2 * Copyright (c) 2001,2003 Networks Associates Technology, Inc.
5 * This software was developed for the FreeBSD Project by ThinkSec AS and
6 * NAI Labs, the Security Research Division of Network Associates, Inc.
7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 * DARPA CHATS research program.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote
19 * products derived from this software without specific prior written
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
38 #include <sys/types.h>
47 #include <security/pam_appl.h>
48 #include <security/pam_modules.h>
49 #include <security/openpam.h>
51 #define ENV_ITEM(n) { (n), #n }
56 ENV_ITEM(PAM_SERVICE),
64 _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
65 int argc, const char *argv[])
67 int envlen, i, nitems, pam_err, status;
68 char *env, **envlist, **tmp;
69 volatile int childerr;
73 return (PAM_SERVICE_ERR);
76 * XXX For additional credit, divert child's stdin/stdout/stderr
77 * to the conversation function.
81 * Set up the child's environment list. It consists of the PAM
82 * environment, plus a few hand-picked PAM items.
84 envlist = pam_getenvlist(pamh);
85 for (envlen = 0; envlist[envlen] != NULL; ++envlen)
87 nitems = sizeof(env_items) / sizeof(*env_items);
88 tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
90 openpam_free_envlist(envlist);
94 for (i = 0; i < nitems; ++i) {
98 pam_err = pam_get_item(pamh, env_items[i].item, &item);
99 if (pam_err != PAM_SUCCESS || item == NULL)
101 asprintf(&envstr, "%s=%s", env_items[i].name, item);
102 if (envstr == NULL) {
103 openpam_free_envlist(envlist);
104 return (PAM_BUF_ERR);
106 envlist[envlen++] = envstr;
107 envlist[envlen] = NULL;
111 * Fork and run the command. By using vfork() instead of fork(),
112 * we can distinguish between an execve() failure and a non-zero
113 * exit code from the command.
116 if ((pid = vfork()) == 0) {
117 execve(argv[0], (char * const *)argv, (char * const *)envlist);
121 openpam_free_envlist(envlist);
123 openpam_log(PAM_LOG_ERROR, "vfork(): %m");
124 return (PAM_SYSTEM_ERR);
126 if (waitpid(pid, &status, 0) == -1) {
127 openpam_log(PAM_LOG_ERROR, "waitpid(): %m");
128 return (PAM_SYSTEM_ERR);
131 openpam_log(PAM_LOG_ERROR, "execve(): %m");
132 return (PAM_SYSTEM_ERR);
134 if (WIFSIGNALED(status)) {
135 openpam_log(PAM_LOG_ERROR, "%s caught signal %d%s",
136 argv[0], WTERMSIG(status),
137 WCOREDUMP(status) ? " (core dumped)" : "");
138 return (PAM_SYSTEM_ERR);
140 if (!WIFEXITED(status)) {
141 openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status);
142 return (PAM_SYSTEM_ERR);
144 if (WEXITSTATUS(status) != 0) {
145 openpam_log(PAM_LOG_ERROR, "%s returned code %d",
146 argv[0], WEXITSTATUS(status));
147 return (PAM_SYSTEM_ERR);
149 return (PAM_SUCCESS);
153 pam_sm_authenticate(pam_handle_t *pamh, int flags,
154 int argc, const char *argv[])
157 return (_pam_exec(pamh, flags, argc, argv));
161 pam_sm_setcred(pam_handle_t *pamh, int flags,
162 int argc, const char *argv[])
165 return (_pam_exec(pamh, flags, argc, argv));
169 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
170 int argc, const char *argv[])
173 return (_pam_exec(pamh, flags, argc, argv));
177 pam_sm_open_session(pam_handle_t *pamh, int flags,
178 int argc, const char *argv[])
181 return (_pam_exec(pamh, flags, argc, argv));
185 pam_sm_close_session(pam_handle_t *pamh, int flags,
186 int argc, const char *argv[])
189 return (_pam_exec(pamh, flags, argc, argv));
193 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
194 int argc, const char *argv[])
197 return (_pam_exec(pamh, flags, argc, argv));
200 PAM_MODULE_ENTRY("pam_exec");