mirror of
https://github.com/MariaDB/server.git
synced 2025-01-30 18:41:56 +01:00
277 lines
6.5 KiB
C
277 lines
6.5 KiB
C
/*
|
|
Pam module to change user names arbitrarily in the pam stack.
|
|
|
|
Compile as
|
|
|
|
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
|
|
|
|
Install as appropriate (for example, in /lib/security/).
|
|
Add to your /etc/pam.d/mysql (preferably, at the end) this line:
|
|
=========================================================
|
|
auth required pam_user_map.so
|
|
=========================================================
|
|
|
|
And create /etc/security/user_map.conf with the desired mapping
|
|
in the format: orig_user_name: mapped_user_name
|
|
@user's_group_name: mapped_user_name
|
|
=========================================================
|
|
#comments and empty lines are ignored
|
|
john: jack
|
|
bob: admin
|
|
top: accounting
|
|
@group_ro: readonly
|
|
=========================================================
|
|
|
|
If something doesn't work as expected you can get verbose
|
|
comments with the 'debug' option like this
|
|
=========================================================
|
|
auth required pam_user_map.so debug
|
|
=========================================================
|
|
These comments are written to the syslog as 'authpriv.debug'
|
|
and usually end up in /var/log/secure file.
|
|
*/
|
|
|
|
#include <config_auth_pam.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <ctype.h>
|
|
#include <string.h>
|
|
#include <syslog.h>
|
|
#include <grp.h>
|
|
#include <pwd.h>
|
|
|
|
#ifdef HAVE_PAM_EXT_H
|
|
#include <security/pam_ext.h>
|
|
#endif
|
|
|
|
#ifdef HAVE_PAM_APPL_H
|
|
#include <unistd.h>
|
|
#include <security/pam_appl.h>
|
|
#endif
|
|
|
|
#include <security/pam_modules.h>
|
|
|
|
#ifndef HAVE_PAM_SYSLOG
|
|
#include <stdarg.h>
|
|
static void
|
|
pam_syslog (const pam_handle_t *pamh, int priority,
|
|
const char *fmt, ...)
|
|
{
|
|
va_list args;
|
|
va_start (args, fmt);
|
|
vsyslog (priority, fmt, args);
|
|
va_end (args);
|
|
}
|
|
#endif
|
|
|
|
#define FILENAME "/etc/security/user_map.conf"
|
|
#define skip(what) while (*s && (what)) s++
|
|
#define SYSLOG_DEBUG if (mode_debug) pam_syslog
|
|
|
|
#define GROUP_BUFFER_SIZE 100
|
|
static const char debug_keyword[]= "debug";
|
|
|
|
#ifdef HAVE_POSIX_GETGROUPLIST
|
|
typedef gid_t my_gid_t;
|
|
#else
|
|
typedef int my_gid_t;
|
|
#endif
|
|
|
|
static int populate_user_groups(const char *user, my_gid_t **groups)
|
|
{
|
|
my_gid_t user_group_id;
|
|
my_gid_t *loc_groups= *groups;
|
|
int ng;
|
|
|
|
{
|
|
struct passwd *pw= getpwnam(user);
|
|
if (!pw)
|
|
return 0;
|
|
user_group_id= pw->pw_gid;
|
|
}
|
|
|
|
ng= GROUP_BUFFER_SIZE;
|
|
if (getgrouplist(user, user_group_id, loc_groups, &ng) < 0)
|
|
{
|
|
/* The rare case when the user is present in more than */
|
|
/* GROUP_BUFFER_SIZE groups. */
|
|
loc_groups= (my_gid_t *) malloc(ng * sizeof (my_gid_t));
|
|
|
|
if (!loc_groups)
|
|
return 0;
|
|
|
|
(void) getgrouplist(user, user_group_id, loc_groups, &ng);
|
|
*groups= (my_gid_t*)loc_groups;
|
|
}
|
|
|
|
return ng;
|
|
}
|
|
|
|
|
|
static int user_in_group(const my_gid_t *user_groups, int ng,const char *group)
|
|
{
|
|
my_gid_t group_id;
|
|
const my_gid_t *groups_end = user_groups + ng;
|
|
|
|
{
|
|
struct group *g= getgrnam(group);
|
|
if (!g)
|
|
return 0;
|
|
group_id= g->gr_gid;
|
|
}
|
|
|
|
for (; user_groups < groups_end; user_groups++)
|
|
{
|
|
if (*user_groups == group_id)
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void print_groups(pam_handle_t *pamh, const my_gid_t *user_groups, int ng)
|
|
{
|
|
char buf[256];
|
|
char *c_buf= buf, *buf_end= buf+sizeof(buf)-2;
|
|
struct group *gr;
|
|
int cg;
|
|
|
|
for (cg=0; cg < ng; cg++)
|
|
{
|
|
char *c;
|
|
if (c_buf == buf_end)
|
|
break;
|
|
*(c_buf++)= ',';
|
|
if (!(gr= getgrgid(user_groups[cg])) ||
|
|
!(c= gr->gr_name))
|
|
continue;
|
|
while (*c)
|
|
{
|
|
if (c_buf == buf_end)
|
|
break;
|
|
*(c_buf++)= *(c++);
|
|
}
|
|
}
|
|
c_buf[0]= c_buf[1]= 0;
|
|
pam_syslog(pamh, LOG_DEBUG, "User belongs to %d %s [%s].\n",
|
|
ng, (ng == 1) ? "group" : "groups", buf+1);
|
|
}
|
|
|
|
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|
int argc, const char *argv[])
|
|
{
|
|
int mode_debug= 0;
|
|
int pam_err, line= 0;
|
|
const char *username;
|
|
char buf[256];
|
|
FILE *f;
|
|
my_gid_t group_buffer[GROUP_BUFFER_SIZE];
|
|
my_gid_t *groups= group_buffer;
|
|
int n_groups= -1;
|
|
|
|
for (; argc > 0; argc--)
|
|
{
|
|
if (strcasecmp(argv[argc-1], debug_keyword) == 0)
|
|
mode_debug= 1;
|
|
}
|
|
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG, "Opening file '%s'.\n", FILENAME);
|
|
|
|
f= fopen(FILENAME, "r");
|
|
if (f == NULL)
|
|
{
|
|
pam_syslog(pamh, LOG_ERR, "Cannot open '%s'\n", FILENAME);
|
|
return PAM_SYSTEM_ERR;
|
|
}
|
|
|
|
pam_err = pam_get_item(pamh, PAM_USER, (const void**)&username);
|
|
if (pam_err != PAM_SUCCESS)
|
|
{
|
|
pam_syslog(pamh, LOG_ERR, "Cannot get username.\n");
|
|
goto ret;
|
|
}
|
|
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG, "Incoming username '%s'.\n", username);
|
|
|
|
while (fgets(buf, sizeof(buf), f) != NULL)
|
|
{
|
|
char *s= buf, *from, *to, *end_from, *end_to;
|
|
int check_group;
|
|
int cmp_result;
|
|
|
|
line++;
|
|
|
|
skip(isspace(*s));
|
|
if (*s == '#' || *s == 0) continue;
|
|
if ((check_group= *s == '@'))
|
|
{
|
|
if (n_groups < 0)
|
|
{
|
|
n_groups= populate_user_groups(username, &groups);
|
|
if (mode_debug)
|
|
print_groups(pamh, groups, n_groups);
|
|
}
|
|
s++;
|
|
}
|
|
from= s;
|
|
skip(isalnum(*s) || (*s == '_') || (*s == '.') || (*s == '-') ||
|
|
(*s == '$') || (*s == '\\') || (*s == '/') || (*s == '@'));
|
|
end_from= s;
|
|
skip(isspace(*s));
|
|
if (end_from == from || *s++ != ':') goto syntax_error;
|
|
skip(isspace(*s));
|
|
to= s;
|
|
skip(isalnum(*s) || (*s == '_') || (*s == '.') || (*s == '-') ||
|
|
(*s == '$'));
|
|
end_to= s;
|
|
if (end_to == to) goto syntax_error;
|
|
|
|
*end_from= *end_to= 0;
|
|
|
|
if (check_group)
|
|
{
|
|
cmp_result= user_in_group(groups, n_groups, from);
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG, "Check if user is in group '%s': %s\n",
|
|
from, cmp_result ? "YES":"NO");
|
|
}
|
|
else
|
|
{
|
|
cmp_result= (strcmp(username, from) == 0);
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG, "Check if username '%s': %s\n",
|
|
from, cmp_result ? "YES":"NO");
|
|
}
|
|
if (cmp_result)
|
|
{
|
|
pam_err= pam_set_item(pamh, PAM_USER, to);
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG,
|
|
(pam_err == PAM_SUCCESS) ? "User mapped as '%s'\n" :
|
|
"Couldn't map as '%s'\n", to);
|
|
goto ret;
|
|
}
|
|
}
|
|
|
|
SYSLOG_DEBUG(pamh, LOG_DEBUG, "User not found in the list.\n");
|
|
pam_err= PAM_AUTH_ERR;
|
|
goto ret;
|
|
|
|
syntax_error:
|
|
pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
|
|
pam_err= PAM_SYSTEM_ERR;
|
|
ret:
|
|
if (groups != group_buffer)
|
|
free(groups);
|
|
|
|
fclose(f);
|
|
|
|
return pam_err;
|
|
}
|
|
|
|
|
|
int pam_sm_setcred(pam_handle_t *pamh, int flags,
|
|
int argc, const char *argv[])
|
|
{
|
|
|
|
return PAM_SUCCESS;
|
|
}
|
|
|