xref: /titanic_52/usr/src/lib/libpam/pam_impl.h (revision 8523fda3525b37e02f4d11efc8cf763bf08204ec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_PAM_IMPL_H
27 #define	_PAM_IMPL_H
28 
29 #ifdef __cplusplus
30 extern "C" {
31 #endif
32 
33 #include <limits.h>
34 #include <shadow.h>
35 #include <sys/types.h>
36 
37 #define	PAMTXD		"SUNW_OST_SYSOSPAM"
38 
39 #define	PAM_CONFIG	"/etc/pam.conf"
40 #define	PAM_ISA		"/$ISA/"
41 #define	PAM_LIB_DIR	"/usr/lib/security/"
42 #ifdef	_LP64
43 #define	PAM_ISA_DIR	"/64/"
44 #else	/* !_LP64 */
45 #define	PAM_ISA_DIR	"/"
46 #endif	/* _LP64 */
47 
48 /* Service Module Types */
49 
50 /*
51  * If new service types are added, they should be named in
52  * pam_framework.c::pam_snames[] as well.
53  */
54 
55 #define	PAM_ACCOUNT_NAME	"account"
56 #define	PAM_AUTH_NAME		"auth"
57 #define	PAM_PASSWORD_NAME	"password"
58 #define	PAM_SESSION_NAME	"session"
59 
60 #define	PAM_ACCOUNT_MODULE	0
61 #define	PAM_AUTH_MODULE		1
62 #define	PAM_PASSWORD_MODULE	2
63 #define	PAM_SESSION_MODULE	3
64 
65 #define	PAM_NUM_MODULE_TYPES	4
66 
67 /* Control Flags */
68 
69 #define	PAM_BINDING_NAME	"binding"
70 #define	PAM_INCLUDE_NAME	"include"
71 #define	PAM_OPTIONAL_NAME	"optional"
72 #define	PAM_REQUIRED_NAME	"required"
73 #define	PAM_REQUISITE_NAME	"requisite"
74 #define	PAM_SUFFICIENT_NAME	"sufficient"
75 
76 #define	PAM_BINDING	0x01
77 #define	PAM_INCLUDE	0x02
78 #define	PAM_OPTIONAL	0x04
79 #define	PAM_REQUIRED	0x08
80 #define	PAM_REQUISITE	0x10
81 #define	PAM_SUFFICIENT	0x20
82 
83 #define	PAM_REQRD_BIND	(PAM_REQUIRED | PAM_BINDING)
84 #define	PAM_SUFFI_BIND	(PAM_SUFFICIENT | PAM_BINDING)
85 
86 /* Function Indicators */
87 
88 #define	PAM_AUTHENTICATE	1
89 #define	PAM_SETCRED		2
90 #define	PAM_ACCT_MGMT		3
91 #define	PAM_OPEN_SESSION	4
92 #define	PAM_CLOSE_SESSION	5
93 #define	PAM_CHAUTHTOK		6
94 
95 /* PAM tracing */
96 
97 #define	PAM_DEBUG	"/etc/pam_debug"
98 #define	LOG_PRIORITY	"log_priority="
99 #define	LOG_FACILITY	"log_facility="
100 #define	DEBUG_FLAGS	"debug_flags="
101 #define	PAM_DEBUG_NONE		0x0000
102 #define	PAM_DEBUG_DEFAULT	0x0001
103 #define	PAM_DEBUG_ITEM		0x0002
104 #define	PAM_DEBUG_MODULE	0x0004
105 #define	PAM_DEBUG_CONF		0x0008
106 #define	PAM_DEBUG_DATA		0x0010
107 #define	PAM_DEBUG_CONV		0x0020
108 #define	PAM_DEBUG_AUTHTOK	0x8000
109 
110 #define	PAM_MAX_ITEMS		64	/* Max number of items */
111 #define	PAM_MAX_INCLUDE		32	/* Max include flag recursions */
112 
113 /* authentication module functions */
114 #define	PAM_SM_AUTHENTICATE	"pam_sm_authenticate"
115 #define	PAM_SM_SETCRED		"pam_sm_setcred"
116 
117 /* session module functions */
118 #define	PAM_SM_OPEN_SESSION	"pam_sm_open_session"
119 #define	PAM_SM_CLOSE_SESSION	"pam_sm_close_session"
120 
121 /* password module functions */
122 #define	PAM_SM_CHAUTHTOK		"pam_sm_chauthtok"
123 
124 /* account module functions */
125 #define	PAM_SM_ACCT_MGMT		"pam_sm_acct_mgmt"
126 
127 /*
128  * Definitions shared by passwd.c and the UNIX module
129  */
130 
131 #define	PAM_REP_DEFAULT	0x0
132 #define	PAM_REP_FILES	0x01
133 #define	PAM_REP_NIS	0x02
134 #define	PAM_REP_NISPLUS	0x04
135 #define	PAM_REP_LDAP	0x10
136 #define	PAM_OPWCMD	0x08	/* for nispasswd, yppasswd */
137 
138 /* max # of authentication token attributes */
139 #define	PAM_MAX_NUM_ATTR	10
140 
141 /* max size (in chars) of an authentication token attribute */
142 #define	PAM_MAX_ATTR_SIZE	80
143 
144 /* utility function prototypes */
145 
146 /* source values when calling __pam_get_authtok() */
147 #define	PAM_PROMPT	1	/* prompt user for new password */
148 #define	PAM_HANDLE	2	/* get password from pam handle (item) */
149 
150 #if	PASS_MAX >= PAM_MAX_RESP_SIZE
151 #error	PASS_MAX > PAM_MAX_RESP_SIZE
152 #endif	/* PASS_MAX >= PAM_MAX_RESP_SIZE */
153 
154 extern int
155 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
156     char **authtok);
157 
158 extern int
159 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
160     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);
161 
162 extern void
163 __pam_log(int priority, const char *format, ...);
164 
165 /* file handle for pam.conf */
166 struct pam_fh {
167 	int	fconfig;	/* file descriptor returned by open() */
168 	char    line[256];
169 	size_t  bufsize;	/* size of the buffer which holds */
170 				/* the content of pam.conf */
171 	char   *bufferp;	/* used to process data	*/
172 	char   *data;		/* contents of pam.conf	*/
173 };
174 
175 /* items that can be set/retrieved thru pam_[sg]et_item() */
176 struct	pam_item {
177 	void	*pi_addr;	/* pointer to item */
178 	int	pi_size;	/* size of item */
179 };
180 
181 /* module specific data stored in the pam handle */
182 struct pam_module_data {
183 	char *module_data_name;		/* unique module data name */
184 	void *data;			/* the module specific data */
185 	void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
186 	struct pam_module_data *next;	/* pointer to next module data */
187 };
188 
189 /* each entry from pam.conf is stored here (in the pam handle) */
190 typedef struct pamtab {
191 	char	*pam_service;	/* PAM service, e.g. login, rlogin */
192 	int	pam_type;	/* AUTH, ACCOUNT, PASSWORD, SESSION */
193 	int	pam_flag;	/* required, optional, sufficient */
194 	int	pam_err;	/* error if line overflow */
195 	char	*module_path;	/* module library */
196 	int	module_argc;	/* module specific options */
197 	char	**module_argv;
198 	void	*function_ptr;	/* pointer to struct holding function ptrs */
199 	struct pamtab *next;
200 } pamtab_t;
201 
202 /* list of open fd's (modules that were dlopen'd) */
203 typedef struct fd_list {
204 	void *mh;		/* module handle */
205 	struct fd_list *next;
206 } fd_list;
207 
208 /* list of PAM environment varialbes */
209 typedef struct env_list {
210 	char *name;
211 	char *value;
212 	struct env_list *next;
213 } env_list;
214 
215 /* pam_inmodule values for pam item checking */
216 #define	RW_OK	0	/* Read Write items OK */
217 #define	RO_OK	1	/* Read Only items OK */
218 #define	WO_OK	2	/* Write Only items/data OK */
219 
220 /* the pam handle */
221 struct pam_handle {
222 	struct  pam_item ps_item[PAM_MAX_ITEMS];	/* array of PAM items */
223 	int	include_depth;
224 	int	pam_inmodule;	/* Protect restricted pam_get_item calls */
225 	char	*pam_conf_name[PAM_MAX_INCLUDE+1];
226 	pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
227 	pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];
228 	struct	pam_module_data *ssd;		/* module specific data */
229 	fd_list *fd;				/* module fd's */
230 	env_list *pam_env;			/* environment variables */
231 };
232 
233 /*
234  * the function_ptr field in pamtab_t
235  * will point to one of these modules
236  */
237 struct auth_module {
238 	int	(*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
239 		    const char **argv);
240 	int	(*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
241 		    const char **argv);
242 };
243 
244 struct password_module {
245 	int	(*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
246 		    const char **argv);
247 };
248 
249 struct session_module {
250 	int	(*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
251 		    const char **argv);
252 	int	(*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
253 		    const char **argv);
254 };
255 
256 struct account_module {
257 	int	(*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
258 		    const char **argv);
259 };
260 
261 #ifdef __cplusplus
262 }
263 #endif
264 
265 #endif	/* _PAM_IMPL_H */
266