pam_vbox.cpp@ 39740

Last change on this file since 39740 was 39740, checked in by vboxsync, 13 years ago
pam_vbox: More cdecl stuff.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 29.5 KB

Line
1	/* $Id: pam_vbox.cpp 39740 2012-01-10 15:46:17Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2011 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18	/*******************************************************************************
19	* Header Files *
20	*******************************************************************************/
21	#define PAM_SM_AUTH
22	#define PAM_SM_ACCOUNT
23	#define PAM_SM_PASSWORD
24	#define PAM_SM_SESSION
25
26	#ifdef DEBUG
27	# define PAM_DEBUG
28	#endif
29
30	#include <security/pam_appl.h>
31	#ifdef RT_OS_LINUX
32	# include <security/_pam_macros.h>
33	#endif
34
35	#include <pwd.h>
36	#include <syslog.h>
37	#include <stdlib.h>
38
39	#include <iprt/assert.h>
40	#include <iprt/buildconfig.h>
41	#include <iprt/env.h>
42	#include <iprt/initterm.h>
43	#include <iprt/mem.h>
44	#include <iprt/stream.h>
45	#include <iprt/string.h>
46	#include <iprt/thread.h>
47	#include <iprt/time.h>
48
49	#include <VBox/VBoxGuestLib.h>
50
51	#include <VBox/log.h>
52	#ifdef VBOX_WITH_GUEST_PROPS
53	# include <VBox/HostServices/GuestPropertySvc.h>
54	using namespace guestProp;
55	#endif
56
57	#define VBOX_MODULE_NAME "pam_vbox"
58
59	/** For debugging. */
60	#ifdef DEBUG
61	static pam_handle_t *g_pam_handle;
62	static int g_verbosity = 99;
63	#else
64	static int g_verbosity = 0;
65	#endif
66
67	/**
68	* User-provided thread data for the credentials waiting thread.
69	*/
70	typedef struct PAMVBOXTHREAD
71	{
72	/** The PAM handle. */
73	pam_handle_t *hPAM;
74	/** The timeout (in ms) to wait for credentials. */
75	uint32_t uTimeoutMS;
76	/** The overall result of the thread operation. */
77	int rc;
78	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
79
80	/**
81	* Write to system log.
82	*
83	* @param pszBuf Buffer to write to the log (NULL-terminated)
84	*/
85	static void pam_vbox_writesyslog(char *pszBuf)
86	{
87	#ifdef RT_OS_LINUX
88	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
89	syslog(LOG_ERR, "%s", pszBuf);
90	closelog();
91	#elif defined(RT_OS_SOLARIS)
92	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
93	#endif
94	}
95
96
97	/**
98	* Displays an error message.
99	*
100	* @param pszFormat The message text.
101	* @param ... Format arguments.
102	*/
103	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
104	{
105	va_list va;
106	char *buf;
107	va_start(va, pszFormat);
108	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
109	{
110	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
111	pam_vbox_writesyslog(buf);
112	RTStrFree(buf);
113	}
114	va_end(va);
115	}
116
117
118	/**
119	* Displays a debug message.
120	*
121	* @param pszFormat The message text.
122	* @param ... Format arguments.
123	*/
124	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
125	{
126	if (g_verbosity)
127	{
128	va_list va;
129	char *buf;
130	va_start(va, pszFormat);
131	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
132	{
133	/* Only do normal logging in debug mode; could contain
134	* sensitive data! */
135	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
136	/* Log to syslog */
137	pam_vbox_writesyslog(buf);
138	RTStrFree(buf);
139	}
140	va_end(va);
141	}
142	}
143
144
145	/**
146	* Sets a message using PAM's conversation function.
147	*
148	* @return IPRT status code.
149	* @param hPAM PAM handle.
150	* @param iStyle Style of message (0 = Information, 1 = Prompt
151	* echo off, 2 = Prompt echo on, 3 = Error).
152	* @param pszText Message text to set.
153	*/
154	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
155	{
156	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
157	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
158
159	if (!iStyle)
160	iStyle = PAM_TEXT_INFO;
161
162	int rc = VINF_SUCCESS;
163
164	pam_message msg;
165	msg.msg_style = iStyle;
166	#ifdef RT_OS_SOLARIS
167	msg.msg = (char*)pszText;
168	#else
169	msg.msg = pszText;
170	#endif
171
172	#ifdef RT_OS_SOLARIS
173	pam_conv *conv = NULL;
174	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
175	#else
176	const pam_conv *conv = NULL;
177	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
178	#endif
179	if ( pamrc == PAM_SUCCESS
180	&& conv)
181	{
182	pam_response *resp = NULL;
183	#ifdef RT_OS_SOLARIS
184	pam_message *msg_p = &msg;
185	#else
186	const pam_message *msg_p = &msg;
187	#endif
188	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
189
190	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
191	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
192	{
193	if (resp->resp)
194	{
195	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
196	pszText, resp->resp);
197	/** @todo Save response! */
198	free(resp->resp);
199	}
200	free(resp);
201	}
202	}
203	else
204	rc = VERR_NOT_FOUND;
205	return rc;
206	}
207
208
209	/**
210	* Initializes pam_vbox.
211	*
212	* @return IPRT status code.
213	* @param hPAM PAM handle.
214	*/
215	static int pam_vbox_init(pam_handle_t *hPAM)
216	{
217	#ifdef DEBUG
218	g_pam_handle = hPAM; /* hack for getting assertion text */
219	#endif
220
221	/* Don't make assertions panic because the PAM stack +
222	* the current logon module won't work anymore (or just restart).
223	* This could result in not able to log into the system anymore. */
224	RTAssertSetMayPanic(false);
225
226	pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
227	RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
228
229	int rc = RTR3InitDll(0);
230	if (RT_FAILURE(rc))
231	{
232	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
233	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
234	}
235
236	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
237	if (RT_SUCCESS(rc))
238	{
239	rc = VbglR3InitUser();
240	if (RT_FAILURE(rc))
241	{
242	switch(rc)
243	{
244	case VERR_ACCESS_DENIED:
245	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
246	break;
247
248	case VERR_FILE_NOT_FOUND:
249	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
250	break;
251
252	default:
253	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
254	break;
255	}
256	}
257	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
258	}
259
260	if (RT_SUCCESS(rc))
261	{
262	char *rhost = NULL;
263	char *tty = NULL;
264	char *prompt = NULL;
265	#ifdef RT_OS_SOLARIS
266	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
267	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
268	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
269	#else
270	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
271	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
272	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
273	#endif
274	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
275	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
276	}
277
278	return rc;
279	}
280
281
282	/**
283	* Shuts down pam_vbox.
284	*
285	* @return IPRT status code.
286	* @param hPAM PAM handle.
287	*/
288	static void pam_vbox_shutdown(pam_handle_t *hPAM)
289	{
290	VbglR3Term();
291	}
292
293
294	/**
295	* Checks for credentials provided by the host / HGCM.
296	*
297	* @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
298	* VINF_SUCCESS on successful retrieval or another IPRT error.
299	* @param hPAM PAM handle.
300	*/
301	static int pam_vbox_check_creds(pam_handle_t *hPAM)
302	{
303	int rc = VbglR3CredentialsQueryAvailability();
304	if (RT_FAILURE(rc))
305	{
306	if (rc != VERR_NOT_FOUND)
307	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
308	#ifdef DEBUG
309	else
310	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
311	#endif
312	}
313	else
314	{
315	char *pszUsername;
316	char *pszPassword;
317	char *pszDomain;
318
319	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
320	if (RT_FAILURE(rc))
321	{
322	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
323	}
324	else
325	{
326	#ifdef DEBUG
327	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
328	pszUsername, pszPassword, pszDomain);
329	#else
330	/* Don't log passwords in release mode! */
331	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
332	pszUsername, pszDomain);
333	#endif
334	/* Fill credentials into PAM. */
335	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
336	if (pamrc != PAM_SUCCESS)
337	{
338	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
339	pamrc, pam_strerror(hPAM, pamrc));
340	}
341	else
342	{
343	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
344	if (pamrc != PAM_SUCCESS)
345	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
346	pamrc, pam_strerror(hPAM, pamrc));
347
348	}
349	/** @todo Add handling domains as well. */
350	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
351	3 /* Three wipe passes */);
352	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
353	pamrc, pam_strerror(hPAM, pamrc));
354	}
355	}
356
357	#ifdef DEBUG
358	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
359	#endif
360	return rc;
361	}
362
363
364	#ifdef VBOX_WITH_GUEST_PROPS
365	/**
366	* Reads a guest property.
367	*
368	* @return IPRT status code.
369	* @param hPAM PAM handle.
370	* @param uClientID Guest property service client ID.
371	* @param pszKey Key (name) of guest property to read.
372	* @param fReadOnly Indicates whether this key needs to be
373	* checked if it only can be read (and not written)
374	* by the guest.
375	* @param pszValue Buffer where to store the key's value.
376	* @param cbValue Size of buffer (in bytes).
377	*/
378	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
379	const char *pszKey, bool fReadOnly,
380	char *pszValue, size_t cbValue)
381	{
382	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
383	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
384	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
385	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
386
387	int rc;
388
389	uint64_t u64Timestamp = 0;
390	char *pszValTemp;
391	char *pszFlags = NULL;
392	/* The buffer for storing the data and its initial size. We leave a bit
393	* of space here in case the maximum values are raised. */
394	void *pvBuf = NULL;
395	uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
396
397	/* Because there is a race condition between our reading the size of a
398	* property and the guest updating it, we loop a few times here and
399	* hope. Actually this should never go wrong, as we are generous
400	* enough with buffer space. */
401	for (unsigned i = 0; i < 10; i++)
402	{
403	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
404	if (pvTmpBuf)
405	{
406	pvBuf = pvTmpBuf;
407	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
408	&pszValTemp, &u64Timestamp, &pszFlags,
409	&cbBuf);
410	}
411	else
412	rc = VERR_NO_MEMORY;
413
414	switch (rc)
415	{
416	case VERR_BUFFER_OVERFLOW:
417	{
418	/* Buffer too small, try it with a bigger one next time. */
419	cbBuf += _1K;
420	continue; /* Try next round. */
421	}
422
423	default:
424	break;
425	}
426
427	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
428	break;
429	}
430
431	if (RT_SUCCESS(rc))
432	{
433	/* Check security bits. */
434	if (pszFlags)
435	{
436	if ( fReadOnly
437	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
438	{
439	/* If we want a property which is read-only on the guest
440	* and it is not marked as such, deny access! */
441	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
442	pszKey);
443	rc = VERR_ACCESS_DENIED;
444	}
445	}
446	else /* No flags, no access! */
447	{
448	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
449	pszKey, pszFlags);
450	rc = VERR_ACCESS_DENIED;
451	}
452
453	if (RT_SUCCESS(rc))
454	{
455	/* If everything went well copy property value to our destination buffer. */
456	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
457	{
458	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
459	pszKey);
460	rc = VERR_INVALID_PARAMETER;
461	}
462
463	if (RT_SUCCESS(rc))
464	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
465	pszKey, pszValue);
466	}
467	}
468
469	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
470	pszKey, rc);
471	return rc;
472	}
473
474
475	/**
476	* Waits for a guest property to be changed.
477	*
478	* @return IPRT status code.
479	* @param hPAM PAM handle.
480	* @param uClientID Guest property service client ID.
481	* @param pszKey Key (name) of guest property to wait for.
482	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
483	* RT_INDEFINITE_WAIT to wait indefinitly.
484	*/
485	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
486	const char *pszKey, uint32_t uTimeoutMS)
487	{
488	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
489	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
490	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
491
492	int rc;
493
494	/* The buffer for storing the data and its initial size. We leave a bit
495	* of space here in case the maximum values are raised. */
496	void *pvBuf = NULL;
497	uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
498
499	for (int i = 0; i < 10; i++)
500	{
501	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
502	if (pvTmpBuf)
503	{
504	char *pszName = NULL;
505	char *pszValue = NULL;
506	uint64_t u64TimestampOut = 0;
507	char *pszFlags = NULL;
508
509	pvBuf = pvTmpBuf;
510	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
511	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
512	&pszName, &pszValue, &u64TimestampOut,
513	&pszFlags, &cbBuf);
514	}
515	else
516	rc = VERR_NO_MEMORY;
517
518	if (rc == VERR_BUFFER_OVERFLOW)
519	{
520	/* Buffer too small, try it with a bigger one next time. */
521	cbBuf += _1K;
522	continue; /* Try next round. */
523	}
524
525	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
526	break;
527	}
528
529	return rc;
530	}
531	#endif
532
533	/**
534	* Thread function waiting for credentials to arrive.
535	*
536	* @return IPRT status code.
537	* @param ThreadSelf Thread struct to this thread.
538	* @param pvUser Pointer to a PAMVBOXTHREAD structure providing
539	* required data used / set by the thread.
540	*/
541	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
542	{
543	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
544	AssertPtr(pUserData);
545
546	int rc = VINF_SUCCESS;
547	/* Get current time stamp to later calculate rest of timeout left. */
548	uint64_t u64StartMS = RTTimeMilliTS();
549
550	#ifdef VBOX_WITH_GUEST_PROPS
551	uint32_t uClientID = 0;
552	rc = VbglR3GuestPropConnect(&uClientID);
553	if (RT_FAILURE(rc))
554	{
555	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
556	}
557	else
558	{
559	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
560	#endif
561	for (;;)
562	{
563	#ifdef VBOX_WITH_GUEST_PROPS
564	if (uClientID)
565	{
566	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
567	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
568	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
569	switch (rc)
570	{
571	case VINF_SUCCESS:
572	/* Somebody (guest/host) wants to abort waiting for credentials. */
573	break;
574
575	case VERR_INTERRUPTED:
576	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
577	break;
578
579	case VERR_TIMEOUT:
580	/* We did not receive an abort message within time. */
581	break;
582
583	case VERR_TOO_MUCH_DATA:
584	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
585	break;
586
587	default:
588	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
589	break;
590	}
591
592	if (RT_SUCCESS(rc)) /* Abort waiting. */
593	{
594	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
595	rc = VERR_CANCELLED;
596	break;
597	}
598	}
599	#endif
600	if ( RT_SUCCESS(rc)
601	\|\| rc == VERR_TIMEOUT)
602	{
603	rc = pam_vbox_check_creds(pUserData->hPAM);
604	if (RT_SUCCESS(rc))
605	{
606	/* Credentials retrieved. */
607	break; /* Thread no longer is required, bail out. */
608	}
609	else if (rc == VERR_NOT_FOUND)
610	{
611	/* No credentials found, but try next round (if there's
612	* time left for) ... */
613	#ifndef VBOX_WITH_GUEST_PROPS
614	RTThreadSleep(500); /* Wait 500 ms. */
615	#endif
616	}
617	else
618	break; /* Something bad happend ... */
619	}
620	else
621	break;
622
623	/* Calculate timeout value left after process has been started. */
624	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
625	/* Is it time to bail out? */
626	if (pUserData->uTimeoutMS < u64Elapsed)
627	{
628	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
629	pUserData->uTimeoutMS);
630	rc = VERR_TIMEOUT;
631	break;
632	}
633	}
634	#ifdef VBOX_WITH_GUEST_PROPS
635	}
636	VbglR3GuestPropDisconnect(uClientID);
637	#endif
638
639	/* Save result. */
640	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
641
642	int rc2 = RTThreadUserSignal(RTThreadSelf());
643	AssertRC(rc2);
644
645	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
646	return rc;
647	}
648
649
650	/**
651	* Waits for credentials to arrive by creating and waiting for a thread.
652	*
653	* @return IPRT status code.
654	* @param hPAM PAM handle.
655	* @param uClientID Guest property service client ID.
656	* @param pszKey Key (name) of guest property to wait for.
657	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
658	* RT_INDEFINITE_WAIT to wait indefinitly.
659	*/
660	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
661	{
662	PAMVBOXTHREAD threadData;
663	threadData.hPAM = hPAM;
664	threadData.uTimeoutMS = uTimeoutMS;
665
666	RTTHREAD threadWait;
667	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
668	(void *)&threadData, 0,
669	RTTHREADTYPE_DEFAULT, RTTHREADFLAGS_WAITABLE, "pam_vbox");
670	if (RT_SUCCESS(rc))
671	{
672	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
673	/* Wait for thread to initialize. */
674	/** @todo We can do something else here in the meantime later. */
675	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
676	if (RT_SUCCESS(rc))
677	rc = threadData.rc; /* Get back thread result to take further actions. */
678	}
679	else
680	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
681
682	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
683	return rc;
684	}
685
686
687	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
688	int argc, const char **argv)
689	{
690	/* Parse arguments. */
691	for (int i = 0; i < argc; i++)
692	{
693	if (!RTStrICmp(argv[i], "debug"))
694	g_verbosity = 1;
695	else
696	pam_vbox_error(hPAM, "pam_sm_authenticate: unknown command line argument \"%s\"\n", argv[i]);
697	}
698	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
699
700	int rc = pam_vbox_init(hPAM);
701	if (RT_FAILURE(rc))
702	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
703
704	bool fFallback = true;
705
706	#ifdef VBOX_WITH_GUEST_PROPS
707	uint32_t uClientId;
708	rc = VbglR3GuestPropConnect(&uClientId);
709	if (RT_SUCCESS(rc))
710	{
711	char szVal[256];
712	rc = pam_vbox_read_prop(hPAM, uClientId,
713	"/VirtualBox/GuestAdd/PAM/CredsWait",
714	true /* Read-only on guest */,
715	szVal, sizeof(szVal));
716	if (RT_SUCCESS(rc))
717	{
718	/* All calls which are checked against rc2 are not critical, e.g. it does
719	* not matter if they succeed or not. */
720	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
721	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
722	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
723	true /* Read-only on guest */,
724	szVal, sizeof(szVal));
725	if (RT_SUCCESS(rc2))
726	{
727	uTimeoutMS = RTStrToUInt32(szVal);
728	if (!uTimeoutMS)
729	{
730	pam_vbox_error(hPAM, "pam_sm_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
731	uTimeoutMS = RT_INDEFINITE_WAIT;
732	}
733	else
734	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
735	}
736
737	rc2 = pam_vbox_read_prop(hPAM, uClientId,
738	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
739	true /* Read-only on guest */,
740	szVal, sizeof(szVal));
741	const char *pszWaitMsg = NULL;
742	if (RT_SUCCESS(rc2))
743	pszWaitMsg = szVal;
744
745	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
746	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
747	if (RT_FAILURE(rc2)) /* Not critical. */
748	pam_vbox_error(hPAM, "pam_sm_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
749
750	if (RT_SUCCESS(rc))
751	{
752	/* Before we actuall wait for credentials just make sure we didn't already get credentials
753	* set so that we can skip waiting for them ... */
754	rc = pam_vbox_check_creds(hPAM);
755	if (rc == VERR_NOT_FOUND)
756	{
757	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
758	if (RT_SUCCESS(rc))
759	{
760	/* Waiting for credentials succeeded, try getting those ... */
761	rc = pam_vbox_check_creds(hPAM);
762	if (RT_FAILURE(rc))
763	pam_vbox_error(hPAM, "pam_sm_authenticate: no credentials given, even when waited for it, rc=%Rrc\n", rc);
764	}
765	else if (rc == VERR_TIMEOUT)
766	{
767	pam_vbox_log(hPAM, "pam_sm_authenticate: no credentials given within time\n");
768
769	rc2 = pam_vbox_read_prop(hPAM, uClientId,
770	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
771	true /* Read-only on guest */,
772	szVal, sizeof(szVal));
773	if (RT_SUCCESS(rc2))
774	{
775	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
776	AssertRC(rc2);
777	}
778	}
779	else if (rc == VERR_CANCELLED)
780	{
781	pam_vbox_log(hPAM, "pam_sm_authenticate: waiting aborted\n");
782
783	rc2 = pam_vbox_read_prop(hPAM, uClientId,
784	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
785	true /* Read-only on guest */,
786	szVal, sizeof(szVal));
787	if (RT_SUCCESS(rc2))
788	{
789	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
790	AssertRC(rc2);
791	}
792	}
793	}
794
795	/* If we got here we don't need the fallback, so just deactivate it. */
796	fFallback = false;
797	}
798	}
799
800	VbglR3GuestPropDisconnect(uClientId);
801	}
802	#endif /* VBOX_WITH_GUEST_PROPS */
803
804	if (fFallback)
805	{
806	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
807
808	/* If anything went wrong in the code above we just do a credentials
809	* check like it was before: Try retrieving the stuff and authenticating. */
810	int rc2 = pam_vbox_check_creds(hPAM);
811	if (RT_SUCCESS(rc))
812	rc = rc2;
813	}
814
815	pam_vbox_shutdown(hPAM);
816
817	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
818
819	/* Never report an error here because if no credentials from the host are available or something
820	* went wrong we then let do the authentication by the next module in the stack. */
821
822	/* We report success here because this is all we can do right now -- we passed the credentials
823	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
824	* password verification to "really" authenticate the user. */
825	return PAM_SUCCESS;
826	}
827
828	RTDECL(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
829	{
830	pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
831	for (int i = 0; i < argc; i++)
832	pam_vbox_log(hPAM, "pam_vbox_setcred: argv[0] = %s\n", argv[i]);
833	return PAM_SUCCESS;
834	}
835
836	RTDECL(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
837	{
838	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
839	return PAM_SUCCESS;
840	}
841
842
843	RTDECL(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
844	{
845	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
846	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
847	return PAM_SUCCESS;
848	}
849
850
851	RTDECL(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
852	{
853	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
854	return PAM_SUCCESS;
855	}
856
857	RTDECL(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
858	{
859	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
860	return PAM_SUCCESS;
861	}
862
863	#ifdef DEBUG
864	RTDECL(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
865	{
866	pam_vbox_log(g_pam_handle,
867	"\n!!Assertion Failed!!\n"
868	"Expression: %s\n"
869	"Location : %s(%d) %s\n",
870	pszExpr, pszFile, uLine, pszFunction);
871	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
872	}
873	#endif

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 39740

Download in other formats: