VirtualBox

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 69498

Last change on this file since 69498 was 69498, checked in by vboxsync, 7 years ago

backed out r118835 as it incorrectly updated the 'This file is based on' file headers.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 30.5 KB
Line 
1/* $Id: pam_vbox.cpp 69498 2017-10-28 15:07:25Z vboxsync $ */
2/** @file
3 * pam_vbox - PAM module for auto logons.
4 */
5
6/*
7 * Copyright (C) 2008-2016 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18
19/*********************************************************************************************************************************
20* Header Files *
21*********************************************************************************************************************************/
22#define PAM_SM_AUTH
23#define PAM_SM_ACCOUNT
24#define PAM_SM_PASSWORD
25#define PAM_SM_SESSION
26
27#ifdef DEBUG
28# define PAM_DEBUG
29#endif
30
31#include <security/pam_appl.h>
32#ifdef RT_OS_LINUX
33# include <security/_pam_macros.h>
34#endif
35
36#include <pwd.h>
37#include <syslog.h>
38#include <stdlib.h>
39
40#include <iprt/assert.h>
41#include <iprt/buildconfig.h>
42#include <iprt/env.h>
43#include <iprt/initterm.h>
44#include <iprt/mem.h>
45#include <iprt/stream.h>
46#include <iprt/string.h>
47#include <iprt/thread.h>
48#include <iprt/time.h>
49
50#include <VBox/VBoxGuestLib.h>
51
52#include <VBox/log.h>
53#ifdef VBOX_WITH_GUEST_PROPS
54# include <VBox/HostServices/GuestPropertySvc.h>
55 using namespace guestProp;
56#endif
57
58#define VBOX_MODULE_NAME "pam_vbox"
59
60#define VBOX_PAM_FLAG_SILENT "PAM_SILENT"
61#define VBOX_PAM_FLAG_DISALLOW_NULL_AUTHTOK "PAM_DISALLOW_NULL_AUTHTOK"
62#define VBOX_PAM_FLAG_ESTABLISH_CRED "PAM_ESTABLISH_CRED"
63#define VBOX_PAM_FLAG_DELETE_CRED "PAM_DELETE_CRED"
64#define VBOX_PAM_FLAG_REINITIALIZE_CRED "PAM_REINITIALIZE_CRED"
65#define VBOX_PAM_FLAG_REFRESH_CRED "PAM_REFRESH_CRED"
66
67RT_C_DECLS_BEGIN
68RTDECL(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
69RTDECL(int) pam_sm_setcred(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
70RTDECL(int) pam_sm_acct_mgmt(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
71RTDECL(int) pam_sm_open_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
72RTDECL(int) pam_sm_close_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
73RTDECL(int) pam_sm_chauthtok(pam_handle_t *hPAM, int iFlags, int argc, const char **argv);
74RT_C_DECLS_END
75
76/** For debugging. */
77#ifdef DEBUG
78static pam_handle_t *g_pam_handle;
79static int g_verbosity = 99;
80#else
81static int g_verbosity = 0;
82#endif
83
84/**
85 * User-provided thread data for the credentials waiting thread.
86 */
87typedef struct PAMVBOXTHREAD
88{
89 /** The PAM handle. */
90 pam_handle_t *hPAM;
91 /** The timeout (in ms) to wait for credentials. */
92 uint32_t uTimeoutMS;
93 /** The overall result of the thread operation. */
94 int rc;
95} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
96
97/**
98 * Write to system log.
99 *
100 * @param pszBuf Buffer to write to the log (NULL-terminated)
101 */
102static void pam_vbox_writesyslog(char *pszBuf)
103{
104#ifdef RT_OS_LINUX
105 openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
106 syslog(LOG_ERR, "%s", pszBuf);
107 closelog();
108#elif defined(RT_OS_SOLARIS)
109 syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
110#endif
111}
112
113
114/**
115 * Displays an error message.
116 *
117 * @param hPAM PAM handle.
118 * @param pszFormat The message text.
119 * @param ... Format arguments.
120 */
121static void pam_vbox_error(pam_handle_t *hPAM, const char *pszFormat, ...)
122{
123 RT_NOREF1(hPAM);
124 va_list va;
125 char *buf;
126 va_start(va, pszFormat);
127 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
128 {
129 LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
130 pam_vbox_writesyslog(buf);
131 RTStrFree(buf);
132 }
133 va_end(va);
134}
135
136
137/**
138 * Displays a debug message.
139 *
140 * @param hPAM PAM handle.
141 * @param pszFormat The message text.
142 * @param ... Format arguments.
143 */
144static void pam_vbox_log(pam_handle_t *hPAM, const char *pszFormat, ...)
145{
146 RT_NOREF1(hPAM);
147 if (g_verbosity)
148 {
149 va_list va;
150 char *buf;
151 va_start(va, pszFormat);
152 if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
153 {
154 /* Only do normal logging in debug mode; could contain
155 * sensitive data! */
156 LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
157 /* Log to syslog */
158 pam_vbox_writesyslog(buf);
159 RTStrFree(buf);
160 }
161 va_end(va);
162 }
163}
164
165
166/**
167 * Sets a message using PAM's conversation function.
168 *
169 * @return IPRT status code.
170 * @param hPAM PAM handle.
171 * @param iStyle Style of message (0 = Information, 1 = Prompt
172 * echo off, 2 = Prompt echo on, 3 = Error).
173 * @param pszText Message text to set.
174 */
175static int vbox_set_msg(pam_handle_t *hPAM, int iStyle, const char *pszText)
176{
177 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
178 AssertPtrReturn(pszText, VERR_INVALID_POINTER);
179
180 if (!iStyle)
181 iStyle = PAM_TEXT_INFO;
182
183 int rc = VINF_SUCCESS;
184
185 pam_message msg;
186 msg.msg_style = iStyle;
187#ifdef RT_OS_SOLARIS
188 msg.msg = (char*)pszText;
189#else
190 msg.msg = pszText;
191#endif
192
193#ifdef RT_OS_SOLARIS
194 pam_conv *conv = NULL;
195 int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
196#else
197 const pam_conv *conv = NULL;
198 int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
199#endif
200 if ( pamrc == PAM_SUCCESS
201 && conv)
202 {
203 pam_response *resp = NULL;
204#ifdef RT_OS_SOLARIS
205 pam_message *msg_p = &msg;
206#else
207 const pam_message *msg_p = &msg;
208#endif
209 pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
210
211 pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
212 if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
213 {
214 if (resp->resp)
215 {
216 pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
217 pszText, resp->resp);
218 /** @todo Save response! */
219 free(resp->resp);
220 }
221 free(resp);
222 }
223 }
224 else
225 rc = VERR_NOT_FOUND;
226 return rc;
227}
228
229
230/**
231 * Initializes pam_vbox.
232 *
233 * @return IPRT status code.
234 * @param hPAM PAM handle.
235 */
236static int pam_vbox_init(pam_handle_t *hPAM)
237{
238#ifdef DEBUG
239 g_pam_handle = hPAM; /* hack for getting assertion text */
240#endif
241
242 /* Don't make assertions panic because the PAM stack +
243 * the current logon module won't work anymore (or just restart).
244 * This could result in not able to log into the system anymore. */
245 RTAssertSetMayPanic(false);
246
247 pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
248 RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
249
250 int rc = RTR3InitDll(0);
251 if (RT_FAILURE(rc))
252 {
253 pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
254 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
255 }
256
257 pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
258 if (RT_SUCCESS(rc))
259 {
260 rc = VbglR3InitUser();
261 if (RT_FAILURE(rc))
262 {
263 switch(rc)
264 {
265 case VERR_ACCESS_DENIED:
266 pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
267 break;
268
269 case VERR_FILE_NOT_FOUND:
270 pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
271 break;
272
273 default:
274 pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
275 break;
276 }
277 }
278 pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
279 }
280
281 if (RT_SUCCESS(rc))
282 {
283 char *rhost = NULL;
284 char *tty = NULL;
285 char *prompt = NULL;
286#ifdef RT_OS_SOLARIS
287 pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
288 pam_get_item(hPAM, PAM_TTY, (void**) &tty);
289 pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
290#else
291 pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
292 pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
293 pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
294#endif
295 pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
296 rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
297 }
298
299 return rc;
300}
301
302
303/**
304 * Shuts down pam_vbox.
305 *
306 * @return IPRT status code.
307 * @param hPAM PAM handle.
308 */
309static void pam_vbox_shutdown(pam_handle_t *hPAM)
310{
311 RT_NOREF1(hPAM);
312 VbglR3Term();
313}
314
315
316/**
317 * Checks for credentials provided by the host / HGCM.
318 *
319 * @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
320 * VINF_SUCCESS on successful retrieval or another IPRT error.
321 * @param hPAM PAM handle.
322 */
323static int pam_vbox_check_creds(pam_handle_t *hPAM)
324{
325 int rc = VbglR3CredentialsQueryAvailability();
326 if (RT_FAILURE(rc))
327 {
328 if (rc != VERR_NOT_FOUND)
329 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
330#ifdef DEBUG
331 else
332 pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
333#endif
334 }
335 else
336 {
337 char *pszUsername;
338 char *pszPassword;
339 char *pszDomain;
340
341 rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
342 if (RT_FAILURE(rc))
343 {
344 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
345 }
346 else
347 {
348#ifdef DEBUG
349 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
350 pszUsername, pszPassword, pszDomain);
351#else
352 /* Don't log passwords in release mode! */
353 pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
354 pszUsername, pszDomain);
355#endif
356 /* Fill credentials into PAM. */
357 int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
358 if (pamrc != PAM_SUCCESS)
359 {
360 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
361 pamrc, pam_strerror(hPAM, pamrc));
362 }
363 else
364 {
365 pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
366 if (pamrc != PAM_SUCCESS)
367 pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
368 pamrc, pam_strerror(hPAM, pamrc));
369
370 }
371 /** @todo Add handling domains as well. */
372 VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
373 3 /* Three wipe passes */);
374 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
375 pamrc, pam_strerror(hPAM, pamrc));
376 }
377 }
378
379#ifdef DEBUG
380 pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
381#endif
382 return rc;
383}
384
385
386#ifdef VBOX_WITH_GUEST_PROPS
387/**
388 * Reads a guest property.
389 *
390 * @return IPRT status code.
391 * @param hPAM PAM handle.
392 * @param uClientID Guest property service client ID.
393 * @param pszKey Key (name) of guest property to read.
394 * @param fReadOnly Indicates whether this key needs to be
395 * checked if it only can be read (and *not* written)
396 * by the guest.
397 * @param pszValue Buffer where to store the key's value.
398 * @param cbValue Size of buffer (in bytes).
399 */
400static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
401 const char *pszKey, bool fReadOnly,
402 char *pszValue, size_t cbValue)
403{
404 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
405 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
406 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
407 AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
408
409 int rc;
410
411 uint64_t u64Timestamp = 0;
412 char *pszValTemp;
413 char *pszFlags = NULL;
414 /* The buffer for storing the data and its initial size. We leave a bit
415 * of space here in case the maximum values are raised. */
416 void *pvBuf = NULL;
417 uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
418
419 /* Because there is a race condition between our reading the size of a
420 * property and the guest updating it, we loop a few times here and
421 * hope. Actually this should never go wrong, as we are generous
422 * enough with buffer space. */
423 for (unsigned i = 0; i < 10; i++)
424 {
425 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
426 if (pvTmpBuf)
427 {
428 pvBuf = pvTmpBuf;
429 rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
430 &pszValTemp, &u64Timestamp, &pszFlags,
431 &cbBuf);
432 }
433 else
434 rc = VERR_NO_MEMORY;
435
436 switch (rc)
437 {
438 case VERR_BUFFER_OVERFLOW:
439 {
440 /* Buffer too small, try it with a bigger one next time. */
441 cbBuf += _1K;
442 continue; /* Try next round. */
443 }
444
445 default:
446 break;
447 }
448
449 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
450 break;
451 }
452
453 if (RT_SUCCESS(rc))
454 {
455 /* Check security bits. */
456 if (pszFlags)
457 {
458 if ( fReadOnly
459 && !RTStrStr(pszFlags, "RDONLYGUEST"))
460 {
461 /* If we want a property which is read-only on the guest
462 * and it is *not* marked as such, deny access! */
463 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
464 pszKey);
465 rc = VERR_ACCESS_DENIED;
466 }
467 }
468 else /* No flags, no access! */
469 {
470 pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
471 pszKey, pszFlags);
472 rc = VERR_ACCESS_DENIED;
473 }
474
475 if (RT_SUCCESS(rc))
476 {
477 /* If everything went well copy property value to our destination buffer. */
478 if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
479 {
480 pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
481 pszKey);
482 rc = VERR_INVALID_PARAMETER;
483 }
484
485 if (RT_SUCCESS(rc))
486 pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
487 pszKey, pszValue);
488 }
489 }
490
491 pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
492 pszKey, rc);
493 return rc;
494}
495
496
497/**
498 * Waits for a guest property to be changed.
499 *
500 * @return IPRT status code.
501 * @param hPAM PAM handle.
502 * @param uClientID Guest property service client ID.
503 * @param pszKey Key (name) of guest property to wait for.
504 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
505 * RT_INDEFINITE_WAIT to wait indefinitly.
506 */
507static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
508 const char *pszKey, uint32_t uTimeoutMS)
509{
510 AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
511 AssertReturn(uClientID, VERR_INVALID_PARAMETER);
512 AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
513
514 int rc;
515
516 /* The buffer for storing the data and its initial size. We leave a bit
517 * of space here in case the maximum values are raised. */
518 void *pvBuf = NULL;
519 uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
520
521 for (int i = 0; i < 10; i++)
522 {
523 void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
524 if (pvTmpBuf)
525 {
526 char *pszName = NULL;
527 char *pszValue = NULL;
528 uint64_t u64TimestampOut = 0;
529 char *pszFlags = NULL;
530
531 pvBuf = pvTmpBuf;
532 rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
533 0 /* Last timestamp; just wait for next event */, uTimeoutMS,
534 &pszName, &pszValue, &u64TimestampOut,
535 &pszFlags, &cbBuf);
536 }
537 else
538 rc = VERR_NO_MEMORY;
539
540 if (rc == VERR_BUFFER_OVERFLOW)
541 {
542 /* Buffer too small, try it with a bigger one next time. */
543 cbBuf += _1K;
544 continue; /* Try next round. */
545 }
546
547 /* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
548 break;
549 }
550
551 return rc;
552}
553#endif
554
555/**
556 * Thread function waiting for credentials to arrive.
557 *
558 * @return IPRT status code.
559 * @param hThreadSelf Thread handle.
560 * @param pvUser Pointer to a PAMVBOXTHREAD structure providing
561 * required data used / set by the thread.
562 */
563static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD hThreadSelf, void *pvUser)
564{
565 RT_NOREF1(hThreadSelf);
566 PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
567 AssertPtr(pUserData);
568
569 int rc = VINF_SUCCESS;
570 /* Get current time stamp to later calculate rest of timeout left. */
571 uint64_t u64StartMS = RTTimeMilliTS();
572
573#ifdef VBOX_WITH_GUEST_PROPS
574 uint32_t uClientID = 0;
575 rc = VbglR3GuestPropConnect(&uClientID);
576 if (RT_FAILURE(rc))
577 {
578 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
579 }
580 else
581 {
582 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
583#endif
584 for (;;)
585 {
586#ifdef VBOX_WITH_GUEST_PROPS
587 if (uClientID)
588 {
589 rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
590 "/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
591 500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
592 switch (rc)
593 {
594 case VINF_SUCCESS:
595 /* Somebody (guest/host) wants to abort waiting for credentials. */
596 break;
597
598 case VERR_INTERRUPTED:
599 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
600 break;
601
602 case VERR_TIMEOUT:
603 /* We did not receive an abort message within time. */
604 break;
605
606 case VERR_TOO_MUCH_DATA:
607 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
608 break;
609
610 default:
611 pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
612 break;
613 }
614
615 if (RT_SUCCESS(rc)) /* Abort waiting. */
616 {
617 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
618 rc = VERR_CANCELLED;
619 break;
620 }
621 }
622#endif
623 if ( RT_SUCCESS(rc)
624 || rc == VERR_TIMEOUT)
625 {
626 rc = pam_vbox_check_creds(pUserData->hPAM);
627 if (RT_SUCCESS(rc))
628 {
629 /* Credentials retrieved. */
630 break; /* Thread no longer is required, bail out. */
631 }
632 else if (rc == VERR_NOT_FOUND)
633 {
634 /* No credentials found, but try next round (if there's
635 * time left for) ... */
636#ifndef VBOX_WITH_GUEST_PROPS
637 RTThreadSleep(500); /* Wait 500 ms. */
638#endif
639 }
640 else
641 break; /* Something bad happend ... */
642 }
643 else
644 break;
645
646 /* Calculate timeout value left after process has been started. */
647 uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
648 /* Is it time to bail out? */
649 if (pUserData->uTimeoutMS < u64Elapsed)
650 {
651 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
652 pUserData->uTimeoutMS);
653 rc = VERR_TIMEOUT;
654 break;
655 }
656 }
657#ifdef VBOX_WITH_GUEST_PROPS
658 }
659 VbglR3GuestPropDisconnect(uClientID);
660#endif
661
662 /* Save result. */
663 pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
664
665 int rc2 = RTThreadUserSignal(RTThreadSelf());
666 AssertRC(rc2);
667
668 pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
669 return rc;
670}
671
672
673/**
674 * Waits for credentials to arrive by creating and waiting for a thread.
675 *
676 * @return IPRT status code.
677 * @param hPAM PAM handle.
678 * @param uClientID Guest property service client ID.
679 * @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
680 * RT_INDEFINITE_WAIT to wait indefinitly.
681 */
682static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
683{
684 RT_NOREF1(uClientID);
685 PAMVBOXTHREAD threadData;
686 threadData.hPAM = hPAM;
687 threadData.uTimeoutMS = uTimeoutMS;
688
689 RTTHREAD threadWait;
690 int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
691 (void *)&threadData, 0,
692 RTTHREADTYPE_DEFAULT, 0 /* Flags */, "pam_vbox");
693 if (RT_SUCCESS(rc))
694 {
695 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
696 /* Wait for thread to initialize. */
697 /** @todo We can do something else here in the meantime later. */
698 rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
699 if (RT_SUCCESS(rc))
700 rc = threadData.rc; /* Get back thread result to take further actions. */
701 }
702 else
703 pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
704
705 pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
706 return rc;
707}
708
709
710DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
711{
712 RT_NOREF1(iFlags);
713
714 /* Parse arguments. */
715 for (int i = 0; i < argc; i++)
716 {
717 if (!RTStrICmp(argv[i], "debug"))
718 g_verbosity = 1;
719 else
720 pam_vbox_error(hPAM, "pam_vbox_authenticate: unknown command line argument \"%s\"\n", argv[i]);
721 }
722 pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
723
724 int rc = pam_vbox_init(hPAM);
725 if (RT_FAILURE(rc))
726 return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
727
728 bool fFallback = true;
729
730#ifdef VBOX_WITH_GUEST_PROPS
731 uint32_t uClientId;
732 rc = VbglR3GuestPropConnect(&uClientId);
733 if (RT_SUCCESS(rc))
734 {
735 char szVal[256];
736 rc = pam_vbox_read_prop(hPAM, uClientId,
737 "/VirtualBox/GuestAdd/PAM/CredsWait",
738 true /* Read-only on guest */,
739 szVal, sizeof(szVal));
740 if (RT_SUCCESS(rc))
741 {
742 /* All calls which are checked against rc2 are not critical, e.g. it does
743 * not matter if they succeed or not. */
744 uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
745 int rc2 = pam_vbox_read_prop(hPAM, uClientId,
746 "/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
747 true /* Read-only on guest */,
748 szVal, sizeof(szVal));
749 if (RT_SUCCESS(rc2))
750 {
751 uTimeoutMS = RTStrToUInt32(szVal);
752 if (!uTimeoutMS)
753 {
754 pam_vbox_error(hPAM, "pam_vbox_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
755 uTimeoutMS = RT_INDEFINITE_WAIT;
756 }
757 else
758 uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
759 }
760
761 rc2 = pam_vbox_read_prop(hPAM, uClientId,
762 "/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
763 true /* Read-only on guest */,
764 szVal, sizeof(szVal));
765 const char *pszWaitMsg = NULL;
766 if (RT_SUCCESS(rc2))
767 pszWaitMsg = szVal;
768
769 rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
770 pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
771 if (RT_FAILURE(rc2)) /* Not critical. */
772 pam_vbox_error(hPAM, "pam_vbox_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
773
774 if (RT_SUCCESS(rc))
775 {
776 /* Before we actuall wait for credentials just make sure we didn't already get credentials
777 * set so that we can skip waiting for them ... */
778 rc = pam_vbox_check_creds(hPAM);
779 if (rc == VERR_NOT_FOUND)
780 {
781 rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
782 if (rc == VERR_TIMEOUT)
783 {
784 pam_vbox_log(hPAM, "pam_vbox_authenticate: no credentials given within time\n");
785
786 rc2 = pam_vbox_read_prop(hPAM, uClientId,
787 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
788 true /* Read-only on guest */,
789 szVal, sizeof(szVal));
790 if (RT_SUCCESS(rc2))
791 {
792 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
793 AssertRC(rc2);
794 }
795 }
796 else if (rc == VERR_CANCELLED)
797 {
798 pam_vbox_log(hPAM, "pam_vbox_authenticate: waiting aborted\n");
799
800 rc2 = pam_vbox_read_prop(hPAM, uClientId,
801 "/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
802 true /* Read-only on guest */,
803 szVal, sizeof(szVal));
804 if (RT_SUCCESS(rc2))
805 {
806 rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
807 AssertRC(rc2);
808 }
809 }
810 }
811
812 /* If we got here we don't need the fallback, so just deactivate it. */
813 fFallback = false;
814 }
815 }
816
817 VbglR3GuestPropDisconnect(uClientId);
818 }
819#endif /* VBOX_WITH_GUEST_PROPS */
820
821 if (fFallback)
822 {
823 pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
824
825 /* If anything went wrong in the code above we just do a credentials
826 * check like it was before: Try retrieving the stuff and authenticating. */
827 int rc2 = pam_vbox_check_creds(hPAM);
828 if (RT_SUCCESS(rc))
829 rc = rc2;
830 }
831
832 pam_vbox_shutdown(hPAM);
833
834 pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
835
836 /* Never report an error here because if no credentials from the host are available or something
837 * went wrong we then let do the authentication by the next module in the stack. */
838
839 /* We report success here because this is all we can do right now -- we passed the credentials
840 * to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
841 * password verification to "really" authenticate the user. */
842 return PAM_SUCCESS;
843}
844
845
846DECLEXPORT(int) pam_sm_setcred(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
847{
848 pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
849 for (int i = 0; i < argc; i++)
850 pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
851 return PAM_SUCCESS;
852}
853
854
855DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
856{
857 RT_NOREF3(iFlags, argc, argv);
858 pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
859 return PAM_SUCCESS;
860}
861
862
863DECLEXPORT(int) pam_sm_open_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
864{
865 RT_NOREF3(iFlags, argc, argv);
866 pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
867 RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
868 return PAM_SUCCESS;
869}
870
871
872DECLEXPORT(int) pam_sm_close_session(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
873{
874 RT_NOREF3(iFlags, argc, argv);
875 pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
876 return PAM_SUCCESS;
877}
878
879
880DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t *hPAM, int iFlags, int argc, const char **argv)
881{
882 RT_NOREF3(iFlags, argc, argv);
883 pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
884 return PAM_SUCCESS;
885}
886
887
888#ifdef DEBUG
889DECLEXPORT(void) RTAssertMsg1Weak(const char *pszExpr, unsigned uLine, const char *pszFile, const char *pszFunction)
890{
891 pam_vbox_log(g_pam_handle,
892 "\n!!Assertion Failed!!\n"
893 "Expression: %s\n"
894 "Location : %s(%d) %s\n",
895 pszExpr, pszFile, uLine, pszFunction);
896 RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
897}
898#endif
899
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette