xref: /freebsd/lib/libpam/modules/pam_ksu/pam_ksu.c (revision 56e53cb8ef000c3ef72337a4095987a932cdedef)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <errno.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <unistd.h>
37 
38 #include <krb5.h>
39 
40 #define PAM_SM_AUTH
41 #define PAM_SM_CRED
42 #include <security/pam_appl.h>
43 #include <security/pam_modules.h>
44 #include <security/pam_mod_misc.h>
45 
46 static const char superuser[] = "root";
47 
48 static long	get_su_principal(krb5_context, const char *, const char *,
49 		    char **, krb5_principal *);
50 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
51 		    krb5_principal);
52 
53 PAM_EXTERN int
54 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
55     int argc __unused, const char *argv[] __unused)
56 {
57 	krb5_context	 context;
58 	krb5_principal	 su_principal;
59 	const char	*user;
60 	const void	*ruser;
61 	char		*su_principal_name;
62 	long		 rv;
63 	int		 pamret;
64 
65 	pamret = pam_get_user(pamh, &user, NULL);
66 	if (pamret != PAM_SUCCESS)
67 		return (pamret);
68 	PAM_LOG("Got user: %s", user);
69 	pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
70 	if (pamret != PAM_SUCCESS)
71 		return (pamret);
72 	PAM_LOG("Got ruser: %s", (const char *)ruser);
73 	rv = krb5_init_context(&context);
74 	if (rv != 0) {
75 		const char *msg = krb5_get_error_message(context, rv);
76 		PAM_LOG("krb5_init_context failed: %s", msg);
77 		krb5_free_error_message(context, msg);
78 		return (PAM_SERVICE_ERR);
79 	}
80 	rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
81 	if (rv != 0)
82 		return (PAM_AUTH_ERR);
83 	PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
84 	rv = krb5_kuserok(context, su_principal, user);
85 	pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
86 	free(su_principal_name);
87 	krb5_free_principal(context, su_principal);
88 	krb5_free_context(context);
89 	return (pamret);
90 }
91 
92 PAM_EXTERN int
93 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
94     int ac __unused, const char *av[] __unused)
95 {
96 
97 	return (PAM_SUCCESS);
98 }
99 
100 /* Authenticate using Kerberos 5.
101  *   pamh              -- The PAM handle.
102  *   context           -- An initialized krb5_context.
103  *   su_principal_name -- The target principal name, used only for password prompts.
104  *              If NULL, the password prompts will not include a principal
105  *              name.
106  *   su_principal      -- The target krb5_principal.
107  * Note that a valid keytab in the default location with a host entry
108  * must be available, and that the PAM application must have sufficient
109  * privileges to access it.
110  * Returns PAM_SUCCESS if authentication was successful, or an appropriate
111  * PAM error code if it was not.
112  */
113 static int
114 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
115     krb5_principal su_principal)
116 {
117 	krb5_creds	 creds;
118 	krb5_get_init_creds_opt *gic_opt;
119 	krb5_verify_init_creds_opt vic_opt;
120 	const char	*pass;
121 	char		*prompt;
122 	long		 rv;
123 	int		 pamret;
124 
125 	prompt = NULL;
126 	krb5_verify_init_creds_opt_init(&vic_opt);
127 	if (su_principal_name != NULL)
128 		(void)asprintf(&prompt, "Password for %s:", su_principal_name);
129 	else
130 		(void)asprintf(&prompt, "Password:");
131 	if (prompt == NULL)
132 		return (PAM_BUF_ERR);
133 	pass = NULL;
134 	pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
135 	free(prompt);
136 	if (pamret != PAM_SUCCESS)
137 		return (pamret);
138 	rv = krb5_get_init_creds_opt_alloc(context, &gic_opt);
139 	if (rv != 0) {
140 		const char *msg = krb5_get_error_message(context, rv);
141 		PAM_LOG("krb5_get_init_creds_opt_alloc: %s", msg);
142 		krb5_free_error_message(context, msg);
143 		return (PAM_AUTH_ERR);
144 	}
145 	rv = krb5_get_init_creds_password(context, &creds, su_principal,
146 	    pass, NULL, NULL, 0, NULL, gic_opt);
147 	krb5_get_init_creds_opt_free(context, gic_opt);
148 	if (rv != 0) {
149 		const char *msg = krb5_get_error_message(context, rv);
150 		PAM_LOG("krb5_get_init_creds_password: %s", msg);
151 		krb5_free_error_message(context, msg);
152 		return (PAM_AUTH_ERR);
153 	}
154 	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
155 	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
156 	    &vic_opt);
157 	krb5_free_cred_contents(context, &creds);
158 	if (rv != 0) {
159 		const char *msg = krb5_get_error_message(context, rv);
160 		PAM_LOG("krb5_verify_init_creds: %s", msg);
161 		krb5_free_error_message(context, msg);
162 		return (PAM_AUTH_ERR);
163 	}
164 	return (PAM_SUCCESS);
165 }
166 
167 /* Determine the target principal given the current user and the target user.
168  *   context           -- An initialized krb5_context.
169  *   target_user       -- The target username.
170  *   current_user      -- The current username.
171  *   su_principal_name -- (out) The target principal name.
172  *   su_principal      -- (out) The target krb5_principal.
173  * When the target user is `root', the target principal will be a `root
174  * instance', e.g. `luser/root@REA.LM'.  Otherwise, the target principal
175  * will simply be the current user's default principal name.  Note that
176  * in any case, if KRB5CCNAME is set and a credentials cache exists, the
177  * principal name found there will be the `starting point', rather than
178  * the ruser parameter.
179  *
180  * Returns 0 for success, or a com_err error code on failure.
181  */
182 static long
183 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
184     char **su_principal_name, krb5_principal *su_principal)
185 {
186 	krb5_principal	 default_principal;
187 	krb5_ccache	 ccache;
188 	char		*principal_name, *ccname, *p;
189 	long		 rv;
190 	uid_t		 euid, ruid;
191 
192 	*su_principal = NULL;
193 	default_principal = NULL;
194 	/* Unless KRB5CCNAME was explicitly set, we won't really be able
195 	 * to look at the credentials cache since krb5_cc_default will
196 	 * look at getuid().
197 	 */
198 	ruid = getuid();
199 	euid = geteuid();
200 	rv = seteuid(ruid);
201 	if (rv != 0)
202 		return (errno);
203 	p = getenv("KRB5CCNAME");
204 	if (p != NULL)
205 		ccname = strdup(p);
206 	else
207 		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
208 	if (ccname == NULL)
209 		return (errno);
210 	rv = krb5_cc_resolve(context, ccname, &ccache);
211 	free(ccname);
212 	if (rv == 0) {
213 		rv = krb5_cc_get_principal(context, ccache, &default_principal);
214 		krb5_cc_close(context, ccache);
215 		if (rv != 0)
216 			default_principal = NULL; /* just to be safe */
217 	}
218 	rv = seteuid(euid);
219 	if (rv != 0)
220 		return (errno);
221 	if (default_principal == NULL) {
222 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
223 		if (rv != 0) {
224 			PAM_LOG("Could not determine default principal name.");
225 			return (rv);
226 		}
227 	}
228 	/* Now that we have some principal, if the target account is
229 	 * `root', then transform it into a `root' instance, e.g.
230 	 * `user@REA.LM' -> `user/root@REA.LM'.
231 	 */
232 	rv = krb5_unparse_name(context, default_principal, &principal_name);
233 	krb5_free_principal(context, default_principal);
234 	if (rv != 0) {
235 		const char *msg = krb5_get_error_message(context, rv);
236 		PAM_LOG("krb5_unparse_name: %s", msg);
237 		krb5_free_error_message(context, msg);
238 		return (rv);
239 	}
240 	PAM_LOG("Default principal name: %s", principal_name);
241 	if (strcmp(target_user, superuser) == 0) {
242 		p = strrchr(principal_name, '@');
243 		if (p == NULL) {
244 			PAM_LOG("malformed principal name `%s'", principal_name);
245 			free(principal_name);
246 			return (rv);
247 		}
248 		*p++ = '\0';
249 		*su_principal_name = NULL;
250 		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
251 		free(principal_name);
252 	} else
253 		*su_principal_name = principal_name;
254 
255 	if (*su_principal_name == NULL)
256 		return (errno);
257 	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
258 	if (rv != 0) {
259 		const char *msg = krb5_get_error_message(context, rv);
260 		PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, msg);
261 		krb5_free_error_message(context, msg);
262 		free(*su_principal_name);
263 		return (rv);
264 	}
265 	PAM_LOG("Target principal name: %s", *su_principal_name);
266 	*su_principal = default_principal;
267 	return (0);
268 }
269 
270 PAM_MODULE_ENTRY("pam_ksu");
271