Feature request: alternate '/' for pam_unix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

In a cluster environment it'd be quite good if one could specify
alternate passwd/shadow/group files for the pam_unix module.

I know, one could use LDAP, SQL or db files to store the user data, but 
all of them have got some shortcomings: LDAP and SQL can be slow or 
complex to setup in a redundan configuration; db files lack password 
expiration information, etc.

In the patch below I implemented the 'rootdir=directory' option for the 
pam_unix module, by which one can define an alternate root directory when 
looking up the files. So one can store alternate passwd, etc. files with 
the user data on a cluster (shared) filesystem, without the need of 
additional services running.

Example: /etc/pam.d/common-auth

# Check the user in the host-local files
auth	sufficient	pam_unix.so
# Check the user in the cluster files:
#	/gfs/system/etc/passwd, etc
auth	required	pam_unix.so rootdir=/gfs/system

Best regards,
Jozsef Kadlecsik
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

diff -urN pam_unix.orig/pam_unix_passwd.c pam_unix/pam_unix_passwd.c
--- pam_unix.orig/pam_unix_passwd.c	2007-04-30 12:47:30.000000000 +0200
+++ pam_unix/pam_unix_passwd.c	2007-09-28 13:02:42.000000000 +0200
@@ -119,13 +119,9 @@
 #define _UNIX_NEW_AUTHTOK	"-UN*X-NEW-PASS"
 
 #define MAX_PASSWD_TRIES	3
-#define PW_TMPFILE		"/etc/npasswd"
-#define SH_TMPFILE		"/etc/nshadow"
 #ifndef CRACKLIB_DICTS
 #define CRACKLIB_DICTS		NULL
 #endif
-#define OPW_TMPFILE		"/etc/security/nopasswd"
-#define OLD_PASSWORDS_FILE	"/etc/security/opasswd"
 
 /*
  * i64c - convert an integer to a radix 64 character
@@ -247,7 +243,7 @@
         size_t i=0;
         struct rlimit rlim;
 	static char *envp[] = { NULL };
-	char *args[] = { NULL, NULL, NULL, NULL };
+	char *args[] = { NULL, NULL, NULL, NULL, NULL };
 
 	/* XXX - should really tidy up PAM here too */
 
@@ -273,6 +269,8 @@
 	args[0] = x_strdup(CHKPWD_HELPER);
 	args[1] = x_strdup(user);
 	args[2] = x_strdup("shadow");
+	if (strlen(rootdir) > 0)
+		args[3] = x_strdup(rootdir));
 
 	execve(CHKPWD_HELPER, args, envp);
 
@@ -324,7 +322,7 @@
 	int retval = PAM_SUCCESS;
 	FILE *opwfile;
 
-	opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+	opwfile = fopen(unix_filename(OLD_PASSWORDS_FILE), "r");
 	if (opwfile == NULL)
 		return PAM_ABORT;
 
@@ -382,7 +380,7 @@
 #ifdef WITH_SELINUX
     if (SELINUX_ENABLED) {
       security_context_t passwd_context=NULL;
-      if (getfilecon("/etc/passwd",&passwd_context)<0) {
+      if (getfilecon(unix_filename(PASSWD_FILE),&passwd_context)<0) {
         return PAM_AUTHTOK_ERR;
       };
       if (getfscreatecon(&prev_context)<0) {
@@ -397,14 +395,14 @@
       freecon(passwd_context);
     }
 #endif
-    pwfile = fopen(OPW_TMPFILE, "w");
+    pwfile = fopen(unix_filename(OLD_PASSWORDS_TMP_FILE), "w");
     umask(oldmask);
     if (pwfile == NULL) {
       err = 1;
       goto done;
     }
 
