VirtualBox

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 38548

Last change on this file since 38548 was 38548, checked in by vboxsync, 13 years ago

pam_vbox: Documentation.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 29.2 KB
Line 
1/* $Id: pam_vbox.cpp 38548 2011-08-26 13:25:29Z vboxsync $ */
2/** @file
3 * pam_vbox - PAM module for auto logons.
4 */
5
6/*
7 * Copyright (C) 2008-2011 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18/*******************************************************************************
19* Header Files *
20*******************************************************************************/
21#define PAM_SM_AUTH
22#define PAM_SM_ACCOUNT
23#define PAM_SM_PASSWORD
24#define PAM_SM_SESSION
25
26#ifdef DEBUG
27# define PAM_DEBUG
28#endif
29
30#ifdef RT_OS_SOLARIS
31# include <security/pam_appl.h>
32#endif
33#include <security/pam_modules.h>
34#include <security/pam_appl.h>
35#ifdef RT_OS_LINUX
36# include <security/_pam_macros.h>
37#endif
38
39#include <pwd.h>
40#include <syslog.h>
41#include <stdlib.h>
42
43#include <iprt/assert.h>
44#include <iprt/env.h>
45#include <iprt/initterm.h>
46#include <iprt/mem.h>
47#include <iprt/stream.h>
48#include <iprt/string.h>
49#include <iprt/thread.h>
50#include <iprt/time.h>
51
52#include <VBox/VBoxGuestLib.h>
53
54#include <VBox/log.h>
55#ifdef VBOX_WITH_GUEST_PROPS
56# include <VBox/HostServices/GuestPropertySvc.h>
57 using namespace guestProp;
58#endif
59
60#define VBOX_MODULE_NAME "pam_vbox"
61
62/** For debugging. */
63#ifdef DEBUG
64static pam_handle_t *g_pam_handle;
65static int g_verbosity = 99;
66#else
67static int g_verbosity = 0;
68#endif
69
70/**
71 * User-provided thread data for the credentials waiting thread.
72 */
73typedef struct PAMVBOXTHREAD
74{
75 /** The PAM handle. */
76 pam_handle_t *hPAM;
77 /** The timeout (in ms) to wait for credentials. */
78 uint32_t uTimeoutMS;
79 /** The overall result of the thread operation. */
80 int rc;
81} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
82
83/**
84 * Write to system log.
85 *
86 * @param pszBuf Buffer to write to the log (NULL-terminated)
87 */
88static void pam_vbox_writesyslog(char *pszBuf)
89{
90#ifdef RT_OS_LINUX
91 openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
92 syslog(LOG_ERR, "%s", pszBuf);
93 closelog();
94#elif defined(RT_OS_SOLARIS)
95 syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
96#endif
97}
98
99
100/**
101 * Displays an error message.
102 *
103 * @param pszFormat The message text.
104 * @param ... Format arguments.
105 */
106static void pam_vbox_error(pam_handle_t *hPAM, const char *pszFormat, ...)
107{
108 va_list va;
109 char *buf;
110 va_start(va, pszFormat);
111 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
112 {
113 LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
114 pam_vbox_writesyslog(buf);
115 RTStrFree(buf);
116 }
117 va_end(va);
118}
119
120
121/**
122 * Displays a debug message.
123 *
124 * @param pszFormat The message text.
125 * @param ... Format arguments.
126 */
127static void pam_vbox_log(pam_handle_t *hPAM, const char *pszFormat, ...)
128{
129 if (g_verbosity)
130 {
131 va_list va;
132 char *buf;
133 va_start(va, pszFormat);
134 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
135 {
136 /* Only do normal logging in debug mode; could contain
137 * sensitive data! */
138 LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
139 /* Log to syslog */
140 pam_vbox_writesyslog(buf);
141 RTStrFree(buf);
142 }
143 va_end(va);
144 }
145}
146
147
148/**
149 * Sets a message using PAM's conversation function.
150 *
151 * @return IPRT status code.
152 * @param hPAM PAM handle.
153 * @param iStyle Style of message (0 = Information, 1 = Prompt
154 * echo off, 2 = Prompt echo on, 3 = Error).
155 * @param pszText Message text to set.
156 */
157static int vbox_set_msg(pam_handle_t *hPAM, int iStyle, const char *pszText)
158{
159 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
160 AssertPtrReturn(pszText, VERR_INVALID_POINTER);
161
162 if (!iStyle)
163 iStyle = PAM_TEXT_INFO;
164
165 int rc = VINF_SUCCESS;
166
167 pam_message msg;
168 msg.msg_style = iStyle;
169#ifdef RT_OS_SOLARIS
170 msg.msg = (char*)pszText;
171#else
172 msg.msg = pszText;
173#endif
174
175#ifdef RT_OS_SOLARIS
176 pam_conv *conv = NULL;
177 int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
178#else
179 const pam_conv *conv = NULL;
180 int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
181#endif
182 if ( pamrc == PAM_SUCCESS
183 && conv)
184 {
185 pam_response *resp = NULL;
186#ifdef RT_OS_SOLARIS
187 pam_message *msg_p = &msg;
188#else
189 const pam_message *msg_p = &msg;
190#endif
191 pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
192
193 pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
194 if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
195 {
196 if (resp->resp)
197 {
198 pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
199 pszText, resp->resp);
200 /** @todo Save response! */
201 free(resp->resp);
202 }
203 free(resp);
204 }
205 }
206 else
207 rc = VERR_NOT_FOUND;
208 return rc;
209}
210
211
212/**
213 * Initializes pam_vbox.
214 *
215 * @return IPRT status code.
216 * @param hPAM PAM handle.
217 */
218static int pam_vbox_init(pam_handle_t *hPAM)
219{
220#ifdef DEBUG
221 g_pam_handle = hPAM; /* hack for getting assertion text */
222#endif
223
224 /* Don't make assertions panic because the PAM stack +
225 * the current logon module won't work anymore (or just restart).
226 * This could result in not able to log into the system anymore. */
227 RTAssertSetMayPanic(false);
228
229 int rc = RTR3Init();
230 if (RT_FAILURE(rc))
231 {
232 pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
233 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
234 }
235
236 pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
237 if (RT_SUCCESS(rc))
238 {
239 rc = VbglR3InitUser();
240 if (RT_FAILURE(rc))
241 {
242 switch(rc)
243 {
244 case VERR_ACCESS_DENIED:
245 pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
246 break;
247
248 case VERR_FILE_NOT_FOUND:
249 pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
250 break;
251
252 default:
253 pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
254 break;
255 }
256 }
257 pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
258 }
259
260 if (RT_SUCCESS(rc))
261 {
262 char *rhost = NULL;
263 char *tty = NULL;
264 char *prompt = NULL;
265#ifdef RT_OS_SOLARIS
266 pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
267 pam_get_item(hPAM, PAM_TTY, (void**) &tty);
268 pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
269#else
270 pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
271 pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
272 pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
273#endif
274 pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
275 rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
276 }
277
278 return rc;
279}
280
281
282/**
283 * Shuts down pam_vbox.
284 *
285 * @return IPRT status code.
286 * @param hPAM PAM handle.
287 */
288static void pam_vbox_shutdown(pam_handle_t *hPAM)
289{
290 VbglR3Term();
291}
292
293
294/**
295 * Checks for credentials provided by the host / HGCM.
296 *
297 * @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
298 * VINF_SUCCESS on successful retrieval or another IPRT error.
299 * @param hPAM PAM handle.
300 */
301static int pam_vbox_check_creds(pam_handle_t *hPAM)
302{
303 int rc = VbglR3CredentialsQueryAvailability();
304 if (RT_FAILURE(rc))
305 {
306 if (rc != VERR_NOT_FOUND)
307 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
308#ifdef DEBUG
309 else
310 pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
311#endif
312 }
313 else
314 {
315 char *pszUsername;
316 char *pszPassword;
317 char *pszDomain;
318
319 rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
320 if (RT_FAILURE(rc))
321 {
322 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
323 }
324 else
325 {
326#ifdef DEBUG
327 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
328 pszUsername, pszPassword, pszDomain);
329#else
330 /* Don't log passwords in release mode! */
331 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
332 pszUsername, pszDomain);
333#endif
334 /* Fill credentials into PAM. */
335 int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
336 if (pamrc != PAM_SUCCESS)
337 {
338 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
339 pamrc, pam_strerror(hPAM, pamrc));
340 }
341 else
342 {
343 pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
344 if (pamrc != PAM_SUCCESS)
345 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
346 pamrc, pam_strerror(hPAM, pamrc));
347
348 }
349 /** @todo Add handling domains as well. */
350 VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
351 3 /* Three wipe passes */);
352 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
353 pamrc, pam_strerror(hPAM, pamrc));
354 }
355 }
356
357#ifdef DEBUG
358 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
359#endif
360 return rc;
361}
362
363
364#ifdef VBOX_WITH_GUEST_PROPS
365/**
366 * Reads a guest property.
367 *
368 * @return IPRT status code.
369 * @param hPAM PAM handle.
370 * @param uClientID Guest property service client ID.
371 * @param pszKey Key (name) of guest property to read.
372 * @param fReadOnly Indicates whether this key needs to be
373 * checked if it only can be read (and *not* written)
374 * by the guest.
375 * @param pszValue Buffer where to store the key's value.
376 * @param cbValue Size of buffer (in bytes).
377 */
378static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
379 const char *pszKey, bool fReadOnly,
380 char *pszValue, size_t cbValue)
381{
382 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
383 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
384 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
385 AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
386
387 int rc;
388
389 uint64_t u64Timestamp = 0;
390 char *pszValTemp;
391 char *pszFlags = NULL;
392 /* The buffer for storing the data and its initial size. We leave a bit
393 * of space here in case the maximum values are raised. */
394 void *pvBuf = NULL;
395 uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
396
397 /* Because there is a race condition between our reading the size of a
398 * property and the guest updating it, we loop a few times here and
399 * hope. Actually this should never go wrong, as we are generous
400 * enough with buffer space. */
401 for (unsigned i = 0; i < 10; i++)
402 {
403 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
404 if (pvTmpBuf)
405 {
406 pvBuf = pvTmpBuf;
407 rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
408 &pszValTemp, &u64Timestamp, &pszFlags,
409 &cbBuf);
410 }
411 else
412 rc = VERR_NO_MEMORY;
413
414 switch (rc)
415 {
416 case VERR_BUFFER_OVERFLOW:
417 {
418 /* Buffer too small, try it with a bigger one next time. */
419 cbBuf += _1K;
420 continue; /* Try next round. */
421 }
422
423 default:
424 break;
425 }
426
427 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
428 break;
429 }
430
431 if (RT_SUCCESS(rc))
432 {
433 /* Check security bits. */
434 if (pszFlags)
435 {
436 if ( fReadOnly
437 && !RTStrStr(pszFlags, "RDONLYGUEST"))
438 {
439 /* If we want a property which is read-only on the guest
440 * and it is *not* marked as such, deny access! */
441 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
442 pszKey);
443 rc = VERR_ACCESS_DENIED;
444 }
445 }
446 else /* No flags, no access! */
447 {
448 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
449 pszKey, pszFlags);
450 rc = VERR_ACCESS_DENIED;
451 }
452
453 if (RT_SUCCESS(rc))
454 {
455 /* If everything went well copy property value to our destination buffer. */
456 if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
457 {
458 pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
459 pszKey);
460 rc = VERR_INVALID_PARAMETER;
461 }
462 }
463 }
464
465 pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\" with rc=%Rrc\n",
466 pszKey, pszValue, rc);
467 return rc;
468}
469
470
471/**
472 * Waits for a guest property to be changed.
473 *
474 * @return IPRT status code.
475 * @param hPAM PAM handle.
476 * @param uClientID Guest property service client ID.
477 * @param pszKey Key (name) of guest property to wait for.
478 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
479 * RT_INDEFINITE_WAIT to wait indefinitly.
480 */
481static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
482 const char *pszKey, uint32_t uTimeoutMS)
483{
484 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
485 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
486 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
487
488 int rc;
489
490 /* The buffer for storing the data and its initial size. We leave a bit
491 * of space here in case the maximum values are raised. */
492 void *pvBuf = NULL;
493 uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
494
495 for (int i = 0; i < 10; i++)
496 {
497 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
498 if (pvTmpBuf)
499 {
500 char *pszName = NULL;
501 char *pszValue = NULL;
502 uint64_t u64TimestampOut = 0;
503 char *pszFlags = NULL;
504
505 pvBuf = pvTmpBuf;
506 rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
507 0 /* Last timestamp; just wait for next event */, uTimeoutMS,
508 &pszName, &pszValue, &u64TimestampOut,
509 &pszFlags, &cbBuf);
510 }
511 else
512 rc = VERR_NO_MEMORY;
513
514 if (rc == VERR_BUFFER_OVERFLOW)
515 {
516 /* Buffer too small, try it with a bigger one next time. */
517 cbBuf += _1K;
518 continue; /* Try next round. */
519 }
520
521 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
522 break;
523 }
524
525 return rc;
526}
527#endif
528
529
530/**
531 * Thread function waiting for credentials to arrive.
532 *
533 * @return IPRT status code.
534 * @param ThreadSelf Thread struct to this thread.
535 * @param pvUser Pointer to a PAMVBOXTHREAD structure providing
536 * required data used / set by the thread.
537 */
538static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
539{
540 PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
541 AssertPtr(pUserData);
542
543 int rc = VINF_SUCCESS;
544 /* Get current time stamp to later calculate rest of timeout left. */
545 uint64_t u64StartMS = RTTimeMilliTS();
546
547#ifdef VBOX_WITH_GUEST_PROPS
548 uint32_t uClientID = 0;
549 rc = VbglR3GuestPropConnect(&uClientID);
550 if (RT_FAILURE(rc))
551 {
552 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
553 }
554 else
555 {
556 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
557#endif
558 for (;;)
559 {
560#ifdef VBOX_WITH_GUEST_PROPS
561 if (uClientID)
562 {
563 rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
564 "/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
565 500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
566 switch (rc)
567 {
568 case VINF_SUCCESS:
569 /* Somebody (guest/host) wants to abort waiting for credentials. */
570 break;
571
572 case VERR_INTERRUPTED:
573 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
574 break;
575
576 case VERR_TIMEOUT:
577 /* We did not receive an abort message within time. */
578 break;
579
580 case VERR_TOO_MUCH_DATA:
581 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
582 break;
583
584 default:
585 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
586 break;
587 }
588
589 if (RT_SUCCESS(rc)) /* Abort waiting. */
590 {
591 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
592 rc = VERR_CANCELLED;
593 break;
594 }
595 }
596#endif
597 if ( RT_SUCCESS(rc)
598 || rc == VERR_TIMEOUT)
599 {
600 rc = pam_vbox_check_creds(pUserData->hPAM);
601 if (RT_SUCCESS(rc))
602 {
603 /* Credentials retrieved. */
604 break; /* Thread no longer is required, bail out. */
605 }
606 else if (rc == VERR_NOT_FOUND)
607 {
608 /* No credentials found, but try next round (if there's
609 * time left for) ... */
610#ifndef VBOX_WITH_GUEST_PROPS
611 RTThreadSleep(500); /* Wait 500 ms. */
612#endif
613 }
614 else
615 break; /* Something bad happend ... */
616 }
617 else
618 break;
619
620 /* Calculate timeout value left after process has been started. */
621 uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
622 /* Is it time to bail out? */
623 if (pUserData->uTimeoutMS < u64Elapsed)
624 {
625 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
626 pUserData->uTimeoutMS);
627 rc = VERR_TIMEOUT;
628 break;
629 }
630 }
631#ifdef VBOX_WITH_GUEST_PROPS
632 }
633 VbglR3GuestPropDisconnect(uClientID);
634#endif
635
636 /* Save result. */
637 pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
638
639 int rc2 = RTThreadUserSignal(RTThreadSelf());
640 AssertRC(rc2);
641
642 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
643 return rc;
644}
645
646
647/**
648 * Waits for credentials to arrive by creating and waiting for a thread.
649 *
650 * @return IPRT status code.
651 * @param hPAM PAM handle.
652 * @param uClientID Guest property service client ID.
653 * @param pszKey Key (name) of guest property to wait for.
654 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
655 * RT_INDEFINITE_WAIT to wait indefinitly.
656 */
657static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
658{
659 PAMVBOXTHREAD threadData;
660 threadData.hPAM = hPAM;
661 threadData.uTimeoutMS = uTimeoutMS;
662
663 RTTHREAD threadWait;
664 int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
665 (void *)&threadData, 0,
666 RTTHREADTYPE_DEFAULT, RTTHREADFLAGS_WAITABLE, "pam_vbox");
667 if (RT_SUCCESS(rc))
668 {
669 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
670 /* Wait for thread to initialize. */
671 /** @todo We can do something else here in the meantime later. */
672 rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
673 if (RT_SUCCESS(rc))
674 rc = threadData.rc; /* Get back thread result to take further actions. */
675 }
676 else
677 pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
678
679 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
680 return rc;
681}
682
683
684DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
685 int argc, const char **argv)
686{
687 /* Parse arguments. */
688 int i;
689 for (i = 0; i < argc; i++)
690 {
691 if (!RTStrICmp(argv[i], "debug"))
692 g_verbosity = 1;
693 else
694 pam_vbox_error(hPAM, "pam_sm_authenticate: unknown command line argument \"%s\"\n", argv[i]);
695 }
696 pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
697
698 int rc = pam_vbox_init(hPAM);
699 if (RT_FAILURE(rc))
700 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
701
702 bool fFallback = true;
703
704#ifdef VBOX_WITH_GUEST_PROPS
705 uint32_t uClientId;
706 rc = VbglR3GuestPropConnect(&uClientId);
707 if (RT_SUCCESS(rc))
708 {
709 char szVal[256];
710 rc = pam_vbox_read_prop(hPAM, uClientId,
711 "/VirtualBox/GuestAdd/PAM/CredsWait",
712 true /* Read-only on guest */,
713 szVal, sizeof(szVal));
714 if (RT_SUCCESS(rc))
715 {
716 /* All calls which are checked against rc2 are not critical, e.g. it does
717 * not matter if they succeed or not. */
718 uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
719 int rc2 = pam_vbox_read_prop(hPAM, uClientId,
720 "/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
721 true /* Read-only on guest */,
722 szVal, sizeof(szVal));
723 if (RT_SUCCESS(rc2))
724 {
725 uTimeoutMS = RTStrToUInt32(szVal);
726 if (!uTimeoutMS)
727 {
728 pam_vbox_error(hPAM, "pam_sm_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
729 uTimeoutMS = RT_INDEFINITE_WAIT;
730 }
731 else
732 uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
733 }
734
735 rc2 = pam_vbox_read_prop(hPAM, uClientId,
736 "/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
737 true /* Read-only on guest */,
738 szVal, sizeof(szVal));
739 const char *pszWaitMsg = NULL;
740 if (RT_SUCCESS(rc2))
741 pszWaitMsg = szVal;
742
743 rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
744 pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
745 if (RT_FAILURE(rc2)) /* Not critical. */
746 pam_vbox_error(hPAM, "pam_sm_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
747
748 if (RT_SUCCESS(rc))
749 {
750 /* Before we actuall wait for credentials just make sure we didn't already get credentials
751 * set so that we can skip waiting for them ... */
752 rc = pam_vbox_check_creds(hPAM);
753 if (rc == VERR_NOT_FOUND)
754 {
755 rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
756 if (RT_SUCCESS(rc))
757 {
758 /* Waiting for credentials succeeded, try getting those ... */
759 rc = pam_vbox_check_creds(hPAM);
760 if (RT_FAILURE(rc))
761 pam_vbox_error(hPAM, "pam_sm_authenticate: no credentials given, even when waited for it, rc=%Rrc\n", rc);
762 }
763 else if (rc == VERR_TIMEOUT)
764 {
765 pam_vbox_log(hPAM, "pam_sm_authenticate: no credentials given within time\n");
766
767 rc2 = pam_vbox_read_prop(hPAM, uClientId,
768 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
769 true /* Read-only on guest */,
770 szVal, sizeof(szVal));
771 if (RT_SUCCESS(rc2))
772 {
773 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
774 AssertRC(rc2);
775 }
776 }
777 else if (rc == VERR_CANCELLED)
778 {
779 pam_vbox_log(hPAM, "pam_sm_authenticate: waiting aborted\n");
780
781 rc2 = pam_vbox_read_prop(hPAM, uClientId,
782 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
783 true /* Read-only on guest */,
784 szVal, sizeof(szVal));
785 if (RT_SUCCESS(rc2))
786 {
787 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
788 AssertRC(rc2);
789 }
790 }
791 }
792
793 /* If we got here we don't need the fallback, so just deactivate it. */
794 fFallback = false;
795 }
796 }
797
798 VbglR3GuestPropDisconnect(uClientId);
799 }
800#endif /* VBOX_WITH_GUEST_PROPS */
801
802 if (fFallback)
803 {
804 pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
805
806 /* If anything went wrong in the code above we just do a credentials
807 * check like it was before: Try retrieving the stuff and authenticating. */
808 int rc2 = pam_vbox_check_creds(hPAM);
809 if (RT_SUCCESS(rc))
810 rc = rc2;
811 }
812
813 pam_vbox_shutdown(hPAM);
814
815 pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
816
817 /* Never report an error here because if no credentials from the host are available or something
818 * went wrong we then let do the authentication by the next module in the stack. */
819
820 /* We report success here because this is all we can do right now -- we passed the credentials
821 * to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
822 * password verification to "really" authenticate the user. */
823 return PAM_SUCCESS;
824}
825
826
827DECLEXPORT(int) pam_sm_setcred(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
828{
829 pam_vbox_log(hPAM, "pam_vbox_setcred called\n");
830 return PAM_SUCCESS;
831}
832
833
834DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
835{
836 pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
837 return PAM_SUCCESS;
838}
839
840
841DECLEXPORT(int) pam_sm_open_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
842{
843 pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
844 RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
845 return PAM_SUCCESS;
846}
847
848
849DECLEXPORT(int) pam_sm_close_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
850{
851 pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
852 return PAM_SUCCESS;
853}
854
855DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
856{
857 pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
858 return PAM_SUCCESS;
859}
860
861#ifdef DEBUG
862DECLEXPORT(void) RTAssertMsg1Weak(const char *pszExpr, unsigned uLine, const char *pszFile, const char *pszFunction)
863{
864 pam_vbox_log(g_pam_handle,
865 "\n!!Assertion Failed!!\n"
866 "Expression: %s\n"
867 "Location : %s(%d) %s\n",
868 pszExpr, pszFile, uLine, pszFunction);
869 RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
870}
871#endif
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette