pam_vbox.cpp@ 38545

Last change on this file since 38545 was 38545, checked in by vboxsync, 14 years ago
pam_vbox: Implemented threaded waiting without the need to explicitly set a beacon.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 26.5 KB

Line
1	/* $Id: pam_vbox.cpp 38545 2011-08-26 12:32:27Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2011 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18	/*******************************************************************************
19	* Header Files *
20	*******************************************************************************/
21	#define PAM_SM_AUTH
22	#define PAM_SM_ACCOUNT
23	#define PAM_SM_PASSWORD
24	#define PAM_SM_SESSION
25
26	#ifdef DEBUG
27	# define PAM_DEBUG
28	#endif
29
30	#ifdef RT_OS_SOLARIS
31	# include <security/pam_appl.h>
32	#endif
33	#include <security/pam_modules.h>
34	#include <security/pam_appl.h>
35	#ifdef RT_OS_LINUX
36	# include <security/_pam_macros.h>
37	#endif
38
39	#include <pwd.h>
40	#include <syslog.h>
41	#include <stdlib.h>
42
43	#include <iprt/assert.h>
44	#include <iprt/env.h>
45	#include <iprt/initterm.h>
46	#include <iprt/mem.h>
47	#include <iprt/stream.h>
48	#include <iprt/string.h>
49	#include <iprt/thread.h>
50	#include <iprt/time.h>
51
52	#include <VBox/VBoxGuestLib.h>
53
54	#include <VBox/log.h>
55	#ifdef VBOX_WITH_GUEST_PROPS
56	# include <VBox/HostServices/GuestPropertySvc.h>
57	using namespace guestProp;
58	#endif
59
60	#define VBOX_MODULE_NAME "pam_vbox"
61
62	/** For debugging. */
63	#ifdef DEBUG
64	static pam_handle_t *g_pam_handle;
65	static int g_verbosity = 99;
66	#else
67	static int g_verbosity = 0;
68	#endif
69
70	/**
71	* User-provided thread data for the credentials waiting thread.
72	*/
73	typedef struct PAMVBOXTHREAD
74	{
75	/** The PAM handle. */
76	pam_handle_t *hPAM;
77	/** The timeout (in ms) to wait for credentials. */
78	uint32_t uTimeoutMS;
79	/** The overall result of the thread operation. */
80	int rc;
81	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
82
83	/**
84	* Write to system log.
85	*
86	* @param pszBuf Buffer to write to the log (NULL-terminated)
87	*/
88	static void pam_vbox_writesyslog(char *pszBuf)
89	{
90	#ifdef RT_OS_LINUX
91	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
92	syslog(LOG_ERR, "%s", pszBuf);
93	closelog();
94	#elif defined(RT_OS_SOLARIS)
95	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
96	#endif
97	}
98
99
100	/**
101	* Displays an error message.
102	*
103	* @param pszFormat The message text.
104	* @param ... Format arguments.
105	*/
106	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
107	{
108	va_list va;
109	char *buf;
110	va_start(va, pszFormat);
111	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
112	{
113	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
114	pam_vbox_writesyslog(buf);
115	RTStrFree(buf);
116	}
117	va_end(va);
118	}
119
120
121	/**
122	* Displays a debug message.
123	*
124	* @param pszFormat The message text.
125	* @param ... Format arguments.
126	*/
127	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
128	{
129	if (g_verbosity)
130	{
131	va_list va;
132	char *buf;
133	va_start(va, pszFormat);
134	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
135	{
136	/* Only do normal logging in debug mode; could contain
137	* sensitive data! */
138	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
139	/* Log to syslog */
140	pam_vbox_writesyslog(buf);
141	RTStrFree(buf);
142	}
143	va_end(va);
144	}
145	}
146
147
148	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
149	{
150	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
151	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
152
153	if (!iStyle)
154	iStyle = PAM_TEXT_INFO;
155
156	int rc = VINF_SUCCESS;
157
158	pam_message msg;
159	msg.msg_style = iStyle;
160	#ifdef RT_OS_SOLARIS
161	msg.msg = (char*)pszText;
162	#else
163	msg.msg = pszText;
164	#endif
165
166	#ifdef RT_OS_SOLARIS
167	pam_conv *conv = NULL;
168	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
169	#else
170	const pam_conv *conv = NULL;
171	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
172	#endif
173	if ( pamrc == PAM_SUCCESS
174	&& conv)
175	{
176	pam_response *resp = NULL;
177	#ifdef RT_OS_SOLARIS
178	pam_message *msg_p = &msg;
179	#else
180	const pam_message *msg_p = &msg;
181	#endif
182	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
183
184	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
185	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
186	{
187	if (resp->resp)
188	{
189	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
190	pszText, resp->resp);
191	/** @todo Save response! */
192	free(resp->resp);
193	}
194	free(resp);
195	}
196	}
197	else
198	rc = VERR_NOT_FOUND;
199	return rc;
200	}
201
202
203	static int pam_vbox_init(pam_handle_t *hPAM)
204	{
205	#ifdef DEBUG
206	g_pam_handle = hPAM; /* hack for getting assertion text */
207	#endif
208
209	/* Don't make assertions panic because the PAM stack +
210	* the current logon module won't work anymore (or just restart).
211	* This could result in not able to log into the system anymore. */
212	RTAssertSetMayPanic(false);
213
214	int rc = RTR3Init();
215	if (RT_FAILURE(rc))
216	{
217	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
218	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
219	}
220
221	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
222	if (RT_SUCCESS(rc))
223	{
224	rc = VbglR3InitUser();
225	if (RT_FAILURE(rc))
226	{
227	switch(rc)
228	{
229	case VERR_ACCESS_DENIED:
230	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
231	break;
232
233	case VERR_FILE_NOT_FOUND:
234	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
235	break;
236
237	default:
238	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
239	break;
240	}
241	}
242	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
243	}
244
245	if (RT_SUCCESS(rc))
246	{
247	char *rhost = NULL;
248	char *tty = NULL;
249	char *prompt = NULL;
250	#ifdef RT_OS_SOLARIS
251	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
252	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
253	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
254	#else
255	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
256	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
257	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
258	#endif
259	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
260	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
261	}
262
263	return rc;
264	}
265
266
267	static void pam_vbox_shutdown(pam_handle_t *hPAM)
268	{
269	VbglR3Term();
270	}
271
272
273	static int pam_vbox_check_creds(pam_handle_t *hPAM)
274	{
275	int rc = VbglR3CredentialsQueryAvailability();
276	if (RT_FAILURE(rc))
277	{
278	if (rc != VERR_NOT_FOUND)
279	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
280	#ifdef DEBUG
281	else
282	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
283	#endif
284	}
285	else
286	{
287	char *pszUsername;
288	char *pszPassword;
289	char *pszDomain;
290
291	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
292	if (RT_FAILURE(rc))
293	{
294	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
295	}
296	else
297	{
298	#ifdef DEBUG
299	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
300	pszUsername, pszPassword, pszDomain);
301	#else
302	/* Don't log passwords in release mode! */
303	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
304	pszUsername, pszDomain);
305	#endif
306	/* Fill credentials into PAM. */
307	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
308	if (pamrc != PAM_SUCCESS)
309	{
310	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
311	pamrc, pam_strerror(hPAM, pamrc));
