More tests to avoid Linux security holes.

More logging.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9054 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/auth/pam/pam.c

@@ -60,7 +60,7 @@ RCSID("$Id$");
 #endif
 
 static void
-log_error(int level, const char *format, ...)
+psyslog(int level, const char *format, ...)
 {
   va_list args;
   va_start(args, format);
@@ -115,7 +115,7 @@ parse_ctrl(int argc, const char **argv)
 	  break;
     
       if (j >= KRB4_CTRLS)
-	log_error(LOG_ALERT, "unrecognized option [%s]", *argv);
+	psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
       else
 	ctrl_flags |= krb4_args[j].flag;
     }
@@ -134,7 +134,7 @@ pdeb(const char *format, ...)
   closelog();
 }
 
-#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid())
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
 
 static void
 set_tkt_string(uid_t uid)
@@ -182,9 +182,14 @@ verify_pass(pam_handle_t *pamh,
   old_euid = geteuid();
   setreuid(0, 0);
   ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
-  if (setreuid(old_ruid, old_euid) != 0)
+  pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+       name, inst, realm, krb_verify,
+       krb_get_err_text(ret));
+  if (setreuid(old_ruid, old_euid) != 0
+      ||  getuid() != old_ruid
+      || geteuid() != old_euid)
     {
-      log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+      psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
       exit(1);
     }
     
@@ -220,7 +225,7 @@ krb4_auth(pam_handle_t *pamh,
       ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
       if (ret != PAM_SUCCESS)
         {
-          log_error(LOG_ERR , "pam_get_item returned error to get-password");
+          psyslog(LOG_ERR , "pam_get_item returned error to get-password");
           return ret;
         }
       else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
@@ -271,9 +276,11 @@ pam_sm_authenticate(pam_handle_t *pamh,
   struct passwd *pw;
   uid_t uid = -1;
   const char *name, *inst;
+  char realm[REALM_SZ];
+  realm[0] = 0;
 
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_authenticate");
+  parse_ctrl(argc, argv);
 
   ret = pam_get_user(pamh, &user, "login: ");
   if (ret != PAM_SUCCESS)
@@ -316,11 +323,9 @@ pam_sm_authenticate(pam_handle_t *pamh,
    */
   if (ret == PAM_SUCCESS && inst[0] != 0)
     {
-      char realm[REALM_SZ];
       uid_t old_euid = geteuid();
       uid_t old_ruid = getuid();
 
-      realm[0] = 0;
       setreuid(0, 0);		/* To read ticket file. */
       if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
 	ret = PAM_SERVICE_ERR;
@@ -334,37 +339,52 @@ pam_sm_authenticate(pam_handle_t *pamh,
       if (ret != PAM_SUCCESS)
 	{
 	  dest_tkt();		/* Passwd known, ok to kill ticket. */
-	  log_error(LOG_NOTICE,
-		    "%s.%s@%s is not allowed to log in as %s",
-		    name, inst, realm, user);
+	  psyslog(LOG_NOTICE,
+		  "%s.%s@%s is not allowed to log in as %s",
+		  name, inst, realm, user);
 	}
 
-      if (setreuid(old_ruid, old_euid) != 0)
+      if (setreuid(old_ruid, old_euid) != 0
+	  ||  getuid() != old_ruid
+	  || geteuid() != old_ruid)
 	{
-	  log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+	  psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
 	  exit(1);
 	}
     }
 
   if (ret == PAM_SUCCESS)
-    chown(tkt_string(), uid, -1);
-
-  /* Sun dtlogin unlock screen does not call any other pam_* funcs. */
-  if (ret == PAM_SUCCESS
-      && ctrl_on(KRB4_REAFSLOG)
-      && k_hasafs()
-      && (pw = getpwnam(user)) != 0)
-    krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir);
+    {
+      psyslog(LOG_INFO,
+	      "%s.%s@%s authenticated as user %s",
+	      name, inst, realm, user);
+      if (chown(tkt_string(), uid, -1) == -1)
+	{
+	  dest_tkt();
+	  psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+	  exit(1);
+	}
+    }
 
+  /*
+   * Kludge alert!!! Sun dtlogin unlock screen fails to call
+   * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+   * authentication attempt, sic.
+   *
+   * This hack is designed as a workaround to that problem.
+   */
+  if (ctrl_on(KRB4_REAFSLOG))
+    if (ret == PAM_SUCCESS)
+      pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+  
   return ret;
 }
 
 int 
 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_setcred");
-  pdeb("flags = 0x%x", flags);
+  parse_ctrl(argc, argv);
 
   switch (flags & ~PAM_SILENT) {
   case 0:
@@ -393,7 +413,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
       k_unlog();
     break;
   default:
-    log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
     break;
   }
   
@@ -403,8 +423,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 int
 pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_open_session");
+  parse_ctrl(argc, argv);
 
   return PAM_SUCCESS;
 }
@@ -413,13 +433,11 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 int
 pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_close_session");
+  parse_ctrl(argc, argv);
 
   /* This isn't really kosher, but it's handy. */
-  dest_tkt();
-  if (k_hasafs())
-    k_unlog();
+  pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
 
   return PAM_SUCCESS;
 }