bin/76169: [PATCH] Add PAM support to cvs pserver
Dan Nelson
dnelson at allantgroup.com
Wed Jan 12 10:20:22 PST 2005
>Number: 76169
>Category: bin
>Synopsis: [PATCH] Add PAM support to cvs pserver
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 12 18:20:21 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Nelson
>Release: FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dan.emsphone.com 5.3-STABLE FreeBSD 5.3-STABLE #386: Tue Jan 11 12:01:34 CST 2005 zsh at dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386
>Description:
Most of the base services have been PAM-ified, but cvs is a notable
exception. CVS 1.12 will have PAM support, but I don't know when 1.12
will be declared stable. The following patch is based on Steve
McIntyre's 1.11 patch at
http://ccvs.cvshome.org/issues/show_bug.cgi?id=44 .
>How-To-Repeat:
>Fix:
Index: contrib/cvs/src/server.c
===================================================================
RCS file: /home/ncvs/src/contrib/cvs/src/server.c,v
retrieving revision 1.24
diff -u -p -r1.24 server.c
--- contrib/cvs/src/server.c 10 Jun 2004 19:12:50 -0000 1.24
+++ contrib/cvs/src/server.c 5 Jan 2005 18:25:50 -0000
@@ -20,6 +20,13 @@
#include "getline.h"
#include "buffer.h"
+#define HAVE_PAM
+
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+#endif
+
#if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
# ifdef HAVE_GSSAPI
/* This stuff isn't included solely with SERVER_SUPPORT since some of these
@@ -5593,7 +5600,66 @@ check_repository_password (username, pas
return retval;
}
+#ifdef HAVE_PAM
+
+static struct pam_conv conv = {
+ openpam_nullconv,
+ NULL
+};
+
+/* Modelled very closely on the example code in "The Linux-PAM
+ Application Developers' Guide" by Andrew G. Morgan. */
+static int
+check_pam_password (username, password, repository, host_user_ptr)
+ char *username, *password, *repository, **host_user_ptr;
+{
+ pam_handle_t *pamh=NULL;
+ int retval;
+ int rc = 0;
+
+ retval = pam_start("cvs", username, &conv, &pamh);
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_set_item(pamh, PAM_AUTHTOK, password);
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate(pamh, 0); /* is user really user? */
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
+
+ /* This is where we have been authorized or not. */
+
+ switch(retval)
+ {
+ case PAM_SUCCESS:
+ *host_user_ptr = xstrdup(username);
+ rc = 1;
+ break;
+ case PAM_AUTH_ERR:
+ syslog (LOG_DAEMON | LOG_ERR,
+ "some pam function failed: %s ",
+ pam_strerror(pamh, retval));
+ *host_user_ptr = NULL;
+ rc = 2;
+ break;
+ default:
+ syslog (LOG_DAEMON | LOG_ERR,
+ "some pam function failed: %s ",
+ pam_strerror(pamh, retval));
+ *host_user_ptr = NULL;
+ rc = 0;
+ break;
+ }
+
+ if (pam_end(pamh, retval) != PAM_SUCCESS) { /* close PAM */
+ pamh = NULL;
+ fprintf(stderr, "failed to release authenticator\n");
+ }
+ return rc; /* indicate success */
+}
+#endif /* HAVE_PAM */
/* Return a hosting username if password matches, else NULL. */
static char *
@@ -5639,6 +5705,26 @@ check_password (username, password, repo
error_exit ();
}
+
+#ifdef HAVE_PAM
+ rc = check_pam_password (username, password, repository,
+ &host_user);
+ if (rc == 2)
+ {
+ syslog (LOG_NOTICE,
+ "pam auth failed for %s", username);
+ return NULL;
+ }
+
+ /* else */
+
+ if (rc == 1)
+ {
+ /* host_user already set by reference, so just return. */
+ goto handle_return;
+ }
+#else /* HAVE_PAM */
+
/* No cvs password found, so try /etc/passwd. */
#ifdef HAVE_GETSPNAM
@@ -5714,6 +5800,7 @@ error 0 %s: no such user\n", username);
syslog (LOG_AUTHPRIV | LOG_NOTICE,
"login refused for %s: user has no password", username);
#endif
+#endif /* HAVE_PAM */
handle_return:
if (host_user)
Index: gnu/usr.bin/cvs/cvs/Makefile
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/cvs/cvs/Makefile,v
retrieving revision 1.48
diff -u -p -r1.48 Makefile
--- gnu/usr.bin/cvs/cvs/Makefile 6 Aug 2004 07:27:03 -0000 1.48
+++ gnu/usr.bin/cvs/cvs/Makefile 5 Jan 2005 18:25:50 -0000
@@ -31,7 +31,7 @@ CFLAGS+= -I${.CURDIR} -I../lib -DHAVE_CO
-I${CVSDIR}/lib -I${CVSDIR}/diff -I.
DPADD= ${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ}
-LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz
+LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz -lpam
.if !defined(NO_KERBEROS) && !defined(NO_OPENSSL) && !defined(NOCRYPT)
CFLAGS+= -DHAVE_GSSAPI -DHAVE_GSSAPI_H -DENCRYPTION
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list