xref: /illumos-gate/usr/src/lib/libpam/pam_impl.h (revision 040524e83cbd2eb410edc795626783c095f877e3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_PAM_IMPL_H
27 #define	_PAM_IMPL_H
28 
29 #ifdef __cplusplus
30 extern "C" {
31 #endif
32 
33 #include <limits.h>
34 #include <shadow.h>
35 #include <sys/types.h>
36 
37 #define	PAMTXD		"SUNW_OST_SYSOSPAM"
38 
39 #define	PAM_CONFIG	"/etc/pam.conf"
40 #define	PAM_ISA		"/$ISA/"
41 #define	PAM_LIB_DIR	"/usr/lib/security/"
42 #ifdef	_LP64
43 #define	PAM_ISA_DIR	"/64/"
44 #else	/* !_LP64 */
45 #define	PAM_ISA_DIR	"/"
46 #endif	/* _LP64 */
47 
48 /* Service Module Types */
49 
50 /*
51  * If new service types are added, they should be named in
52  * pam_framework.c::pam_snames[] as well.
53  */
54 
55 #define	PAM_ACCOUNT_NAME	"account"
56 #define	PAM_AUTH_NAME		"auth"
57 #define	PAM_PASSWORD_NAME	"password"
58 #define	PAM_SESSION_NAME	"session"
59 
60 #define	PAM_ACCOUNT_MODULE	0
61 #define	PAM_AUTH_MODULE		1
62 #define	PAM_PASSWORD_MODULE	2
63 #define	PAM_SESSION_MODULE	3
64 
65 #define	PAM_NUM_MODULE_TYPES	4
66 
67 /* Control Flags */
68 
69 #define	PAM_BINDING_NAME	"binding"
70 #define	PAM_INCLUDE_NAME	"include"
71 #define	PAM_OPTIONAL_NAME	"optional"
72 #define	PAM_REQUIRED_NAME	"required"
73 #define	PAM_REQUISITE_NAME	"requisite"
74 #define	PAM_SUFFICIENT_NAME	"sufficient"
75 
76 #define	PAM_BINDING	0x01
77 #define	PAM_INCLUDE	0x02
78 #define	PAM_OPTIONAL	0x04
79 #define	PAM_REQUIRED	0x08
80 #define	PAM_REQUISITE	0x10
81 #define	PAM_SUFFICIENT	0x20
82 
83 #define	PAM_REQRD_BIND	(PAM_REQUIRED | PAM_BINDING)
84 #define	PAM_SUFFI_BIND	(PAM_SUFFICIENT | PAM_BINDING)
85 
86 /* Function Indicators */
87 
88 #define	PAM_AUTHENTICATE	1
89 #define	PAM_SETCRED		2
90 #define	PAM_ACCT_MGMT		3
91 #define	PAM_OPEN_SESSION	4
92 #define	PAM_CLOSE_SESSION	5
93 #define	PAM_CHAUTHTOK		6
94 
95 /* PAM tracing */
96 
97 #define	PAM_DEBUG	"/etc/pam_debug"
98 #define	LOG_PRIORITY	"log_priority="
99 #define	LOG_FACILITY	"log_facility="
100 #define	DEBUG_FLAGS	"debug_flags="
101 #define	PAM_DEBUG_NONE		0x0000
102 #define	PAM_DEBUG_DEFAULT	0x0001
103 #define	PAM_DEBUG_ITEM		0x0002
104 #define	PAM_DEBUG_MODULE	0x0004
105 #define	PAM_DEBUG_CONF		0x0008
106 #define	PAM_DEBUG_DATA		0x0010
107 #define	PAM_DEBUG_CONV		0x0020
108 #define	PAM_DEBUG_AUTHTOK	0x8000
109 
110 #define	PAM_MAX_ITEMS		64	/* Max number of items */
111 #define	PAM_MAX_INCLUDE		32	/* Max include flag recursions */
112 
113 /* authentication module functions */
114 #define	PAM_SM_AUTHENTICATE	"pam_sm_authenticate"
115 #define	PAM_SM_SETCRED		"pam_sm_setcred"
116 
117 /* session module functions */
118 #define	PAM_SM_OPEN_SESSION	"pam_sm_open_session"
119 #define	PAM_SM_CLOSE_SESSION	"pam_sm_close_session"
120 
121 /* password module functions */
122 #define	PAM_SM_CHAUTHTOK		"pam_sm_chauthtok"
123 
124 /* account module functions */
125 #define	PAM_SM_ACCT_MGMT		"pam_sm_acct_mgmt"
126 
127 /* max # of authentication token attributes */
128 #define	PAM_MAX_NUM_ATTR	10
129 
130 /* max size (in chars) of an authentication token attribute */
131 #define	PAM_MAX_ATTR_SIZE	80
132 
133 /* utility function prototypes */
134 
135 /* source values when calling __pam_get_authtok() */
136 #define	PAM_PROMPT	1	/* prompt user for new password */
137 #define	PAM_HANDLE	2	/* get password from pam handle (item) */
138 
139 #if	PASS_MAX >= PAM_MAX_RESP_SIZE
140 #error	PASS_MAX > PAM_MAX_RESP_SIZE
141 #endif	/* PASS_MAX >= PAM_MAX_RESP_SIZE */
142 
143 extern int
144 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
145     char **authtok);
146 
147 extern int
148 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
149     char messages[][PAM_MAX_MSG_SIZE], void *conv_apdp);
150 
151 extern void
152 __pam_log(int priority, const char *format, ...);
153 
154 /* file handle for pam.conf */
155 struct pam_fh {
156 	int	fconfig;	/* file descriptor returned by open() */
157 	char    line[256];
158 	size_t  bufsize;	/* size of the buffer which holds */
159 				/* the content of pam.conf */
160 	char   *bufferp;	/* used to process data	*/
161 	char   *data;		/* contents of pam.conf	*/
162 };
163 
164 /* items that can be set/retrieved thru pam_[sg]et_item() */
165 struct	pam_item {
166 	void	*pi_addr;	/* pointer to item */
167 	int	pi_size;	/* size of item */
168 };
169 
170 /* module specific data stored in the pam handle */
171 struct pam_module_data {
172 	char *module_data_name;		/* unique module data name */
173 	void *data;			/* the module specific data */
174 	void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
175 	struct pam_module_data *next;	/* pointer to next module data */
176 };
177 
178 /* each entry from pam.conf is stored here (in the pam handle) */
179 typedef struct pamtab {
180 	char	*pam_service;	/* PAM service, e.g. login, rlogin */
181 	int	pam_type;	/* AUTH, ACCOUNT, PASSWORD, SESSION */
182 	int	pam_flag;	/* required, optional, sufficient */
183 	int	pam_err;	/* error if line overflow */
184 	char	*module_path;	/* module library */
185 	int	module_argc;	/* module specific options */
186 	char	**module_argv;
187 	void	*function_ptr;	/* pointer to struct holding function ptrs */
188 	struct pamtab *next;
189 } pamtab_t;
190 
191 /* list of open fd's (modules that were dlopen'd) */
192 typedef struct fd_list {
193 	void *mh;		/* module handle */
194 	struct fd_list *next;
195 } fd_list;
196 
197 /* list of PAM environment varialbes */
198 typedef struct env_list {
199 	char *name;
200 	char *value;
201 	struct env_list *next;
202 } env_list;
203 
204 /* pam_inmodule values for pam item checking */
205 #define	RW_OK	0	/* Read Write items OK */
206 #define	RO_OK	1	/* Read Only items OK */
207 #define	WO_OK	2	/* Write Only items/data OK */
208 
209 /* the pam handle */
210 struct pam_handle {
211 	struct  pam_item ps_item[PAM_MAX_ITEMS];	/* array of PAM items */
212 	int	include_depth;
213 	int	pam_inmodule;	/* Protect restricted pam_get_item calls */
214 	char	*pam_conf_name[PAM_MAX_INCLUDE+1];
215 	pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
216 	pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];
217 	struct	pam_module_data *ssd;		/* module specific data */
218 	fd_list *fd;				/* module fd's */
219 	env_list *pam_env;			/* environment variables */
220 };
221 
222 /*
223  * the function_ptr field in pamtab_t
224  * will point to one of these modules
225  */
226 struct auth_module {
227 	int	(*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
228 		    const char **argv);
229 	int	(*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
230 		    const char **argv);
231 };
232 
233 struct password_module {
234 	int	(*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
235 		    const char **argv);
236 };
237 
238 struct session_module {
239 	int	(*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
240 		    const char **argv);
241 	int	(*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
242 		    const char **argv);
243 };
244 
245 struct account_module {
246 	int	(*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
247 		    const char **argv);
248 };
249 
250 #ifdef __cplusplus
251 }
252 #endif
253 
254 #endif	/* _PAM_IMPL_H */
255