-    opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+    opwfile = fopen(unix_filename(OLD_PASSWORDS_FILE), "r");
     if (opwfile == NULL) {
 	fclose(pwfile);
       err = 1;
@@ -488,7 +486,8 @@
 
 done:
     if (!err) {
-	if (rename(OPW_TMPFILE, OLD_PASSWORDS_FILE))
+	if (rename(unix_filename(OLD_PASSWORDS_TMP_FILE),
+		   unix_filename(OLD_PASSWORDS_FILE)))
 	    err = 1;
     }
 #ifdef WITH_SELINUX
@@ -504,7 +503,7 @@
     if (!err) {
 	return PAM_SUCCESS;
     } else {
-	unlink(OPW_TMPFILE);
+	unlink(unix_filename(OLD_PASSWORDS_TMP_FILE));
 	return PAM_AUTHTOK_ERR;
     }
 }
@@ -522,7 +521,7 @@
 #ifdef WITH_SELINUX
     if (SELINUX_ENABLED) {
       security_context_t passwd_context=NULL;
-      if (getfilecon("/etc/passwd",&passwd_context)<0) {
+      if (getfilecon(unix_filename(PASSWD_FILE),&passwd_context)<0) {
 	return PAM_AUTHTOK_ERR;
       };
       if (getfscreatecon(&prev_context)<0) {
@@ -537,14 +536,14 @@
       freecon(passwd_context);
     }
 #endif
-    pwfile = fopen(PW_TMPFILE, "w");
+    pwfile = fopen(unix_filename(PASSWD_TMP_FILE), "w");
     umask(oldmask);
     if (pwfile == NULL) {
       err = 1;
       goto done;
     }
 
-    opwfile = fopen("/etc/passwd", "r");
+    opwfile = fopen(unix_filename(PASSWD_FILE), "r");
     if (opwfile == NULL) {
 	fclose(pwfile);
 	err = 1;
@@ -600,7 +599,7 @@
 
 done:
     if (!err) {
-	if (!rename(PW_TMPFILE, "/etc/passwd"))
+	if (!rename(unix_filename(PASSWD_TMP_FILE), unix_filename(PASSWD_FILE)))
 	    pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho);
 	else
 	    err = 1;
@@ -618,7 +617,7 @@
     if (!err) {
 	return PAM_SUCCESS;
     } else {
-	unlink(PW_TMPFILE);
+	unlink(unix_filename(PASSWD_TMP_FILE));
 	return PAM_AUTHTOK_ERR;
     }
 }
@@ -640,7 +639,7 @@
 #ifdef WITH_SELINUX
     if (SELINUX_ENABLED) {
       security_context_t shadow_context=NULL;
-      if (getfilecon("/etc/shadow",&shadow_context)<0) {
+      if (getfilecon(unix_filename(SHADOW_FILE),&shadow_context)<0) {
 	return PAM_AUTHTOK_ERR;
       };
       if (getfscreatecon(&prev_context)<0) {
@@ -655,14 +654,14 @@
       freecon(shadow_context);
     }
 #endif
-    pwfile = fopen(SH_TMPFILE, "w");
+    pwfile = fopen(unix_filename(SHADOW_TMP_FILE), "w");
     umask(oldmask);
     if (pwfile == NULL) {
 	err = 1;
 	goto done;
     }
 
-    opwfile = fopen("/etc/shadow", "r");
+    opwfile = fopen(unix_filename(SHADOW_FILE), "r");
     if (opwfile == NULL) {
 	fclose(pwfile);
 	err = 1;
@@ -716,7 +715,7 @@
 
  done:
     if (!err) {
-	if (!rename(SH_TMPFILE, "/etc/shadow"))
+	if (!rename(unix_filename(SHADOW_TMP_FILE), unix_filename(SHADOW_FILE)))
 	    pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho);
 	else
 	    err = 1;
@@ -736,7 +735,7 @@
     if (!err) {
 	return PAM_SUCCESS;
     } else {
-	unlink(SH_TMPFILE);
+	unlink(unix_filename(SHADOW_TMP_FILE));
 	return PAM_AUTHTOK_ERR;
     }
 }
@@ -1003,7 +1002,7 @@
 			  remark = _("Password has been already used. Choose another.");
 			if (retval == PAM_ABORT) {
 				pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
-					OLD_PASSWORDS_FILE);
+					unix_filename(OLD_PASSWORDS_FILE));
 				return retval;
 			}
 		}
@@ -1067,8 +1066,10 @@
 	 */
 	if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) {
 		pam_syslog(pamh, LOG_DEBUG,
-			 "user \"%s\" does not exist in /etc/passwd%s",
-			 user, on(UNIX_NIS, ctrl) ? " or NIS" : "");
+			 "user \"%s\" does not exist in %s%s",
+			 user, 
+			 unix_filename(PASSWD_FILE),
+			 on(UNIX_NIS, ctrl) ? " or NIS" : "");
 		return PAM_USER_UNKNOWN;
 	} else {
 		struct passwd *pwd;
diff -urN pam_unix.orig/support.c pam_unix/support.c
--- pam_unix.orig/support.c	2007-02-06 17:06:45.000000000 +0100
+++ pam_unix/support.c	2007-09-28 13:32:22.000000000 +0200
@@ -36,6 +36,41 @@
 #define SELINUX_ENABLED 0
 #endif
 
+/* The actual files we may open under rootdir */
+static char unix_files[UNIX_FILES_MAX][1024+22] = {
+	[PASSWD_FILE]		= "/etc/passwd",
+	[PASSWD_TMP_FILE]	= "/etc/npasswd",
+	[SHADOW_FILE]		= "/etc/shadow",
+	[SHADOW_TMP_FILE]	= "/etc/nshadow",
+	[OLD_PASSWORDS_FILE]	= "/etc/security/opasswd",
+	[OLD_PASSWORDS_TMP_FILE] = "/etc/security/nopasswd",
+};
+char rootdir[1024] = "";
+
+/* Map file type to filename */
+char *unix_filename(unix_file_t type)
+{
+	return unix_files[type];
+}
+
+static void prepend_rootdir(const char *dir)
+{
+	unsigned int i;
+	char filename[1024];
+	size_t len;
+
+	if (strcmp(dir, rootdir) == 0)
+		return;
+	
+	len = strlen(rootdir);
+	strcpy(rootdir, dir);
+	for (i = 0; i < UNIX_FILES_MAX; i++) {
+		strcpy(filename, rootdir);
+		strcat(filename, unix_files[i]+len);
+		strcpy(unix_files[i], filename);
+	}
+}
+
 /* this is a front-end for module-application conversations */
 
 int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -110,6 +145,18 @@
 						*remember = 400;
 				}
 			}
+			if (j == UNIX_ROOTDIR) {
+				char *filename = strchr(*argv, '=');
+				
+				if (filename == NULL)
+					pam_syslog(pamh, LOG_ERR,
+						"invalid rootdir option [%s]", *argv);
+				else if (strlen(filename) > 1024)
+					pam_syslog(pamh, LOG_ERR,
+						"rootdir option too long [%s]", *argv);
+				else
+					prepend_rootdir(++filename);
+			}
 		}
 
 		++argv;		/* step to next argument */
@@ -237,7 +284,7 @@
 
 	if (!matched && files) {
 		int userlen = strlen(name);
-		passwd = fopen("/etc/passwd", "r");
+		passwd = fopen(unix_filename(PASSWD_FILE), "r");
 		if (passwd != NULL) {
 			while (fgets(buf, sizeof(buf), passwd) != NULL) {
 				if ((buf[userlen] == ':') &&
diff -urN pam_unix.orig/support.h pam_unix/support.h
--- pam_unix.orig/support.h	2007-01-23 10:30:23.000000000 +0100
+++ pam_unix/support.h	2007-09-28 13:22:29.000000000 +0200
@@ -84,8 +84,9 @@
 #define UNIX_NOREAP              21     /* don't reap child process */
 #define UNIX_BROKEN_SHADOW       22     /* ignore errors reading password aging
 					 * information during acct management */
+#define UNIX_ROOTDIR		 23	/* Directory instead of '/' to use */
 /* -------------- */
-#define UNIX_CTRLS_              23	/* number of ctrl arguments defined */
+#define UNIX_CTRLS_              24	/* number of ctrl arguments defined */
 
 
 static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
@@ -116,10 +117,24 @@
 /* UNIX_REMEMBER_PASSWD */ {"remember=",       _ALL_ON_,            02000000},
 /* UNIX_NOREAP */          {"noreap",          _ALL_ON_,            04000000},
 /* UNIX_BROKEN_SHADOW */   {"broken_shadow",   _ALL_ON_,           010000000},
+/* UNIX_ROOTDIR */         {"rootdir=",        _ALL_ON_,           020000000},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
 
+/* Files we may open under rootdir */
+typedef enum {
+	PASSWD_FILE = 0,
+	PASSWD_TMP_FILE,
+	SHADOW_FILE,
+	SHADOW_TMP_FILE,
+	OLD_PASSWORDS_FILE,
+	OLD_PASSWORDS_TMP_FILE,
+	UNIX_FILES_MAX,
+} unix_file_t;
+
+extern char *unix_filename(unix_file_t type);
+extern char rootdir[1024];
 
 /* use this to free strings. ESPECIALLY password strings */
 
diff -urN pam_unix.orig/unix_chkpwd.c pam_unix/unix_chkpwd.c
--- pam_unix.orig/unix_chkpwd.c	2007-03-12 15:35:14.000000000 +0100
+++ pam_unix/unix_chkpwd.c	2007-09-28 12:58:09.000000000 +0200
@@ -42,6 +42,9 @@
 #include "md5.h"
 #include "bigcrypt.h"
 
+static char shadowfile[1024+12] = "/etc/shadow";
+static char nshadowfile[1024+12] = "/etc/nshadow";
+
 /* syslogging function for errors and other information */
 
 static void _log_err(int err, const char *format,...)
@@ -261,8 +264,7 @@
 	return username;
 }
 
-#define SH_TMPFILE		"/etc/nshadow"
-static int _update_shadow(const char *forwho)
+static int _update_shadow(const char *forwho, const char *rootdir)
 {
     struct spwd *spwdent = NULL, *stmpent = NULL;
     FILE *pwfile, *opwfile;
@@ -273,6 +275,17 @@
     char towhat[MAXPASS + 1];
     int npass=0;
 
+    if (rootdir != NULL) {
+    	if (strlen(rootdir) >= 1024) {
+	  _log_err(LOG_DEBUG, "rootdir argument too long");
+          return PAM_AUTHTOK_ERR;
+        }
+        strcpy(shadowfile, rootdir);
+        strcpy(nshadowfile, rootdir);
+        strcat(shadowfile, "/etc/shadow");
+        strcat(nshadowfile, "/etc/nshadow");
+    }
+    
     /* read the password from stdin (a pipe from the pam_unix module) */
 
     npass = read(STDIN_FILENO, pass, MAXPASS);
@@ -323,7 +336,7 @@
 #ifdef WITH_SELINUX
     if (SELINUX_ENABLED) {
       security_context_t shadow_context=NULL;
-      if (getfilecon("/etc/shadow",&shadow_context)<0) {
+      if (getfilecon(shadowfile,&shadow_context)<0) {
 	return PAM_AUTHTOK_ERR;
       };
       if (getfscreatecon(&prev_context)<0) {
@@ -338,14 +351,14 @@
       freecon(shadow_context);
     }
 #endif
-    pwfile = fopen(SH_TMPFILE, "w");
+    pwfile = fopen(nshadowfile, "w");
     umask(oldmask);
     if (pwfile == NULL) {
 	err = 1;
 	goto done;
     }
 
-    opwfile = fopen("/etc/shadow", "r");
+    opwfile = fopen(shadowfile, "r");
     if (opwfile == NULL) {
 	fclose(pwfile);
 	err = 1;
@@ -399,7 +412,7 @@
 
  done:
     if (!err) {
-	if (rename(SH_TMPFILE, "/etc/shadow"))
+	if (rename(nshadowfile, shadowfile))
 	    err = 1;
     }
 
@@ -417,7 +430,7 @@
     if (!err) {
 	return PAM_SUCCESS;
     } else {
-	unlink(SH_TMPFILE);
+	unlink(nshadowfile);
 	return PAM_AUTHTOK_ERR;
     }
 }
@@ -445,7 +458,7 @@
 	 * account).
 	 */
 
-	if (isatty(STDIN_FILENO) || argc != 3 ) {
+	if (isatty(STDIN_FILENO) || argc < 3 ) {
 		_log_err(LOG_NOTICE
 		      ,"inappropriate use of Unix helper binary [UID=%d]"
 			 ,getuid());
@@ -476,14 +489,14 @@
 
 	option=argv[2];
 
-	if (strncmp(argv[2], "verify", 8) == 0) {
+	if (strncmp(option, "verify", 8) == 0) {
 	  /* Get the account information from the shadow file */
 	  return _verify_account(argv[1]);
 	}
 
 	if (strncmp(option, "shadow", 8) == 0) {
 	  /* Attempting to change the password */
-	  return _update_shadow(argv[1]);
+	  return _update_shadow(argv[1], argc > 3 ? argv[3] : NULL);
 	}
 
 	/* read the nullok/nonull option */

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux