[
https://issues.apache.org/jira/browse/RANGER-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15620995#comment-15620995
]
Jiahao Niu commented on RANGER-1187:
------------------------------------
The lifecycle of a typical PAM transaction is described below. Note that if any
of these steps fails, the server should report a suitable error message to the
client and abort the transaction.
If necessary, the server obtains arbitrator credentials through a mechanism
independent of PAM—most commonly by virtue of having been started by root, or
of being setuid root.
The server calls pam_start(3) to initialize the PAM library and specify its
service name and the target account, and register a suitable conversation
function.
The server obtains various information relating to the transaction (such as
the applicant's user name and the name of the host the client runs on) and
submits it to PAM using pam_set_item(3).
The server calls pam_authenticate(3) to authenticate the applicant.
The server calls pam_acct_mgmt(3) to verify that the requested account is
available and valid. If the password is correct but has expired,
pam_acct_mgmt(3) will return PAM_NEW_AUTHTOK_REQD instead of PAM_SUCCESS.
If the previous step returned PAM_NEW_AUTHTOK_REQD, the server now calls
pam_chauthtok(3) to force the client to change the authentication token for the
requested account.
Now that the applicant has been properly authenticated, the server calls
pam_setcred(3) to establish the credentials of the requested account. It is
able to do this because it acts on behalf of the arbitrator, and holds the
arbitrator's credentials.
Once the correct credentials have been established, the server calls
pam_open_session(3) to set up the session.
The server now performs whatever service the client requested, for instance
providing the applicant with a shell.
Once the server is done serving the client, it calls pam_close_session(3)
to tear down the session.
Finally, the server calls pam_end(3) to notify the PAM library that it is done
and that it can release whatever resources it has allocated in the course of
the transaction.
When an exception occurs, pam_end() needs to be called to stop the PAM
transaction.
> In pamCredValidator.c, pam_end() is not called if authentication fails.
> -----------------------------------------------------------------------
>
> Key: RANGER-1187
> URL: https://issues.apache.org/jira/browse/RANGER-1187
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: zhangqiang
> Assignee: Qiang Zhang
> Priority: Minor
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> In the main method of the C file
> "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
> when authentication fails, pam_end() is not called before exit(1),
> which results in the PAM transaction not being closed.
> The pam_end() function terminates a PAM transaction and destroys the
> corresponding PAM context, releasing all resources allocated to it.
> #include <stdio.h>
> #include <stdlib.h>
> #include <security/pam_appl.h>
>
> /* `conv` is the struct pam_conv (conversation callback plus appdata)
>    defined earlier in pamCredValidator.c; only main() is quoted here. */
>
> int main(int ac, char **av, char **ev)
> {
>     char username[64];
>     char password[64];
>     char line[512];
>     int retval;
>     pam_handle_t *pamh = NULL;
>
>     /* one line "LOGIN:<user> <password>" is read from stdin; the %63s
>        widths stop sscanf overrunning the 64-byte buffers */
>     if (fgets(line, sizeof line, stdin) == NULL)
>         exit(1);
>     if (sscanf(line, "LOGIN:%63s %63s", username, password) != 2)
>         exit(1);
>     conv.appdata_ptr = (char *) password;
>
>     retval = pam_start("ranger-remote", username, &conv, &pamh);
>     if (retval != PAM_SUCCESS) {
>         /* why expose this? */
>         fprintf(stdout, "FAILED: [%s] does not exists.\n", username);
>         exit(1);   /* pam_start failed: there is no handle to end */
>     }
>
>     retval = pam_authenticate(pamh, 0);
>     if (retval != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: Password did not match.\n");
>         exit(1);   /* BUG: exits without pam_end(pamh, retval) */
>     }
>
>     /* authorize */
>     retval = pam_acct_mgmt(pamh, 0);
>     if (retval != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: [%s] is not authorized.\n", username);
>         exit(1);   /* BUG: exits without pam_end(pamh, retval) */
>     }
>
>     /* establish the requested credentials */
>     if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username);
>         exit(1);   /* BUG: exits without pam_end(pamh, retval) */
>     }
>
>     /* not opening a session, as logout has not been implemented as a
>        remote service */
>     fprintf(stdout, "OK:\n");
>     if (pamh) {
>         pam_end(pamh, retval);   /* only the success path ends the transaction */
>     }
>     exit(0);
> }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
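The lifecycle described in the comment above, carried through in code that reaches pam_end() on every path after pam_start() has succeeded, including the PAM_NEW_AUTHTOK_REQD branch that pamCredValidator.c does not handle. This is an added example, not code from Ranger or from the comment's author. It routes the PAM calls through a small function table so the same driver can be bound to libpam in production (pam_start, pam_authenticate, pam_acct_mgmt, pam_chauthtok, pam_setcred, pam_open_session, pam_close_session, pam_end, with pam_handle_t in place of void) or to the scripted stubs below, which is also what lets it build without libpam. The PAM_* constants are assumed to carry the values Linux-PAM gives them in <security/pam_appl.h>; the service name "ranger-remote", the user "alice" and the fake_* names are placeholders for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Values Linux-PAM defines in <security/pam_appl.h>, copied here so
 * the file builds without libpam; with libpam, include the header. */
#define PAM_SUCCESS                0
#define PAM_AUTH_ERR               7
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_ESTABLISH_CRED         0x0002
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020

/* The PAM entry points, taken through a table so the driver can be
 * bound to libpam (same shapes, pam_handle_t instead of void) in
 * production and to scripted stubs in a test. */
typedef struct {
    int (*start)(const char *service, const char *user, void **pamh);
    int (*authenticate)(void *pamh, int flags);
    int (*acct_mgmt)(void *pamh, int flags);
    int (*chauthtok)(void *pamh, int flags);
    int (*setcred)(void *pamh, int flags);
    int (*open_session)(void *pamh, int flags);
    int (*close_session)(void *pamh, int flags);
    int (*end)(void *pamh, int status);
} pam_ops;

/* Runs the whole transaction and returns the first failing status.
 * Once start() has handed out a handle every exit goes through `done`,
 * so end() is always called, with the status of the step that failed
 * (the invariant RANGER-1187 reports as broken in pamCredValidator.c). */
int run_pam_transaction(const pam_ops *ops, const char *service,
                        const char *user, void (*serve)(void *), void *ctx)
{
    void *pamh = NULL;
    int rc = ops->start(service, user, &pamh);
    if (rc != PAM_SUCCESS)
        return rc;                       /* no handle yet: nothing to end */
    if ((rc = ops->authenticate(pamh, 0)) != PAM_SUCCESS)
        goto done;
    rc = ops->acct_mgmt(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD)      /* password right but expired */
        rc = ops->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
    if (rc != PAM_SUCCESS)
        goto done;
    if ((rc = ops->setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
        goto done;
    if ((rc = ops->open_session(pamh, 0)) != PAM_SUCCESS)
        goto done;
    if (serve)
        serve(ctx);                      /* the requested service runs here */
    rc = ops->close_session(pamh, 0);
done:
    ops->end(pamh, rc);
    return rc;
}

/* Scripted stand-in for libpam: each step returns what the script says
 * and the counters record what the driver did. */
typedef struct {
    int auth_rc, acct_rc, chauthtok_rc;
    int end_calls, end_status, chauthtok_calls, sessions_open;
} fake_pam;
static fake_pam g_fake;
static int f_start(const char *s, const char *u, void **h)
{ (void)s; (void)u; *h = &g_fake; return PAM_SUCCESS; }
static int f_auth(void *h, int f) { (void)f; return ((fake_pam *)h)->auth_rc; }
static int f_acct(void *h, int f) { (void)f; return ((fake_pam *)h)->acct_rc; }
static int f_chauthtok(void *h, int f)
{ (void)f; ((fake_pam *)h)->chauthtok_calls++; return ((fake_pam *)h)->chauthtok_rc; }
static int f_setcred(void *h, int f) { (void)h; (void)f; return PAM_SUCCESS; }
static int f_open(void *h, int f) { (void)f; ((fake_pam *)h)->sessions_open++; return PAM_SUCCESS; }
static int f_close(void *h, int f) { (void)f; ((fake_pam *)h)->sessions_open--; return PAM_SUCCESS; }
static int f_end(void *h, int st)
{ ((fake_pam *)h)->end_calls++; ((fake_pam *)h)->end_status = st; return PAM_SUCCESS; }
static const pam_ops fake_ops = {
    f_start, f_auth, f_acct, f_chauthtok, f_setcred, f_open, f_close, f_end
};

/* Script one transaction (service and user are placeholders) and return
 * the driver's status; the getters expose what the stubs recorded. */
int fake_run(int auth_rc, int acct_rc, int chauthtok_rc)
{
    memset(&g_fake, 0, sizeof g_fake);
    g_fake.auth_rc = auth_rc; g_fake.acct_rc = acct_rc; g_fake.chauthtok_rc = chauthtok_rc;
    return run_pam_transaction(&fake_ops, "ranger-remote", "alice", NULL, NULL);
}
int fake_end_calls(void)       { return g_fake.end_calls; }
int fake_end_status(void)      { return g_fake.end_status; }
int fake_chauthtok_calls(void) { return g_fake.chauthtok_calls; }
int fake_sessions_open(void)   { return g_fake.sessions_open; }

int main(void)
{
    int rc = fake_run(PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS);
    printf("wrong password: rc=%d, end() called %d time(s)\n", rc, fake_end_calls());
    rc = fake_run(PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS);
    printf("expired password: rc=%d, chauthtok() %d, end() %d\n",
           rc, fake_chauthtok_calls(), fake_end_calls());
    return 0;
}
```

The single `done:` label is the whole point: a failure in pam_authenticate, pam_acct_mgmt, pam_chauthtok, pam_setcred or pam_open_session all land on the same pam_end() call, and the status handed to pam_end() is the one the failing step returned, which is what the PAM modules see when they clean up. The scripted stubs make that property checkable in a unit test without a real PAM stack, so a regression of the kind reported in this ticket would be caught by an assertion on the end() call count rather than by a resource leak in production.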