[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-core-devel
Subject: AFS support for kscreensaver / kcheckpass
From: Christian Esken <c.esken () cityweb ! de>
Date: 2000-12-30 14:52:11
[Download RAW message or body]
Hi,
I received the following patch to support AFS tokens in the KDE
screensaver - without this support users of AFS auth cannot
unlock the screen.
It would be good if somebody could review the patch looking
for security flaws. I especially think of the KDE_PAM_ACTION
environment variable.
I don not see anything bad, but it would be nice if somebody with
PAM or AFS knowledge would review the patch in terms of a
possible compromise of security.
Christian
--
Is Unix ready for the desktop? See http://www.kde.org
The Christian Esken
|/ Desktop KDE Developer
|\ Environment esken@kde.org
KDE - The net transparent free Unix Desktop for everyone
["kdebase-auth.patch" (text/x-c)]
--- kdebase-1.94.orig/kcheckpass/kcheckpass.c Mon Jul 24 10:23:10 2000
+++ kdebase-1.94/kcheckpass/kcheckpass.c Tue Oct 3 09:04:22 2000
@@ -57,14 +57,23 @@
#include <errno.h>
#include <time.h>
+/* Define this if you want the pam service from
+ the environment variable */
+#define ACCEPT_ENV
/* Define this if you want kcheckpass to accept options
* (They don't do anything useful right now) */
#undef ACCEPT_OPTIONS
+#ifdef ACCEPT_OPTIONS
+#ifdef ACCEPT_ENV
+#undef ACCEPT_ENV
+#endif
+#endif
/*****************************************************************
* Set to 1 if stdin is a tty
*****************************************************************/
static int havetty = 0;
+ char caller[20] = "";
#ifdef ACCEPT_OPTIONS
static int debug = 0;
#endif
@@ -114,7 +123,7 @@
" 2 cannot read password database\n"
" Anything else tells you something's badly hosed.\n",
#ifdef ACCEPT_OPTIONS
- " [-dh]"
+ " [-dh] [-c caller]"
#else
""
#endif
@@ -128,12 +137,13 @@
int
main(int argc, char **argv)
{
- char *login, passbuffer[1024], *passwd;
+ char *login, passbuffer[1024], *passwd,*ca;
struct passwd *pw;
int status, c;
uid_t uid;
int passlen;
+
openlog("kcheckpass", LOG_PID, LOG_AUTH);
#ifdef HAVE_OSF_C2_PASSWD
@@ -147,7 +157,7 @@
if ((nfd = open("/dev/null", O_WRONLY)) < 0) {
message("cannot open /dev/null: %s\n", strerror(errno));
- exit(10);
+ exit(10);
}
if (c != nfd) {
dup2(nfd, c);
@@ -159,23 +169,33 @@
havetty = isatty(0);
#ifndef ACCEPT_OPTIONS
- if (argc != 1)
- usage(10);
+ if (argc != 1)
+ usage(10);
#else
- while ((c = getopt(argc, argv, "d")) != -1) {
+ while ((c = getopt(argc, argv, "dc:")) != -1) {
switch (c) {
case 'd':
debug = 1;
break;
+ case 'c':
+ strncpy(caller,optarg,19);
+ caller[19] = '\000'; /* Make sure caller can never be longer than 19 characters */
+ break;
case 'h':
- usage(0);
+ usage(0);
default:
message("Unknown option %c\n", c);
usage(10);
}
}
#endif
-
+#ifdef ACCEPT_ENV
+ ca = getenv("KDE_PAM_ACTION");
+ if (ca) strncpy(caller,ca,19);
+ caller[19] = '\000'; /* Make sure caller can never be longer than 19 characters */
+ unsetenv("KDE_PAM_ACTION");
+#endif
+
uid = getuid();
if (!(pw = getpwuid(uid))) {
message("Unknown user (uid %d)\n", uid);
--- kdebase-1.94.orig/kcheckpass/checkpass_pam.c Sat Mar 6 08:40:48 1999
+++ kdebase-1.94/kcheckpass/checkpass_pam.c Tue Oct 3 09:03:09 2000
@@ -18,6 +18,7 @@
#include "kcheckpass.h"
#ifdef HAVE_PAM
+extern char caller[20];
/*****************************************************************
* This is the authentication code if you use PAM
* Ugly, but proven to work.
@@ -102,17 +103,32 @@
{
pam_handle_t *pamh;
int pam_error;
-
+ const char *tty = ":0.0";
+ char kde_pam[20] = KDE_PAM;
PAM_username = login;
PAM_password = passwd;
-
- pam_error = pam_start(KDE_PAM, login, &PAM_conversation, &pamh);
+
+ /* If the caller is kscreensaver then use the corresponding pam module */
+ if ( ! strncmp(caller,"kscreensaver",19) ) strncpy(kde_pam,"kscreensaver",19);
+
+ pam_error = pam_start(kde_pam, login, &PAM_conversation, &pamh);
+
+
+ pam_error = pam_set_item (pamh, PAM_TTY, strdup(tty));
+ pam_error = pam_authenticate(pamh, 0);
if (pam_error != PAM_SUCCESS
|| (pam_error = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
pam_end(pamh, pam_error);
return 0;
}
-
+ /* Set credentials (You need this e.g. for AFS */
+ pam_error = pam_setcred(pamh, PAM_REFRESH_CRED);
+ if (pam_error != PAM_SUCCESS) {
+ pam_end(pamh, pam_error);
+ return 0;
+ }
+
+
pam_end(pamh, PAM_SUCCESS);
return 1;
}
--- kdebase-1.94.orig/kdesktop/lockeng.cc Wed Aug 16 02:55:22 2000
+++ kdebase-1.94/kdesktop/lockeng.cc Tue Oct 3 09:05:25 2000
@@ -5,7 +5,7 @@
// Copyright (c) 1999 Martin R. Jones <mjones@kde.org>
//
-
+#include <stdlib.h>
#include <qbitmap.h>
#include <qtextstream.h>
@@ -747,6 +747,12 @@
//
// Starts the kcheckpass process to check the user's password.
//
+// Serge Droz <serge.droz@pso.ch> 10.2000
+// Define ACCEPT_ENV if you want to pass an environment variable to
+// kcheckpass. Define ACCEPT_ARGS if you want to pass command line
+// arguments to kcheckpass
+#define ACCEPT_ENV
+//#define ACCEPT_ARGS
void SaverEngine::startCheckPassword()
{
const char *passwd = mPassDlg->password().ascii();
@@ -756,14 +762,22 @@
mPassProc.clearArguments();
mPassProc << kcp_binName;
-
+ #ifdef ACCEPT_ENV
+ setenv("KDE_PAM_ACTION","kscreensaver",1);
+ #elif
+ #ifdef ACCEPT_ARGS
+ mPassProc << "-c" << "kscreensaver";
+ #endif
+ #endif
bool ret = mPassProc.start(KProcess::NotifyOnExit, KProcess::Stdin);
+ #ifndef ACCEPT_ENV
+ unsetenv("KDE_PAM_ACTION");
+ #endif
if (ret == false)
{
kdDebug(1204) << "kcheckpass failed to start" << endl;
return;
}
-
// write Password to stdin
mPassProc.writeStdin(passwd, strlen(passwd));
mPassProc.closeStdin();
diff -Nu kdebase-1.94.orig/kscreensaver.pamd kdebase-1.94/kscreensaver.pamd
--- kdebase-1.94.orig/kscreensaver.pamd Thu Jan 1 01:00:00 1970
+++ kdebase-1.94/kscreensaver.pamd Tue Oct 3 09:03:09 2000
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient /lib/security/pam_linux_afs.so ignore_root
+#auth sufficient /lib/security/pam_linux_afs.so no_unlog ignore_root
+auth required /lib/security/pam_pwdb.so shadow nullok
�
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic