pam_vbox.cpp@ 39741

Last change on this file since 39741 was 39741, checked in by vboxsync, 13 years ago
pam_vbox: More cdecl stuff.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 30.1 KB

Line
1	/* $Id: pam_vbox.cpp 39741 2012-01-10 16:00:49Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2011 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18	/*******************************************************************************
19	* Header Files *
20	*******************************************************************************/
21	#define PAM_SM_AUTH
22	#define PAM_SM_ACCOUNT
23	#define PAM_SM_PASSWORD
24	#define PAM_SM_SESSION
25
26	#ifdef DEBUG
27	# define PAM_DEBUG
28	#endif
29
30	#include <security/pam_appl.h>
31	#ifdef RT_OS_LINUX
32	# include <security/_pam_macros.h>
33	#endif
34
35	#include <pwd.h>
36	#include <syslog.h>
37	#include <stdlib.h>
38
39	#include <iprt/assert.h>
40	#include <iprt/buildconfig.h>
41	#include <iprt/env.h>
42	#include <iprt/initterm.h>
43	#include <iprt/mem.h>
44	#include <iprt/stream.h>
45	#include <iprt/string.h>
46	#include <iprt/thread.h>
47	#include <iprt/time.h>
48
49	#include <VBox/VBoxGuestLib.h>
50
51	#include <VBox/log.h>
52	#ifdef VBOX_WITH_GUEST_PROPS
53	# include <VBox/HostServices/GuestPropertySvc.h>
54	using namespace guestProp;
55	#endif
56
57	#define VBOX_MODULE_NAME "pam_vbox"
58
59	RT_C_DECLS_BEGIN
60	RTDECL(int) pam_sm_authenticate(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
61	RTDECL(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
62	RTDECL(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
63	RTDECL(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
64	RTDECL(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
65	RTDECL(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
66	RT_C_DECLS_END
67
68	/** For debugging. */
69	#ifdef DEBUG
70	static pam_handle_t *g_pam_handle;
71	static int g_verbosity = 99;
72	#else
73	static int g_verbosity = 0;
74	#endif
75
76	/**
77	* User-provided thread data for the credentials waiting thread.
78	*/
79	typedef struct PAMVBOXTHREAD
80	{
81	/** The PAM handle. */
82	pam_handle_t *hPAM;
83	/** The timeout (in ms) to wait for credentials. */
84	uint32_t uTimeoutMS;
85	/** The overall result of the thread operation. */
86	int rc;
87	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
88
89	/**
90	* Write to system log.
91	*
92	* @param pszBuf Buffer to write to the log (NULL-terminated)
93	*/
94	static void pam_vbox_writesyslog(char *pszBuf)
95	{
96	#ifdef RT_OS_LINUX
97	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
98	syslog(LOG_ERR, "%s", pszBuf);
99	closelog();
100	#elif defined(RT_OS_SOLARIS)
101	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
102	#endif
103	}
104
105
106	/**
107	* Displays an error message.
108	*
109	* @param pszFormat The message text.
110	* @param ... Format arguments.
111	*/
112	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
113	{
114	va_list va;
115	char *buf;
116	va_start(va, pszFormat);
117	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
118	{
119	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
120	pam_vbox_writesyslog(buf);
121	RTStrFree(buf);
122	}
123	va_end(va);
124	}
125
126
127	/**
128	* Displays a debug message.
129	*
130	* @param pszFormat The message text.
131	* @param ... Format arguments.
132	*/
133	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
134	{
135	if (g_verbosity)
136	{
137	va_list va;
138	char *buf;
139	va_start(va, pszFormat);
140	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
141	{
142	/* Only do normal logging in debug mode; could contain
143	* sensitive data! */
144	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
145	/* Log to syslog */
146	pam_vbox_writesyslog(buf);
147	RTStrFree(buf);
148	}
149	va_end(va);
150	}
151	}
152
153
154	/**
155	* Sets a message using PAM's conversation function.
156	*
157	* @return IPRT status code.
158	* @param hPAM PAM handle.
159	* @param iStyle Style of message (0 = Information, 1 = Prompt
160	* echo off, 2 = Prompt echo on, 3 = Error).
161	* @param pszText Message text to set.
162	*/
163	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
164	{
165	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
166	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
167
168	if (!iStyle)
169	iStyle = PAM_TEXT_INFO;
170
171	int rc = VINF_SUCCESS;
172
173	pam_message msg;
174	msg.msg_style = iStyle;
175	#ifdef RT_OS_SOLARIS
176	msg.msg = (char*)pszText;
177	#else
178	msg.msg = pszText;
179	#endif
180
181	#ifdef RT_OS_SOLARIS
182	pam_conv *conv = NULL;
183	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
184	#else
185	const pam_conv *conv = NULL;
186	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
187	#endif
188	if ( pamrc == PAM_SUCCESS
189	&& conv)
190	{
191	pam_response *resp = NULL;
192	#ifdef RT_OS_SOLARIS
193	pam_message *msg_p = &msg;
194	#else
195	const pam_message *msg_p = &msg;
196	#endif
197	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
198
199	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
200	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
201	{
202	if (resp->resp)
203	{
204	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
205	pszText, resp->resp);
206	/** @todo Save response! */
207	free(resp->resp);
208	}
209	free(resp);
210	}
211	}
212	else
213	rc = VERR_NOT_FOUND;
214	return rc;
215	}
216
217
218	/**
219	* Initializes pam_vbox.
220	*
221	* @return IPRT status code.
222	* @param hPAM PAM handle.
223	*/
224	static int pam_vbox_init(pam_handle_t *hPAM)
225	{
226	#ifdef DEBUG
227	g_pam_handle = hPAM; /* hack for getting assertion text */
228	#endif
229
230	/* Don't make assertions panic because the PAM stack +
231	* the current logon module won't work anymore (or just restart).
232	* This could result in not able to log into the system anymore. */
233	RTAssertSetMayPanic(false);
234
235	pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
236	RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
237
238	int rc = RTR3InitDll(0);
239	if (RT_FAILURE(rc))
240	{
241	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
242	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
243	}
244
245	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
246	if (RT_SUCCESS(rc))
247	{
248	rc = VbglR3InitUser();
249	if (RT_FAILURE(rc))
250	{
251	switch(rc)
252	{
253	case VERR_ACCESS_DENIED:
254	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
255	break;
256
257	case VERR_FILE_NOT_FOUND:
258	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
259	break;
260
261	default:
262	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
263	break;
264	}
265	}
266	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
267	}
268
269	if (RT_SUCCESS(rc))
270	{
271	char *rhost = NULL;
272	char *tty = NULL;
273	char *prompt = NULL;
274	#ifdef RT_OS_SOLARIS
275	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
276	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
277	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
278	#else
279	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
280	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
281	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
282	#endif
283	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
284	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
285	}
286
287	return rc;
288	}
289
290
291	/**
292	* Shuts down pam_vbox.
293	*
294	* @return IPRT status code.
295	* @param hPAM PAM handle.
296	*/
297	static void pam_vbox_shutdown(pam_handle_t *hPAM)
298	{
299	VbglR3Term();
300	}
301
302
303	/**
304	* Checks for credentials provided by the host / HGCM.
305	*
306	* @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
307	* VINF_SUCCESS on successful retrieval or another IPRT error.
308	* @param hPAM PAM handle.
309	*/
310	static int pam_vbox_check_creds(pam_handle_t *hPAM)
311	{
312	int rc = VbglR3CredentialsQueryAvailability();
313	if (RT_FAILURE(rc))
314	{
315	if (rc != VERR_NOT_FOUND)
316	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
317	#ifdef DEBUG
318	else
319	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
320	#endif
321	}
322	else
323	{
324	char *pszUsername;
325	char *pszPassword;
326	char *pszDomain;
327
328	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
329	if (RT_FAILURE(rc))
330	{
331	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
332	}
333	else
334	{
335	#ifdef DEBUG
336	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
337	pszUsername, pszPassword, pszDomain);
338	#else
339	/* Don't log passwords in release mode! */
340	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
341	pszUsername, pszDomain);
342	#endif
343	/* Fill credentials into PAM. */
344	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
345	if (pamrc != PAM_SUCCESS)
346	{
347	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
348	pamrc, pam_strerror(hPAM, pamrc));
349	}
350	else
351	{
352	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
353	if (pamrc != PAM_SUCCESS)
354	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
355	pamrc, pam_strerror(hPAM, pamrc));
356
357	}
358	/** @todo Add handling domains as well. */
359	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
360	3 /* Three wipe passes */);
361	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
362	pamrc, pam_strerror(hPAM, pamrc));
363	}
364	}
365
366	#ifdef DEBUG
367	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
368	#endif
369	return rc;
370	}
371
372
373	#ifdef VBOX_WITH_GUEST_PROPS
374	/**
375	* Reads a guest property.
376	*
377	* @return IPRT status code.
378	* @param hPAM PAM handle.
379	* @param uClientID Guest property service client ID.
380	* @param pszKey Key (name) of guest property to read.
381	* @param fReadOnly Indicates whether this key needs to be
382	* checked if it only can be read (and not written)
383	* by the guest.
384	* @param pszValue Buffer where to store the key's value.
385	* @param cbValue Size of buffer (in bytes).
386	*/
387	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
388	const char *pszKey, bool fReadOnly,
389	char *pszValue, size_t cbValue)
390	{
391	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
392	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
393	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
394	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
395
396	int rc;
397
398	uint64_t u64Timestamp = 0;
399	char *pszValTemp;
400	char *pszFlags = NULL;
401	/* The buffer for storing the data and its initial size. We leave a bit
402	* of space here in case the maximum values are raised. */
403	void *pvBuf = NULL;
404	uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
405
406	/* Because there is a race condition between our reading the size of a
407	* property and the guest updating it, we loop a few times here and
408	* hope. Actually this should never go wrong, as we are generous
409	* enough with buffer space. */
410	for (unsigned i = 0; i < 10; i++)
411	{
412	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
413	if (pvTmpBuf)
414	{
415	pvBuf = pvTmpBuf;
416	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
417	&pszValTemp, &u64Timestamp, &pszFlags,
418	&cbBuf);
419	}
420	else
421	rc = VERR_NO_MEMORY;
422
423	switch (rc)
424	{
425	case VERR_BUFFER_OVERFLOW:
426	{
427	/* Buffer too small, try it with a bigger one next time. */
428	cbBuf += _1K;
429	continue; /* Try next round. */
430	}
431
432	default:
433	break;
434	}
435
436	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
437	break;
438	}
439
440	if (RT_SUCCESS(rc))
441	{
442	/* Check security bits. */
443	if (pszFlags)
444	{
445	if ( fReadOnly
446	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
447	{
448	/* If we want a property which is read-only on the guest
449	* and it is not marked as such, deny access! */
450	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
451	pszKey);
452	rc = VERR_ACCESS_DENIED;
453	}
454	}
455	else /* No flags, no access! */
456	{
457	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
458	pszKey, pszFlags);
459	rc = VERR_ACCESS_DENIED;
460	}
461
462	if (RT_SUCCESS(rc))
463	{
464	/* If everything went well copy property value to our destination buffer. */
465	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
466	{
467	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
468	pszKey);
469	rc = VERR_INVALID_PARAMETER;
470	}
471
472	if (RT_SUCCESS(rc))
473	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
474	pszKey, pszValue);
475	}
476	}
477
478	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
479	pszKey, rc);
480	return rc;
481	}
482
483
484	/**
485	* Waits for a guest property to be changed.
486	*
487	* @return IPRT status code.
488	* @param hPAM PAM handle.
489	* @param uClientID Guest property service client ID.
490	* @param pszKey Key (name) of guest property to wait for.
491	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
492	* RT_INDEFINITE_WAIT to wait indefinitly.
493	*/
494	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
495	const char *pszKey, uint32_t uTimeoutMS)
496	{
497	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
498	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
499	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
500
501	int rc;
502
503	/* The buffer for storing the data and its initial size. We leave a bit
504	* of space here in case the maximum values are raised. */
505	void *pvBuf = NULL;
506	uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
507
508	for (int i = 0; i < 10; i++)
509	{
510	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
511	if (pvTmpBuf)
512	{
513	char *pszName = NULL;
514	char *pszValue = NULL;
515	uint64_t u64TimestampOut = 0;
516	char *pszFlags = NULL;
517
518	pvBuf = pvTmpBuf;
519	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
520	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
521	&pszName, &pszValue, &u64TimestampOut,
522	&pszFlags, &cbBuf);
523	}
524	else
525	rc = VERR_NO_MEMORY;
526
527	if (rc == VERR_BUFFER_OVERFLOW)
528	{
529	/* Buffer too small, try it with a bigger one next time. */
530	cbBuf += _1K;
531	continue; /* Try next round. */
532	}
533
534	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
535	break;
536	}
537
538	return rc;
539	}
540	#endif
541
542	/**
543	* Thread function waiting for credentials to arrive.
544	*
545	* @return IPRT status code.
546	* @param ThreadSelf Thread struct to this thread.
547	* @param pvUser Pointer to a PAMVBOXTHREAD structure providing
548	* required data used / set by the thread.
549	*/
550	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
551	{
552	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
553	AssertPtr(pUserData);
554
555	int rc = VINF_SUCCESS;
556	/* Get current time stamp to later calculate rest of timeout left. */
557	uint64_t u64StartMS = RTTimeMilliTS();
558
559	#ifdef VBOX_WITH_GUEST_PROPS
560	uint32_t uClientID = 0;
561	rc = VbglR3GuestPropConnect(&uClientID);
562	if (RT_FAILURE(rc))
563	{
564	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
565	}
566	else
567	{
568	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
569	#endif
570	for (;;)
571	{
572	#ifdef VBOX_WITH_GUEST_PROPS
573	if (uClientID)
574	{
575	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
576	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
577	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
578	switch (rc)
579	{
580	case VINF_SUCCESS:
581	/* Somebody (guest/host) wants to abort waiting for credentials. */
582	break;
583
584	case VERR_INTERRUPTED:
585	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
586	break;
587
588	case VERR_TIMEOUT:
589	/* We did not receive an abort message within time. */
590	break;
591
592	case VERR_TOO_MUCH_DATA:
593	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
594	break;
595
596	default:
597	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
598	break;
599	}
600
601	if (RT_SUCCESS(rc)) /* Abort waiting. */
602	{
603	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
604	rc = VERR_CANCELLED;
605	break;
606	}
607	}
608	#endif
609	if ( RT_SUCCESS(rc)
610	\|\| rc == VERR_TIMEOUT)
611	{
612	rc = pam_vbox_check_creds(pUserData->hPAM);
613	if (RT_SUCCESS(rc))
614	{
615	/* Credentials retrieved. */
616	break; /* Thread no longer is required, bail out. */
617	}
618	else if (rc == VERR_NOT_FOUND)
619	{
620	/* No credentials found, but try next round (if there's
621	* time left for) ... */
622	#ifndef VBOX_WITH_GUEST_PROPS
623	RTThreadSleep(500); /* Wait 500 ms. */
624	#endif
625	}
626	else
627	break; /* Something bad happend ... */
628	}
629	else
630	break;
631
632	/* Calculate timeout value left after process has been started. */
633	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
634	/* Is it time to bail out? */
635	if (pUserData->uTimeoutMS < u64Elapsed)
636	{
637	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
638	pUserData->uTimeoutMS);
639	rc = VERR_TIMEOUT;
640	break;
641	}
642	}
643	#ifdef VBOX_WITH_GUEST_PROPS
644	}
645	VbglR3GuestPropDisconnect(uClientID);
646	#endif
647
648	/* Save result. */
649	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
650
651	int rc2 = RTThreadUserSignal(RTThreadSelf());
652	AssertRC(rc2);
653
654	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
655	return rc;
656	}
657
658
659	/**
660	* Waits for credentials to arrive by creating and waiting for a thread.
661	*
662	* @return IPRT status code.
663	* @param hPAM PAM handle.
664	* @param uClientID Guest property service client ID.
665	* @param pszKey Key (name) of guest property to wait for.
666	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
667	* RT_INDEFINITE_WAIT to wait indefinitly.
668	*/
669	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
670	{
671	PAMVBOXTHREAD threadData;
672	threadData.hPAM = hPAM;
673	threadData.uTimeoutMS = uTimeoutMS;
674
675	RTTHREAD threadWait;
676	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
677	(void *)&threadData, 0,
678	RTTHREADTYPE_DEFAULT, RTTHREADFLAGS_WAITABLE, "pam_vbox");
679	if (RT_SUCCESS(rc))
680	{
681	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
682	/* Wait for thread to initialize. */
683	/** @todo We can do something else here in the meantime later. */
684	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
685	if (RT_SUCCESS(rc))
686	rc = threadData.rc; /* Get back thread result to take further actions. */
687	}
688	else
689	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
690
691	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
692	return rc;
693	}
694
695
696	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
697	int argc, const char **argv)
698	{
699	/* Parse arguments. */
700	for (int i = 0; i < argc; i++)
701	{
702	if (!RTStrICmp(argv[i], "debug"))
703	g_verbosity = 1;
704	else
705	pam_vbox_error(hPAM, "pam_sm_authenticate: unknown command line argument \"%s\"\n", argv[i]);
706	}
707	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
708
709	int rc = pam_vbox_init(hPAM);
710	if (RT_FAILURE(rc))
711	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
712
713	bool fFallback = true;
714
715	#ifdef VBOX_WITH_GUEST_PROPS
716	uint32_t uClientId;
717	rc = VbglR3GuestPropConnect(&uClientId);
718	if (RT_SUCCESS(rc))
719	{
720	char szVal[256];
721	rc = pam_vbox_read_prop(hPAM, uClientId,
722	"/VirtualBox/GuestAdd/PAM/CredsWait",
723	true /* Read-only on guest */,
724	szVal, sizeof(szVal));
725	if (RT_SUCCESS(rc))
726	{
727	/* All calls which are checked against rc2 are not critical, e.g. it does
728	* not matter if they succeed or not. */
729	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
730	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
731	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
732	true /* Read-only on guest */,
733	szVal, sizeof(szVal));
734	if (RT_SUCCESS(rc2))
735	{
736	uTimeoutMS = RTStrToUInt32(szVal);
737	if (!uTimeoutMS)
738	{
739	pam_vbox_error(hPAM, "pam_sm_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
740	uTimeoutMS = RT_INDEFINITE_WAIT;
741	}
742	else
743	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
744	}
745
746	rc2 = pam_vbox_read_prop(hPAM, uClientId,
747	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
748	true /* Read-only on guest */,
749	szVal, sizeof(szVal));
750	const char *pszWaitMsg = NULL;
751	if (RT_SUCCESS(rc2))
752	pszWaitMsg = szVal;
753
754	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
755	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
756	if (RT_FAILURE(rc2)) /* Not critical. */
757	pam_vbox_error(hPAM, "pam_sm_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
758
759	if (RT_SUCCESS(rc))
760	{
761	/* Before we actuall wait for credentials just make sure we didn't already get credentials
762	* set so that we can skip waiting for them ... */
763	rc = pam_vbox_check_creds(hPAM);
764	if (rc == VERR_NOT_FOUND)
765	{
766	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
767	if (RT_SUCCESS(rc))
768	{
769	/* Waiting for credentials succeeded, try getting those ... */
770	rc = pam_vbox_check_creds(hPAM);
771	if (RT_FAILURE(rc))
772	pam_vbox_error(hPAM, "pam_sm_authenticate: no credentials given, even when waited for it, rc=%Rrc\n", rc);
773	}
774	else if (rc == VERR_TIMEOUT)
775	{
776	pam_vbox_log(hPAM, "pam_sm_authenticate: no credentials given within time\n");
777
778	rc2 = pam_vbox_read_prop(hPAM, uClientId,
779	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
780	true /* Read-only on guest */,
781	szVal, sizeof(szVal));
782	if (RT_SUCCESS(rc2))
783	{
784	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
785	AssertRC(rc2);
786	}
787	}
788	else if (rc == VERR_CANCELLED)
789	{
790	pam_vbox_log(hPAM, "pam_sm_authenticate: waiting aborted\n");
791
792	rc2 = pam_vbox_read_prop(hPAM, uClientId,
793	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
794	true /* Read-only on guest */,
795	szVal, sizeof(szVal));
796	if (RT_SUCCESS(rc2))
797	{
798	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
799	AssertRC(rc2);
800	}
801	}
802	}
803
804	/* If we got here we don't need the fallback, so just deactivate it. */
805	fFallback = false;
806	}
807	}
808
809	VbglR3GuestPropDisconnect(uClientId);
810	}
811	#endif /* VBOX_WITH_GUEST_PROPS */
812
813	if (fFallback)
814	{
815	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
816
817	/* If anything went wrong in the code above we just do a credentials
818	* check like it was before: Try retrieving the stuff and authenticating. */
819	int rc2 = pam_vbox_check_creds(hPAM);
820	if (RT_SUCCESS(rc))
821	rc = rc2;
822	}
823
824	pam_vbox_shutdown(hPAM);
825
826	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
827
828	/* Never report an error here because if no credentials from the host are available or something
829	* went wrong we then let do the authentication by the next module in the stack. */
830
831	/* We report success here because this is all we can do right now -- we passed the credentials
832	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
833	* password verification to "really" authenticate the user. */
834	return PAM_SUCCESS;
835	}
836
837
838	DECLEXPORT(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
839	{
840	pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
841	for (int i = 0; i < argc; i++)
842	pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
843	return PAM_SUCCESS;
844	}
845
846
847	DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
848	{
849	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
850	return PAM_SUCCESS;
851	}
852
853
854	DECLEXPORT(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
855	{
856	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
857	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
858	return PAM_SUCCESS;
859	}
860
861
862	DECLEXPORT(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
863	{
864	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
865	return PAM_SUCCESS;
866	}
867
868
869	DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
870	{
871	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
872	return PAM_SUCCESS;
873	}
874
875
876	#ifdef DEBUG
877	DECLEXPORT(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
878	{
879	pam_vbox_log(g_pam_handle,
880	"\n!!Assertion Failed!!\n"
881	"Expression: %s\n"
882	"Location : %s(%d) %s\n",
883	pszExpr, pszFile, uLine, pszFunction);
884	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
885	}
886	#endif
887

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 39741

Download in other formats: