pam: applied patches von torstenu

core/cmake/BareosFindAllLibraries.cmake

@@ -58,6 +58,8 @@ BareosFindLibraryAndHeaders("cap" "sys/capability.h")
 BareosFindLibraryAndHeaders("gfapi" "glusterfs/api/glfs.h")
 BareosFindLibraryAndHeaders("droplet" "droplet.h")
 
+BareosFindLibraryAndHeaders("pam" "security/pam_appl.h")
+
 BareosFindLibraryAndHeaders("lzo2" "lzo/lzoconf.h")
 if (${LZO2_FOUND})
    SET(HAVE_LZO 1)

core/src/dird/CMakeLists.txt

@@ -68,7 +68,7 @@ set(BAREOS_DIR_LIBRARIES
    bareosfind
    ${LMDB_LIBS}
    ${NDMP_LIBS}
-   )
+)
 
 IF(HAVE_WIN32)
    LIST(APPEND BAREOS_DIR_LIBRARIES
@@ -98,7 +98,6 @@ target_link_libraries(bareos-dbcheck
 #                      jansson ${OPENSSL_LIBS} acl cap lzo2
 #)
 
-
 INSTALL(TARGETS bareos-dir bareos-dbcheck DESTINATION "${sbindir}")
 INSTALL(FILES query.sql DESTINATION "${scriptdir}")
 

core/src/dird/ua_server.cc

@@ -38,6 +38,7 @@
 #include "dird/ua_output.h"
 #include "dird/ua_server.h"
 #include "lib/bnet.h"
+#include "lib/pam_handler.h"
 
 /* Imported variables */
 
@@ -93,6 +94,11 @@ void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket)
       goto getout;
    }
 
+   if (!pam_authenticate_useragent("user", "passwocht")) {
+      goto getout;
+   }
+
+
    while (!ua->quit) {
       if (ua->api) {
          user_agent_socket->signal(BNET_MAIN_PROMPT);

core/src/include/baconfig.h

@@ -595,6 +595,8 @@ DLL_IMP_EXP int msg_(const char *file, int line, POOLMEM *&pool_buf, const char
 #define bstrdup(str) strcpy((char *)bmalloc(strlen((str))+1),(str))
 #endif
 
+#define actuallystrdup(str) strcpy((char *)actuallymalloc(strlen((str))+1), (str))
+
 #ifdef DEBUG
 #define bmalloc(size) b_malloc(__FILE__, __LINE__, (size))
 #endif

core/src/lib/CMakeLists.txt

@@ -26,7 +26,8 @@ include_directories(../include ..
    ${LZO2_INCLUDE_DIRS}
    ${CAP_INCLUDE_DIRS}
    ${WRAP_INCLUDE_DIRS}
-   )
+   ${PAM_INCLUDE_DIRS}
+)
 
 set(INCLUDE_FILES ../include/baconfig.h ../include/bareos.h
 		../include/bc_types.h ../include/config.h
@@ -55,7 +56,7 @@ set (BAREOS_SRCS  address_conf.cc alist.cc attr.cc attribs.cc base64.cc
    queue.cc rblist.cc runscript.cc rwlock.cc scan.cc scsi_crypto.cc  scsi_lli.cc
    sellist.cc serial.cc sha1.cc signal.cc  smartall.cc
    tls_gnutls.cc tls_none.cc tls_nss.cc tls_conf.cc tls_openssl.cc tree.cc util.cc var.cc
-   watchdog.cc workq.cc)
+   watchdog.cc workq.cc pam_handler.cc pam_handler.h)
 
 IF(HAVE_WIN32)
    LIST(APPEND BAREOS_SRCS
@@ -74,7 +75,7 @@ add_library(bareos SHARED ${BAREOS_SRCS})
 target_link_libraries(bareos
    ${OPENSSL_LIBRARIES} ${PTHREAD_LIBRARIES} ${FASTLZ_LIBRARIES} ${ZLIB_LIBRARIES}
    ${ACL_LIBRARIES} ${LZO2_LIBRARIES} ${CAP_LIBRARIES} ${WRAP_LIBRARIES} ${CAM_LIBRARIES}
-   ${WINDOWS_LIBRARIES} ${JANSSON_LIBRARIES})
+   ${WINDOWS_LIBRARIES} ${JANSSON_LIBRARIES} ${PAM_LIBRARIES})
 
 set (BAREOSCFG_SRCS ini.cc lex.cc parse_bsr.cc )
 

core/src/lib/pam_handler.cc

@@ -0,0 +1,104 @@
+//
+// Created by torsten on 17.04.18.
+//
+#include "pam_handler.h"
+
+#include "bareos.h"
+#include <cstring>
+#include <security/pam_appl.h>
+
+static const int debuglevel = 200;
+
+static const std::string service_name("bareos");
+
+class PamData {
+public:
+   std::string password_;
+   std::string username_;
+
+   PamData(std::string username, std::string password) {
+      username_ = username;
+      password_ = password;
+   }
+};
+
+/// PAM-Callback calls Bareos PAM-Handler
+static int conv(int num_msg, const struct pam_message **msgm,
+                struct pam_response **response, void *appdata_ptr) {
+   if (!num_msg || !*msgm || !response) {
+      return PAM_BUF_ERR;
+   }
+
+   if ((num_msg <= 0) || (num_msg > PAM_MAX_NUM_MSG)) {
+      return (PAM_CONV_ERR);
+   }
+
+   struct pam_response *resp;
+   auto pam_data = reinterpret_cast<PamData *>(appdata_ptr);
+
+   if ((resp = static_cast<pam_response *>(actuallycalloc(num_msg, sizeof(struct pam_response)))) == nullptr) {
+      return PAM_BUF_ERR;
+   }
+
+   switch ((*msgm)->msg_style) {
+      case PAM_PROMPT_ECHO_OFF:
+      case PAM_PROMPT_ECHO_ON: {
+         resp->resp = actuallystrdup(pam_data->password_.c_str());
+         break;
+      }
+      case PAM_ERROR_MSG:
+      case PAM_TEXT_INFO:break;
+      default: {
+         const pam_message *m = *msgm;
+         Dmsg3(debuglevel, "message[%d]: pam error type: %d error: \"%s\"\n",
+               1, m->msg_style, m->msg);
+         goto err;
+      }
+   }
+
+   *response = resp;
+   return PAM_SUCCESS;
+
+   err:
+   for (int i = 0; i < num_msg; ++i) {
+      if (resp[i].resp != NULL) {
+         memset(resp[i].resp, 0, strlen(resp[i].resp));
+         free(resp[i].resp);
+      }
+   }
+   memset(resp, 0, num_msg * sizeof *resp);
+   free(resp);
+   *response = NULL;
+   return PAM_CONV_ERR;
+}
+
+bool pam_authenticate_useragent(std::string username, std::string password) {
+   PamData pam_data(username, password);
+   const struct pam_conv pam_conversation = {conv, (void *) &pam_data};
+   pam_handle_t *pamh = nullptr;
+
+   /* START */
+   int err = pam_start(service_name.c_str(), username.c_str(), &pam_conversation, &pamh);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM start failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   err = pam_set_item(pamh, PAM_RUSER, username.c_str());
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM set_item failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   /* AUTHENTICATE */
+   err = pam_authenticate(pamh, 0);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM authentication failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   /* END */
+   if (pam_end(pamh, err) != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM end failed: %s\n", pam_strerror(pamh, err));
+      return false;
+   }
+
+   return err == 0;
+}

core/src/lib/pam_handler.h

@@ -0,0 +1,8 @@
+#ifndef BAREOS_PAM_H
+#define BAREOS_PAM_H
+
+#include <string>
+
+bool pam_authenticate_useragent(std::string username, std::string password);
+
+#endif //BAREOS_PAM_H