VirtualBox

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 53402

Last change on this file since 53402 was 44528, checked in by vboxsync, 12 years ago

header (C) fixes

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 30.1 KB
Line 
1/* $Id: pam_vbox.cpp 44528 2013-02-04 14:27:54Z vboxsync $ */
2/** @file
3 * pam_vbox - PAM module for auto logons.
4 */
5
6/*
7 * Copyright (C) 2008-2012 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18/*******************************************************************************
19* Header Files *
20*******************************************************************************/
21#define PAM_SM_AUTH
22#define PAM_SM_ACCOUNT
23#define PAM_SM_PASSWORD
24#define PAM_SM_SESSION
25
26#ifdef DEBUG
27# define PAM_DEBUG
28#endif
29
30#include <security/pam_appl.h>
31#ifdef RT_OS_LINUX
32# include <security/_pam_macros.h>
33#endif
34
35#include <pwd.h>
36#include <syslog.h>
37#include <stdlib.h>
38
39#include <iprt/assert.h>
40#include <iprt/buildconfig.h>
41#include <iprt/env.h>
42#include <iprt/initterm.h>
43#include <iprt/mem.h>
44#include <iprt/stream.h>
45#include <iprt/string.h>
46#include <iprt/thread.h>
47#include <iprt/time.h>
48
49#include <VBox/VBoxGuestLib.h>
50
51#include <VBox/log.h>
52#ifdef VBOX_WITH_GUEST_PROPS
53# include <VBox/HostServices/GuestPropertySvc.h>
54 using namespace guestProp;
55#endif
56
57#define VBOX_MODULE_NAME "pam_vbox"
58
59#define VBOX_PAM_FLAG_SILENT "PAM_SILENT"
60#define VBOX_PAM_FLAG_DISALLOW_NULL_AUTHTOK "PAM_DISALLOW_NULL_AUTHTOK"
61#define VBOX_PAM_FLAG_ESTABLISH_CRED "PAM_ESTABLISH_CRED"
62#define VBOX_PAM_FLAG_DELETE_CRED "PAM_DELETE_CRED"
63#define VBOX_PAM_FLAG_REINITIALIZE_CRED "PAM_REINITIALIZE_CRED"
64#define VBOX_PAM_FLAG_REFRESH_CRED "PAM_REFRESH_CRED"
65
66RT_C_DECLS_BEGIN
67RTDECL(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
68RTDECL(int) pam_sm_setcred(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
69RTDECL(int) pam_sm_acct_mgmt(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
70RTDECL(int) pam_sm_open_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
71RTDECL(int) pam_sm_close_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
72RTDECL(int) pam_sm_chauthtok(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
73RT_C_DECLS_END
74
75/** For debugging. */
76#ifdef DEBUG
77static pam_handle_t *g_pam_handle;
78static int g_verbosity = 99;
79#else
80static int g_verbosity = 0;
81#endif
82
83/**
84 * User-provided thread data for the credentials waiting thread.
85 */
86typedef struct PAMVBOXTHREAD
87{
88 /** The PAM handle. */
89 pam_handle_t *hPAM;
90 /** The timeout (in ms) to wait for credentials. */
91 uint32_t uTimeoutMS;
92 /** The overall result of the thread operation. */
93 int rc;
94} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
95
96/**
97 * Write to system log.
98 *
99 * @param pszBuf Buffer to write to the log (NULL-terminated)
100 */
101static void pam_vbox_writesyslog(char *pszBuf)
102{
103#ifdef RT_OS_LINUX
104 openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
105 syslog(LOG_ERR, "%s", pszBuf);
106 closelog();
107#elif defined(RT_OS_SOLARIS)
108 syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
109#endif
110}
111
112
113/**
114 * Displays an error message.
115 *
116 * @param pszFormat The message text.
117 * @param ... Format arguments.
118 */
119static void pam_vbox_error(pam_handle_t *hPAM, const char *pszFormat, ...)
120{
121 va_list va;
122 char *buf;
123 va_start(va, pszFormat);
124 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
125 {
126 LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
127 pam_vbox_writesyslog(buf);
128 RTStrFree(buf);
129 }
130 va_end(va);
131}
132
133
134/**
135 * Displays a debug message.
136 *
137 * @param pszFormat The message text.
138 * @param ... Format arguments.
139 */
140static void pam_vbox_log(pam_handle_t *hPAM, const char *pszFormat, ...)
141{
142 if (g_verbosity)
143 {
144 va_list va;
145 char *buf;
146 va_start(va, pszFormat);
147 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
148 {
149 /* Only do normal logging in debug mode; could contain
150 * sensitive data! */
151 LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
152 /* Log to syslog */
153 pam_vbox_writesyslog(buf);
154 RTStrFree(buf);
155 }
156 va_end(va);
157 }
158}
159
160
161/**
162 * Sets a message using PAM's conversation function.
163 *
164 * @return IPRT status code.
165 * @param hPAM PAM handle.
166 * @param iStyle Style of message (0 = Information, 1 = Prompt
167 * echo off, 2 = Prompt echo on, 3 = Error).
168 * @param pszText Message text to set.
169 */
170static int vbox_set_msg(pam_handle_t *hPAM, int iStyle, const char *pszText)
171{
172 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
173 AssertPtrReturn(pszText, VERR_INVALID_POINTER);
174
175 if (!iStyle)
176 iStyle = PAM_TEXT_INFO;
177
178 int rc = VINF_SUCCESS;
179
180 pam_message msg;
181 msg.msg_style = iStyle;
182#ifdef RT_OS_SOLARIS
183 msg.msg = (char*)pszText;
184#else
185 msg.msg = pszText;
186#endif
187
188#ifdef RT_OS_SOLARIS
189 pam_conv *conv = NULL;
190 int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
191#else
192 const pam_conv *conv = NULL;
193 int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
194#endif
195 if ( pamrc == PAM_SUCCESS
196 && conv)
197 {
198 pam_response *resp = NULL;
199#ifdef RT_OS_SOLARIS
200 pam_message *msg_p = &msg;
201#else
202 const pam_message *msg_p = &msg;
203#endif
204 pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
205
206 pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
207 if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
208 {
209 if (resp->resp)
210 {
211 pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
212 pszText, resp->resp);
213 /** @todo Save response! */
214 free(resp->resp);
215 }
216 free(resp);
217 }
218 }
219 else
220 rc = VERR_NOT_FOUND;
221 return rc;
222}
223
224
225/**
226 * Initializes pam_vbox.
227 *
228 * @return IPRT status code.
229 * @param hPAM PAM handle.
230 */
231static int pam_vbox_init(pam_handle_t *hPAM)
232{
233#ifdef DEBUG
234 g_pam_handle = hPAM; /* hack for getting assertion text */
235#endif
236
237 /* Don't make assertions panic because the PAM stack +
238 * the current logon module won't work anymore (or just restart).
239 * This could result in not able to log into the system anymore. */
240 RTAssertSetMayPanic(false);
241
242 pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
243 RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
244
245 int rc = RTR3InitDll(0);
246 if (RT_FAILURE(rc))
247 {
248 pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
249 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
250 }
251
252 pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
253 if (RT_SUCCESS(rc))
254 {
255 rc = VbglR3InitUser();
256 if (RT_FAILURE(rc))
257 {
258 switch(rc)
259 {
260 case VERR_ACCESS_DENIED:
261 pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
262 break;
263
264 case VERR_FILE_NOT_FOUND:
265 pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
266 break;
267
268 default:
269 pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
270 break;
271 }
272 }
273 pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
274 }
275
276 if (RT_SUCCESS(rc))
277 {
278 char *rhost = NULL;
279 char *tty = NULL;
280 char *prompt = NULL;
281#ifdef RT_OS_SOLARIS
282 pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
283 pam_get_item(hPAM, PAM_TTY, (void**) &tty);
284 pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
285#else
286 pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
287 pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
288 pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
289#endif
290 pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
291 rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
292 }
293
294 return rc;
295}
296
297
298/**
299 * Shuts down pam_vbox.
