svn commit: r349556 - head/lib/libpam/modules/pam_exec
Dag-Erling Smørgrav
des at FreeBSD.org
Sun Jun 30 14:46:17 UTC 2019
Author: des
Date: Sun Jun 30 14:46:15 2019
New Revision: 349556
URL: https://svnweb.freebsd.org/changeset/base/349556
Log:
Changes to the expose_password functionality:
- Implement use_first_pass, allowing expose_password to be used by other
service functions than pam_auth() without prompting a second time.
- Don't prompt for a password during pam_setcred().
PR: 238041
MFC after: 3 weeks
Modified:
head/lib/libpam/modules/pam_exec/pam_exec.8
head/lib/libpam/modules/pam_exec/pam_exec.c
Modified: head/lib/libpam/modules/pam_exec/pam_exec.8
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.8 Sun Jun 30 14:04:30 2019 (r349555)
+++ head/lib/libpam/modules/pam_exec/pam_exec.8 Sun Jun 30 14:46:15 2019 (r349556)
@@ -1,5 +1,5 @@
.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
-.\" Copyright (c) 2017 Dag-Erling Smørgrav
+.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav
.\" Copyright (c) 2018 Thomas Munro
.\" All rights reserved.
.\"
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 14, 2018
+.Dd May 24, 2019
.Dt PAM_EXEC 8
.Os
.Sh NAME
@@ -76,6 +76,13 @@ It must be a valid return value for this function.
.It Cm expose_authtok
Write the authentication token to the program's standard input stream,
followed by a NUL character.
+Ignored for
+.Fn pam_sm_setcred .
+.It Cm use_first_pass
+If
+.Cm expose_authtok
+was specified, do not prompt for an authentication token if one is not
+already available.
.It Cm --
Stop options parsing;
program and its arguments follow.
Modified: head/lib/libpam/modules/pam_exec/pam_exec.c
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.c Sun Jun 30 14:04:30 2019 (r349555)
+++ head/lib/libpam/modules/pam_exec/pam_exec.c Sun Jun 30 14:46:15 2019 (r349556)
@@ -2,7 +2,7 @@
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2001,2003 Networks Associates Technology, Inc.
- * Copyright (c) 2017 Dag-Erling Smørgrav
+ * Copyright (c) 2017-2019 Dag-Erling Smørgrav
* Copyright (c) 2018 Thomas Munro
* All rights reserved.
*
@@ -110,6 +110,7 @@ struct pe_opts {
int capture_stdout;
int capture_stderr;
int expose_authtok;
+ int use_first_pass;
};
static int
@@ -139,6 +140,8 @@ parse_options(const char *func, int *argc, const char
options->return_prog_exit_status = 1;
} else if (strcmp((*argv)[i], "expose_authtok") == 0) {
options->expose_authtok = 1;
+ } else if (strcmp((*argv)[i], "use_first_pass") == 0) {
+ options->use_first_pass = 1;
} else {
if (strcmp((*argv)[i], "--") == 0) {
(*argc)--;
@@ -252,13 +255,20 @@ _pam_exec(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR, "%s: fcntl(): %m", func);
OUT(PAM_SYSTEM_ERR);
}
- rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
+ if (options->use_first_pass ||
+ strcmp(func, "pam_sm_setcred") == 0) {
+ /* don't prompt, only expose existing token */
+ rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
+ authtok = item;
+ } else {
+ rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
+ }
if (rc == PAM_SUCCESS) {
- /* We include the trailing NUL-terminator. */
+ /* We include the trailing null terminator. */
authtok_size = strlen(authtok) + 1;
} else {
- openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func,
- pam_strerror(pamh, rc));
+ openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s",
+ func, pam_strerror(pamh, rc));
OUT(PAM_SYSTEM_ERR);
}
}
More information about the svn-src-head
mailing list