pam: applied patches von torstenu

bareos · Sep 20, 2018 · c2ce820 · c2ce820
1 parent c57e850
commit c2ce820
Show file tree

Hide file tree

Showing 7 changed files with 135 additions and 18 deletions.
diff --git a/core/cmake/BareosFindAllLibraries.cmake b/core/cmake/BareosFindAllLibraries.cmake
@@ -58,6 +58,8 @@ BareosFindLibraryAndHeaders("cap" "sys/capability.h")
 BareosFindLibraryAndHeaders("gfapi" "glusterfs/api/glfs.h")
 BareosFindLibraryAndHeaders("droplet" "droplet.h")
 
+BareosFindLibraryAndHeaders("pam" "security/pam_appl.h")
+
 BareosFindLibraryAndHeaders("lzo2" "lzo/lzoconf.h")
 if (${LZO2_FOUND})
    SET(HAVE_LZO 1)

diff --git a/core/src/dird/CMakeLists.txt b/core/src/dird/CMakeLists.txt
@@ -71,7 +71,7 @@ set(BAREOS_DIR_LIBRARIES
    bareosfind
    ${LMDB_LIBS}
    ${NDMP_LIBS}
-   )
+)
 
 IF(HAVE_WIN32)
    LIST(APPEND BAREOS_DIR_LIBRARIES
@@ -101,7 +101,6 @@ target_link_libraries(bareos-dbcheck
 #                      jansson ${OPENSSL_LIBS} acl cap lzo2
 #)
 
-
 INSTALL(TARGETS bareos-dir bareos-dbcheck DESTINATION "${sbindir}")
 INSTALL(FILES query.sql DESTINATION "${scriptdir}")
 

diff --git a/core/src/dird/ua_server.cc b/core/src/dird/ua_server.cc
@@ -39,6 +39,7 @@
 #include "dird/ua_output.h"
 #include "dird/ua_server.h"
 #include "lib/bnet.h"
+#include "lib/pam_handler.h"
 
 namespace directordaemon {
 
@@ -92,6 +93,11 @@ void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket)
       goto getout;
    }
 
+   if (!pam_authenticate_useragent("user", "passwocht")) {
+      goto getout;
+   }
+
+
    while (!ua->quit) {
       if (ua->api) {
          user_agent_socket->signal(BNET_MAIN_PROMPT);

diff --git a/core/src/include/baconfig.h b/core/src/include/baconfig.h
@@ -576,6 +576,8 @@ int msg_(const char *file, int line, POOLMEM *&pool_buf, const char *fmt, ...);
 #define bstrdup(str) strcpy((char *)bmalloc(strlen((str))+1),(str))
 #endif
 
+#define actuallystrdup(str) strcpy((char *)actuallymalloc(strlen((str))+1), (str))
+
 #ifdef DEBUG
 #define bmalloc(size) b_malloc(__FILE__, __LINE__, (size))
 #endif

diff --git a/core/src/lib/CMakeLists.txt b/core/src/lib/CMakeLists.txt
@@ -18,18 +18,18 @@
 #   02110-1301, USA.
 
 set(INCLUDE_FILES ../include/baconfig.h ../include/bareos.h
-   ../include/bc_types.h ../include/config.h
-   ../include/jcr.h ../include/version.h
-   address_conf.h alist.h attr.h base64.h berrno.h
-   bits.h bpipe.h breg.h bregex.h bsock.h
-   bsock_tcp.h btime.h btimers.h cbuf.h
-   crypto.h crypto_cache.h devlock.h dlist.h fnmatch.h
-   guid_to_name.h htable.h ini.h lex.h lib.h lockmgr.h
-   md5.h mem_pool.h message.h mntent_cache.h ordered_cbuf.h parse_conf.h
-   plugins.h qualified_resource_name_type_converter.h queue.h rblist.h
-   runscript.h rwlock.h scsi_crypto.h scsi_lli.h scsi_tapealert.h sellist.h
-   serial.h sha1.h smartall.h status.h tls.h tls_conf.h tree.h var.h
-   watchdog.h workq.h)
+		../include/bc_types.h ../include/config.h
+		../include/jcr.h ../include/version.h
+		address_conf.h alist.h attr.h base64.h berrno.h
+		bits.h bpipe.h breg.h bregex.h bsock.h
+      bsock_tcp.h btime.h btimers.h cbuf.h
+		crypto.h crypto_cache.h devlock.h dlist.h fnmatch.h
+		guid_to_name.h htable.h ini.h lex.h lib.h lockmgr.h
+		md5.h mem_pool.h message.h mntent_cache.h ordered_cbuf.h parse_conf.h
+      plugins.h qualified_resource_name_type_converter.h queue.h rblist.h
+      runscript.h rwlock.h scsi_crypto.h scsi_lli.h scsi_tapealert.h sellist.h
+		serial.h sha1.h smartall.h status.h tls.h tls_conf.h tree.h var.h
+		watchdog.h workq.h)
 
 INSTALL(FILES ${INCLUDE_FILES} DESTINATION ${includedir})
 
@@ -70,10 +70,6 @@ ELSE()
      scsi_tapealert.cc)
 ENDIF()
 
-set (BAREOSCFG_SRCS ini.cc lex.cc parse_bsr.cc res.cc parse_conf.cc 
-     res.cc qualified_resource_name_type_converter.cc)
-LIST(APPEND BAREOS_SRCS ${BAREOSCFG_SRCS})
-
 add_library(bareos SHARED ${BAREOS_SRCS})
 
 target_link_libraries(bareos

diff --git a/core/src/lib/pam_handler.cc b/core/src/lib/pam_handler.cc
@@ -0,0 +1,104 @@
+//
+// Created by torsten on 17.04.18.
+//
+#include "pam_handler.h"
+
+#include "bareos.h"
+#include <cstring>
+#include <security/pam_appl.h>
+
+static const int debuglevel = 200;
+
+static const std::string service_name("bareos");
+
+class PamData {
+public:
+   std::string password_;
+   std::string username_;
+
+   PamData(std::string username, std::string password) {
+      username_ = username;
+      password_ = password;
+   }
+};
+
+/// PAM-Callback calls Bareos PAM-Handler
+static int conv(int num_msg, const struct pam_message **msgm,
+                struct pam_response **response, void *appdata_ptr) {
+   if (!num_msg || !*msgm || !response) {
+      return PAM_BUF_ERR;
+   }
+
+   if ((num_msg <= 0) || (num_msg > PAM_MAX_NUM_MSG)) {
+      return (PAM_CONV_ERR);
+   }
+
+   struct pam_response *resp;
+   auto pam_data = reinterpret_cast<PamData *>(appdata_ptr);
+
+   if ((resp = static_cast<pam_response *>(actuallycalloc(num_msg, sizeof(struct pam_response)))) == nullptr) {
+      return PAM_BUF_ERR;
+   }
+
+   switch ((*msgm)->msg_style) {
+      case PAM_PROMPT_ECHO_OFF:
+      case PAM_PROMPT_ECHO_ON: {
+         resp->resp = actuallystrdup(pam_data->password_.c_str());
+         break;
+      }
+      case PAM_ERROR_MSG:
+      case PAM_TEXT_INFO:break;
+      default: {
+         const pam_message *m = *msgm;
+         Dmsg3(debuglevel, "message[%d]: pam error type: %d error: \"%s\"\n",
+               1, m->msg_style, m->msg);
+         goto err;
+      }
+   }
+
+   *response = resp;
+   return PAM_SUCCESS;
+
+   err:
+   for (int i = 0; i < num_msg; ++i) {
+      if (resp[i].resp != NULL) {
+         memset(resp[i].resp, 0, strlen(resp[i].resp));
+         free(resp[i].resp);
+      }
+   }
+   memset(resp, 0, num_msg * sizeof *resp);
+   free(resp);
+   *response = NULL;
+   return PAM_CONV_ERR;
+}
+
+bool pam_authenticate_useragent(std::string username, std::string password) {
+   PamData pam_data(username, password);
+   const struct pam_conv pam_conversation = {conv, (void *) &pam_data};
+   pam_handle_t *pamh = nullptr;
+
+   /* START */
+   int err = pam_start(service_name.c_str(), username.c_str(), &pam_conversation, &pamh);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM start failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   err = pam_set_item(pamh, PAM_RUSER, username.c_str());
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM set_item failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   /* AUTHENTICATE */
+   err = pam_authenticate(pamh, 0);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM authentication failed: %s\n", pam_strerror(pamh, err));
+   }
+
+   /* END */
+   if (pam_end(pamh, err) != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM end failed: %s\n", pam_strerror(pamh, err));
+      return false;
+   }
+
+   return err == 0;
+}
diff --git a/core/src/lib/pam_handler.h b/core/src/lib/pam_handler.h
@@ -0,0 +1,8 @@
+#ifndef BAREOS_PAM_H
+#define BAREOS_PAM_H
+
+#include <string>
+
+bool pam_authenticate_useragent(std::string username, std::string password);
+
+#endif //BAREOS_PAM_H