Bugzilla – Attachment 870 Details for
Bug 7124
no error to user or in log file for pamtester errors
pam_tester module to inject messages and error codes for testing
pam_tester.c (text/x-csrc), 7.48 KB, created by
Henrik Andersson
on 2018-06-04 14:27:09 CEST
Description:
pam_tester module to inject messages and error codes for testing
Filename:
MIME Type:
Creator:
Henrik Andersson
Created:
2018-06-04 14:27:09 CEST
Size:
7.48 KB
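/* PAM tester module
 *
 * Copyright 2018 Henrik Andersson <hean01@cendio.com>
 *
 * This PAM module is used to inject different kinds of errors in
 * the following services: password, auth, account
 *
 * The module never checks credentials: unless '-e' names an error that
 * is valid for the service, every entry point (pam_sm_authenticate
 * included) returns PAM_SUCCESS. It is meant for PAM stacks on test
 * systems only.
 *
 * # Installation
 *
 * Install pam-devel package and build using following command line:
 *
 *   gcc -shared -fPIC -o pam_tester.so pam_tester.c
 *
 * Copy pam_tester.so into /lib64/security/ and make sure correct SE
 * Linux context is assigned.
 *
 *
 * # Usage
 *
 * Module options:
 *
 *   -s          Do not report errors via pam_conv
 *
 *   -e <error>  An error specific for the service that is tested
 *
 *
 * Let's say that you want to expire an account with no output to
 * stderr, then add following line:
 *
 *   account required pam_tester.so -s -e PAM_ACCT_EXPIRED
 *
 * In front of all account lines in selected PAM service.
 *
 * If no error is specified using '-e' the default PAM_SUCCESS will be
 * returned for the module.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <getopt.h>
#include <security/pam_modules.h>
#include <security/pam_appl.h>

/*
 * Build a getopt()-compatible argument vector from the PAM module
 * arguments.
 *
 * PAM passes only the options, while getopt() skips element 0 (the
 * program name) and may print it in diagnostics, so slot 0 is filled
 * with a fixed name instead of being left uninitialised. The vector is
 * NULL-terminated.
 *
 * Returns a vector of argc + 1 entries that the caller must free()
 * (the strings themselves are borrowed from argv), or NULL when argc is
 * negative, argv is missing, or the allocation fails.
 */
static char **
_getoptify_argv(int argc, const char **argv)
{
    static char module_name[] = "pam_tester";
    char **vec;
    size_t count;

    if (argc < 0 || (argc > 0 && argv == NULL))
        return NULL;

    count = (size_t)argc;

    /* +1 for the program-name slot, +1 for the terminating NULL. */
    vec = calloc(count + 2, sizeof *vec);
    if (vec == NULL)
        return NULL;

    vec[0] = module_name;
    for (size_t i = 0; i < count; i++)
        vec[i + 1] = (char *)argv[i]; /* getopt() does not modify the strings */

    return vec;
}

/*
 * Parse the module options "-s" and "-e <error>".
 *
 * On return *silent is set to true when -s was given, and *error holds
 * a strdup()'d copy of the last -e argument (caller frees). Both are
 * left untouched when the option is absent, so callers must initialise
 * them. When the argument vector cannot be built nothing is parsed.
 *
 * getopt() keeps its scan position in the process-global optind. A PAM
 * module lives inside the host application and is entered several times
 * per login, so the position is reset before scanning; otherwise every
 * call after the first would start past the options and ignore them.
 */
static void
_parse_arguments(int argc, const char **argv, bool *silent, char **error)
{
    int opt;
    int myargc;
    int saved_optind;
    char **myargv;

    myargv = _getoptify_argv(argc, argv);
    if (myargv == NULL)
    {
        fprintf(stderr, "pam_tester: unable to prepare module arguments.\n");
        return;
    }
    myargc = argc + 1;

    /* glibc documents optind = 0 as a full reinitialisation of getopt(). */
    saved_optind = optind;
    optind = 0;

    while ((opt = getopt(myargc, myargv, "se:")) != -1)
    {
        switch (opt)
        {
        case 'e':
            /* A repeated -e replaces the earlier value instead of leaking it. */
            free(*error);
            *error = strdup(optarg);
            if (*error == NULL)
                fprintf(stderr, "pam_tester: out of memory, '-e %s' ignored.\n", optarg);
            break;
        case 's':
            *silent = true;
            break;
        default:
            /* Unknown option: getopt() has already reported it. */
            break;
        }
    }

    /* Best effort: hand the host application its own scan position back. */
    optind = saved_optind;

    free(myargv);
}

/*
 * Report `result` for `service` through the application's conversation
 * function (unless `silent`) and return `result` unchanged.
 *
 * The text is sent as a single PAM_ERROR_MSG, whatever the result code
 * is. Failures to reach the conversation function are only reported on
 * stderr; they never change the returned value.
 */
static int
_result(pam_handle_t *pam, const char *service, int result, bool silent)
{
    const char *message;

    message = NULL;

    switch (result)
    {
    /* Service password */
    case PAM_AUTHTOK_ERR:
        message = "The module was unable to obtain the new authentication token.";
        break;
    case PAM_AUTHTOK_RECOVERY_ERR:
        message = "The module was unable to obtain the old authentication token.";
        break;
    case PAM_AUTHTOK_LOCK_BUSY:
        message = "Cannot change the authentication token since it is currently locked.";
        break;
    case PAM_AUTHTOK_DISABLE_AGING:
        message = "Authentication token aging has been disabled.";
        break;
    case PAM_TRY_AGAIN:
        message = "Preliminary check was unsuccessful. Signals an immediate return to the application is desired.";
        break;

    /* Service authentication */
    case PAM_CRED_INSUFFICIENT:
        message = "For some reason the application does not have sufficient credentials to authenticate the user.";
        break;
    case PAM_AUTHINFO_UNAVAIL:
        message = "The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.";
        break;
    case PAM_MAXTRIES:
        message = "One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.";
        break;

    /* Service account */
    case PAM_ACCT_EXPIRED:
        message = "User account has expired.";
        break;
    case PAM_NEW_AUTHTOK_REQD:
        message = "The user's authentication token has expired. Before calling this function again the application will arrange for a new one to be given. This will likely result in a call to pam_sm_chauthtok().";
        break;

    /* Shared error messages between services */
    case PAM_SUCCESS:
        message = "The authentication token was successfully updated.";
        break;
    case PAM_USER_UNKNOWN:
        message = "User unknown to service.";
        break;
    case PAM_AUTH_ERR:
        message = "Authentication failure.";
        break;
    case PAM_PERM_DENIED:
        message = "Permission denied.";
        break;
    default:
        message = "Unhandled error code";
        break;
    }

    if (!silent)
    {
        /* Automatic storage: a static buffer would be shared between threads. */
        char buffer[4096];
        struct pam_message pmsg;
        const struct pam_message *pmsgs[1];
        struct pam_response *presp = NULL;
        const struct pam_conv *pch = NULL;

        /* pam_get_item() can succeed and still hand back no conversation. */
        if (pam_get_item(pam, PAM_CONV, (const void **)&pch) == PAM_SUCCESS
            && pch != NULL && pch->conv != NULL)
        {
            /* Bounded write; output is truncated rather than overflowing. */
            snprintf(buffer, sizeof buffer, "pam_tester<%s>: %s", service, message);

            pmsgs[0] = &pmsg;
            pmsg.msg_style = PAM_ERROR_MSG;
            pmsg.msg = buffer;

            if (pch->conv(1, pmsgs, &presp, pch->appdata_ptr) != PAM_SUCCESS)
            {
                fprintf(stderr, "pam_tester: call to pam_conv() failed.\n");
            }
            else if (presp != NULL)
            {
                /* The response array is owned by the module after a
                 * successful conversation; release it. */
                free(presp->resp);
                free(presp);
            }
        }
        else
            fprintf(stderr, "pam_tester: call to pam_get_item() failed.\n");
    }

    return result;
}

/*
 * Translate the symbolic error name given with '-e' into the PAM result
 * code, restricted to the codes that are valid for `service`
 * ("password", "auth" or "account").
 *
 * Returns PAM_SUCCESS when error_str is NULL, when the service is not
 * one of the three above, and when the name is not valid for the
 * service. The last two cases are reported on stderr, because a typo in
 * the PAM configuration would otherwise turn the injected failure into
 * a silent success.
 */
static int
_error_string_to_result(const char *service, const char *error_str)
{
    static const struct
    {
        const char *service;
        const char *name;
        int code;
    } known[] = {
        /* password service errors */
        { "password", "PAM_AUTHTOK_ERR", PAM_AUTHTOK_ERR },
        { "password", "PAM_AUTHTOK_RECOVERY_ERR", PAM_AUTHTOK_RECOVERY_ERR },
        { "password", "PAM_AUTHTOK_LOCK_BUSY", PAM_AUTHTOK_LOCK_BUSY },
        { "password", "PAM_AUTHTOK_DISABLE_AGING", PAM_AUTHTOK_DISABLE_AGING },
        { "password", "PAM_PERM_DENIED", PAM_PERM_DENIED },
        { "password", "PAM_TRY_AGAIN", PAM_TRY_AGAIN },
        { "password", "PAM_USER_UNKNOWN", PAM_USER_UNKNOWN },
        /* auth service errors */
        { "auth", "PAM_AUTH_ERR", PAM_AUTH_ERR },
        { "auth", "PAM_CRED_INSUFFICIENT", PAM_CRED_INSUFFICIENT },
        { "auth", "PAM_AUTHINFO_UNAVAIL", PAM_AUTHINFO_UNAVAIL },
        { "auth", "PAM_MAXTRIES", PAM_MAXTRIES },
        { "auth", "PAM_USER_UNKNOWN", PAM_USER_UNKNOWN },
        /* account service errors */
        { "account", "PAM_ACCT_EXPIRED", PAM_ACCT_EXPIRED },
        { "account", "PAM_AUTH_ERR", PAM_AUTH_ERR },
        { "account", "PAM_NEW_AUTHTOK_REQD", PAM_NEW_AUTHTOK_REQD },
        { "account", "PAM_PERM_DENIED", PAM_PERM_DENIED },
        { "account", "PAM_USER_UNKNOWN", PAM_USER_UNKNOWN },
    };
    bool service_known = false;

    if (error_str == NULL)
        return PAM_SUCCESS;

    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
    {
        if (strcmp(service, known[i].service) != 0)
            continue;

        service_known = true;
        if (strcmp(error_str, known[i].name) == 0)
            return known[i].code;
    }

    if (!service_known)
        fprintf(stderr, "pam_tester: Unhandled service name '%s'.\n", service);
    else
        fprintf(stderr, "pam_tester: Unknown error '%s' for service '%s', returning PAM_SUCCESS.\n",
                error_str, service);

    return PAM_SUCCESS;
}

/*
 * Shared body of the service entry points: parse the module options,
 * map the requested error name to a result code for `service`, report
 * it and return it.
 */
static int
_run_service(pam_handle_t *pam, const char *service, int argc, const char **argv)
{
    int res;
    bool silent = false;
    char *error = NULL;

    _parse_arguments(argc, argv, &silent, &error);
    res = _error_string_to_result(service, error);

    free(error); /* free(NULL) is a no-op */

    return _result(pam, service, res, silent);
}

/* Credential setting is not under test; always succeeds. */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pam, int flags, int argc, const char **argv)
{
    (void)pam;
    (void)flags;
    (void)argc;
    (void)argv;

    return PAM_SUCCESS;
}

/* "password" service: returns the error selected with '-e', else PAM_SUCCESS. */
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pam, int flags, int argc, const char **argv)
{
    (void)flags;

    return _run_service(pam, "password", argc, argv);
}

/* "account" service: returns the error selected with '-e', else PAM_SUCCESS. */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pam, int flags, int argc, const char **argv)
{
    (void)flags;

    return _run_service(pam, "account", argc, argv);
}

/*
 * "auth" service: returns the error selected with '-e', else
 * PAM_SUCCESS. No credential is requested or verified.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pam, int flags, int argc, const char **argv)
{
    (void)flags;

    return _run_service(pam, "auth", argc, argv);
}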