RFC: pam_krb5: minimum_[ug]id options

Ruslan Ermilov ru at FreeBSD.org
Wed Nov 8 22:11:21 UTC 2006 

On Wed, Nov 08, 2006 at 09:28:30PM +0000, Shaun Amott wrote:
> While fiddling with PAM, it came to my attention that the pam_krb5
> module in some other (Linux?) PAM implementations supports, amongst
> other things, a minimum_uid option. This makes it possible to skip over
> Kerberos authentication for local system accounts, like so:
> 
>   auth    required    pam_krb5.so    no_warn minimum_uid=1000
>   auth    required    pam_unix.so    no_warn try_first_pass
> 
> I think it'd a nice addition to our pam_krb5 at least.
> 
> I've attached an initial patch. Comments/review welcome.
> 
OK.

> Index: pam_krb5.8
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
> retrieving revision 1.6
> diff -u -r1.6 pam_krb5.8
> --- pam_krb5.8	24 Nov 2001 23:41:32 -0000	1.6
> +++ pam_krb5.8	8 Nov 2006 20:50:35 -0000
> @@ -108,6 +108,13 @@
>  .Ql %p ,
>  to designate the current process ID; can be used in
>  .Ar name .
> +.It Cm minimum_uid Ns = Ns Ar id
> +Do not attempt to authenticate users with a uid below
                                               ^^^ UID
> +.Ar id .
> +Instead, simply return; thus allowing a later module to authenticate
> +the user.
> +.It Cm minimum_gid Ns = Ns Ar id
> +As above, but specifies a minimum group.
                                     ^^^^^ "group ID" or GID

Also, it could be explicit about this being a primary GID.

>  .El
>  .Ss Kerberos 5 Account Management Module
>  The Kerberos 5 account management component
> 
Document date should be bumped (the .Dd macro).

> Index: pam_krb5.c
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
> retrieving revision 1.23
> diff -u -r1.23 pam_krb5.c
> --- pam_krb5.c	7 Jul 2005 14:16:38 -0000	1.23
> +++ pam_krb5.c	8 Nov 2006 20:50:36 -0000
> @@ -90,6 +90,8 @@
>  #define PAM_OPT_FORWARDABLE	"forwardable"
>  #define PAM_OPT_NO_CCACHE	"no_ccache"
>  #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
> +#define PAM_OPT_MINIMUM_UID	"minimum_uid"
> +#define PAM_OPT_MINIMUM_GID	"minimum_gid"
>  
Defines were sorted alphabetically by a defined name.

>  /*
>   * authentication management
> @@ -110,6 +112,9 @@
>  	const char *user, *pass;
>  	const void *sourceuser, *service;
>  	char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
> +	const char *retstr;
> +	uid_t minuid = 0;
> +	gid_t mingid = 0;
>  
>  	retval = pam_get_user(pamh, &user, USER_PROMPT);
>  	if (retval != PAM_SUCCESS)
> @@ -222,6 +227,21 @@
>  
>  	PAM_LOG("Done getpwnam()");
>  
> +	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
> +
Extraneous empty line.

> +	if (retstr)
                  ^ missing "!= NULL"

> +		minuid = (uid_t)strtoul(retstr, NULL, 10);
> 
Errors are silently ignored; limit (UID_MAX) isn't checked.

> +
> +	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
> +
> +	if (retstr)
> +		mingid = (gid_t)strtoul(retstr, NULL, 10);
> +
> 
Ditto but s/UID_MAX/GID_MAX/.

> +	if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
> +		return (PAM_IGNORE);
> +
> +	PAM_LOG("Checked uid and gid bounds");
> +
>  	/* Get a TGT */
>  	memset(&creds, 0, sizeof(krb5_creds));
>  	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
> @@ -349,6 +369,9 @@
>  	const void *user;
>  	void *cache_data;
>  	char *cache_name_buf = NULL, *p;
> +	const char *retstr;
> +	uid_t minuid = 0;
> +	gid_t mingid = 0;
>  
>  	uid_t euid;
>  	gid_t egid;
> @@ -391,6 +414,30 @@
>  
>  	PAM_LOG("Got euid, egid: %d %d", euid, egid);
>  
> +	/* Get the uid. This should exist. */
> +	pwd = getpwnam(user);
> +	if (pwd == NULL) {
> +		retval = PAM_USER_UNKNOWN;
> +		goto cleanup3;
> +	}
> +
> +	PAM_LOG("Done getpwnam()");
> +
> +	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
> +
> +	if (retstr)
> +		minuid = (uid_t)strtoul(retstr, NULL, 10);
> +
> +	retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
> +
> +	if (retstr)
> +		mingid = (gid_t)strtoul(retstr, NULL, 10);
> +
> +	if (pwd->pw_uid < minuid || pwd->pw_gid < mingid)
> +		return (PAM_IGNORE);
> +
> +	PAM_LOG("Checked uid and gid bounds");
> +
>  	/* Retrieve the temporary cache */
>  	retval = pam_get_data(pamh, "ccache", &cache_data);
>  	if (retval != PAM_SUCCESS) {
> @@ -405,15 +452,6 @@
>  		goto cleanup3;
>  	}
>  
> -	/* Get the uid. This should exist. */
> -	pwd = getpwnam(user);
> -	if (pwd == NULL) {
> -		retval = PAM_USER_UNKNOWN;
> -		goto cleanup3;
> -	}
> -
> -	PAM_LOG("Done getpwnam()");
> -
>  	/* Avoid following a symlink as root */
>  	if (setegid(pwd->pw_gid)) {
>  		retval = PAM_SERVICE_ERR;


Cheers,
-- 
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20061108/7a15b99a/attachment.pgp

More information about the freebsd-hackers mailing list