid
,
382 pwd
.pw_gid
, NULL
, ADT_UPDATE
) != 0) {
383 syslog(LOG_AUTH
| LOG_ERR
,
384 "pam_unix_cred: cannot set user audit %m");
385 ret
= PAM_SYSTEM_ERR
;
388 if (adt_set_proc(ah
) != 0) {
389 syslog(LOG_AUTH
| LOG_ERR
,
390 "pam_unix_cred: cannot set process audit %m");
395 syslog(LOG_AUTH
| LOG_DEBUG
,
396 "pam_unix_cred: audit merged for %d:%d",
400 syslog(LOG_AUTH
| LOG_DEBUG
,
401 "pam_unix_cred: audit already set for %d", auid
);
406 if (adt_end_session(ah
) != 0) {
407 syslog(LOG_AUTH
| LOG_ERR
,
408 "pam_unix_cred: unable to end audit session");
411 if (ret
!= PAM_SUCCESS
)
414 /* Initialize the user's project */
415 (void) pam_get_item(pamh
, PAM_RESOURCE
, (void **)&kvs
);
417 char *tmp
, *lasts
, *tok
;
419 kvs
= tmp
= strdup(kvs
);
421 return (PAM_BUF_ERR
);
423 while ((tok
= strtok_r(tmp
, ";", &lasts
)) != NULL
) {
424 if (strncmp(tok
, PROJECT
, PROJSZ
) == 0) {
425 projname
= tok
+ PROJSZ
;
434 if (projname
== NULL
|| *projname
== '\0') {
435 pproj
= getdefaultproj(user
, &proj
, (void *)&buf
,
438 pproj
= getprojbyname(projname
, &proj
, (void *)&buf
,
441 /* projname points into kvs, so this is the first opportunity to free */
445 syslog(LOG_AUTH
| LOG_ERR
,
446 "pam_unix_cred: no default project for user %s", user
);
448 (void) snprintf(messages
[0], sizeof (messages
[0]),
449 dgettext(TEXT_DOMAIN
, "No default project!"));
450 (void) __pam_display_msg(pamh
, PAM_ERROR_MSG
,
453 return (PAM_SYSTEM_ERR
);
455 if ((error
= setproject(proj
.pj_name
, user
, TASK_NORMAL
)) != 0) {
459 case SETPROJ_ERR_TASK
:
460 if (errno
== EAGAIN
) {
461 syslog(LOG_AUTH
| LOG_ERR
,
462 "pam_unix_cred: project \"%s\" resource "
463 "control limit has been reached",
465 (void) snprintf(messages
[0],
466 sizeof (messages
[0]), dgettext(
468 "Resource control limit has been "
471 syslog(LOG_AUTH
| LOG_ERR
,
472 "pam_unix_cred: user %s could not join "
473 "project \"%s\": %m", user
, proj
.pj_name
);
474 (void) snprintf(messages
[0],
475 sizeof (messages
[0]), dgettext(
477 "Could not join default project"));
480 (void) __pam_display_msg(pamh
, PAM_ERROR_MSG
, 1,
483 case SETPROJ_ERR_POOL
:
484 (void) snprintf(messages
[0], sizeof (messages
[0]),
485 dgettext(TEXT_DOMAIN
,
486 "Could not bind to resource pool"));
489 syslog(LOG_AUTH
| LOG_ERR
,
490 "pam_unix_cred: project \"%s\" could not "
491 "bind to resource pool: No resource pool "
492 "accepting default bindings exists",
494 (void) snprintf(messages
[1],
495 sizeof (messages
[1]),
496 dgettext(TEXT_DOMAIN
,
497 "No resource pool accepting "
498 "default bindings exists"));
501 syslog(LOG_AUTH
| LOG_ERR
,
502 "pam_unix_cred: project \"%s\" could not "
503 "bind to resource pool: The resource pool "
504 "is unknown", proj
.pj_name
);
505 (void) snprintf(messages
[1],
506 sizeof (messages
[1]),
507 dgettext(TEXT_DOMAIN
,
508 "The specified resource pool "
512 (void) snprintf(messages
[1],
513 sizeof (messages
[1]),
514 dgettext(TEXT_DOMAIN
,
515 "Failure during pool binding"));
516 syslog(LOG_AUTH
| LOG_ERR
,
517 "pam_unix_cred: project \"%s\" could not "
518 "bind to resource pool: %m", proj
.pj_name
);
521 (void) __pam_display_msg(pamh
, PAM_ERROR_MSG
,
526 * Resource control assignment failed. Unlike
527 * newtask(1m), we treat this as an error.
531 * This isn't supposed to happen, but in
532 * case it does, this error message
533 * doesn't use error as an index, like
536 syslog(LOG_AUTH
| LOG_ERR
,
537 "pam_unix_cred: unkwown error joining "
538 "project \"%s\" (%d)", proj
.pj_name
, error
);
539 (void) snprintf(messages
[0],
540 sizeof (messages
[0]),
541 dgettext(TEXT_DOMAIN
,
542 "unkwown error joining project \"%s\""
543 " (%d)"), proj
.pj_name
, error
);
544 } else if ((kv_array
= _str2kva(proj
.pj_attr
, KV_ASSIGN
,
545 KV_DELIMITER
)) != NULL
) {
546 syslog(LOG_AUTH
| LOG_ERR
,
547 "pam_unix_cred: %s resource control "
548 "assignment failed for project \"%s\"",
549 kv_array
->data
[error
- 1].key
,
551 (void) snprintf(messages
[0],
552 sizeof (messages
[0]),
553 dgettext(TEXT_DOMAIN
,
554 "%s resource control assignment failed for "
556 kv_array
->data
[error
- 1].key
,
560 syslog(LOG_AUTH
| LOG_ERR
,
561 "pam_unix_cred: resource control "
562 "assignment failed for project \"%s\""
563 "attribute %d", proj
.pj_name
, error
);
564 (void) snprintf(messages
[0],
565 sizeof (messages
[0]),
566 dgettext(TEXT_DOMAIN
,
567 "resource control assignment failed for "
568 "project \"%s\" attribute %d"),
569 proj
.pj_name
, error
);
572 (void) __pam_display_msg(pamh
, PAM_ERROR_MSG
,
575 return (PAM_SYSTEM_ERR
);
578 tset
= def
= lim
= NULL
;
579 deflim
.def
= deflim
.lim
= NULL
;
581 (void) _enum_attrs(user
, finddeflim
, NULL
, &deflim
);
583 if (getset(deflim
.lim
, &lim
) != 0 || getset(deflim
.def
, &def
) != 0) {
584 ret
= PAM_SYSTEM_ERR
;
589 def
= priv_allocset();
591 ret
= PAM_SYSTEM_ERR
;
596 if ((pathconf("/", _PC_CHOWN_RESTRICTED
) == -1) && (errno
== 0))
597 (void) priv_addset(def
, PRIV_FILE_CHOWN_SELF
);
600 * Silently limit the privileges to those actually available
601 * in the current zone.
603 tset
= priv_allocset();
605 ret
= PAM_SYSTEM_ERR
;
608 if (getppriv(PRIV_PERMITTED
, tset
) != 0) {
609 ret
= PAM_SYSTEM_ERR
;
612 if (!priv_issubset(def
, tset
))
613 priv_intersect(tset
, def
);
615 * We set privilege awareness here so that I gets copied to
616 * P & E when the final setuid(uid) happens.
618 (void) setpflags(PRIV_AWARE
, 1);
619 if (setppriv(PRIV_SET
, PRIV_INHERITABLE
, def
) != 0) {
620 syslog(LOG_AUTH
| LOG_ERR
,
621 "pam_setcred: setppriv(defaultpriv) failed: %m");
627 * Silently limit the privileges to the limit set available.
629 if (getppriv(PRIV_LIMIT
, tset
) != 0) {
630 ret
= PAM_SYSTEM_ERR
;
633 if (!priv_issubset(lim
, tset
))
634 priv_intersect(tset
, lim
);
635 if (setppriv(PRIV_SET
, PRIV_LIMIT
, lim
) != 0) {
636 syslog(LOG_AUTH
| LOG_ERR
,
637 "pam_setcred: setppriv(limitpriv) failed: %m");
642 * In order not to surprise certain applications, we
643 * need to get rid of privilege awareness and thus we must
644 * set this flag which will cause a reset on set*uid().
646 (void) setpflags(PRIV_AWARE_RESET
, 1);
649 * This may fail but we do not care as this will be reset later
650 * when the uids are set to their final values.
652 (void) setpflags(PRIV_AWARE
, 0);
654 * Remove PRIV_PFEXEC; stop running as if we are under a profile
655 * shell. A user with a profile shell will set PRIV_PFEXEC.
657 (void) setpflags(PRIV_PFEXEC
, 0);