300 *
301 * @return IPRT status code.
302 * @param hPAM PAM handle.
303 */
304static void pam_vbox_shutdown(pam_handle_t *hPAM)
305{
306 VbglR3Term();
307}
308
309
310/**
311 * Checks for credentials provided by the host / HGCM.
312 *
313 * @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
314 * VINF_SUCCESS on successful retrieval or another IPRT error.
315 * @param hPAM PAM handle.
316 */
317static int pam_vbox_check_creds(pam_handle_t *hPAM)
318{
319 int rc = VbglR3CredentialsQueryAvailability();
320 if (RT_FAILURE(rc))
321 {
322 if (rc != VERR_NOT_FOUND)
323 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
324#ifdef DEBUG
325 else
326 pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
327#endif
328 }
329 else
330 {
331 char *pszUsername;
332 char *pszPassword;
333 char *pszDomain;
334
335 rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
336 if (RT_FAILURE(rc))
337 {
338 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
339 }
340 else
341 {
342#ifdef DEBUG
343 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
344 pszUsername, pszPassword, pszDomain);
345#else
346 /* Don't log passwords in release mode! */
347 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
348 pszUsername, pszDomain);
349#endif
350 /* Fill credentials into PAM. */
351 int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
352 if (pamrc != PAM_SUCCESS)
353 {
354 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
355 pamrc, pam_strerror(hPAM, pamrc));
356 }
357 else
358 {
359 pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
360 if (pamrc != PAM_SUCCESS)
361 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
362 pamrc, pam_strerror(hPAM, pamrc));
363
364 }
365 /** @todo Add handling domains as well. */
366 VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
367 3 /* Three wipe passes */);
368 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
369 pamrc, pam_strerror(hPAM, pamrc));
370 }
371 }
372
373#ifdef DEBUG
374 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
375#endif
376 return rc;
377}
378
379
380#ifdef VBOX_WITH_GUEST_PROPS
381/**
382 * Reads a guest property.
383 *
384 * @return IPRT status code.
385 * @param hPAM PAM handle.
386 * @param uClientID Guest property service client ID.
387 * @param pszKey Key (name) of guest property to read.
388 * @param fReadOnly Indicates whether this key needs to be
389 * checked if it only can be read (and *not* written)
390 * by the guest.
391 * @param pszValue Buffer where to store the key's value.
392 * @param cbValue Size of buffer (in bytes).
393 */
394static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
395 const char *pszKey, bool fReadOnly,
396 char *pszValue, size_t cbValue)
397{
398 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
399 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
400 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
401 AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
402
403 int rc;
404
405 uint64_t u64Timestamp = 0;
406 char *pszValTemp;
407 char *pszFlags = NULL;
408 /* The buffer for storing the data and its initial size. We leave a bit
409 * of space here in case the maximum values are raised. */
410 void *pvBuf = NULL;
411 uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
412
413 /* Because there is a race condition between our reading the size of a
414 * property and the guest updating it, we loop a few times here and
415 * hope. Actually this should never go wrong, as we are generous
416 * enough with buffer space. */
417 for (unsigned i = 0; i < 10; i++)
418 {
419 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
420 if (pvTmpBuf)
421 {
422 pvBuf = pvTmpBuf;
423 rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
424 &pszValTemp, &u64Timestamp, &pszFlags,
425 &cbBuf);
426 }
427 else
428 rc = VERR_NO_MEMORY;
429
430 switch (rc)
431 {
432 case VERR_BUFFER_OVERFLOW:
433 {
434 /* Buffer too small, try it with a bigger one next time. */
435 cbBuf += _1K;
436 continue; /* Try next round. */
437 }
438
439 default:
440 break;
441 }
442
443 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
444 break;
445 }
446
447 if (RT_SUCCESS(rc))
448 {
449 /* Check security bits. */
450 if (pszFlags)
451 {
452 if ( fReadOnly
453 && !RTStrStr(pszFlags, "RDONLYGUEST"))
454 {
455 /* If we want a property which is read-only on the guest
456 * and it is *not* marked as such, deny access! */
457 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
458 pszKey);
459 rc = VERR_ACCESS_DENIED;
460 }
461 }
462 else /* No flags, no access! */
463 {
464 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
465 pszKey, pszFlags);
466 rc = VERR_ACCESS_DENIED;
467 }
468
469 if (RT_SUCCESS(rc))
470 {
471 /* If everything went well copy property value to our destination buffer. */
472 if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
473 {
474 pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
475 pszKey);
476 rc = VERR_INVALID_PARAMETER;
477 }
478
479 if (RT_SUCCESS(rc))
480 pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
481 pszKey, pszValue);
482 }
483 }
484
485 pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
486 pszKey, rc);
487 return rc;
488}
489
490
491/**
492 * Waits for a guest property to be changed.
