isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

On AIX use the value of auth_type in /etc/security/login.cfg to

Browse Source 
determine whether to use LAM or PAM unless the user specified the
--with-pam or --with-aixauth configure flags.
This commit is contained in:
Todd C. Miller
2015-02-23 11:12:43 -07:00
parent 1ce9dd5e07
commit e11f32fd42
7 changed files with 168 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
INSTALL
View File

@@ -381,10 +381,11 @@ Authentication options:
link without it. link without it.
--with-aixauth --with-aixauth
Enable support for the AIX 4.x general authentication function. Enable support for the AIX general authentication function.
This will use the authentication scheme specified for the user This will use the authentication scheme specified for the
on the machine. It is on by default for AIX systems that user on the machine. By default, sudo will use either AIX
support it. authentication or PAM depending on the value of the auth_type
setting in the /etc/security/login.cfg file.
--with-bsdauth --with-bsdauth
Enable support for BSD authentication. This is the default Enable support for BSD authentication. This is the default

4
NEWS
View File

@@ -24,6 +24,10 @@ What's new in Sudo 1.8.13
use passwd (or shadow) file authentication on systems where the use passwd (or shadow) file authentication on systems where the
crypt() function returns NULL for invalid salts. crypt() function returns NULL for invalid salts.
* On AIX, sudo now uses the value of the auth_type setting in
/etc/security/login.cfg to determine whether to use LAM or PAM
for user authentication.
What's new in Sudo 1.8.12 What's new in Sudo 1.8.12
* The embedded copy of zlib has been upgraded to version 1.2.8 and * The embedded copy of zlib has been upgraded to version 1.2.8 and

41
configure vendored
View File

@@ -14514,25 +14514,11 @@ done
OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT" OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp" SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
# On AIX 6 and higher default to PAM, else default to LAM # For AIX we build in support for both LAM and PAM
if test $OSMAJOR -ge 6; then # and choose which to use based on auth_type in
if test X"$with_pam" = X""; then # /etc/security/login.cfg
AUTH_EXCL_DEF="PAM" if test X"${with_pam}${with_aixauth}" = X""; then
fi AUTH_EXCL_DEF="AIX_AUTH PAM"
else
if test X"$with_aixauth" = X""; then
for ac_func in authenticate
do :
ac_fn_c_check_func "$LINENO" "authenticate" "ac_cv_func_authenticate"
if test "x$ac_cv_func_authenticate" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_AUTHENTICATE 1
_ACEOF
AUTH_EXCL_DEF="AIX_AUTH"
fi
done
fi
fi fi
# AIX analog of nsswitch.conf, enabled by default # AIX analog of nsswitch.conf, enabled by default
@@ -15210,10 +15196,6 @@ fi
AUTH_REG=${AUTH_REG# } AUTH_REG=${AUTH_REG# }
AUTH_EXCL=${AUTH_EXCL# } AUTH_EXCL=${AUTH_EXCL# }
if test -n "$AUTH_EXCL"; then if test -n "$AUTH_EXCL"; then
set -- $AUTH_EXCL
if test $# != 1; then
as_fn_error $? "More than one mutually exclusive authentication method specified: $AUTH_EXCL" "$LINENO" 5
fi
if test -n "$AUTH_REG"; then if test -n "$AUTH_REG"; then
as_fn_error $? "Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods" "$LINENO" 5 as_fn_error $? "Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods" "$LINENO" 5
fi fi
@@ -21693,7 +21675,18 @@ fi
fi fi
if test ${with_aixauth-'no'} != "no"; then if test ${with_aixauth-'no'} != "no"; then
if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then for ac_func in authenticate
do :
ac_fn_c_check_func "$LINENO" "authenticate" "ac_cv_func_authenticate"
if test "x$ac_cv_func_authenticate" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_AUTHENTICATE 1
_ACEOF
with_aixauth=yes
fi
done
if test "${with_aixauth}" = "yes"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: using AIX general authentication" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: using AIX general authentication" >&5
$as_echo "$as_me: using AIX general authentication" >&6;} $as_echo "$as_me: using AIX general authentication" >&6;}
$as_echo "#define HAVE_AIXAUTH 1" >>confdefs.h $as_echo "#define HAVE_AIXAUTH 1" >>confdefs.h

24
configure.ac
View File

@@ -1680,15 +1680,11 @@ case "$host" in
OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT" OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp" SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
# On AIX 6 and higher default to PAM, else default to LAM # For AIX we build in support for both LAM and PAM
if test $OSMAJOR -ge 6; then # and choose which to use based on auth_type in
if test X"$with_pam" = X""; then # /etc/security/login.cfg
AUTH_EXCL_DEF="PAM" if test X"${with_pam}${with_aixauth}" = X""; then
fi AUTH_EXCL_DEF="AIX_AUTH PAM"
else
if test X"$with_aixauth" = X""; then
AC_CHECK_FUNCS([authenticate], [AUTH_EXCL_DEF="AIX_AUTH"])
fi
fi fi
# AIX analog of nsswitch.conf, enabled by default # AIX analog of nsswitch.conf, enabled by default
@@ -2104,10 +2100,6 @@ dnl
AUTH_REG=${AUTH_REG# } AUTH_REG=${AUTH_REG# }
AUTH_EXCL=${AUTH_EXCL# } AUTH_EXCL=${AUTH_EXCL# }
if test -n "$AUTH_EXCL"; then if test -n "$AUTH_EXCL"; then
set -- $AUTH_EXCL
if test $# != 1; then
AC_MSG_ERROR([More than one mutually exclusive authentication method specified: $AUTH_EXCL])
fi
if test -n "$AUTH_REG"; then if test -n "$AUTH_REG"; then
AC_MSG_ERROR([Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods]) AC_MSG_ERROR([Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods])
fi fi
@@ -3222,10 +3214,12 @@ fi
dnl dnl
dnl AIX general authentication dnl AIX general authentication
dnl If set to "maybe" only enable if no other exclusive method in use. dnl We may build in support for both AIX LAM and PAM and select
dnl which one to use at run-time.
dnl dnl
if test ${with_aixauth-'no'} != "no"; then if test ${with_aixauth-'no'} != "no"; then
if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then AC_CHECK_FUNCS([authenticate], [with_aixauth=yes])
if test "${with_aixauth}" = "yes"; then
AC_MSG_NOTICE([using AIX general authentication]) AC_MSG_NOTICE([using AIX general authentication])
AC_DEFINE(HAVE_AIXAUTH) AC_DEFINE(HAVE_AIXAUTH)
AUTH_OBJS="$AUTH_OBJS aix_auth.lo"; AUTH_OBJS="$AUTH_OBJS aix_auth.lo";

85
plugins/sudoers/auth/aix_auth.c
View File

@@ -39,6 +39,7 @@
#ifdef HAVE_UNISTD_H #ifdef HAVE_UNISTD_H
# include <unistd.h> # include <unistd.h>
#endif /* HAVE_UNISTD_H */ #endif /* HAVE_UNISTD_H */
#include <ctype.h>
#include <pwd.h> #include <pwd.h>
#include <usersec.h> #include <usersec.h>
@@ -49,6 +50,90 @@
* For a description of the AIX authentication API, see * For a description of the AIX authentication API, see
* http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
*/ */
#define AIX_AUTH_UNKNOWN 0
#define AIX_AUTH_STD 1
#define AIX_AUTH_PAM 2
static int
sudo_aix_authtype(void)
{
size_t linesize = 0;
ssize_t len;
char *cp, *line = NULL;
bool in_stanza = false;
int authtype = AIX_AUTH_UNKNOWN;
FILE *fp;
debug_decl(sudo_aix_authtype, SUDOERS_DEBUG_AUTH)
if ((fp = fopen("/etc/security/login.cfg", "r")) != NULL) {
while (authtype == AIX_AUTH_UNKNOWN && (len = getline(&line, &linesize, fp)) != -1) {
/* First remove comments. */
if ((cp = strchr(line, '#')) != NULL) {
*cp = '\0';
len = (ssize_t)(cp - line);
}
/* Next remove trailing newlines and whitespace. */
while (len > 0 && isspace((unsigned char)line[len - 1]))
line[--len] = '\0';
/* Skip blank lines. */
if (len == 0)
continue;
/* Match start of the usw stanza. */
if (!in_stanza) {
if (strncmp(line, "usw:", 4) == 0)
in_stanza = true;
continue;
}
/* Check for end of the usw stanza. */
if (!isblank((unsigned char)line[0])) {
in_stanza = false;
break;
}
/* Skip leading blanks. */
cp = line;
do {
cp++;
} while (isblank((unsigned char)*cp));
/* Match "auth_type = (PAM_AUTH|STD_AUTH)". */
if (strncmp(cp, "auth_type", 9) != 0)
continue;
cp += 9;
while (isblank((unsigned char)*cp))
cp++;
if (*cp++ != '=')
continue;
while (isblank((unsigned char)*cp))
cp++;
if (strcmp(cp, "PAM_AUTH") == 0)
authtype = AIX_AUTH_PAM;
else if (strcmp(cp, "STD_AUTH") == 0)
authtype = AIX_AUTH_STD;
}
free(line);
fclose(fp);
}
debug_return_int(authtype);
}
int
sudo_aix_init(struct passwd *pw, sudo_auth *auth)
{
debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH)
/* Check auth_type in /etc/security/login.cfg. */
if (sudo_aix_authtype() == AIX_AUTH_PAM)
debug_return_int(AUTH_FAILURE);
debug_return_int(AUTH_SUCCESS);
}
int int
sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth) sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
{ {

64
plugins/sudoers/auth/sudo_auth.c
View File

@@ -49,6 +49,9 @@
static sudo_auth auth_switch[] = { static sudo_auth auth_switch[] = {
/* Standalone entries first */ /* Standalone entries first */
#ifdef HAVE_AIXAUTH
AUTH_ENTRY("aixauth", FLAG_STANDALONE, sudo_aix_init, NULL, sudo_aix_verify, sudo_aix_cleanup, NULL, NULL)
#endif
#ifdef HAVE_PAM #ifdef HAVE_PAM
AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session) AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
#endif #endif
@@ -58,9 +61,6 @@ static sudo_auth auth_switch[] = {
#ifdef HAVE_SIA_SES_INIT #ifdef HAVE_SIA_SES_INIT
AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, NULL, NULL) AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, NULL, NULL)
#endif #endif
#ifdef HAVE_AIXAUTH
AUTH_ENTRY("aixauth", FLAG_STANDALONE, NULL, NULL, sudo_aix_verify, sudo_aix_cleanup, NULL, NULL)
#endif
#ifdef HAVE_FWTK #ifdef HAVE_FWTK
AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL) AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL)
#endif #endif
@@ -109,20 +109,6 @@ sudo_auth_init(struct passwd *pw)
if (auth_switch[0].name == NULL) if (auth_switch[0].name == NULL)
debug_return_int(0); debug_return_int(0);
/* Make sure we haven't mixed standalone and shared auth methods. */
standalone = IS_STANDALONE(&auth_switch[0]);
if (standalone && auth_switch[1].name != NULL) {
audit_failure(NewArgc, NewArgv, N_("invalid authentication methods"));
log_warningx(SLOG_SEND_MAIL,
N_("Invalid authentication methods compiled into sudo! "
"You may not mix standalone and non-standalone authentication."));
debug_return_int(-1);
}
/* Set FLAG_ONEANDONLY if there is only one auth method. */
if (auth_switch[1].name == NULL)
SET(auth_switch[0].flags, FLAG_ONEANDONLY);
/* Initialize auth methods and unconfigure the method if necessary. */ /* Initialize auth methods and unconfigure the method if necessary. */
for (auth = auth_switch; auth->name; auth++) { for (auth = auth_switch; auth->name; auth++) {
if (auth->init && !IS_DISABLED(auth)) { if (auth->init && !IS_DISABLED(auth)) {
@@ -134,6 +120,50 @@ sudo_auth_init(struct passwd *pw)
break; /* assume error msg already printed */ break; /* assume error msg already printed */
} }
} }
/*
* Make sure we haven't mixed standalone and shared auth methods.
* If there are multiple standalone methods, only use the first one.
*/
if ((standalone = IS_STANDALONE(&auth_switch[0]))) {
bool found = false;
for (auth = auth_switch; auth->name; auth++) {
if (IS_DISABLED(auth))
continue;
if (!IS_STANDALONE(auth)) {
audit_failure(NewArgc, NewArgv,
N_("invalid authentication methods"));
log_warningx(SLOG_SEND_MAIL,
N_("Invalid authentication methods compiled into sudo! "
"You may not mix standalone and non-standalone authentication."));
debug_return_int(-1);
}
if (!found) {
/* Found first standalone method. */
found = true;
continue;
}
/* Disable other standalone methods. */
SET(auth->flags, FLAG_DISABLED);
}
}
/* Set FLAG_ONEANDONLY if there is only one auth method. */
for (auth = auth_switch; auth->name; auth++) {
/* Find first enabled auth method. */
if (!IS_DISABLED(auth)) {
sudo_auth *first = auth;
/* Check for others. */
for (; auth->name; auth++) {
if (!IS_DISABLED(auth))
break;
}
if (auth->name == NULL)
SET(first->flags, FLAG_ONEANDONLY);
break;
}
}
debug_return_int(status == AUTH_FATAL ? -1 : 0); debug_return_int(status == AUTH_FATAL ? -1 : 0);
} }

1
plugins/sudoers/auth/sudo_auth.h
View File

@@ -56,6 +56,7 @@ extern sudo_conv_t sudo_conv;
int bsdauth_init(struct passwd *pw, sudo_auth *auth); int bsdauth_init(struct passwd *pw, sudo_auth *auth);
int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth); int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth);
int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth); int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth); int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int sudo_aix_cleanup(struct passwd *pw, sudo_auth *auth); int sudo_aix_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_fwtk_init(struct passwd *pw, sudo_auth *auth); int sudo_fwtk_init(struct passwd *pw, sudo_auth *auth);