Hi, this is the new version of the cli_pid patch with the missing size added. There are two related patches.
0002 removes the unused client locale. It was added at a time when we were discussing generating, on the server side, all messages the client should display. Based on the previous discussion, 0003 makes cli_pid a mandatory item in the PAM protocol and increments the protocol version to 3. IMO it is not necessary to push it, but I wouldn't mind if you prefer it this way. bye, Sumit
>From dacbe553befbdc7569369458ba9fa28d015d1d21 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Fri, 11 Sep 2009 11:45:19 +0200 Subject: [PATCH 1/3] Let the PAM client send its PID - the client sends the PID as uint32_t and sssd will use uint32_t too - fix a possible type issue where a uint32_t is sent as int32 in internal dbus communication --- server/providers/data_provider.h | 1 + server/providers/dp_auth_util.c | 11 ++++++--- server/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++ sss_client/pam_sss.c | 43 +++++++++++++++++++++++++++++------- sss_client/sss_cli.h | 3 +- 5 files changed, 63 insertions(+), 14 deletions(-) diff --git a/server/providers/data_provider.h b/server/providers/data_provider.h index 1886340..790194c 100644 --- a/server/providers/data_provider.h +++ b/server/providers/data_provider.h @@ -110,6 +110,7 @@ struct pam_data { char *rhost; uint8_t *authtok; uint8_t *newauthtok; + uint32_t cli_pid; int pam_status; int response_delay; diff --git a/server/providers/dp_auth_util.c b/server/providers/dp_auth_util.c index 492ac7c..80e9f16 100644 --- a/server/providers/dp_auth_util.c +++ b/server/providers/dp_auth_util.c @@ -37,6 +37,7 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, ("priv: %d\n", pd->priv)); DEBUG(l, ("pw_uid: %d\n", pd->pw_uid)); DEBUG(l, ("gr_gid: %d\n", pd->gr_gid)); + DEBUG(l, ("cli_pid: %d\n", pd->cli_pid)); } int pam_add_response(struct pam_data *pd, enum response_type type, 
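Review bot: The new `cli_pid` member of struct pam_data carries no comment saying where its value comes from; the pam_sss.c part of this patch fills it from the client's own getpid(), so on the server side it is self-reported data that arrives over the client socket. Suggest `uint32_t cli_pid;   /* PID reported by the PAM client itself; informational, not verified by the responder */` so later readers do not take it for a kernel-attested value. The struct declaration starts and ends outside the hunk.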
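Review bot: The added DEBUG line prints `pd->cli_pid`, a uint32_t, with `%d`, which is a mismatched conversion for an unsigned argument (and is what -Wformat will complain about); use `DEBUG(l, ("cli_pid: %u\n", pd->cli_pid));`. The same point applies to the `D(("Cli_PID: %d", pi->cli_pid));` line added to print_pam_items in pam_sss.c, where the member is a pid_t and the portable form is `D(("Cli_PID: %ld", (long) pi->cli_pid));`. pam_print_data begins before the hunk.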
@@ -76,17 +77,18 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) DBUS_TYPE_STRING, &(pd->tty), DBUS_TYPE_STRING, &(pd->ruser), DBUS_TYPE_STRING, &(pd->rhost), - DBUS_TYPE_INT32, &(pd->authtok_type), + DBUS_TYPE_UINT32, &(pd->authtok_type), DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->authtok), (pd->authtok_size), - DBUS_TYPE_INT32, &(pd->newauthtok_type), + DBUS_TYPE_UINT32, &(pd->newauthtok_type), DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->newauthtok), pd->newauthtok_size, DBUS_TYPE_INT32, &(pd->priv), DBUS_TYPE_INT32, &(pd->pw_uid), DBUS_TYPE_INT32, &(pd->gr_gid), + DBUS_TYPE_UINT32, &(pd->cli_pid), DBUS_TYPE_INVALID); return ret; @@ -104,17 +106,18 @@ bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbu DBUS_TYPE_STRING, &(pd->tty), DBUS_TYPE_STRING, &(pd->ruser), DBUS_TYPE_STRING, &(pd->rhost), - DBUS_TYPE_INT32, &(pd->authtok_type), + DBUS_TYPE_UINT32, &(pd->authtok_type), DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->authtok), &(pd->authtok_size), - DBUS_TYPE_INT32, &(pd->newauthtok_type), + DBUS_TYPE_UINT32, &(pd->newauthtok_type), DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->newauthtok), &(pd->newauthtok_size), DBUS_TYPE_INT32, &(pd->priv), DBUS_TYPE_INT32, &(pd->pw_uid), DBUS_TYPE_INT32, &(pd->gr_gid), + DBUS_TYPE_UINT32, &(pd->cli_pid), DBUS_TYPE_INVALID); return ret; diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 1204e32..62cd2a5 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c 
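Review bot: Changing `authtok_type` and `newauthtok_type` from DBUS_TYPE_INT32 to DBUS_TYPE_UINT32 is only correct if those struct pam_data members are declared as uint32_t (dbus_uint32_t); dbus_message_append_args and dbus_message_get_args access the object through the pointer according to the type code and cannot diagnose a mismatch at compile time. The member declarations are not in this patch (only `cli_pid` is added to the struct), so please confirm their types in data_provider.h match the new codes. The same applies to the dp_unpack_pam_request hunk (@@ -104) below; the new `cli_pid` argument does match the uint32_t field added in this series. Both functions start and end outside their hunks.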
@@ -71,6 +71,20 @@ static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { return EOK; } +static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c) { + uint32_t size; + + if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; + + size = ((uint32_t *)&body[*c])[0]; + *c += sizeof(uint32_t); + + *var = ((uint32_t *)&body[*c])[0]; + *c += sizeof(uint32_t); + + return EOK; +} + static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, struct pam_data *pd, uint8_t *body, size_t blen) @@ -119,6 +133,11 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, ret = extract_string(&pd->rhost, body, blen, &c); if (ret != EOK) return ret; break; + case PAM_ITEM_CLI_PID: + ret = extract_uint32_t(&pd->cli_pid, + body, blen, &c); + if (ret != EOK) return ret; + break; case PAM_ITEM_AUTHTOK: ret = extract_authtok(&pd->authtok_type, &pd->authtok_size, &pd->authtok, body, blen, &c); diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index 3d00e28..41dc32b 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -66,6 +66,7 @@ struct pam_items { size_t pam_newauthtok_size; char *pam_cli_locale; size_t pam_cli_locale_size; + pid_t cli_pid; }; #define DEBUG_MGS_LEN 1024 @@ -124,11 +125,29 @@ static size_t add_authtok_item(enum pam_item_type type, return rp; } + +static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, + uint8_t *buf) { + size_t rp=0; + + + ((uint32_t *)(&buf[rp]))[0] = type; + rp += sizeof(uint32_t); + + ((uint32_t *)(&buf[rp]))[0] = sizeof(uint32_t); + rp += sizeof(uint32_t); + + ((uint32_t *)(&buf[rp]))[0] = val; + rp += sizeof(uint32_t); + + return rp; +} + static size_t add_string_item(enum pam_item_type type, const char *str, const size_t size, uint8_t *buf) { size_t rp=0; - if (*str == '\0') return 0; + if (str == NULL || *str == '\0') return 0; ((uint32_t *)(&buf[rp]))[0] = type; rp += sizeof(uint32_t); 
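Review bot: extract_uint32_t reads the `size` word of the client item but never checks it, so a malformed item with any size value is accepted and exactly four bytes are consumed regardless, leaving the parser out of step with what the client actually encoded; the client always writes `sizeof(uint32_t)` there, so compare and return EINVAL otherwise (it also silences the set-but-unused warning on `size`). Both reads go through `(uint32_t *)&body[*c]`, and because the preceding string items have arbitrary lengths the offset is not necessarily 4-byte aligned — copying with memcpy into a local avoids the unaligned/aliasing issue (needs string.h if the file does not already include it); add_uint32_t_item in pam_sss.c stores through the same cast and would benefit from the same treatment. `blen-(*c)` wraps if *c ever exceeds blen; presumably the caller keeps it bounded, but an explicit test is cheap.
```c
static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c) {
    uint32_t size;

    if (*c > blen || blen - (*c) < 2*sizeof(uint32_t)) return EINVAL;

    /* body[*c] need not be 4-byte aligned: copy instead of casting */
    memcpy(&size, &body[*c], sizeof(uint32_t));
    *c += sizeof(uint32_t);

    /* the client always sends exactly sizeof(uint32_t); anything else is malformed */
    if (size != sizeof(uint32_t)) return EINVAL;

    memcpy(var, &body[*c], sizeof(uint32_t));
    *c += sizeof(uint32_t);

    return EOK;
}
```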
@@ -151,20 +170,21 @@ static int pack_message_v2(struct pam_items *pi, size_t *size, len = sizeof(uint32_t) + 2*sizeof(uint32_t) + pi->pam_user_size + sizeof(uint32_t); - len += *pi->pam_service != '\0' ? + len += *pi->pam_service != '\0' ? 2*sizeof(uint32_t) + pi->pam_service_size : 0; - len += *pi->pam_tty != '\0' ? + len += *pi->pam_tty != '\0' ? 2*sizeof(uint32_t) + pi->pam_tty_size : 0; - len += *pi->pam_ruser != '\0' ? + len += *pi->pam_ruser != '\0' ? 2*sizeof(uint32_t) + pi->pam_ruser_size : 0; - len += *pi->pam_rhost != '\0' ? + len += *pi->pam_rhost != '\0' ? 2*sizeof(uint32_t) + pi->pam_rhost_size : 0; - len += *pi->pam_cli_locale != '\0' ? + len += *pi->pam_cli_locale != '\0' ? 2*sizeof(uint32_t) + pi->pam_cli_locale_size : 0; - len += pi->pam_authtok != NULL ? + len += pi->pam_authtok != NULL ? 3*sizeof(uint32_t) + pi->pam_authtok_size : 0; - len += pi->pam_newauthtok != NULL ? + len += pi->pam_newauthtok != NULL ? 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0; + len += 3*sizeof(uint32_t); /* cli_pid */ buf = malloc(len); if (buf == NULL) { @@ -191,9 +211,11 @@ static int pack_message_v2(struct pam_items *pi, size_t *size, rp += add_string_item(PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size, &buf[rp]); - rp += add_string_item(PAM_CLI_LOCALE, pi->pam_cli_locale, + rp += add_string_item(PAM_ITEM_CLI_LOCALE, pi->pam_cli_locale, pi->pam_cli_locale_size, &buf[rp]); + rp += add_uint32_t_item(PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid, &buf[rp]); + rp += add_authtok_item(PAM_ITEM_AUTHTOK, pi->pam_authtok_type, pi->pam_authtok, pi->pam_authtok_size, &buf[rp]); _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size); @@ -486,6 +508,8 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) } pi->pam_cli_locale_size = strlen(pi->pam_cli_locale)+1; + pi->cli_pid = getpid(); + return PAM_SUCCESS; } 
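Review bot: The length computation still dereferences `*pi->pam_service`, `*pi->pam_tty`, `*pi->pam_ruser`, `*pi->pam_rhost` and `*pi->pam_cli_locale` without a NULL check, while add_string_item in the same patch now tolerates `str == NULL`; a NULL pointer would therefore crash here before the new guard is ever reached, so the two checks should agree, e.g. `len += (pi->pam_service != NULL && *pi->pam_service != '\0') ? 2*sizeof(uint32_t) + pi->pam_service_size : 0;` for each of the five strings. The added `len += 3*sizeof(uint32_t); /* cli_pid */` does match the three words add_uint32_t_item writes. pack_message_v2 starts before the hunk and continues after it.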
@@ -505,6 +529,7 @@ static void print_pam_items(struct pam_items *pi) D(("Authtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_authtok))); D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok))); D(("Locale: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_cli_locale))); + D(("Cli_PID: %d", pi->cli_pid)); } static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h index 7e0d4db..2b4e502 100644 --- a/sss_client/sss_cli.h +++ b/sss_client/sss_cli.h @@ -149,7 +149,8 @@ enum pam_item_type { PAM_ITEM_RHOST, PAM_ITEM_AUTHTOK, PAM_ITEM_NEWAUTHTOK, - PAM_CLI_LOCALE, + PAM_ITEM_CLI_LOCALE, + PAM_ITEM_CLI_PID, }; #define SSS_NSS_MAX_ENTRIES 256 -- 1.6.2.5
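Review bot: The constants of enum pam_item_type are the on-the-wire item tags that pam_parse_in_data_v2 switches on, so renaming PAM_CLI_LOCALE to PAM_ITEM_CLI_LOCALE keeps its value and PAM_ITEM_CLI_PID is correctly appended at the end — but nothing in the declaration says so. Suggest a comment above the enum such as `/* Wire-protocol item tags sent by the PAM client: append new entries at the end, never reorder or renumber. */`. The enum head is outside the hunk.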
>From 1799eeb737850133c1959b743880e39fbbb9b394 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Mon, 14 Sep 2009 09:38:58 +0200 Subject: [PATCH 2/3] remove unused client locale from PAM protocol --- sss_client/pam_sss.c | 19 ------------------- 1 files changed, 0 insertions(+), 19 deletions(-) diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index 41dc32b..be22fd3 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -28,7 +28,6 @@ #include <stdlib.h> #include <stdint.h> #include <syslog.h> -#include <locale.h> #include <security/pam_modules.h> #include <security/pam_misc.h> @@ -64,8 +63,6 @@ struct pam_items { size_t pam_authtok_size; int pam_newauthtok_type; size_t pam_newauthtok_size; - char *pam_cli_locale; - size_t pam_cli_locale_size; pid_t cli_pid; }; @@ -178,8 +175,6 @@ static int pack_message_v2(struct pam_items *pi, size_t *size, 2*sizeof(uint32_t) + pi->pam_ruser_size : 0; len += *pi->pam_rhost != '\0' ? 2*sizeof(uint32_t) + pi->pam_rhost_size : 0; - len += *pi->pam_cli_locale != '\0' ? - 2*sizeof(uint32_t) + pi->pam_cli_locale_size : 0; len += pi->pam_authtok != NULL ? 3*sizeof(uint32_t) + pi->pam_authtok_size : 0; len += pi->pam_newauthtok != NULL ? @@ -211,9 +206,6 @@ static int pack_message_v2(struct pam_items *pi, size_t *size, rp += add_string_item(PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size, &buf[rp]); - rp += add_string_item(PAM_ITEM_CLI_LOCALE, pi->pam_cli_locale, - pi->pam_cli_locale_size, &buf[rp]); - rp += add_uint32_t_item(PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid, &buf[rp]); rp += add_authtok_item(PAM_ITEM_AUTHTOK, pi->pam_authtok_type, @@ -447,7 +439,6 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) { int ret; - char *cli_locale; pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; pi->pam_authtok = NULL; 
@@ -499,15 +490,6 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) if (ret != PAM_SUCCESS) return ret; if (pi->pamstack_oldauthtok == NULL) pi->pamstack_oldauthtok=""; - cli_locale = setlocale(LC_ALL, NULL); - if (cli_locale == NULL) { - pi->pam_cli_locale = strdup(""); - } else { - pi->pam_cli_locale = strdup(cli_locale); - if (pi->pam_cli_locale == NULL) return PAM_BUF_ERR; - } - pi->pam_cli_locale_size = strlen(pi->pam_cli_locale)+1; - pi->cli_pid = getpid(); return PAM_SUCCESS; @@ -528,7 +510,6 @@ static void print_pam_items(struct pam_items *pi) CHECK_AND_RETURN_PI_STRING(pi->pamstack_oldauthtok))); D(("Authtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_authtok))); D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok))); - D(("Locale: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_cli_locale))); D(("Cli_PID: %d", pi->cli_pid)); } -- 1.6.2.5
>From 6b558a39d09f8cc92c2ed3220b7c067e4092ed33 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Mon, 14 Sep 2009 09:55:33 +0200 Subject: [PATCH 3/3] make cli_pid mandatory and increase version number of pam protocol --- server/responder/pam/pamsrv_cmd.c | 26 +++++++++++++++++++++++++- sss_client/pam_sss.c | 4 ++-- sss_client/sss_cli.h | 2 +- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 62cd2a5..671dc08 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c @@ -167,6 +167,26 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, } +static int pam_parse_in_data_v3(struct sss_names_ctx *snctx, + struct pam_data *pd, + uint8_t *body, size_t blen) +{ + int ret; + + ret = pam_parse_in_data_v2(snctx, pd, body, blen); + if (ret != EOK) { + DEBUG(1, ("pam_parse_in_data_v2 failed.\n")); + return ret; + } + + if (pd->cli_pid == 0) { + DEBUG(1, ("Missing client PID.\n")); + return EINVAL; + } + + return EOK; +} + static int pam_parse_in_data(struct sss_names_ctx *snctx, struct pam_data *pd, uint8_t *body, size_t blen) @@ -440,6 +460,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) case 2: ret = pam_parse_in_data_v2(cctx->rctx->names, pd, body, blen); break; + case 3: + ret = pam_parse_in_data_v3(cctx->rctx->names, pd, body, blen); + break; default: DEBUG(1, ("Illegal protocol version [%d].\n", cctx->cli_protocol_version->version)); @@ -843,8 +866,9 @@ static int pam_cmd_chauthtok(struct cli_ctx *cctx) { struct cli_protocol_version *register_cli_protocol_version(void) { static struct cli_protocol_version pam_cli_protocol_version[] = { - {1, "2008-09-05", "initial version, \\0 terminated strings"}, + {3, "2009-09-14", "make cli_pid mandatory"}, {2, "2009-05-12", "new format <type><size><data>"}, + {1, "2008-09-05", "initial version, \\0 terminated strings"}, {0, NULL, NULL} }; 
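Review bot: The mandatory-item check `if (pd->cli_pid == 0)` in pam_parse_in_data_v3 only works if cli_pid is zero before parsing — pam_parse_in_data_v2 leaves the field untouched when no PAM_ITEM_CLI_PID item is present — so it relies on the caller handing over a zero-allocated pd, which is not visible here; please confirm, or set `pd->cli_pid = 0;` before the v2 call. A non-zero value also only proves the item was sent, since it is whatever the client wrote into the message; if the PID is ever used beyond logging, the peer credentials of the client socket (SO_PEERCRED on Linux) are the trustworthy source, and a comment on the check saying the value is informational would keep future callers from relying on it.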
diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index be22fd3..9a1d441 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -158,7 +158,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str, return rp; } -static int pack_message_v2(struct pam_items *pi, size_t *size, +static int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer) { int len; uint8_t *buf; @@ -526,7 +526,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, print_pam_items(pi); - ret = pack_message_v2(pi, &rd.len, &buf); + ret = pack_message_v3(pi, &rd.len, &buf); if (ret != 0) { D(("pack_message failed.")); pam_status = PAM_SYSTEM_ERR; diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h index 2b4e502..b036aec 100644 --- a/sss_client/sss_cli.h +++ b/sss_client/sss_cli.h @@ -21,7 +21,7 @@ typedef int errno_t; #endif #define SSS_NSS_PROTOCOL_VERSION 1 -#define SSS_PAM_PROTOCOL_VERSION 2 +#define SSS_PAM_PROTOCOL_VERSION 3 enum sss_cli_command { /* null */ -- 1.6.2.5