312	}
313	else
314	{
315	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
316	if (pamrc != PAM_SUCCESS)
317	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
318	pamrc, pam_strerror(hPAM, pamrc));
319
320	}
321	/** @todo Add handling domains as well. */
322	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
323	3 /* Three wipe passes */);
324	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
325	pamrc, pam_strerror(hPAM, pamrc));
326	}
327	}
328
329	#ifdef DEBUG
330	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
331	#endif
332	return rc;
333	}
334
335
336	#ifdef VBOX_WITH_GUEST_PROPS
337	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
338	const char *pszKey, bool fReadOnly,
339	char *pszValue, size_t cbValue)
340	{
341	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
342	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
343	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
344	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
345
346	int rc;
347
348	uint64_t u64Timestamp = 0;
349	char *pszValTemp;
350	char *pszFlags = NULL;
351	/* The buffer for storing the data and its initial size. We leave a bit
352	* of space here in case the maximum values are raised. */
353	void *pvBuf = NULL;
354	uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
355
356	/* Because there is a race condition between our reading the size of a
357	* property and the guest updating it, we loop a few times here and
358	* hope. Actually this should never go wrong, as we are generous
359	* enough with buffer space. */
360	for (unsigned i = 0; i < 10; i++)
361	{
362	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
363	if (pvTmpBuf)
364	{
365	pvBuf = pvTmpBuf;
366	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
367	&pszValTemp, &u64Timestamp, &pszFlags,
368	&cbBuf);
369	}
370	else
371	rc = VERR_NO_MEMORY;
372
373	switch (rc)
374	{
375	case VERR_BUFFER_OVERFLOW:
376	{
377	/* Buffer too small, try it with a bigger one next time. */
378	cbBuf += _1K;
379	continue; /* Try next round. */
380	}
381
382	default:
383	break;
384	}
385
386	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
387	break;
388	}
389
390	if (RT_SUCCESS(rc))
391	{
392	/* Check security bits. */
393	if (pszFlags)
394	{
395	if ( fReadOnly
396	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
397	{
398	/* If we want a property which is read-only on the guest
399	* and it is not marked as such, deny access! */
400	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
401	pszKey);
402	rc = VERR_ACCESS_DENIED;
403	}
404	}
405	else /* No flags, no access! */
406	{
407	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
408	pszKey, pszFlags);
409	rc = VERR_ACCESS_DENIED;
410	}
411
412	if (RT_SUCCESS(rc))
413	{
414	/* If everything went well copy property value to our destination buffer. */
415	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
416	{
417	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
418	pszKey);
419	rc = VERR_INVALID_PARAMETER;
420	}
421	}
422	}
423
424	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\" with rc=%Rrc\n",
425	pszKey, pszValue, rc);
426	return rc;
427	}
428
429
430	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
431	const char *pszKey, uint32_t uTimeoutMS)
432	{
433	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
434	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
435	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
436
437	int rc;
438
439	/* The buffer for storing the data and its initial size. We leave a bit
440	* of space here in case the maximum values are raised. */
441	void *pvBuf = NULL;
442	uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
443
444	for (int i = 0; i < 10; i++)
445	{
446	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
447	if (pvTmpBuf)
448	{
449	char *pszName = NULL;
450	char *pszValue = NULL;
451	uint64_t u64TimestampOut = 0;
452	char *pszFlags = NULL;
453
454	pvBuf = pvTmpBuf;
455	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
456	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
457	&pszName, &pszValue, &u64TimestampOut,
458	&pszFlags, &cbBuf);
459	}
460	else
461	rc = VERR_NO_MEMORY;
462
463	if (rc == VERR_BUFFER_OVERFLOW)
464	{
465	/* Buffer too small, try it with a bigger one next time. */
466	cbBuf += _1K;
467	continue; /* Try next round. */
468	}
469
470	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
471	break;
472	}
473
474	return rc;
475	}
476	#endif
477
478
479	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
480	{
481	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
482	AssertPtr(pUserData);
483
484	int rc = VINF_SUCCESS;
485	/* Get current time stamp to later calculate rest of timeout left. */
486	uint64_t u64StartMS = RTTimeMilliTS();
487
488	#ifdef VBOX_WITH_GUEST_PROPS
489	uint32_t uClientID = 0;
490	rc = VbglR3GuestPropConnect(&uClientID);
491	if (RT_FAILURE(rc))
492	{
493	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
494	}
495	else
496	{
497	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
498	#endif
499	for (;;)
500	{
501	#ifdef VBOX_WITH_GUEST_PROPS
502	if (uClientID)
503	{
504	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
505	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
506	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
507	switch (rc)
508	{
509	case VINF_SUCCESS:
510	/* Somebody (guest/host) wants to abort waiting for credentials. */
511	break;
512
513	case VERR_INTERRUPTED:
514	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
515	break;
516
517	case VERR_TIMEOUT:
518	/* We did not receive an abort message within time. */
519	break;
520
521	case VERR_TOO_MUCH_DATA:
522	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
523	break;
524
525	default:
526	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
527	break;
528	}
529
530	if (RT_SUCCESS(rc)) /* Abort waiting. */
531	{
532	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
533	rc = VERR_CANCELLED;
534	break;
535	}
536	}
537	#endif
538	if ( RT_SUCCESS(rc)
539	\|\| rc == VERR_TIMEOUT)
540	{
541	rc = pam_vbox_check_creds(pUserData->hPAM);
542	if (RT_SUCCESS(rc))
543	{
544	/* Credentials retrieved. */
545	break; /* Thread no longer is required, bail out. */
546	}
547	else if (rc == VERR_NOT_FOUND)
548	{
549	/* No credentials found, but try next round (if there's
550	* time left for) ... */
551	#ifndef VBOX_WITH_GUEST_PROPS
552	RTThreadSleep(500); /* Wait 500 ms. */
553	#endif
554	}
555	else
556	break; /* Something bad happend ... */
557	}
558	else
559	break;
560
561	/* Calculate timeout value left after process has been started. */
562	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
563	/* Is it time to bail out? */
564	if (pUserData->uTimeoutMS < u64Elapsed)
565	{
566	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
567	pUserData->uTimeoutMS);
568	rc = VERR_TIMEOUT;
569	break;
570	}
571	}
572	#ifdef VBOX_WITH_GUEST_PROPS
573	}
574	VbglR3GuestPropDisconnect(uClientID);
575	#endif
576
577	/* Save result. */
578	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
579
580	int rc2 = RTThreadUserSignal(RTThreadSelf());
581	AssertRC(rc2);
582
583	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
584	return rc;
585	}
586
587
588	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
589	{
590	PAMVBOXTHREAD threadData;
591	threadData.hPAM = hPAM;
592	threadData.uTimeoutMS = uTimeoutMS;
593
594	RTTHREAD threadWait;
595	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
596	(void *)&threadData, 0,
597	RTTHREADTYPE_DEFAULT, RTTHREADFLAGS_WAITABLE, "pam_vbox");
598	if (RT_SUCCESS(rc))
599	{
600	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
601	/* Wait for thread to initialize. */
602	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
603	if (RT_SUCCESS(rc))
604	rc = threadData.rc; /* Get back thread result to take further actions. */
605	}
606	else
607	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
608
609	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
610	return rc;
611	}
612
613
614	/**
615	* Performs authentication within the PAM framework.
616	*
617	* @todo
618	*/
619	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
620	int argc, const char **argv)
621	{
622	/* Parse arguments. */
623	int i;
624	for (i = 0; i < argc; i++)
625	{
626	if (!RTStrICmp(argv[i], "debug"))
627	g_verbosity = 1;
628	else
629	pam_vbox_error(hPAM, "pam_sm_authenticate: unknown command line argument \"%s\"\n", argv[i]);
630	}
631	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
632
633	int rc = pam_vbox_init(hPAM);
634	if (RT_FAILURE(rc))
635	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
636
637	bool fFallback = true;
638
639	#ifdef VBOX_WITH_GUEST_PROPS
640	uint32_t uClientId;
641	rc = VbglR3GuestPropConnect(&uClientId);
642	if (RT_SUCCESS(rc))
643	{
644	char szVal[256];
645	rc = pam_vbox_read_prop(hPAM, uClientId,
646	"/VirtualBox/GuestAdd/PAM/CredsWait",
647	true /* Read-only on guest */,
648	szVal, sizeof(szVal));
649	if (RT_SUCCESS(rc))
650	{
651	/* All calls which are checked against rc2 are not critical, e.g. it does
652	* not matter if they succeed or not. */
653	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
654	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
655	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
656	true /* Read-only on guest */,
657	szVal, sizeof(szVal));
658	if (RT_SUCCESS(rc2))
659	{
660	uTimeoutMS = RTStrToUInt32(szVal);
661	if (!uTimeoutMS)
662	{
663	pam_vbox_error(hPAM, "pam_sm_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
664	uTimeoutMS = RT_INDEFINITE_WAIT;
665	}
666	else
667	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
668	}
669
670	rc2 = pam_vbox_read_prop(hPAM, uClientId,
671	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
672	true /* Read-only on guest */,
673	szVal, sizeof(szVal));
674	const char *pszWaitMsg = NULL;
675	if (RT_SUCCESS(rc2))
676	pszWaitMsg = szVal;
677
678	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
679	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
680	if (RT_FAILURE(rc2)) /* Not critical. */
681	pam_vbox_error(hPAM, "pam_sm_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
682
683	if (RT_SUCCESS(rc))
684	{
685	/* Before we actuall wait for credentials just make sure we didn't already get credentials
686	* set so that we can skip waiting for them ... */
687	rc = pam_vbox_check_creds(hPAM);
688	if (rc == VERR_NOT_FOUND)
689	{
690	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
691	if (RT_SUCCESS(rc))
692	{
693	/* Waiting for credentials succeeded, try getting those ... */
694	rc = pam_vbox_check_creds(hPAM);
695	if (RT_FAILURE(rc))
696	pam_vbox_error(hPAM, "pam_sm_authenticate: no credentials given, even when waited for it, rc=%Rrc\n", rc);
697	}
698	else if (rc == VERR_TIMEOUT)
699	{
700	pam_vbox_log(hPAM, "pam_sm_authenticate: no credentials given within time\n");
701
702	rc2 = pam_vbox_read_prop(hPAM, uClientId,
703	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
704	true /* Read-only on guest */,
705	szVal, sizeof(szVal));
706	if (RT_SUCCESS(rc2))
707	{
708	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
709	AssertRC(rc2);
710	}
711	}
712	else if (rc == VERR_CANCELLED)
713	{
714	pam_vbox_log(hPAM, "pam_sm_authenticate: waiting aborted\n");
715
716	rc2 = pam_vbox_read_prop(hPAM, uClientId,
717	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
718	true /* Read-only on guest */,
719	szVal, sizeof(szVal));
720	if (RT_SUCCESS(rc2))
721	{
722	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
723	AssertRC(rc2);
724	}
725	}
726	}
727
728	/* If we got here we don't need the fallback, so just deactivate it. */
729	fFallback = false;
730	}
731	}
732
733	VbglR3GuestPropDisconnect(uClientId);
734	}
735	#endif /* VBOX_WITH_GUEST_PROPS */
736
737	if (fFallback)
738	{
739	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
740
741	/* If anything went wrong in the code above we just do a credentials
742	* check like it was before: Try retrieving the stuff and authenticating. */
743	int rc2 = pam_vbox_check_creds(hPAM);
744	if (RT_SUCCESS(rc))
745	rc = rc2;
746	}
747
748	pam_vbox_shutdown(hPAM);
749
750	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
751
752	/* Never report an error here because if no credentials from the host are available or something
753	* went wrong we then let do the authentication by the next module in the stack. */
754
755	/* We report success here because this is all we can do right now -- we passed the credentials
756	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
757	* password verification to "really" authenticate the user. */
758	return PAM_SUCCESS;
759	}
760
761
762	/**
763	* Modifies / deletes user credentials
764	*
765	* @todo
766	*/
767	DECLEXPORT(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
768	{
769	pam_vbox_log(hPAM, "pam_vbox_setcred called\n");
770	return PAM_SUCCESS;
771	}
772
773
774	DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
775	{
776	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
777	return PAM_SUCCESS;
778	}
779
780
781	DECLEXPORT(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
782	{
783	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
784	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
785	return PAM_SUCCESS;
786	}
787
788
789	DECLEXPORT(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
790	{
791	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
792	return PAM_SUCCESS;
793	}
794
795	DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
796	{
797	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
798	return PAM_SUCCESS;
799	}
800
801	#ifdef DEBUG
802	DECLEXPORT(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
803	{
804	pam_vbox_log(g_pam_handle,
805	"\n!!Assertion Failed!!\n"
806	"Expression: %s\n"
807	"Location : %s(%d) %s\n",
808	pszExpr, pszFile, uLine, pszFunction);
809	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
810	}
811	#endif

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 38545

Download in other formats: