1 /* $NetBSD: pam_unix.c,v 1.19 2022/10/26 22:09:37 andvar Exp $ */
2
3 /*-
4 * Copyright 1998 Juniper Networks, Inc.
5 * All rights reserved.
6 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
7 * All rights reserved.
8 *
9 * Portions of this software was developed for the FreeBSD Project by
10 * ThinkSec AS and NAI Labs, the Security Research Division of Network
11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
12 * ("CBOSS"), as part of the DARPA CHATS research program.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * 3. The name of the author may not be used to endorse or promote
23 * products derived from this software without specific prior written
24 * permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 */
38
39 #include <sys/cdefs.h>
40 #ifdef __FreeBSD__
41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $");
42 #else
43 __RCSID("$NetBSD: pam_unix.c,v 1.19 2022/10/26 22:09:37 andvar Exp $");
44 #endif
45
46
47 #include <sys/types.h>
48
49 #include <ctype.h>
50 #include <errno.h>
51 #include <fcntl.h>
52 #include <pwd.h>
53 #include <grp.h>
54 #include <limits.h>
55 #include <stdlib.h>
56 #include <string.h>
57 #include <stdio.h>
58 #include <login_cap.h>
59 #include <time.h>
60 #include <tzfile.h>
61 #include <unistd.h>
62
63 #include <util.h>
64
65 #ifdef YP
66 #include <rpc/rpc.h>
67 #include <rpcsvc/ypclnt.h>
68 #include <rpcsvc/yppasswd.h>
69 #endif
70
71 #define PAM_SM_AUTH
72 #define PAM_SM_ACCOUNT
73 #define PAM_SM_PASSWORD
74
75 #include <security/pam_appl.h>
76 #include <security/pam_modules.h>
77 #include <security/pam_mod_misc.h>
78
79 /*
80 * authentication management
81 */
82 PAM_EXTERN int
83 /*ARGSUSED*/
pam_sm_authenticate(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)84 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
85 int argc __unused, const char *argv[] __unused)
86 {
87 login_cap_t *lc;
88 struct passwd *pwd, pwres;
89 int retval;
90 const char *pass, *user, *realpw;
91 char pwbuf[1024];
92
93 pwd = NULL;
94 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
95 (void) getpwnam_r(getlogin(), &pwres, pwbuf, sizeof(pwbuf),
96 &pwd);
97 } else {
98 retval = pam_get_user(pamh, &user, NULL);
99 if (retval != PAM_SUCCESS)
100 return (retval);
101 PAM_LOG("Got user: %s", user);
102 (void) getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd);
103 }
104
105 if (pwd != NULL) {
106 PAM_LOG("Doing real authentication");
107 realpw = pwd->pw_passwd;
108 if (realpw[0] == '\0') {
109 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
110 openpam_get_option(pamh, PAM_OPT_NULLOK))
111 return (PAM_SUCCESS);
112 realpw = "*";
113 }
114 } else {
115 PAM_LOG("Doing dummy authentication");
116 realpw = "*";
117 }
118 lc = login_getpwclass(pwd);
119 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
120 login_close(lc);
121 if (retval != PAM_SUCCESS)
122 return (retval);
123 PAM_LOG("Got password");
124 if (strcmp(crypt(pass, realpw), realpw) == 0)
125 return (PAM_SUCCESS);
126
127 PAM_VERBOSE_ERROR("UNIX authentication refused");
128 return (PAM_AUTH_ERR);
129 }
130
131 PAM_EXTERN int
132 /*ARGSUSED*/
pam_sm_setcred(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)133 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
134 int argc __unused, const char *argv[] __unused)
135 {
136
137 return (PAM_SUCCESS);
138 }
139
140 /*
141 * account management
142 */
143 PAM_EXTERN int
144 /*ARGSUSED*/
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)145 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
146 int argc __unused, const char *argv[] __unused)
147 {
148 struct passwd *pwd, pwres;
149 struct timeval now;
150 login_cap_t *lc;
151 time_t warntime;
152 int retval;
153 const char *user;
154 char pwbuf[1024];
155
156 retval = pam_get_user(pamh, &user, NULL);
157 if (retval != PAM_SUCCESS)
158 return (retval);
159
160 if (user == NULL ||
161 getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
162 pwd == NULL)
163 return (PAM_SERVICE_ERR);
164
165 PAM_LOG("Got user: %s", user);
166
167 if (*pwd->pw_passwd == '\0' &&
168 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
169 return (PAM_NEW_AUTHTOK_REQD);
170
171 lc = login_getpwclass(pwd);
172 if (lc == NULL) {
173 PAM_LOG("Unable to get login class for user %s", user);
174 return (PAM_SERVICE_ERR);
175 }
176
177 PAM_LOG("Got login_cap");
178
179 if (pwd->pw_change || pwd->pw_expire)
180 (void) gettimeofday(&now, NULL);
181
182 warntime = (time_t)login_getcaptime(lc, "password-warn",
183 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY),
184 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY));
185
186 /*
187 * Check pw_expire before pw_change - no point in letting the
188 * user change the password on an expired account.
189 */
190
191 if (pwd->pw_expire) {
192 if (now.tv_sec >= pwd->pw_expire) {
193 login_close(lc);
194 return (PAM_ACCT_EXPIRED);
195 } else if (pwd->pw_expire - now.tv_sec < warntime &&
196 (flags & PAM_SILENT) == 0) {
197 pam_error(pamh, "Warning: your account expires on %s",
198 ctime(&pwd->pw_expire));
199 }
200 }
201
202 if (pwd->pw_change) {
203 /* XXX How to handle _PASSWORD_CHGNOW? --thorpej */
204 if (now.tv_sec >= pwd->pw_change) {
205 login_close(lc);
206 return (PAM_NEW_AUTHTOK_REQD);
207 } else if (pwd->pw_change - now.tv_sec < warntime &&
208 (flags & PAM_SILENT) == 0) {
209 pam_error(pamh, "Warning: your password expires on %s",
210 ctime(&pwd->pw_change));
211 }
212 }
213
214 login_close(lc);
215
216 return (PAM_SUCCESS);
217 }
218
219 #ifdef YP
220 /*
221 * yp_check_user:
222 *
223 * Helper function; check that a user exists in the NIS
224 * password map.
225 */
226 static int
yp_check_user(const char * domain,const char * user)227 yp_check_user(const char *domain, const char *user)
228 {
229 char *val;
230 int reason, vallen;
231
232 val = NULL;
233 reason = yp_match(domain, "passwd.byname", user, (int)strlen(user),
234 &val, &vallen);
235 if (reason != 0) {
236 if (val != NULL)
237 free(val);
238 return (0);
239 }
240 free(val);
241 return (1);
242 }
243
244 static int
245 /*ARGSUSED*/
yp_set_password(pam_handle_t * pamh,struct passwd * opwd,struct passwd * pwd,const char * old_pass,const char * domain)246 yp_set_password(pam_handle_t *pamh, struct passwd *opwd,
247 struct passwd *pwd, const char *old_pass, const char *domain)
248 {
249 char *master;
250 int r, rpcport, status;
251 enum clnt_stat r2;
252 struct yppasswd yppwd;
253 CLIENT *client;
254 uid_t uid;
255 int retval = PAM_SERVICE_ERR;
256 struct timeval tv;
257
258 /*
259 * Find the master for the passwd map; it should be running
260 * rpc.yppasswdd.
261 */
262 if ((r = yp_master(domain, "passwd.byname", &master)) != 0) {
263 pam_error(pamh, "Can't find master NIS server. Reason: %s",
264 yperr_string(r));
265 return (PAM_SERVICE_ERR);
266 }
267
268 /*
269 * Ask the portmapper for the port of rpc.yppasswdd.
270 */
271 if ((rpcport = getrpcport(master, YPPASSWDPROG,
272 YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) {
273 pam_error(pamh,
274 "Master NIS server not running yppasswd daemon.\n\t"
275 "Can't change NIS password.");
276 return (PAM_SERVICE_ERR);
277 }
278
279 /*
280 * Be sure the port is privileged.
281 */
282 if (rpcport >= IPPORT_RESERVED) {
283 pam_error(pamh, "yppasswd daemon is on an invalid port.");
284 return (PAM_SERVICE_ERR);
285 }
286
287 uid = getuid();
288 if (uid != 0 && uid != pwd->pw_uid) {
289 pam_error(pamh, "You may only change your own password: %s",
290 strerror(EACCES));
291 return (PAM_SERVICE_ERR);
292 }
293
294 /*
295 * Fill in the yppasswd structure for yppasswdd.
296 */
297 memset(&yppwd, 0, sizeof(yppwd));
298 yppwd.oldpass = strdup(old_pass);
299 if ((yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL)
300 goto malloc_failure;
301 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL)
302 goto malloc_failure;
303 yppwd.newpw.pw_uid = (int)pwd->pw_uid;
304 yppwd.newpw.pw_gid = (int)pwd->pw_gid;
305 if ((yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL)
306 goto malloc_failure;
307 if ((yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL)
308 goto malloc_failure;
309 if ((yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL)
310 goto malloc_failure;
311
312 client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
313 if (client == NULL) {
314 pam_error(pamh, "Can't contact yppasswdd on %s: Reason: %s",
315 master, yperr_string(YPERR_YPBIND));
316 goto out;
317 }
318
319 client->cl_auth = authunix_create_default();
320 tv.tv_sec = 2;
321 tv.tv_usec = 0;
322 r2 = clnt_call(client, YPPASSWDPROC_UPDATE,
323 xdr_yppasswd, &yppwd, xdr_int, &status, tv);
324 if (r2 != RPC_SUCCESS)
325 pam_error(pamh, "RPC to yppasswdd failed.");
326 else if (status)
327 pam_error(pamh, "Couldn't change NIS password.");
328 else {
329 pam_info(pamh, "The NIS password has been changed on %s, "
330 "the master NIS passwd server.", master);
331 retval = PAM_SUCCESS;
332 }
333
334 out:
335 if (yppwd.oldpass != NULL)
336 free(yppwd.oldpass);
337 if (yppwd.newpw.pw_passwd != NULL)
338 free(yppwd.newpw.pw_passwd);
339 if (yppwd.newpw.pw_name != NULL)
340 free(yppwd.newpw.pw_name);
341 if (yppwd.newpw.pw_gecos != NULL)
342 free(yppwd.newpw.pw_gecos);
343 if (yppwd.newpw.pw_dir != NULL)
344 free(yppwd.newpw.pw_dir);
345 if (yppwd.newpw.pw_shell != NULL)
346 free(yppwd.newpw.pw_shell);
347 return (retval);
348
349 malloc_failure:
350 pam_error(pamh, "memory allocation failure");
351 goto out;
352 }
353 #endif /* YP */
354
355 static int
local_set_password(pam_handle_t * pamh,struct passwd * opwd,struct passwd * pwd)356 local_set_password(pam_handle_t *pamh, struct passwd *opwd,
357 struct passwd *pwd)
358 {
359 char errbuf[200];
360 int tfd, pfd;
361
362 pw_init();
363 tfd = pw_lock(0);
364 if (tfd < 0) {
365 pam_error(pamh, "The password file is busy, waiting...");
366 tfd = pw_lock(10);
367 if (tfd < 0) {
368 pam_error(pamh, "The password file is still busy, "
369 "try again later.");
370 return (PAM_SERVICE_ERR);
371 }
372 }
373
374 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0);
375 if (pfd < 0) {
376 pam_error(pamh, "%s: %s", _PATH_MASTERPASSWD, strerror(errno));
377 pw_abort();
378 return (PAM_SERVICE_ERR);
379 }
380
381 if (pw_copyx(pfd, tfd, pwd, opwd, errbuf, sizeof(errbuf)) == 0) {
382 pam_error(pamh, "Unable to update password entry: %s",
383 errbuf);
384 pw_abort();
385 return (PAM_SERVICE_ERR);
386 }
387
388 if (pw_mkdb(pwd->pw_name, opwd->pw_change == pwd->pw_change) < 0) {
389 pam_error(pamh, "Unable to rebuild local password database.");
390 pw_abort();
391 return (PAM_SERVICE_ERR);
392 }
393
394 return (PAM_SUCCESS);
395 }
396
397 /*
398 * password management
399 *
400 * standard Unix and NIS password changing
401 */
402 PAM_EXTERN int
403 /*ARGSUSED*/
pam_sm_chauthtok(pam_handle_t * pamh,int flags,int argc __unused,const char * argv[]__unused)404 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
405 int argc __unused, const char *argv[] __unused)
406 {
407 struct passwd *pwd, new_pwd, old_pwd;
408 login_cap_t *lc;
409 const char *user, *passwd_db, *new_pass, *old_pass, *p;
410 int retval, tries, min_pw_len = 0, pw_expiry = 0;
411 char salt[_PASSWORD_LEN+1];
412 char old_pwbuf[1024];
413 #ifdef YP
414 char *domain;
415 int r;
416 #endif
417
418 pwd = NULL;
419 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
420 if ((user = getlogin()) == NULL) {
421 pam_error(pamh, "Unable to determine user.");
422 return (PAM_SERVICE_ERR);
423 }
424 (void) getpwnam_r(user, &old_pwd, old_pwbuf,
425 sizeof(old_pwbuf), &pwd);
426 } else {
427 retval = pam_get_user(pamh, &user, NULL);
428 if (retval != PAM_SUCCESS)
429 return (retval);
430 (void) getpwnam_r(user, &old_pwd, old_pwbuf,
431 sizeof(old_pwbuf), &pwd);
432 }
433
434 if (pwd == NULL)
435 return (PAM_AUTHTOK_RECOVERY_ERR);
436
437 PAM_LOG("Got user: %s", user);
438
439 /*
440 * Determine which password type we're going to change, and
441 * remember it.
442 *
443 * NOTE: domain does not need to be freed; its storage is
444 * allocated statically in libc.
445 */
446 passwd_db = openpam_get_option(pamh, "passwd_db");
447 if (passwd_db == NULL) {
448 #ifdef YP
449 /* Prefer YP, if configured. */
450 if (_yp_check(NULL)) {
451 /* If _yp_check() succeeded, then this must. */
452 if ((r = yp_get_default_domain(&domain)) != 0) {
453 pam_error(pamh,
454 "Unable to get NIS domain, reason: %s",
455 yperr_string(r));
456 return (PAM_SERVICE_ERR);
457 }
458 if (yp_check_user(domain, user))
459 passwd_db = "nis";
460 }
461 #endif
462 /* Otherwise we always use local files. */
463 if (passwd_db == NULL) {
464 /* XXX Any validation to do here? */
465 passwd_db = "files";
466 }
467
468 if ((retval = openpam_set_option(pamh, "passwd_db",
469 passwd_db)) != PAM_SUCCESS) {
470 return (retval);
471 }
472 } else {
473 /* Check to see if the specified password DB is usable. */
474 #ifdef YP
475 if (strcmp(passwd_db, "nis") == 0) {
476 if (_yp_check(NULL) == 0) {
477 pam_error(pamh, "NIS not in use.");
478 return (PAM_SERVICE_ERR);
479 }
480 if ((r = yp_get_default_domain(&domain)) != 0) {
481 pam_error(pamh,
482 "Unable to get NIS domain, reason: %s",
483 yperr_string(r));
484 return (PAM_SERVICE_ERR);
485 }
486 if (yp_check_user(domain, user) == 0) {
487 pam_error(pamh,
488 "User %s does not exist in NIS.", user);
489 return (PAM_USER_UNKNOWN);
490 }
491 goto known_passwd_db;
492 }
493 #endif
494 if (strcmp(passwd_db, "files") == 0) {
495 /* XXX Any validation to do here? */
496 goto known_passwd_db;
497 }
498 pam_error(pamh, "Unknown Unix password DB: %s", passwd_db);
499 return (PAM_SERVICE_ERR);
500 }
501 known_passwd_db:
502
503 if (flags & PAM_PRELIM_CHECK) {
504 PAM_LOG("PRELIM round");
505
506 if (strcmp(passwd_db, "files") == 0) {
507 if (getuid() == 0) {
508 /* Root doesn't need the old password. */
509 return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
510 }
511 /*
512 * Apparently we're not root, so let's forbid editing
513 * root.
514 * XXX Check for some flag to indicate if this
515 * XXX is the desired behavior.
516 */
517 if (pwd->pw_uid == 0)
518 return (PAM_PERM_DENIED);
519 }
520
521 if (pwd->pw_passwd[0] == '\0') {
522 /*
523 * No password case.
524 * XXX Are we giving too much away by not prompting
525 * XXX for a password?
526 * XXX Check PAM_DISALLOW_NULL_AUTHTOK
527 */
528 return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
529 } else {
530 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK,
531 &old_pass, NULL);
532 if (retval != PAM_SUCCESS)
533 return (retval);
534 if (strcmp(crypt(old_pass, pwd->pw_passwd),
535 pwd->pw_passwd) != 0)
536 return (PAM_PERM_DENIED);
537 return (PAM_SUCCESS);
538 }
539 }
540
541 if (flags & PAM_UPDATE_AUTHTOK) {
542 char option[LINE_MAX], *key, *opt;
543
544 PAM_LOG("UPDATE round");
545
546 if ((lc = login_getpwclass(pwd)) != NULL) {
547 min_pw_len = (int) login_getcapnum(lc,
548 "minpasswordlen", (quad_t)0, (quad_t)0);
549 pw_expiry = (int) login_getcapnum(lc,
550 "passwordtime", (quad_t)0, (quad_t)0);
551 login_close(lc);
552 }
553
554 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &old_pass, NULL);
555 if (retval != PAM_SUCCESS)
556 return (retval);
557
558 /* Get the new password. */
559 for (tries = 0;;) {
560 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass,
561 NULL);
562 if (retval == PAM_TRY_AGAIN) {
563 pam_error(pamh,
564 "Mismatch; try again, EOF to quit.");
565 continue;
566 }
567 if (retval != PAM_SUCCESS) {
568 PAM_VERBOSE_ERROR("Unable to get new password");
569 return (retval);
570 }
571 /* Successfully got new password. */
572 if (new_pass[0] == '\0') {
573 pam_info(pamh, "Password unchanged.");
574 return (PAM_SUCCESS);
575 }
576 if (min_pw_len > 0 && strlen(new_pass) < (size_t)min_pw_len) {
577 pam_error(pamh, "Password is too short.");
578 goto retry;
579 }
580 if (strlen(new_pass) <= 5 && ++tries < 2) {
581 pam_error(pamh,
582 "Please enter a longer password.");
583 goto retry;
584 }
585 for (p = new_pass; *p && islower((unsigned char)*p); ++p);
586 if (!*p && ++tries < 2) {
587 pam_error(pamh,
588 "Please don't use an all-lower case "
589 "password.\nUnusual capitalization, "
590 "control characters or digits are "
591 "suggested.");
592 goto retry;
593 }
594 /* Password is OK. */
595 break;
596 retry:
597 pam_set_item(pamh, PAM_AUTHTOK, NULL);
598 }
599 pw_getpwconf(option, sizeof(option), pwd,
600 #ifdef YP
601 strcmp(passwd_db, "nis") == 0 ? "ypcipher" :
602 #endif
603 "localcipher");
604 opt = option;
605 key = strsep(&opt, ",");
606
607 if (pw_gensalt(salt, _PASSWORD_LEN, key, opt) == -1) {
608 pam_error(pamh, "Couldn't generate salt.");
609 return (PAM_SERVICE_ERR);
610 }
611
612 new_pwd = old_pwd;
613 pwd = &new_pwd;
614 pwd->pw_passwd = crypt(new_pass, salt);
615 pwd->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0;
616
617 retval = PAM_SERVICE_ERR;
618 if (strcmp(passwd_db, "files") == 0)
619 retval = local_set_password(pamh, &old_pwd, pwd);
620 #ifdef YP
621 if (strcmp(passwd_db, "nis") == 0)
622 retval = yp_set_password(pamh, &old_pwd, pwd, old_pass,
623 domain);
624 #endif
625 return (retval);
626 }
627
628 PAM_LOG("Illegal flags argument");
629 return (PAM_ABORT);
630 }
631
632 PAM_MODULE_ENTRY("pam_unix");
633