diff options
author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2019-06-30 14:46:15 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2019-06-30 14:46:15 +0000 |
commit | 4d34b914d41cbe654035093e411c2ca68eb1ec82 (patch) | |
tree | ad508ef8ca38a5316dadf91444c0352862fe6040 | |
parent | e1470c8f967a4c40fcd0c2245c3a28c669efb803 (diff) | |
download | src-4d34b914d41cbe654035093e411c2ca68eb1ec82.tar.gz src-4d34b914d41cbe654035093e411c2ca68eb1ec82.zip |
Changes to the expose_password functionality:
- Implement use_first_pass, allowing expose_password to be used by other
service functions than pam_auth() without prompting a second time.
- Don't prompt for a password during pam_setcred().
PR: 238041
MFC after: 3 weeks
Notes
Notes:
svn path=/head/; revision=349556
-rw-r--r-- | lib/libpam/modules/pam_exec/pam_exec.8 | 11 | ||||
-rw-r--r-- | lib/libpam/modules/pam_exec/pam_exec.c | 20 |
2 files changed, 24 insertions, 7 deletions
diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 index a6836a0792c0..dbd7c1e17007 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.8 +++ b/lib/libpam/modules/pam_exec/pam_exec.8 @@ -1,5 +1,5 @@ .\" Copyright (c) 2001,2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2017 Dag-Erling Smørgrav +.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav .\" Copyright (c) 2018 Thomas Munro .\" All rights reserved. .\" @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 14, 2018 +.Dd May 24, 2019 .Dt PAM_EXEC 8 .Os .Sh NAME @@ -76,6 +76,13 @@ It must be a valid return value for this function. .It Cm expose_authtok Write the authentication token to the program's standard input stream, followed by a NUL character. +Ignored for +.Fn pam_sm_setcred . +.It Cm use_first_pass +If +.Cm expose_authtok +was specified, do not prompt for an authentication token if one is not +already available. .It Cm -- Stop options parsing; program and its arguments follow. diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index dc4a47e22c08..cb820fbac3ef 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -2,7 +2,7 @@ * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 2001,2003 Networks Associates Technology, Inc. - * Copyright (c) 2017 Dag-Erling Smørgrav + * Copyright (c) 2017-2019 Dag-Erling Smørgrav * Copyright (c) 2018 Thomas Munro * All rights reserved. * @@ -110,6 +110,7 @@ struct pe_opts { int capture_stdout; int capture_stderr; int expose_authtok; + int use_first_pass; }; static int @@ -139,6 +140,8 @@ parse_options(const char *func, int *argc, const char **argv[], options->return_prog_exit_status = 1; } else if (strcmp((*argv)[i], "expose_authtok") == 0) { options->expose_authtok = 1; + } else if (strcmp((*argv)[i], "use_first_pass") == 0) { + options->use_first_pass = 1; } else { if (strcmp((*argv)[i], "--") == 0) { (*argc)--; @@ -252,13 +255,20 @@ _pam_exec(pam_handle_t *pamh, openpam_log(PAM_LOG_ERROR, "%s: fcntl(): %m", func); OUT(PAM_SYSTEM_ERR); } - rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL); + if (options->use_first_pass || + strcmp(func, "pam_sm_setcred") == 0) { + /* don't prompt, only expose existing token */ + rc = pam_get_item(pamh, PAM_AUTHTOK, &item); + authtok = item; + } else { + rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL); + } if (rc == PAM_SUCCESS) { - /* We include the trailing NUL-terminator. */ + /* We include the trailing null terminator. */ authtok_size = strlen(authtok) + 1; } else { - openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func, - pam_strerror(pamh, rc)); + openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", + func, pam_strerror(pamh, rc)); OUT(PAM_SYSTEM_ERR); } } |