Please review my changes for: PSARC 2005/275 Per-user PAM configuration
which you can see at: http://cr.opensolaris.org/~nico/pam_user_policy/

Summary of changes:

- PAM config snippets: pam_krb5_{first, only, optional}
- New PAM config snippets:
  - pam_unix_only
  - pam_unix_or_ldap
  - pam_ldap_only
  - pam_deny
- New PAM module: pam_user_policy(5)
- The 'All' RBAC profile is changed to specify a default PAM configuration for all users (pam_unix_only)
- Changes to libpam:
  - Added pam_eval()
  - Added fields to the PAM handle struct
  - Modified run_stack() to deal with pam_eval()
  - NOTE the use of assert() in run_stack() and pam_eval(); libpam has not made use of assert() before
  - Make pam_get_user() respect PAM_SILENT; this depends on a side-effect of the pam_eval() implementation: saving the flags passed to pam_authenticate() and friends in the PAM handle
  - Misc style changes (e.g., adding casts of calloc/malloc results, made no-memory messages more consistent)

How I've tested this:

- I wrote a module for testing pam_eval(): http://cr.opensolaris.org/~nico/pam_user_policy/pam_test.c
- I used an open source PAM test application (pamtester, modified to sleep(3C) for one second before exiting to make it easier to do memory leak checking) to test a PAM configuration that used a combination of includes of other config files that also used include, all of which used the pam_test module mentioned earlier:

    % grep ^test /etc/pam*
    /etc/pam.conf:test auth required pam_test.so.1 trace limit=20 depth=8 retval=SUCCESS
    /etc/pam.conf:test auth include /etc/pam_test.conf
    /etc/pam_test2.conf:test auth required pam_test.so.1 trace conv_info=hello conv
    /etc/pam_test2.conf:test auth required pam_test.so.1 getuser trace
    /etc/pam_test.conf:test auth required pam_test.so.1 trace limit=20 depth_limit=2 eval=/etc/pam_test.conf
    /etc/pam_test.conf:test auth include /etc/pam_test2.conf
    %

  (I've got to test depth limit checking some more. Checking the logs to compare the log messages with what is expected is a bit monotonous and painful.)
- libumem was used to check for memory leaks:

    % UMEM_DEBUG=default UMEM_LOGGING=transaction,contents truss -o /dev/null -U ::sleep /tmp/pamtester test "" authenticate hello
    Please enter user name: foo
    hello
    hello
    hello
    pamtester: successfully authenticated
    % mdb -p $(pgrep pamtester)
    Loading modules: [ ld.so.1 libumem.so.1 libc.so.1 ]
    > ::findleaks -dv
    findleaks: maximum buffers => 135
    findleaks: actual buffers => 11
    findleaks:
    findleaks: potential pointers => 56359
    findleaks: dismissals => 43354 (76.9%)
    findleaks: misses => 11074 (19.6%)
    findleaks: dups => 1920 ( 3.4%)
    findleaks: follows => 11 ( 0.0%)
    findleaks:
    findleaks: peak memory usage => 57 kB
    findleaks: elapsed CPU time => 0.0 seconds
    findleaks: elapsed wall time => 0.0 seconds
    findleaks:
    findleaks: no memory leaks detected
    > ::cont
    mdb: target has terminated
    > ^D
    %

Nico
--
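The test configuration above exercises one thing the message says still needs checking: include lines nested inside included files, bounded by a depth limit. The following is an added example, not code from libpam, pam_user_policy or the pam_test module. It resolves a pam.conf(4)-style stack for one service and module type, follows `include` entries recursively, and refuses to recurse past a nesting limit or into an include cycle. The config is constructed from the `grep ^test /etc/pam*` output in the message; the limit value `MAX_INCLUDE_DEPTH`, the fallback to the `other` service, and the `include_chain` helper are assumptions made for the example.

```python
"""Resolve a pam.conf(4)-style stack by following 'include' lines.

Added example (not libpam or pam_user_policy code). It models the part
of the message's test configuration the author says needs more testing:
includes nested in includes, checked against a nesting limit, plus cycle
detection. MAX_INCLUDE_DEPTH and the fallback to the 'other' service are
assumptions for this example, not libpam's documented behaviour.
"""

# Constructed config, modeled on the `grep ^test /etc/pam*` output above.
CONFIG_FILES = {
    "/etc/pam.conf": [
        "# constructed sample, not a real /etc/pam.conf",
        "test auth required pam_test.so.1 trace limit=20 depth=8 retval=SUCCESS",
        "test auth include /etc/pam_test.conf",
        "other auth required pam_unix_auth.so.1",
    ],
    "/etc/pam_test.conf": [
        "test auth required pam_test.so.1 trace limit=20 depth_limit=2 eval=/etc/pam_test.conf",
        "test auth include /etc/pam_test2.conf",
    ],
    "/etc/pam_test2.conf": [
        "test auth required pam_test.so.1 trace conv_info=hello conv",
        "test auth required pam_test.so.1 getuser trace",
    ],
}

MAX_INCLUDE_DEPTH = 4  # assumed limit; libpam's real value is not given here


class PamConfigError(Exception):
    """Raised for malformed lines, missing files, cycles, or excess nesting."""


def parse_line(line):
    """Split 'service type flag module [options...]' into a dict."""
    parts = line.split()
    if len(parts) < 4:
        raise PamConfigError(f"malformed pam.conf line: {line!r}")
    service, mtype, flag, module = parts[:4]
    return {"service": service, "type": mtype, "flag": flag,
            "module": module, "options": parts[4:]}


def flatten_stack(service, mtype, files=CONFIG_FILES, path="/etc/pam.conf",
                  max_depth=MAX_INCLUDE_DEPTH, _depth=0, _chain=()):
    """Return the ordered list of module entries for service/type.

    An 'include' entry (its module field names the file) is replaced by
    the matching entries of that file, recursively.  Nesting deeper than
    max_depth, or a file that includes itself directly or indirectly,
    raises PamConfigError instead of recursing without bound.
    """
    chain = _chain + (path,)
    if _depth > max_depth:
        raise PamConfigError(
            f"include nesting deeper than {max_depth}: {' -> '.join(chain)}")
    if path in _chain:
        raise PamConfigError(f"include cycle: {' -> '.join(chain)}")
    if path not in files:
        raise PamConfigError(f"included file not found: {path}")

    stack = []
    for raw in files[path]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry["service"] != service or entry["type"] != mtype:
            continue
        if entry["flag"] == "include":
            stack.extend(flatten_stack(service, mtype, files, entry["module"],
                                       max_depth, _depth + 1, chain))
        else:
            stack.append(entry)

    # Top-level fallback to the 'other' service when nothing matched (assumed).
    if not stack and _depth == 0 and service != "other":
        return flatten_stack("other", mtype, files, path, max_depth)
    return stack


def include_chain(n):
    """Constructed config: /etc/pam.conf includes chain1, which includes
    chain2, ... up to chain n, which holds one real module entry."""
    files = {"/etc/pam.conf": ["test auth include /etc/chain1.conf"]}
    for i in range(1, n):
        files[f"/etc/chain{i}.conf"] = [f"test auth include /etc/chain{i + 1}.conf"]
    files[f"/etc/chain{n}.conf"] = ["test auth required pam_unix_auth.so.1"]
    return files


if __name__ == "__main__":
    for e in flatten_stack("test", "auth"):
        print(e["flag"], e["module"], " ".join(e["options"]))
```

Running it prints the four pam_test.so.1 entries in the order libpam would see them after both includes are expanded; `flatten_stack("test", "auth", include_chain(6))` raises because the sixth file sits deeper than the assumed limit, and a file that includes itself is rejected as a cycle before the depth limit is reached.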