Hi folks!

As I need PAM support on busybox, I made a patch for busybox-1.4.2. It
was based on a patch for busybox-1.2.1 that I found searching in the
archives of this list.

All comments appreciated.

regards,
Anselmo


diff -Naur busybox-1.4.2/loginutils/Config.in busybox-1.4.2-pam/loginutils/Config.in
--- busybox-1.4.2/loginutils/Config.in	2007-03-18 16:59:35.000000000 +0000
+++ busybox-1.4.2-pam/loginutils/Config.in	2007-05-28 15:37:01.000000000 +0000
@@ -111,6 +111,16 @@
 	  Note that Busybox binary must be setuid root for this applet to
 	  work properly.
 
+config PAM
+	bool "Support for PAM (Pluggable Authentication Modules)"
+	default n
+	depends on LOGIN
+	help
+	Include support for PAM in /bin/login.  This will effectively disable
+	Busybox's built-in login, so pam_unix.so should be available if you wish
+	to use /etc/passwd for login.
+
+
 config LOGIN_SCRIPTS
 	bool "Support for login scripts"
 	depends on LOGIN
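Review bot: The new help text lines are indented with a single tab, the same as the `help` keyword, while the existing entries in this file use tab plus two spaces (compare the LOGIN help text at the top of the hunk); kconfig appears to take the first help line's indent as the block's indent, so this parses, but it departs from the file's convention, as does the double blank line before `config LOGIN_SCRIPTS`. It would also help users to note in the help text that enabling this links the binary against libpam and libpam_misc, since the Makefile.flags hunk adds `-lpam -lpam_misc` whenever CONFIG_PAM is set.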
diff -Naur busybox-1.4.2/loginutils/login.c busybox-1.4.2-pam/loginutils/login.c
--- busybox-1.4.2/loginutils/login.c	2007-03-18 16:59:35.000000000 +0000
+++ busybox-1.4.2-pam/loginutils/login.c	2007-05-28 15:25:38.000000000 +0000
@@ -25,6 +25,17 @@
 static char full_tty[TTYNAME_SIZE];
 static char* short_tty = full_tty;
 
+
+#if ENABLE_PAM
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+static struct pam_conv conv = {
+        misc_conv,
+        NULL
+};
+#endif
+
 #if ENABLE_FEATURE_UTMP
 /* vv  Taken from tinylogin utmp.c  vv */
 /*
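Review bot: `conv` is only ever passed to pam_start, which takes `const struct pam_conv *`, so it should be a `static const` object with designated initializers: `static const struct pam_conv conv = { .conv = misc_conv, .appdata_ptr = NULL };`. The two `#include` lines are placed between file-scope definitions rather than with the other includes at the top of the file; moving the whole `#if ENABLE_PAM` include block up and leaving only the struct here matches how the rest of this file is laid out. `misc_conv` lives in libpam_misc, which the Makefile.flags hunk does link, so the dependency is consistent.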
@@ -229,6 +240,11 @@
 	char *opt_user = NULL;
 	USE_SELINUX(security_context_t user_sid = NULL;)
 
+#if ENABLE_PAM
+	pam_handle_t *pamh;
+	int pamret;
+#endif
+
 	username[0] = '\0';
 	amroot = (getuid() == 0);
 	signal(SIGALRM, alarm_handler);
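Review bot: `pam_handle_t *pamh;` is declared without an initializer, and the next hunk passes it to pam_strerror on the pam_start failure path; pam_start leaves `*pamh` unspecified when it fails, so that call reads an indeterminate pointer. Declare it as `pam_handle_t *pamh = NULL;` (Linux-PAM's pam_strerror ignores the handle argument, so NULL is the usual value there), which also makes a later accidental pam_end on a failed start a deterministic failure instead of undefined behaviour. `pamret` is reset at the top of the loop in the next hunk, so it does not need an initializer here. The enclosing function starts before this hunk.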
@@ -271,15 +287,68 @@
 	openlog(applet_name, LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
 
 	while (1) {
+
+#if ENABLE_PAM
+		pamret = PAM_SUCCESS;
+#endif
+		
 		if (!username[0])
 			get_username_or_die(username, sizeof(username));
 
-		pw = getpwnam(username);
-		if (!pw) {
-			safe_strncpy(username, "UNKNOWN", sizeof(username));
-			goto auth_failed;
-		}
-
+#define PWLOOKUP						\
+	do {							\
+		pw = getpwnam(username);			\
+		if (!pw) {					\
+			safe_strncpy(username, "UNKNOWN", sizeof(username)); \
+			goto auth_failed;				\
+		}							\
+	}								\
+	while(0)
+
+#if ENABLE_PAM
+        pamret = pam_start( "login", username, &conv, &pamh );
+        if (pamret != PAM_SUCCESS) {
+            // pam failed, so abort the login
+            bb_error_msg("PAM initialization failed: %s", pam_strerror(pamh, pamret));
+            goto auth_failed;
+        }
+        else {
+            // continuing with pam authentication
+            // set TTY (so things like securetty work)
+            if((pamret = pam_set_item(pamh, PAM_TTY, short_tty)) != PAM_SUCCESS) {
+                bb_error_msg("Failed to pam_set_item TTY: %s", pam_strerror(pamh, pamret));
+                goto auth_failed;
+            }
+            else if ((pamret = pam_authenticate(pamh, 0)) == PAM_SUCCESS) {
+                // Then check that the account is healthy.
+                if ((pamret = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) // No, it isn't
+                    bb_error_msg("User not allowed access: %s",pam_strerror(pamh, pamret));
+                else {
+                    // read user back
+                    char *pamuser;
+                    if(pam_get_item(pamh, PAM_USER, (const void **) &pamuser)!= PAM_SUCCESS)
+                        bb_error_msg("pam_get_item failed on username");
+                    else
+                        strcpy(username, pamuser);
+                }
+            }
+            // If we get here, the user was authenticated, and is
+            // granted access.
+            if (pam_end(pamh, pamret) != PAM_SUCCESS)
+                bb_error_msg("PAM cleaning up failed");
+
+	    if(pamret != PAM_SUCCESS)
+		goto auth_failed;
+
+	    PWLOOKUP;
+	    break;
+        }
+        // Everything from here to auth_ok: is skipped when running
+        // PAM.  This is all PAM's responsibility anyway.  
+#else
+		PWLOOKUP;
+#endif /* ENABLE_PAM */
+		
 		if (pw->pw_passwd[0] == '!' || pw->pw_passwd[0] == '*')
 			goto auth_failed;
 
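Review bot: `strcpy(username, pamuser)` in the pam_get_item branch copies a module-supplied string into the fixed-size `username` buffer with no bound, although every other write to it in this hunk uses `sizeof(username)`; a PAM module may substitute a longer mapped name, and `pamuser` is also not checked for NULL, which pam_get_item returns when PAM_USER is unset. The pam_set_item failure path jumps to auth_failed without calling pam_end, so the handle from pam_start leaks on each such retry, and the comment "If we get here, the user was authenticated" sits on a line that every failure path after pam_start also reaches. The `(const void **) &pamuser` cast is a type-punned access that GCC's strict-aliasing warning reports; reading the item into a `const void *` removes both the cast and the warning. The rewrite below restructures the section from pam_set_item to the pam_end check so that every path after a successful pam_start ends the transaction, copies the name with `safe_strncpy`, and leaves pam_start, its failure check and the trailing `PWLOOKUP; break;` as they are. `#define PWLOOKUP` belongs at file scope rather than inside the loop body; the enclosing function and the auth_failed label are outside this hunk.
```c
        /* … unchanged: pam_start() and its failure check … */
        /* from here on every path must reach the pam_end() below */
        pamret = pam_set_item(pamh, PAM_TTY, short_tty);
        if (pamret != PAM_SUCCESS) {
            bb_error_msg("Failed to pam_set_item TTY: %s", pam_strerror(pamh, pamret));
        } else if ((pamret = pam_authenticate(pamh, 0)) == PAM_SUCCESS) {
            pamret = pam_acct_mgmt(pamh, 0);
            if (pamret != PAM_SUCCESS) {
                bb_error_msg("User not allowed access: %s", pam_strerror(pamh, pamret));
            } else {
                /* a module may have mapped the name; copy it out before pam_end() */
                const void *item = NULL;
                if (pam_get_item(pamh, PAM_USER, &item) != PAM_SUCCESS || !item)
                    bb_error_msg("pam_get_item failed on username");
                else
                    safe_strncpy(username, item, sizeof(username));
            }
        }
        /* reached on success and on every failure after pam_start() */
        if (pam_end(pamh, pamret) != PAM_SUCCESS)
            bb_error_msg("PAM cleaning up failed");
        if (pamret != PAM_SUCCESS)
            goto auth_failed;
        /* … unchanged: PWLOOKUP; break; … */
```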
diff -Naur busybox-1.4.2/Makefile.flags busybox-1.4.2-pam/Makefile.flags
--- busybox-1.4.2/Makefile.flags	2007-03-18 16:59:38.000000000 +0000
+++ busybox-1.4.2-pam/Makefile.flags	2007-05-28 16:01:20.000000000 +0000
@@ -16,15 +16,22 @@
 	-D"BB_VER=KBUILD_STR($(BB_VER))" -DBB_BT=AUTOCONF_TIMESTAMP
 
 CFLAGS += \
-	-Wall -Wstrict-prototypes -Wshadow -Werror -Wundef \
+	-Wall -Wstrict-prototypes -Wshadow -Wundef \
 	-funsigned-char -fno-builtin-strlen -finline-limit=0 -static-libgcc \
 	-Os -falign-functions=1 -falign-jumps=1 -falign-loops=1 \
 	-fomit-frame-pointer -ffunction-sections -fdata-sections
 
+#	FIXME:
+#	-Werror removed because of loginutils/login.c line 329 (patched)
+
 ifeq ($(CONFIG_DEBUG),y)
 CFLAGS += -g
 endif
 
+ifeq ($(CONFIG_PAM),y)
+    LDFLAGS += -lpam -lpam_misc
+endif
+
 ifeq ($(CONFIG_STATIC),y)
 LDFLAGS += -static
 endif
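Review bot: Dropping `-Werror` from the tree-wide CFLAGS to silence one warning in login.c turns every other warning in the build into a silent one; by the numbering in the login.c hunk header (`+287,68`), line 329 of the patched file is the `pam_get_item(pamh, PAM_USER, (const void **) &pamuser)` call, whose type-punned cast is most likely what the strict-aliasing warning under `-Os` reports. Keep `-Werror` and fix the call site instead: `const void *item; pamret = pam_get_item(pamh, PAM_USER, &item);` and copy from `item`. Adding `-lpam -lpam_misc` while `CONFIG_STATIC` also appends `-static` may not link, since libpam loads its modules with dlopen; that combination deserves a build test or a `depends on !STATIC` on the new PAM option in Config.in.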

