1 /*
2 * Copyright (c) 2000 Markus Friedl. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24 /*
25 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
26 * Use is subject to license terms.
27 */
28
29 #include "includes.h"
30 RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
31
32 #ifdef HAVE_LOGIN_H
33 #include <login.h>
34 #endif
35 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
36 #include <shadow.h>
37 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
38
39 #ifdef HAVE_LIBGEN_H
40 #include <libgen.h>
41 #endif
42
43 #include "xmalloc.h"
44 #include "match.h"
45 #include "groupaccess.h"
46 #include "log.h"
47 #include "buffer.h"
48 #include "servconf.h"
49 #include "auth.h"
50 #include "auth-options.h"
51 #include "canohost.h"
52 #include "bufaux.h"
53 #include "uidswap.h"
54 #include "tildexpand.h"
55 #include "misc.h"
56 #include "bufaux.h"
57 #include "packet.h"
58 #include "channels.h"
59 #include "session.h"
60
61 #ifdef HAVE_BSM
62 #include "bsmaudit.h"
63 #include <bsm/adt.h>
64 #endif /* HAVE_BSM */
65
66 /* import */
67 extern ServerOptions options;
68
69 /* Debugging messages */
70 Buffer auth_debug;
71 int auth_debug_init;
72
73 /*
74 * Check if the user is allowed to log in via ssh. If user is listed
75 * in DenyUsers or one of user's groups is listed in DenyGroups, false
76 * will be returned. If AllowUsers isn't empty and user isn't listed
77 * there, or if AllowGroups isn't empty and one of user's groups isn't
78 * listed there, false will be returned.
79 * If the user's shell is not executable, false will be returned.
80 * Otherwise true is returned.
81 */
82 int
allowed_user(struct passwd * pw)83 allowed_user(struct passwd * pw)
84 {
85 struct stat st;
86 const char *hostname = NULL, *ipaddr = NULL;
87 char *shell;
88 int i;
89 #ifdef WITH_AIXAUTHENTICATE
90 char *loginmsg;
91 #endif /* WITH_AIXAUTHENTICATE */
92 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
93 !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
94 struct spwd *spw;
95
96 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
97 if (!pw || !pw->pw_name)
98 return 0;
99
100 #define DAY (24L * 60 * 60) /* 1 day in seconds */
101 spw = getspnam(pw->pw_name);
102 if (spw != NULL) {
103 time_t today = time(NULL) / DAY;
104 debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
105 " sp_max %d", (int)today, (int)spw->sp_expire,
106 (int)spw->sp_lstchg, (int)spw->sp_max);
107
108 /*
109 * We assume account and password expiration occurs the
110 * day after the day specified.
111 */
112 if (spw->sp_expire != -1 && today > spw->sp_expire) {
113 log("Account %.100s has expired", pw->pw_name);
114 return 0;
115 }
116
117 if (spw->sp_lstchg == 0) {
118 log("User %.100s password has expired (root forced)",
119 pw->pw_name);
120 return 0;
121 }
122
123 if (spw->sp_max != -1 &&
124 today > spw->sp_lstchg + spw->sp_max) {
125 log("User %.100s password has expired (password aged)",
126 pw->pw_name);
127 return 0;
128 }
129 }
130 #else
131 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
132 if (!pw || !pw->pw_name)
133 return 0;
134 #endif
135
136 /*
137 * Get the shell from the password data. An empty shell field is
138 * legal, and means /bin/sh.
139 */
140 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
141
142 /* deny if shell does not exists or is not executable */
143 if (stat(shell, &st) != 0) {
144 log("User %.100s not allowed because shell %.100s does not exist",
145 pw->pw_name, shell);
146 return 0;
147 }
148 if (S_ISREG(st.st_mode) == 0 ||
149 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
150 log("User %.100s not allowed because shell %.100s is not executable",
151 pw->pw_name, shell);
152 return 0;
153 }
154
155 if (options.num_deny_users > 0 || options.num_allow_users > 0) {
156 hostname = get_canonical_hostname(options.verify_reverse_mapping);
157 ipaddr = get_remote_ipaddr();
158 }
159
160 /* Return false if user is listed in DenyUsers */
161 if (options.num_deny_users > 0) {
162 for (i = 0; i < options.num_deny_users; i++)
163 if (match_user(pw->pw_name, hostname, ipaddr,
164 options.deny_users[i])) {
165 log("User %.100s not allowed because listed in DenyUsers",
166 pw->pw_name);
167 return 0;
168 }
169 }
170 /* Return false if AllowUsers isn't empty and user isn't listed there */
171 if (options.num_allow_users > 0) {
172 for (i = 0; i < options.num_allow_users; i++)
173 if (match_user(pw->pw_name, hostname, ipaddr,
174 options.allow_users[i]))
175 break;
176 /* i < options.num_allow_users iff we break for loop */
177 if (i >= options.num_allow_users) {
178 log("User %.100s not allowed because not listed in AllowUsers",
179 pw->pw_name);
180 return 0;
181 }
182 }
183 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
184 /* Get the user's group access list (primary and supplementary) */
185 if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
186 log("User %.100s not allowed because not in any group",
187 pw->pw_name);
188 return 0;
189 }
190
191 /* Return false if one of user's groups is listed in DenyGroups */
192 if (options.num_deny_groups > 0)
193 if (ga_match(options.deny_groups,
194 options.num_deny_groups)) {
195 ga_free();
196 log("User %.100s not allowed because a group is listed in DenyGroups",
197 pw->pw_name);
198 return 0;
199 }
200 /*
201 * Return false if AllowGroups isn't empty and one of user's groups
202 * isn't listed there
203 */
204 if (options.num_allow_groups > 0)
205 if (!ga_match(options.allow_groups,
206 options.num_allow_groups)) {
207 ga_free();
208 log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
209 pw->pw_name);
210 return 0;
211 }
212 ga_free();
213 }
214
215 #ifdef WITH_AIXAUTHENTICATE
216 if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
217 if (loginmsg && *loginmsg) {
218 /* Remove embedded newlines (if any) */
219 char *p;
220 for (p = loginmsg; *p; p++) {
221 if (*p == '\n')
222 *p = ' ';
223 }
224 /* Remove trailing newline */
225 *--p = '\0';
226 log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
227 }
228 return 0;
229 }
230 #endif /* WITH_AIXAUTHENTICATE */
231
232 /* We found no reason not to let this user try to log on... */
233 return 1;
234 }
235
236 Authctxt *
authctxt_new(void)237 authctxt_new(void)
238 {
239 Authctxt *authctxt = xmalloc(sizeof(*authctxt));
240 memset(authctxt, 0, sizeof(*authctxt));
241 return authctxt;
242 }
243
244 void
auth_log(Authctxt * authctxt,int authenticated,char * method,char * info)245 auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
246 {
247 void (*authlog) (const char *fmt,...) = verbose;
248 char *authmsg, *user_str;
249
250 if (authctxt == NULL)
251 fatal("%s: INTERNAL ERROR", __func__);
252
253 /* Raise logging level */
254 if (authenticated == 1 || !authctxt->valid)
255 authlog = log;
256 else if (authctxt->failures >= AUTH_FAIL_LOG ||
257 authctxt->attempt >= options.max_auth_tries_log ||
258 authctxt->init_attempt >= options.max_init_auth_tries_log)
259 authlog = notice;
260
261 if (authctxt->method) {
262 authmsg = "Failed";
263 if (authctxt->method->postponed)
264 authmsg = "Postponed"; /* shouldn't happen */
265 if (authctxt->method->abandoned)
266 authmsg = "Abandoned";
267 if (authctxt->method->authenticated) {
268 if (userauth_check_partial_failure(authctxt))
269 authmsg = "Partially accepted";
270 else
271 authmsg = "Accepted";
272 }
273 else
274 authmsg = "Failed";
275 }
276 else {
277 authmsg = authenticated ? "Accepted" : "Failed";
278 }
279
280 if (authctxt->user == NULL || *authctxt->user == '\0')
281 user_str = "<implicit>";
282 else if (!authctxt->valid)
283 user_str = "<invalid username>";
284 else
285 user_str = authctxt->user;
286
287 authlog("%s %s for %s from %.200s port %d%s",
288 authmsg,
289 (method != NULL) ? method : "<unknown authentication method>",
290 user_str,
291 get_remote_ipaddr(),
292 get_remote_port(),
293 info);
294
295 #ifdef WITH_AIXAUTHENTICATE
296 if (authenticated == 0 && strcmp(method, "password") == 0)
297 loginfailed(authctxt->user,
298 get_canonical_hostname(options.verify_reverse_mapping),
299 "ssh");
300 #endif /* WITH_AIXAUTHENTICATE */
301
302 }
303
304 #ifdef HAVE_BSM
305 void
audit_failed_login_cleanup(void * ctxt)306 audit_failed_login_cleanup(void *ctxt)
307 {
308 Authctxt *authctxt = (Authctxt *)ctxt;
309 adt_session_data_t *ah;
310
311 /*
312 * This table lists the different variable combinations evaluated and
313 * what the resulting PAM return value is. As the table shows
314 * authctxt and authctxt->valid need to be checked before either of
315 * the authctxt->pam* variables.
316 *
317 * authctxt-> authctxt->
318 * authctxt valid authctxt->pam pam_retval PAM rval
319 * -------- ---------- ------------- ------------ --------
320 * NULL ANY ANY ANY PAM_ABORT
321 * OK zero (0) ANY ANY PAM_USER_UNKNOWN
322 * OK one (1) NULL PAM_SUCCESS PAM_PERM_DENIED
323 * OK one (1) NULL !PAM_SUCCESS authctxt->
324 * pam_retval
325 * OK one (1) VALID ANY authctxt->
326 * pam_retval (+)
327 * (+) If not set then default to PAM_PERM_DENIED
328 */
329
330 if (authctxt == NULL) {
331 /* Internal error */
332 audit_sshd_login_failure(&ah, PAM_ABORT, NULL);
333 return;
334 }
335
336 if (authctxt->valid == 0) {
337 audit_sshd_login_failure(&ah, PAM_USER_UNKNOWN, NULL);
338 } else if (authctxt->pam == NULL) {
339 if (authctxt->pam_retval == PAM_SUCCESS) {
340 audit_sshd_login_failure(&ah, PAM_PERM_DENIED,
341 authctxt->user);
342 } else {
343 audit_sshd_login_failure(&ah, authctxt->pam_retval,
344 authctxt->user);
345 }
346 } else {
347 audit_sshd_login_failure(&ah, AUTHPAM_ERROR(authctxt,
348 PAM_PERM_DENIED), authctxt->user);
349 }
350 }
351 #endif /* HAVE_BSM */
352
353 /*
354 * Check whether root logins are disallowed.
355 */
356 int
auth_root_allowed(char * method)357 auth_root_allowed(char *method)
358 {
359 switch (options.permit_root_login) {
360 case PERMIT_YES:
361 return 1;
362 break;
363 case PERMIT_NO_PASSWD:
364 if (strcmp(method, "password") != 0 &&
365 strcmp(method, "keyboard-interactive") != 0)
366 return 1;
367 break;
368 case PERMIT_FORCED_ONLY:
369 if (forced_command) {
370 log("Root login accepted for forced command.");
371 return 1;
372 }
373 break;
374 }
375 log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
376 return 0;
377 }
378
379
380 /*
381 * Given a template and a passwd structure, build a filename
382 * by substituting % tokenised options. Currently, %% becomes '%',
383 * %h becomes the home directory and %u the username.
384 *
385 * This returns a buffer allocated by xmalloc.
386 */
387 char *
expand_filename(const char * filename,struct passwd * pw)388 expand_filename(const char *filename, struct passwd *pw)
389 {
390 Buffer buffer;
391 char *file;
392 const char *cp;
393
394 if (pw == 0)
395 return NULL; /* shouldn't happen */
396 /*
397 * Build the filename string in the buffer by making the appropriate
398 * substitutions to the given file name.
399 */
400 buffer_init(&buffer);
401 for (cp = filename; *cp; cp++) {
402 if (cp[0] == '%' && cp[1] == '%') {
403 buffer_append(&buffer, "%", 1);
404 cp++;
405 continue;
406 }
407 if (cp[0] == '%' && cp[1] == 'h') {
408 buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
409 cp++;
410 continue;
411 }
412 if (cp[0] == '%' && cp[1] == 'u') {
413 buffer_append(&buffer, pw->pw_name,
414 strlen(pw->pw_name));
415 cp++;
416 continue;
417 }
418 buffer_append(&buffer, cp, 1);
419 }
420 buffer_append(&buffer, "\0", 1);
421
422 /*
423 * Ensure that filename starts anchored. If not, be backward
424 * compatible and prepend the '%h/'
425 */
426 file = xmalloc(MAXPATHLEN);
427 cp = buffer_ptr(&buffer);
428 if (*cp != '/')
429 snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
430 else
431 strlcpy(file, cp, MAXPATHLEN);
432
433 buffer_free(&buffer);
434 return file;
435 }
436
437 char *
authorized_keys_file(struct passwd * pw)438 authorized_keys_file(struct passwd *pw)
439 {
440 return expand_filename(options.authorized_keys_file, pw);
441 }
442
443 char *
authorized_keys_file2(struct passwd * pw)444 authorized_keys_file2(struct passwd *pw)
445 {
446 return expand_filename(options.authorized_keys_file2, pw);
447 }
448
449 /* return ok if key exists in sysfile or userfile */
450 HostStatus
check_key_in_hostfiles(struct passwd * pw,Key * key,const char * host,const char * sysfile,const char * userfile)451 check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
452 const char *sysfile, const char *userfile)
453 {
454 Key *found;
455 char *user_hostfile;
456 struct stat st;
457 HostStatus host_status;
458
459 /* Check if we know the host and its host key. */
460 found = key_new(key->type);
461 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
462
463 if (host_status != HOST_OK && userfile != NULL) {
464 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
465 if (options.strict_modes &&
466 (stat(user_hostfile, &st) == 0) &&
467 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
468 (st.st_mode & 022) != 0)) {
469 log("Authentication refused for %.100s: "
470 "bad owner or modes for %.200s",
471 pw->pw_name, user_hostfile);
472 } else {
473 temporarily_use_uid(pw);
474 host_status = check_host_in_hostfile(user_hostfile,
475 host, key, found, NULL);
476 restore_uid();
477 }
478 xfree(user_hostfile);
479 }
480 key_free(found);
481
482 debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
483 "ok" : "not found", host);
484 return host_status;
485 }
486
487
488 /*
489 * Check a given file for security. This is defined as all components
490 * of the path to the file must be owned by either the owner of
491 * of the file or root and no directories must be group or world writable.
492 *
493 * XXX Should any specific check be done for sym links ?
494 *
495 * Takes an open file descriptor, the file name, a uid and and
496 * error buffer plus max size as arguments.
497 *
498 * Returns 0 on success and -1 on failure
499 */
500 int
secure_filename(FILE * f,const char * file,struct passwd * pw,char * err,size_t errlen)501 secure_filename(FILE *f, const char *file, struct passwd *pw,
502 char *err, size_t errlen)
503 {
504 uid_t uid;
505 char buf[MAXPATHLEN], homedir[MAXPATHLEN];
506 char *cp;
507 int comparehome = 0;
508 struct stat st;
509
510 if (pw == NULL)
511 return 0;
512
513 uid = pw->pw_uid;
514
515 if (realpath(file, buf) == NULL) {
516 snprintf(err, errlen, "realpath %s failed: %s", file,
517 strerror(errno));
518 return -1;
519 }
520
521 /*
522 * A user is not required to have all the files that are subject to
523 * the strict mode checking in his/her home directory. If the
524 * directory is not present at the moment, which might be the case if
525 * the directory is not mounted until the user is authenticated, do
526 * not perform the home directory check below.
527 */
528 if (realpath(pw->pw_dir, homedir) != NULL)
529 comparehome = 1;
530
531 /* check the open file to avoid races */
532 if (fstat(fileno(f), &st) < 0 ||
533 (st.st_uid != 0 && st.st_uid != uid) ||
534 (st.st_mode & 022) != 0) {
535 snprintf(err, errlen, "bad ownership or modes for file %s",
536 buf);
537 return -1;
538 }
539
540 /* for each component of the canonical path, walking upwards */
541 for (;;) {
542 if ((cp = dirname(buf)) == NULL) {
543 snprintf(err, errlen, "dirname() failed");
544 return -1;
545 }
546 strlcpy(buf, cp, sizeof(buf));
547
548 debug3("secure_filename: checking '%s'", buf);
549 if (stat(buf, &st) < 0 ||
550 (st.st_uid != 0 && st.st_uid != uid) ||
551 (st.st_mode & 022) != 0) {
552 snprintf(err, errlen,
553 "bad ownership or modes for directory %s", buf);
554 return -1;
555 }
556
557 /* If we passed the homedir then we can stop. */
558 if (comparehome && strcmp(homedir, buf) == 0) {
559 debug3("secure_filename: terminating check at '%s'",
560 buf);
561 break;
562 }
563 /*
564 * dirname should always complete with a "/" path,
565 * but we can be paranoid and check for "." too
566 */
567 if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
568 break;
569 }
570 return 0;
571 }
572
573 struct passwd *
getpwnamallow(const char * user)574 getpwnamallow(const char *user)
575 {
576 #ifdef HAVE_LOGIN_CAP
577 extern login_cap_t *lc;
578 #ifdef BSD_AUTH
579 auth_session_t *as;
580 #endif
581 #endif
582 struct passwd *pw;
583
584 if (user == NULL || *user == '\0')
585 return (NULL); /* implicit user, will be set later */
586
587 parse_server_match_config(&options, user,
588 get_canonical_hostname(options.verify_reverse_mapping), get_remote_ipaddr());
589
590 pw = getpwnam(user);
591 if (pw == NULL) {
592 log("Illegal user %.100s from %.100s",
593 user, get_remote_ipaddr());
594 return (NULL);
595 }
596 if (!allowed_user(pw))
597 return (NULL);
598 #ifdef HAVE_LOGIN_CAP
599 if ((lc = login_getclass(pw->pw_class)) == NULL) {
600 debug("unable to get login class: %s", user);
601 return (NULL);
602 }
603 #ifdef BSD_AUTH
604 if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
605 auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
606 debug("Approval failure for %s", user);
607 pw = NULL;
608 }
609 if (as != NULL)
610 auth_close(as);
611 #endif
612 #endif
613 if (pw != NULL)
614 return (pwcopy(pw));
615 return (NULL);
616 }
617
618
619 /*
620 * The fatal_cleanup method to kill the hook. Since hook has been put into
621 * new process group all descendants will be killed as well.
622 */
623 static void
kill_hook(void * arg)624 kill_hook(void *arg)
625 {
626 pid_t pid;
627
628 pid = *(pid_t*)arg;
629 debug("killing hook and all it's children, process group: %ld", pid);
630 xfree(arg);
631 (void)killpg(pid, SIGTERM);
632 }
633
634 /*
635 * Runs the PreUserauthHook.
636 * Returns -1 on execution error or the exit code of the hook if execution is
637 * successful.
638 */
639 int
run_auth_hook(const char * path,const char * user,const char * method)640 run_auth_hook(const char *path, const char *user, const char *method)
641 {
642 struct stat st;
643 int i, status, ret = 1;
644 u_int envsize, argsize;
645 char buf[256];
646 char **env, **args;
647 pid_t pid, *ppid;
648
649 if (path == NULL || user == NULL || method == NULL) {
650 return (-1);
651 }
652
653 /* Initialize the environment/arguments for the hook. */
654 envsize = 4; /* 3 env vars + EndOfList marker */
655 argsize = 4; /* 2 args + exe name + EndOfList marker */
656 env = xmalloc(envsize * sizeof (char *));
657 args = xmalloc(argsize * sizeof (char *));
658 env[0] = NULL;
659
660 /* we use the SSH env handling scheme */
661 child_set_env_silent(&env, &envsize, "PATH", "/usr/bin:/bin");
662 child_set_env_silent(&env, &envsize, "IFS", " \t\n");
663
664 (void) snprintf(buf, sizeof (buf), "%.50s %d %.50s %d",
665 get_remote_ipaddr(), get_remote_port(),
666 get_local_ipaddr(packet_get_connection_in()), get_local_port());
667 child_set_env_silent(&env, &envsize, "SSH_CONNECTION", buf);
668
669 args[0] = xstrdup(path);
670 args[1] = xstrdup(method);
671 args[2] = xstrdup(user);
672 args[3] = NULL;
673
674 /*
675 * sanity checks
676 * note: the checks do not make sure that the file checked is actually
677 * the same which is executed. However, in this case it shouldn't be a
678 * major issue since the hook is rather static and the worst case would
679 * be an uncorrect message in the log or a hook is run even though the
680 * permissions are not right.
681 */
682
683 /* check if script does exist */
684 if (stat(path, &st) < 0) {
685 log("Error executing PreUserauthHook \"%s\": %s", path,
686 strerror(errno));
687 goto cleanup;
688 }
689
690 /* Check correct permissions for script (uid of SSHD, mode 500) */
691 if (st.st_uid != getuid() || ((st.st_mode & 0777) != 0500)) {
692 log("PreUserauthHook has invalid permissions (should be 500, is"
693 " %o) or ownership (should be %d, is %d)",
694 (uint) st.st_mode & 0777, getuid(), st.st_uid);
695 goto cleanup;
696 }
697
698 if ((pid = fork()) == 0) {
699 /*
700 * We put the hook and all its (possible) descendants into
701 * a new process group so that in case of a hanging hook
702 * we can wipe out the whole "family".
703 */
704 if (setpgid(0, 0) != 0) {
705 log("setpgid: %s", strerror(errno));
706 _exit(255);
707 }
708 (void) execve(path, args, env);
709 /* child is gone so we shouldn't get here */
710 log("Error executing PreUserauthHook \"%s\": %s", path,
711 strerror(errno));
712 _exit(255);
713 } else if (pid == -1) {
714 log("Error executing PreUserauthHook \"%s\": %s", path,
715 strerror(errno));
716 goto cleanup;
717 }
718
719 /* make preparations to kill hook if it is hanging */
720 ppid = xmalloc(sizeof (pid_t));
721 *ppid = pid;
722 fatal_add_cleanup((void (*)(void *))kill_hook, (void *) ppid);
723
724 if (waitpid(pid, &status, 0) == -1) {
725 log("Error executing PreUserauthHook \"%s\": %s", path,
726 strerror(errno));
727 goto cleanup;
728 }
729
730 ret = WEXITSTATUS(status);
731
732 if (ret == 255) {
733 ret = -1; /* execve() failed, error msg already logged */
734 } else if (ret != 0) {
735 log("PreUserauthHook \"%s\" failed with exit code %d",
736 path, ret);
737 } else {
738 debug("PreUserauthHook \"%s\" finished successfully", path);
739 }
740
741 cleanup:
742 for (i = 0; args[i] != NULL; i++) {
743 xfree(args[i]);
744 }
745 for (i = 0; env[i] != NULL; i++) {
746 xfree(env[i]);
747 }
748 xfree(args);
749 xfree(env);
750
751 fatal_remove_cleanup((void (*)(void *))kill_hook, (void *) ppid);
752
753 return (ret);
754 }
755
756 void
auth_debug_add(const char * fmt,...)757 auth_debug_add(const char *fmt,...)
758 {
759 char buf[1024];
760 va_list args;
761
762 if (!auth_debug_init)
763 return;
764
765 va_start(args, fmt);
766 vsnprintf(buf, sizeof(buf), fmt, args);
767 va_end(args);
768 buffer_put_cstring(&auth_debug, buf);
769 }
770
771 void
auth_debug_send(void)772 auth_debug_send(void)
773 {
774 char *msg;
775
776 if (!auth_debug_init)
777 return;
778 while (buffer_len(&auth_debug)) {
779 msg = buffer_get_string(&auth_debug, NULL);
780 packet_send_debug("%s", msg);
781 xfree(msg);
782 }
783 }
784
785 void
auth_debug_reset(void)786 auth_debug_reset(void)
787 {
788 if (auth_debug_init)
789 buffer_clear(&auth_debug);
790 else {
791 buffer_init(&auth_debug);
792 auth_debug_init = 1;
793 }
794 }
795