summaryrefslogtreecommitdiffstats
path: root/libpam/pam_private.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--libpam/pam_private.h351
1 files changed, 351 insertions, 0 deletions
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
new file mode 100644
index 0000000..7ff9f75
--- /dev/null
+++ b/libpam/pam_private.h
@@ -0,0 +1,351 @@
+/*
+ * pam_private.h
+ *
+ * This is the Linux-PAM Library Private Header. It contains things
+ * internal to the Linux-PAM library. Things not needed by either an
+ * application or module.
+ *
+ * Please see end of file for copyright.
+ *
+ * Creator: Marc Ewing.
+ * Maintained: CVS
+ */
+
+#ifndef _PAM_PRIVATE_H
+#define _PAM_PRIVATE_H
+
+#include "config.h"
+
+#include <syslog.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+
+/* the Linux-PAM configuration file */
+
+#define PAM_CONFIG "/etc/pam.conf"
+#define PAM_CONFIG_D "/etc/pam.d"
+#define PAM_CONFIG_DF "/etc/pam.d/%s"
+#define PAM_CONFIG_DIST_D "/usr/lib/pam.d"
+#define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
+
+#define PAM_DEFAULT_SERVICE "other" /* lower case */
+
+#ifdef PAM_LOCKING
+/*
+ * the Linux-PAM lock file. If it exists Linux-PAM will abort. Use it
+ * to block access to libpam
+ */
+#define PAM_LOCK_FILE "/var/lock/subsys/PAM"
+#endif
+
+/* components of the pam_handle structure */
+
+#define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */
+
+struct handler {
+ int handler_type;
+ int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv);
+ int actions[_PAM_RETURN_VALUES];
+ /* set by authenticate, open_session, chauthtok(1st)
+ consumed by setcred, close_session, chauthtok(2nd) */
+ int cached_retval; int *cached_retval_p;
+ int argc;
+ char **argv;
+ struct handler *next;
+ char *mod_name;
+ int stack_level;
+ int grantor;
+};
+
+#define PAM_HT_MODULE 0
+#define PAM_HT_MUST_FAIL 1
+#define PAM_HT_SUBSTACK 2
+#define PAM_HT_SILENT_MODULE 3
+
+struct loaded_module {
+ char *name;
+ int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */
+ void *dl_handle;
+};
+
+#define PAM_MT_DYNAMIC_MOD 0
+#define PAM_MT_STATIC_MOD 1
+#define PAM_MT_FAULTY_MOD 2
+
+struct handlers {
+ struct handler *authenticate;
+ struct handler *setcred;
+ struct handler *acct_mgmt;
+ struct handler *open_session;
+ struct handler *close_session;
+ struct handler *chauthtok;
+};
+
+struct service {
+ struct loaded_module *module; /* Array of modules */
+ int modules_allocated;
+ int modules_used;
+ int handlers_loaded;
+
+ struct handlers conf; /* the configured handlers */
+ struct handlers other; /* the default handlers */
+};
+
+/*
+ * Environment helper functions
+ */
+
+#define PAM_ENV_CHUNK 10 /* chunks of memory calloc()'d *
+ * at once */
+
+struct pam_environ {
+ int entries; /* the number of pointers available */
+ int requested; /* the number of pointers used: *
+ * 1 <= requested <= entries */
+ char **list; /* the environment storage (a list *
+ * of pointers to malloc() memory) */
+};
+
+#include <sys/time.h>
+
+typedef enum { PAM_FALSE, PAM_TRUE } _pam_boolean;
+
+struct _pam_fail_delay {
+ _pam_boolean set;
+ unsigned int delay;
+ time_t begin;
+ const void *delay_fn_ptr;
+};
+
+/* initial state in substack */
+struct _pam_substack_state {
+ int impression;
+ int status;
+};
+
+struct _pam_former_state {
+/* this is known and set by _pam_dispatch() */
+ int choice; /* which flavor of module function did we call? */
+
+/* state info for the _pam_dispatch_aux() function */
+ int depth; /* how deep in the stack were we? */
+ int impression; /* the impression at that time */
+ int status; /* the status before returning incomplete */
+ struct _pam_substack_state *substates; /* array of initial substack states */
+
+/* state info used by pam_get_user() function */
+ int fail_user;
+ int want_user;
+ char *prompt; /* saved prompt information */
+
+/* state info for the pam_chauthtok() function */
+ _pam_boolean update;
+};
+
+struct pam_handle {
+ char *authtok;
+ unsigned caller_is;
+ struct pam_conv *pam_conversation;
+ char *oldauthtok;
+ char *prompt; /* for use by pam_get_user() */
+ char *service_name;
+ char *user;
+ char *rhost;
+ char *ruser;
+ char *tty;
+ char *xdisplay;
+ char *authtok_type; /* PAM_AUTHTOK_TYPE */
+ struct pam_data *data;
+ struct pam_environ *env; /* structure to maintain environment list */
+ struct _pam_fail_delay fail_delay; /* helper function for easy delays */
+ struct pam_xauth_data xauth; /* auth info for X display */
+ struct service handlers;
+ struct _pam_former_state former; /* library state - support for
+ event driven applications */
+ const char *mod_name; /* Name of the module currently executed */
+ int mod_argc; /* Number of module arguments */
+ char **mod_argv; /* module arguments */
+ int choice; /* Which function we call from the module */
+
+#ifdef HAVE_LIBAUDIT
+ int audit_state; /* keep track of reported audit messages */
+#endif
+};
+
+/* Values for select arg to _pam_dispatch() */
+#define PAM_NOT_STACKED 0
+#define PAM_AUTHENTICATE 1
+#define PAM_SETCRED 2
+#define PAM_ACCOUNT 3
+#define PAM_OPEN_SESSION 4
+#define PAM_CLOSE_SESSION 5
+#define PAM_CHAUTHTOK 6
+
+#define _PAM_ACTION_IS_JUMP(x) ((x) > 0)
+#define _PAM_ACTION_IGNORE 0
+#define _PAM_ACTION_OK -1
+#define _PAM_ACTION_DONE -2
+#define _PAM_ACTION_BAD -3
+#define _PAM_ACTION_DIE -4
+#define _PAM_ACTION_RESET -5
+/* Add any new entries here. Will need to change ..._UNDEF and then
+ * need to change pam_tokens.h */
+#define _PAM_ACTION_UNDEF -6 /* this is treated as an error
+ ( = _PAM_ACTION_BAD) */
+
+#define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */
+
+/* character tables for parsing config files */
+extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF];
+extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1];
+
+/*
+ * internally defined functions --- these should not be directly
+ * called by applications or modules
+ */
+int _pam_dispatch(pam_handle_t *pamh, int flags, int choice);
+
+/* Free various allocated structures and dlclose() the libs */
+int _pam_free_handlers(pam_handle_t *pamh);
+
+/* Parse config file, allocate handler structures, dlopen() */
+int _pam_init_handlers(pam_handle_t *pamh);
+
+/* Set all hander stuff to 0/NULL - called once from pam_start() */
+void _pam_start_handlers(pam_handle_t *pamh);
+
+/* environment helper functions */
+
+/* create the environment structure */
+int _pam_make_env(pam_handle_t *pamh);
+
+/* delete the environment structure */
+void _pam_drop_env(pam_handle_t *pamh);
+
+/* these functions deal with failure delays as required by the
+ authentication modules and application. Their *interface* is likely
+ to remain the same although their function is hopefully going to
+ improve */
+
+/* reset the timer to no-delay */
+void _pam_reset_timer(pam_handle_t *pamh);
+
+/* this sets the clock ticking */
+void _pam_start_timer(pam_handle_t *pamh);
+
+/* this waits for the clock to stop ticking if status != PAM_SUCCESS */
+void _pam_await_timer(pam_handle_t *pamh, int status);
+
+typedef void (*voidfunc(void))(void);
+typedef int (*servicefn)(pam_handle_t *, int, int, char **);
+
+void *_pam_dlopen (const char *mod_path);
+servicefn _pam_dlsym (void *handle, const char *symbol);
+void _pam_dlclose (void *handle);
+const char *_pam_dlerror (void);
+
+/* For now we just use a stack and linear search for module data. */
+/* If it becomes apparent that there is a lot of data, it should */
+/* changed to either a sorted list or a hash table. */
+
+struct pam_data {
+ char *name;
+ void *data;
+ void (*cleanup)(pam_handle_t *pamh, void *data, int error_status);
+ struct pam_data *next;
+};
+
+void _pam_free_data(pam_handle_t *pamh, int status);
+
+char *_pam_StrTok(char *from, const char *format, char **next);
+
+char *_pam_strdup(const char *s);
+
+char *_pam_memdup(const char *s, int len);
+
+int _pam_mkargv(char *s, char ***argv, int *argc);
+
+void _pam_sanitize(pam_handle_t *pamh);
+
+void _pam_set_default_control(int *control_array, int default_action);
+
+void _pam_parse_control(int *control_array, char *tok);
+
+#define _PAM_SYSTEM_LOG_PREFIX "PAM"
+
+/*
+ * XXX - Take care with this. It could confuse the logic of a trailing
+ * else
+ */
+
+#define IF_NO_PAMH(X,pamh,ERR) \
+if ((pamh) == NULL) { \
+ syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX " " X ": NULL pam handle passed"); \
+ return ERR; \
+}
+
+/*
+ * include some helpful macros
+ */
+
+#include <security/_pam_macros.h>
+
+/* used to work out where control currently resides (in an application
+ or in a module) */
+
+#define _PAM_CALLED_FROM_MODULE 1
+#define _PAM_CALLED_FROM_APP 2
+
+#define __PAM_FROM_MODULE(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_MODULE)
+#define __PAM_FROM_APP(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_APP)
+#define __PAM_TO_MODULE(pamh) \
+ do { (pamh)->caller_is = _PAM_CALLED_FROM_MODULE; } while (0)
+#define __PAM_TO_APP(pamh) \
+ do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
+
+#ifdef HAVE_LIBAUDIT
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
+extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
+#endif
+
+/*
+ * Copyright (C) 1995 by Red Hat Software, Marc Ewing
+ * Copyright (c) 1996-8,2001 by Andrew G. Morgan <morgan@kernel.org>
+ *
+ * All rights reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#endif /* _PAM_PRIVATE_H_ */