493 *
494 * @return IPRT status code.
495 * @param hPAM PAM handle.
496 * @param uClientID Guest property service client ID.
497 * @param pszKey Key (name) of guest property to wait for.
498 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
499 * RT_INDEFINITE_WAIT to wait indefinitly.
500 */
501static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
502 const char *pszKey, uint32_t uTimeoutMS)
503{
504 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
505 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
506 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
507
508 int rc;
509
510 /* The buffer for storing the data and its initial size. We leave a bit
511 * of space here in case the maximum values are raised. */
512 void *pvBuf = NULL;
513 uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
514
515 for (int i = 0; i < 10; i++)
516 {
517 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
518 if (pvTmpBuf)
519 {
520 char *pszName = NULL;
521 char *pszValue = NULL;
522 uint64_t u64TimestampOut = 0;
523 char *pszFlags = NULL;
524
525 pvBuf = pvTmpBuf;
526 rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
527 0 /* Last timestamp; just wait for next event */, uTimeoutMS,
528 &pszName, &pszValue, &u64TimestampOut,
529 &pszFlags, &cbBuf);
530 }
531 else
532 rc = VERR_NO_MEMORY;
533
534 if (rc == VERR_BUFFER_OVERFLOW)
535 {
536 /* Buffer too small, try it with a bigger one next time. */
537 cbBuf += _1K;
538 continue; /* Try next round. */
539 }
540
541 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
542 break;
543 }
544
545 return rc;
546}
547#endif
548
549/**
550 * Thread function waiting for credentials to arrive.
551 *
552 * @return IPRT status code.
553 * @param ThreadSelf Thread struct to this thread.
554 * @param pvUser Pointer to a PAMVBOXTHREAD structure providing
555 * required data used / set by the thread.
556 */
557static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
558{
559 PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
560 AssertPtr(pUserData);
561
562 int rc = VINF_SUCCESS;
563 /* Get current time stamp to later calculate rest of timeout left. */
564 uint64_t u64StartMS = RTTimeMilliTS();
565
566#ifdef VBOX_WITH_GUEST_PROPS
567 uint32_t uClientID = 0;
568 rc = VbglR3GuestPropConnect(&uClientID);
569 if (RT_FAILURE(rc))
570 {
571 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
572 }
573 else
574 {
575 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
576#endif
577 for (;;)
578 {
579#ifdef VBOX_WITH_GUEST_PROPS
580 if (uClientID)
581 {
582 rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
583 "/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
584 500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
585 switch (rc)
586 {
587 case VINF_SUCCESS:
588 /* Somebody (guest/host) wants to abort waiting for credentials. */
589 break;
590
591 case VERR_INTERRUPTED:
592 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
593 break;
594
595 case VERR_TIMEOUT:
596 /* We did not receive an abort message within time. */
597 break;
598
599 case VERR_TOO_MUCH_DATA:
600 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
601 break;
602
603 default:
604 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
605 break;
606 }
607
608 if (RT_SUCCESS(rc)) /* Abort waiting. */
609 {
610 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
611 rc = VERR_CANCELLED;
612 break;
613 }
614 }
615#endif
616 if ( RT_SUCCESS(rc)
617 || rc == VERR_TIMEOUT)
618 {
619 rc = pam_vbox_check_creds(pUserData->hPAM);
620 if (RT_SUCCESS(rc))
621 {
622 /* Credentials retrieved. */
623 break; /* Thread no longer is required, bail out. */
624 }
625 else if (rc == VERR_NOT_FOUND)
626 {
627 /* No credentials found, but try next round (if there's
628 * time left for) ... */
629#ifndef VBOX_WITH_GUEST_PROPS
630 RTThreadSleep(500); /* Wait 500 ms. */
631#endif
632 }
633 else
634 break; /* Something bad happend ... */
635 }
636 else
637 break;
638
639 /* Calculate timeout value left after process has been started. */
640 uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
641 /* Is it time to bail out? */
642 if (pUserData->uTimeoutMS < u64Elapsed)
643 {
644 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
645 pUserData->uTimeoutMS);
646 rc = VERR_TIMEOUT;
647 break;
648 }
649 }
650#ifdef VBOX_WITH_GUEST_PROPS
651 }
652 VbglR3GuestPropDisconnect(uClientID);
653#endif
654
655 /* Save result. */
656 pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
657
658 int rc2 = RTThreadUserSignal(RTThreadSelf());
659 AssertRC(rc2);
660
661 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
662 return rc;
663}
664
665
666/**
667 * Waits for credentials to arrive by creating and waiting for a thread.
668 *
669 * @return IPRT status code.
670 * @param hPAM PAM handle.
671 * @param uClientID Guest property service client ID.
672 * @param pszKey Key (name) of guest property to wait for.
673 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
674 * RT_INDEFINITE_WAIT to wait indefinitly.
675 */
676static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
677{
678 PAMVBOXTHREAD threadData;
679 threadData.hPAM = hPAM;
680 threadData.uTimeoutMS = uTimeoutMS;
681
682 RTTHREAD threadWait;
683 int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
684 (void *)&threadData, 0,
685 RTTHREADTYPE_DEFAULT, 0 /* Flags */, "pam_vbox");
686 if (RT_SUCCESS(rc))
687 {
688 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
689 /* Wait for thread to initialize. */
690 /** @todo We can do something else here in the meantime later. */
691 rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
692 if (RT_SUCCESS(rc))
693 rc = threadData.rc; /* Get back thread result to take further actions. */
694 }
695 else
696 pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
697
698 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
699 return rc;
700}
701
702
703DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
704 int argc, const char **argv)
705{
706 /* Parse arguments. */
707 for (int i = 0; i < argc; i++)
708 {
709 if (!RTStrICmp(argv[i], "debug"))
710 g_verbosity = 1;
711 else
712 pam_vbox_error(hPAM, "pam_vbox_authenticate: unknown command line argument \"%s\"\n", argv[i]);
713 }
714 pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
715
716 int rc = pam_vbox_init(hPAM);
717 if (RT_FAILURE(rc))
718 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
719
720 bool fFallback = true;
721
722#ifdef VBOX_WITH_GUEST_PROPS
723 uint32_t uClientId;
724 rc = VbglR3GuestPropConnect(&uClientId);
725 if (RT_SUCCESS(rc))
726 {
727 char szVal[256];
728 rc = pam_vbox_read_prop(hPAM, uClientId,
729 "/VirtualBox/GuestAdd/PAM/CredsWait",
730 true /* Read-only on guest */,
731 szVal, sizeof(szVal));
732 if (RT_SUCCESS(rc))
733 {
734 /* All calls which are checked against rc2 are not critical, e.g. it does
735 * not matter if they succeed or not. */
736 uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
737 int rc2 = pam_vbox_read_prop(hPAM, uClientId,
738 "/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
739 true /* Read-only on guest */,
740 szVal, sizeof(szVal));
741 if (RT_SUCCESS(rc2))
742 {
743 uTimeoutMS = RTStrToUInt32(szVal);
744 if (!uTimeoutMS)
745 {
746 pam_vbox_error(hPAM, "pam_vbox_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
747 uTimeoutMS = RT_INDEFINITE_WAIT;
748 }
749 else
750 uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
751 }
752
753 rc2 = pam_vbox_read_prop(hPAM, uClientId,
754 "/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
755 true /* Read-only on guest */,
756 szVal, sizeof(szVal));
757 const char *pszWaitMsg = NULL;
758 if (RT_SUCCESS(rc2))
759 pszWaitMsg = szVal;
760
761 rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
762 pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
763 if (RT_FAILURE(rc2)) /* Not critical. */
764 pam_vbox_error(hPAM, "pam_vbox_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
765
766 if (RT_SUCCESS(rc))
767 {
768 /* Before we actuall wait for credentials just make sure we didn't already get credentials
769 * set so that we can skip waiting for them ... */
770 rc = pam_vbox_check_creds(hPAM);
771 if (rc == VERR_NOT_FOUND)
772 {
773 rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
774 if (rc == VERR_TIMEOUT)
775 {
776 pam_vbox_log(hPAM, "pam_vbox_authenticate: no credentials given within time\n");
777
778 rc2 = pam_vbox_read_prop(hPAM, uClientId,
779 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
780 true /* Read-only on guest */,
781 szVal, sizeof(szVal));
782 if (RT_SUCCESS(rc2))
783 {
784 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
785 AssertRC(rc2);
786 }
787 }
788 else if (rc == VERR_CANCELLED)
789 {
790 pam_vbox_log(hPAM, "pam_vbox_authenticate: waiting aborted\n");
791
792 rc2 = pam_vbox_read_prop(hPAM, uClientId,
793 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
794 true /* Read-only on guest */,
795 szVal, sizeof(szVal));
796 if (RT_SUCCESS(rc2))
797 {
798 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
799 AssertRC(rc2);
800 }
801 }
802 }
803
804 /* If we got here we don't need the fallback, so just deactivate it. */
805 fFallback = false;
806 }
807 }
808
809 VbglR3GuestPropDisconnect(uClientId);
810 }
811#endif /* VBOX_WITH_GUEST_PROPS */
812
813 if (fFallback)
814 {
815 pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
816
817 /* If anything went wrong in the code above we just do a credentials
818 * check like it was before: Try retrieving the stuff and authenticating. */
819 int rc2 = pam_vbox_check_creds(hPAM);
820 if (RT_SUCCESS(rc))
821 rc = rc2;
822 }
823
824 pam_vbox_shutdown(hPAM);
825
826 pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
827
828 /* Never report an error here because if no credentials from the host are available or something
829 * went wrong we then let do the authentication by the next module in the stack. */
830
831 /* We report success here because this is all we can do right now -- we passed the credentials
832 * to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
833 * password verification to "really" authenticate the user. */
834 return PAM_SUCCESS;
835}
836
837
838DECLEXPORT(int) pam_sm_setcred(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
839{
840 pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
841 for (int i = 0; i < argc; i++)
842 pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
843 return PAM_SUCCESS;
844}
845
846
847DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
848{
849 pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
850 return PAM_SUCCESS;
851}
852
853
854DECLEXPORT(int) pam_sm_open_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
855{
856 pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
857 RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
858 return PAM_SUCCESS;
859}
860
861
862DECLEXPORT(int) pam_sm_close_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
863{
864 pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
865 return PAM_SUCCESS;
866}
867
868
869DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
870{
871 pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
872 return PAM_SUCCESS;
873}
874
875
876#ifdef DEBUG
877DECLEXPORT(void) RTAssertMsg1Weak(const char *pszExpr, unsigned uLine, const char *pszFile, const char *pszFunction)
878{
879 pam_vbox_log(g_pam_handle,
880 "\n!!Assertion Failed!!\n"
881 "Expression: %s\n"
882 "Location : %s(%d) %s\n",
883 pszExpr, pszFile, uLine, pszFunction);
884 RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
885}
886#endif
887
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette