pam_vbox.cpp@ 61522

Last change on this file since 61522 was 57358, checked in by vboxsync, 9 years ago
*: scm cleanup run.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 30.2 KB

Line
1	/* $Id: pam_vbox.cpp 57358 2015-08-14 15:16:38Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2015 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18
19	/*********************************************************************************************************************************
20	* Header Files *
21	*********************************************************************************************************************************/
22	#define PAM_SM_AUTH
23	#define PAM_SM_ACCOUNT
24	#define PAM_SM_PASSWORD
25	#define PAM_SM_SESSION
26
27	#ifdef DEBUG
28	# define PAM_DEBUG
29	#endif
30
31	#include <security/pam_appl.h>
32	#ifdef RT_OS_LINUX
33	# include <security/_pam_macros.h>
34	#endif
35
36	#include <pwd.h>
37	#include <syslog.h>
38	#include <stdlib.h>
39
40	#include <iprt/assert.h>
41	#include <iprt/buildconfig.h>
42	#include <iprt/env.h>
43	#include <iprt/initterm.h>
44	#include <iprt/mem.h>
45	#include <iprt/stream.h>
46	#include <iprt/string.h>
47	#include <iprt/thread.h>
48	#include <iprt/time.h>
49
50	#include <VBox/VBoxGuestLib.h>
51
52	#include <VBox/log.h>
53	#ifdef VBOX_WITH_GUEST_PROPS
54	# include <VBox/HostServices/GuestPropertySvc.h>
55	using namespace guestProp;
56	#endif
57
58	#define VBOX_MODULE_NAME "pam_vbox"
59
60	#define VBOX_PAM_FLAG_SILENT "PAM_SILENT"
61	#define VBOX_PAM_FLAG_DISALLOW_NULL_AUTHTOK "PAM_DISALLOW_NULL_AUTHTOK"
62	#define VBOX_PAM_FLAG_ESTABLISH_CRED "PAM_ESTABLISH_CRED"
63	#define VBOX_PAM_FLAG_DELETE_CRED "PAM_DELETE_CRED"
64	#define VBOX_PAM_FLAG_REINITIALIZE_CRED "PAM_REINITIALIZE_CRED"
65	#define VBOX_PAM_FLAG_REFRESH_CRED "PAM_REFRESH_CRED"
66
67	RT_C_DECLS_BEGIN
68	RTDECL(int) pam_sm_authenticate(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
69	RTDECL(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
70	RTDECL(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
71	RTDECL(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
72	RTDECL(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
73	RTDECL(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
74	RT_C_DECLS_END
75
76	/** For debugging. */
77	#ifdef DEBUG
78	static pam_handle_t *g_pam_handle;
79	static int g_verbosity = 99;
80	#else
81	static int g_verbosity = 0;
82	#endif
83
84	/**
85	* User-provided thread data for the credentials waiting thread.
86	*/
87	typedef struct PAMVBOXTHREAD
88	{
89	/** The PAM handle. */
90	pam_handle_t *hPAM;
91	/** The timeout (in ms) to wait for credentials. */
92	uint32_t uTimeoutMS;
93	/** The overall result of the thread operation. */
94	int rc;
95	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
96
97	/**
98	* Write to system log.
99	*
100	* @param pszBuf Buffer to write to the log (NULL-terminated)
101	*/
102	static void pam_vbox_writesyslog(char *pszBuf)
103	{
104	#ifdef RT_OS_LINUX
105	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
106	syslog(LOG_ERR, "%s", pszBuf);
107	closelog();
108	#elif defined(RT_OS_SOLARIS)
109	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
110	#endif
111	}
112
113
114	/**
115	* Displays an error message.
116	*
117	* @param pszFormat The message text.
118	* @param ... Format arguments.
119	*/
120	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
121	{
122	va_list va;
123	char *buf;
124	va_start(va, pszFormat);
125	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
126	{
127	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
128	pam_vbox_writesyslog(buf);
129	RTStrFree(buf);
130	}
131	va_end(va);
132	}
133
134
135	/**
136	* Displays a debug message.
137	*
138	* @param pszFormat The message text.
139	* @param ... Format arguments.
140	*/
141	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
142	{
143	if (g_verbosity)
144	{
145	va_list va;
146	char *buf;
147	va_start(va, pszFormat);
148	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
149	{
150	/* Only do normal logging in debug mode; could contain
151	* sensitive data! */
152	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
153	/* Log to syslog */
154	pam_vbox_writesyslog(buf);
155	RTStrFree(buf);
156	}
157	va_end(va);
158	}
159	}
160
161
162	/**
163	* Sets a message using PAM's conversation function.
164	*
165	* @return IPRT status code.
166	* @param hPAM PAM handle.
167	* @param iStyle Style of message (0 = Information, 1 = Prompt
168	* echo off, 2 = Prompt echo on, 3 = Error).
169	* @param pszText Message text to set.
170	*/
171	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
172	{
173	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
174	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
175
176	if (!iStyle)
177	iStyle = PAM_TEXT_INFO;
178
179	int rc = VINF_SUCCESS;
180
181	pam_message msg;
182	msg.msg_style = iStyle;
183	#ifdef RT_OS_SOLARIS
184	msg.msg = (char*)pszText;
185	#else
186	msg.msg = pszText;
187	#endif
188
189	#ifdef RT_OS_SOLARIS
190	pam_conv *conv = NULL;
191	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
192	#else
193	const pam_conv *conv = NULL;
194	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
195	#endif
196	if ( pamrc == PAM_SUCCESS
197	&& conv)
198	{
199	pam_response *resp = NULL;
200	#ifdef RT_OS_SOLARIS
201	pam_message *msg_p = &msg;
202	#else
203	const pam_message *msg_p = &msg;
204	#endif
205	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
206
207	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
208	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
209	{
210	if (resp->resp)
211	{
212	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
213	pszText, resp->resp);
214	/** @todo Save response! */
215	free(resp->resp);
216	}
217	free(resp);
218	}
219	}
220	else
221	rc = VERR_NOT_FOUND;
222	return rc;
223	}
224
225
226	/**
227	* Initializes pam_vbox.
228	*
229	* @return IPRT status code.
230	* @param hPAM PAM handle.
231	*/
232	static int pam_vbox_init(pam_handle_t *hPAM)
233	{
234	#ifdef DEBUG
235	g_pam_handle = hPAM; /* hack for getting assertion text */
236	#endif
237
238	/* Don't make assertions panic because the PAM stack +
239	* the current logon module won't work anymore (or just restart).
240	* This could result in not able to log into the system anymore. */
241	RTAssertSetMayPanic(false);
242
243	pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
244	RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
245
246	int rc = RTR3InitDll(0);
247	if (RT_FAILURE(rc))
248	{
249	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
250	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
251	}
252
253	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
254	if (RT_SUCCESS(rc))
255	{
256	rc = VbglR3InitUser();
257	if (RT_FAILURE(rc))
258	{
259	switch(rc)
260	{
261	case VERR_ACCESS_DENIED:
262	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
263	break;
264
265	case VERR_FILE_NOT_FOUND:
266	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
267	break;
268
269	default:
270	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
271	break;
272	}
273	}
274	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
275	}
276
277	if (RT_SUCCESS(rc))
278	{
279	char *rhost = NULL;
280	char *tty = NULL;
281	char *prompt = NULL;
282	#ifdef RT_OS_SOLARIS
283	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
284	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
285	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
286	#else
287	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
288	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
289	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
290	#endif
291	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
292	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
293	}
294
295	return rc;
296	}
297
298
299	/**
300	* Shuts down pam_vbox.
301	*
302	* @return IPRT status code.
303	* @param hPAM PAM handle.
304	*/
305	static void pam_vbox_shutdown(pam_handle_t *hPAM)
306	{
307	VbglR3Term();
308	}
309
310
311	/**
312	* Checks for credentials provided by the host / HGCM.
313	*
314	* @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
315	* VINF_SUCCESS on successful retrieval or another IPRT error.
316	* @param hPAM PAM handle.
317	*/
318	static int pam_vbox_check_creds(pam_handle_t *hPAM)
319	{
320	int rc = VbglR3CredentialsQueryAvailability();
321	if (RT_FAILURE(rc))
322	{
323	if (rc != VERR_NOT_FOUND)
324	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
325	#ifdef DEBUG
326	else
327	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
328	#endif
329	}
330	else
331	{
332	char *pszUsername;
333	char *pszPassword;
334	char *pszDomain;
335
336	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
337	if (RT_FAILURE(rc))
338	{
339	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
340	}
341	else
342	{
343	#ifdef DEBUG
344	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
345	pszUsername, pszPassword, pszDomain);
346	#else
347	/* Don't log passwords in release mode! */
348	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
349	pszUsername, pszDomain);
350	#endif
351	/* Fill credentials into PAM. */
352	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
353	if (pamrc != PAM_SUCCESS)
354	{
355	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
356	pamrc, pam_strerror(hPAM, pamrc));
357	}
358	else
359	{
360	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
361	if (pamrc != PAM_SUCCESS)
362	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
363	pamrc, pam_strerror(hPAM, pamrc));
364
365	}
366	/** @todo Add handling domains as well. */
367	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
368	3 /* Three wipe passes */);
369	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
370	pamrc, pam_strerror(hPAM, pamrc));
371	}
372	}
373
374	#ifdef DEBUG
375	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
376	#endif
377	return rc;
378	}
379
380
381	#ifdef VBOX_WITH_GUEST_PROPS
382	/**
383	* Reads a guest property.
384	*
385	* @return IPRT status code.
386	* @param hPAM PAM handle.
387	* @param uClientID Guest property service client ID.
388	* @param pszKey Key (name) of guest property to read.
389	* @param fReadOnly Indicates whether this key needs to be
390	* checked if it only can be read (and not written)
391	* by the guest.
392	* @param pszValue Buffer where to store the key's value.
393	* @param cbValue Size of buffer (in bytes).
394	*/
395	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
396	const char *pszKey, bool fReadOnly,
397	char *pszValue, size_t cbValue)
398	{
399	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
400	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
401	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
402	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
403
404	int rc;
405
406	uint64_t u64Timestamp = 0;
407	char *pszValTemp;
408	char *pszFlags = NULL;
409	/* The buffer for storing the data and its initial size. We leave a bit
410	* of space here in case the maximum values are raised. */
411	void *pvBuf = NULL;
412	uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
413
414	/* Because there is a race condition between our reading the size of a
415	* property and the guest updating it, we loop a few times here and
416	* hope. Actually this should never go wrong, as we are generous
417	* enough with buffer space. */
418	for (unsigned i = 0; i < 10; i++)
419	{
420	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
421	if (pvTmpBuf)
422	{
423	pvBuf = pvTmpBuf;
424	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
425	&pszValTemp, &u64Timestamp, &pszFlags,
426	&cbBuf);
427	}
428	else
429	rc = VERR_NO_MEMORY;
430
431	switch (rc)
432	{
433	case VERR_BUFFER_OVERFLOW:
434	{
435	/* Buffer too small, try it with a bigger one next time. */
436	cbBuf += _1K;
437	continue; /* Try next round. */
438	}
439
440	default:
441	break;
442	}
443
444	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
445	break;
446	}
447
448	if (RT_SUCCESS(rc))
449	{
450	/* Check security bits. */
451	if (pszFlags)
452	{
453	if ( fReadOnly
454	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
455	{
456	/* If we want a property which is read-only on the guest
457	* and it is not marked as such, deny access! */
458	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
459	pszKey);
460	rc = VERR_ACCESS_DENIED;
461	}
462	}
463	else /* No flags, no access! */
464	{
465	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
466	pszKey, pszFlags);
467	rc = VERR_ACCESS_DENIED;
468	}
469
470	if (RT_SUCCESS(rc))
471	{
472	/* If everything went well copy property value to our destination buffer. */
473	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
474	{
475	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
476	pszKey);
477	rc = VERR_INVALID_PARAMETER;
478	}
479
480	if (RT_SUCCESS(rc))
481	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
482	pszKey, pszValue);
483	}
484	}
485
486	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
487	pszKey, rc);
488	return rc;
489	}
490
491
492	/**
493	* Waits for a guest property to be changed.
494	*
495	* @return IPRT status code.
496	* @param hPAM PAM handle.
497	* @param uClientID Guest property service client ID.
498	* @param pszKey Key (name) of guest property to wait for.
499	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
500	* RT_INDEFINITE_WAIT to wait indefinitly.
501	*/
502	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
503	const char *pszKey, uint32_t uTimeoutMS)
504	{
505	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
506	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
507	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
508
509	int rc;
510
511	/* The buffer for storing the data and its initial size. We leave a bit
512	* of space here in case the maximum values are raised. */
513	void *pvBuf = NULL;
514	uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
515
516	for (int i = 0; i < 10; i++)
517	{
518	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
519	if (pvTmpBuf)
520	{
521	char *pszName = NULL;
522	char *pszValue = NULL;
523	uint64_t u64TimestampOut = 0;
524	char *pszFlags = NULL;
525
526	pvBuf = pvTmpBuf;
527	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
528	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
529	&pszName, &pszValue, &u64TimestampOut,
530	&pszFlags, &cbBuf);
531	}
532	else
533	rc = VERR_NO_MEMORY;
534
535	if (rc == VERR_BUFFER_OVERFLOW)
536	{
537	/* Buffer too small, try it with a bigger one next time. */
538	cbBuf += _1K;
539	continue; /* Try next round. */
540	}
541
542	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
543	break;
544	}
545
546	return rc;
547	}
548	#endif
549
550	/**
551	* Thread function waiting for credentials to arrive.
552	*
553	* @return IPRT status code.
554	* @param ThreadSelf Thread struct to this thread.
555	* @param pvUser Pointer to a PAMVBOXTHREAD structure providing
556	* required data used / set by the thread.
557	*/
558	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
559	{
560	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
561	AssertPtr(pUserData);
562
563	int rc = VINF_SUCCESS;
564	/* Get current time stamp to later calculate rest of timeout left. */
565	uint64_t u64StartMS = RTTimeMilliTS();
566
567	#ifdef VBOX_WITH_GUEST_PROPS
568	uint32_t uClientID = 0;
569	rc = VbglR3GuestPropConnect(&uClientID);
570	if (RT_FAILURE(rc))
571	{
572	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
573	}
574	else
575	{
576	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
577	#endif
578	for (;;)
579	{
580	#ifdef VBOX_WITH_GUEST_PROPS
581	if (uClientID)
582	{
583	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
584	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
585	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
586	switch (rc)
587	{
588	case VINF_SUCCESS:
589	/* Somebody (guest/host) wants to abort waiting for credentials. */
590	break;
591
592	case VERR_INTERRUPTED:
593	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
594	break;
595
596	case VERR_TIMEOUT:
597	/* We did not receive an abort message within time. */
598	break;
599
600	case VERR_TOO_MUCH_DATA:
601	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
602	break;
603
604	default:
605	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
606	break;
607	}
608
609	if (RT_SUCCESS(rc)) /* Abort waiting. */
610	{
611	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
612	rc = VERR_CANCELLED;
613	break;
614	}
615	}
616	#endif
617	if ( RT_SUCCESS(rc)
618	\|\| rc == VERR_TIMEOUT)
619	{
620	rc = pam_vbox_check_creds(pUserData->hPAM);
621	if (RT_SUCCESS(rc))
622	{
623	/* Credentials retrieved. */
624	break; /* Thread no longer is required, bail out. */
625	}
626	else if (rc == VERR_NOT_FOUND)
627	{
628	/* No credentials found, but try next round (if there's
629	* time left for) ... */
630	#ifndef VBOX_WITH_GUEST_PROPS
631	RTThreadSleep(500); /* Wait 500 ms. */
632	#endif
633	}
634	else
635	break; /* Something bad happend ... */
636	}
637	else
638	break;
639
640	/* Calculate timeout value left after process has been started. */
641	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
642	/* Is it time to bail out? */
643	if (pUserData->uTimeoutMS < u64Elapsed)
644	{
645	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
646	pUserData->uTimeoutMS);
647	rc = VERR_TIMEOUT;
648	break;
649	}
650	}
651	#ifdef VBOX_WITH_GUEST_PROPS
652	}
653	VbglR3GuestPropDisconnect(uClientID);
654	#endif
655
656	/* Save result. */
657	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
658
659	int rc2 = RTThreadUserSignal(RTThreadSelf());
660	AssertRC(rc2);
661
662	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
663	return rc;
664	}
665
666
667	/**
668	* Waits for credentials to arrive by creating and waiting for a thread.
669	*
670	* @return IPRT status code.
671	* @param hPAM PAM handle.
672	* @param uClientID Guest property service client ID.
673	* @param pszKey Key (name) of guest property to wait for.
674	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
675	* RT_INDEFINITE_WAIT to wait indefinitly.
676	*/
677	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
678	{
679	PAMVBOXTHREAD threadData;
680	threadData.hPAM = hPAM;
681	threadData.uTimeoutMS = uTimeoutMS;
682
683	RTTHREAD threadWait;
684	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
685	(void *)&threadData, 0,
686	RTTHREADTYPE_DEFAULT, 0 /* Flags */, "pam_vbox");
687	if (RT_SUCCESS(rc))
688	{
689	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
690	/* Wait for thread to initialize. */
691	/** @todo We can do something else here in the meantime later. */
692	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
693	if (RT_SUCCESS(rc))
694	rc = threadData.rc; /* Get back thread result to take further actions. */
695	}
696	else
697	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
698
699	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
700	return rc;
701	}
702
703
704	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
705	int argc, const char **argv)
706	{
707	/* Parse arguments. */
708	for (int i = 0; i < argc; i++)
709	{
710	if (!RTStrICmp(argv[i], "debug"))
711	g_verbosity = 1;
712	else
713	pam_vbox_error(hPAM, "pam_vbox_authenticate: unknown command line argument \"%s\"\n", argv[i]);
714	}
715	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
716
717	int rc = pam_vbox_init(hPAM);
718	if (RT_FAILURE(rc))
719	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
720
721	bool fFallback = true;
722
723	#ifdef VBOX_WITH_GUEST_PROPS
724	uint32_t uClientId;
725	rc = VbglR3GuestPropConnect(&uClientId);
726	if (RT_SUCCESS(rc))
727	{
728	char szVal[256];
729	rc = pam_vbox_read_prop(hPAM, uClientId,
730	"/VirtualBox/GuestAdd/PAM/CredsWait",
731	true /* Read-only on guest */,
732	szVal, sizeof(szVal));
733	if (RT_SUCCESS(rc))
734	{
735	/* All calls which are checked against rc2 are not critical, e.g. it does
736	* not matter if they succeed or not. */
737	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
738	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
739	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
740	true /* Read-only on guest */,
741	szVal, sizeof(szVal));
742	if (RT_SUCCESS(rc2))
743	{
744	uTimeoutMS = RTStrToUInt32(szVal);
745	if (!uTimeoutMS)
746	{
747	pam_vbox_error(hPAM, "pam_vbox_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
748	uTimeoutMS = RT_INDEFINITE_WAIT;
749	}
750	else
751	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
752	}
753
754	rc2 = pam_vbox_read_prop(hPAM, uClientId,
755	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
756	true /* Read-only on guest */,
757	szVal, sizeof(szVal));
758	const char *pszWaitMsg = NULL;
759	if (RT_SUCCESS(rc2))
760	pszWaitMsg = szVal;
761
762	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
763	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
764	if (RT_FAILURE(rc2)) /* Not critical. */
765	pam_vbox_error(hPAM, "pam_vbox_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
766
767	if (RT_SUCCESS(rc))
768	{
769	/* Before we actuall wait for credentials just make sure we didn't already get credentials
770	* set so that we can skip waiting for them ... */
771	rc = pam_vbox_check_creds(hPAM);
772	if (rc == VERR_NOT_FOUND)
773	{
774	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
775	if (rc == VERR_TIMEOUT)
776	{
777	pam_vbox_log(hPAM, "pam_vbox_authenticate: no credentials given within time\n");
778
779	rc2 = pam_vbox_read_prop(hPAM, uClientId,
780	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
781	true /* Read-only on guest */,
782	szVal, sizeof(szVal));
783	if (RT_SUCCESS(rc2))
784	{
785	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
786	AssertRC(rc2);
787	}
788	}
789	else if (rc == VERR_CANCELLED)
790	{
791	pam_vbox_log(hPAM, "pam_vbox_authenticate: waiting aborted\n");
792
793	rc2 = pam_vbox_read_prop(hPAM, uClientId,
794	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
795	true /* Read-only on guest */,
796	szVal, sizeof(szVal));
797	if (RT_SUCCESS(rc2))
798	{
799	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
800	AssertRC(rc2);
801	}
802	}
803	}
804
805	/* If we got here we don't need the fallback, so just deactivate it. */
806	fFallback = false;
807	}
808	}
809
810	VbglR3GuestPropDisconnect(uClientId);
811	}
812	#endif /* VBOX_WITH_GUEST_PROPS */
813
814	if (fFallback)
815	{
816	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
817
818	/* If anything went wrong in the code above we just do a credentials
819	* check like it was before: Try retrieving the stuff and authenticating. */
820	int rc2 = pam_vbox_check_creds(hPAM);
821	if (RT_SUCCESS(rc))
822	rc = rc2;
823	}
824
825	pam_vbox_shutdown(hPAM);
826
827	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
828
829	/* Never report an error here because if no credentials from the host are available or something
830	* went wrong we then let do the authentication by the next module in the stack. */
831
832	/* We report success here because this is all we can do right now -- we passed the credentials
833	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
834	* password verification to "really" authenticate the user. */
835	return PAM_SUCCESS;
836	}
837
838
839	DECLEXPORT(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
840	{
841	pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
842	for (int i = 0; i < argc; i++)
843	pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
844	return PAM_SUCCESS;
845	}
846
847
848	DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
849	{
850	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
851	return PAM_SUCCESS;
852	}
853
854
855	DECLEXPORT(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
856	{
857	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
858	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
859	return PAM_SUCCESS;
860	}
861
862
863	DECLEXPORT(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
864	{
865	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
866	return PAM_SUCCESS;
867	}
868
869
870	DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
871	{
872	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
873	return PAM_SUCCESS;
874	}
875
876
877	#ifdef DEBUG
878	DECLEXPORT(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
879	{
880	pam_vbox_log(g_pam_handle,
881	"\n!!Assertion Failed!!\n"
882	"Expression: %s\n"
883	"Location : %s(%d) %s\n",
884	pszExpr, pszFile, uLine, pszFunction);
885	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
886	}
887	#endif
888

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 61522

Download in other formats: