Merge branch 'master' of github.com:jeroennijhof/pam_tacplus into v1.5.x

INSTALL

@@ -93,6 +93,10 @@ of `autoconf'.
      targets like `make install' and `make uninstall' work correctly.
      This target is generally not run by end users.
 
+  9. If you're running SElinux in Enforcing mode, you need to set
+     your policy controls appropriately.  For Fedora/RHEL/CentOS, this
+     is done with "setsebool -P nis_enabled 1" (as root).
+
 Compilers and Options
 =====================
 

configure.ac

@@ -36,8 +36,13 @@ dnl Checks for libraries.
 AC_CHECK_LIB(pam, pam_start)
 AC_CHECK_LIB(tac, tac_connect)
 AC_CHECK_LIB(crypto, MD5_Init)
-AC_CHECK_LIB(crypto, RAND_pseudo_bytes)
-AC_CHECK_LIB(util, logwtmp)
+AC_CHECK_LIB(crypto, RAND_pseudo_bytes,
+            [AC_DEFINE([HAVE_RAND_PSEUDO_BYTES], [1], [Define to 1 if you have the `RAND_pseudo_bytes' function.])])
+AC_CHECK_LIB(crypto, RAND_bytes,
+             [AC_DEFINE([HAVE_RAND_BYTES], [1], [Define to 1 if you have the `RAND_bytes' function.])])
+AC_CHECK_LIB(c, pututxline,
+	     [AC_DEFINE([HAVE_PUTUTXLINE], [1], [Define to 1 if you have the `pututxline' function.])],
+	     [AC_CHECK_LIB(util, logwtmp)])
 
 case "$host" in
 	sparc-* | sparc64-*)
@@ -47,11 +52,11 @@ esac
 dnl --------------------------------------------------------------------
 dnl Checks for header files.
 AC_HEADER_STDC
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h ])
-AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h linux/random.h sys/random.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h])
+AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h sys/random.h])
 AC_CHECK_HEADER(security/pam_appl.h, [], [AC_MSG_ERROR([PAM libraries missing. Install with "yum install pam-devel" or "apt-get install libpam-dev".])] )
 AM_CONDITIONAL(MY_MD5, [test "$ac_cv_header_openssl_md5_h" = "no" ])
-AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"])
+AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_bytes" = "yes" || test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"])
 
 dnl --------------------------------------------------------------------
 dnl Checks for typedefs, structures, and compiler characteristics.

libtac/include/libtac.h

@@ -44,6 +44,18 @@ extern "C" {
 #endif
 #include "tacplus.h"
 
+#if defined(__clang__)
+#define __CLANG_PREREQ(maj, min) ((__clang_major__ > (maj)) || (__clang_major__ == (maj) && __clang_minor__ >= (min)))
+#else
+#define __CLANG_PREREQ(maj, min) (0)
+#endif
+
+#if __GNUC_PREREQ(3, 2) || __CLANG_PREREQ(4, 0)
+#define __Unused __attribute__ ((unused))
+#else
+#define __Unused /* unused */
+#endif
+
 #if defined(DEBUGTAC) && !defined(TACDEBUG)
 # ifdef __GNUC__
 #define TACDEBUG(level, fmt, ...) syslog(level, fmt, ## __VA_ARGS__)

libtac/lib/author_r.c

@@ -187,6 +187,7 @@ int tac_author_read(int fd, struct areply *re) {
 	/* XXX support optional vs mandatory arguments */
 	case TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
 		tac_free_attrib(&re->attr);
+		/*FALLTHRU*/
 
 	case TAC_PLUS_AUTHOR_STATUS_PASS_ADD: {
 		u_char *argp;

libtac/lib/magic.c

@@ -63,17 +63,21 @@ magic()
 {
     u_int32_t num;
 
+#ifdef HAVE_RAND_BYTES
+    RAND_bytes((unsigned char *)&num, sizeof(num));
+#else
     RAND_pseudo_bytes((unsigned char *)&num, sizeof(num));
+#endif
 
     return num;
 }
 
 #elif defined(HAVE_GETRANDOM)
 
-# if defined(HAVE_LINUX_RANDOM_H)
-#  include <linux/random.h>
-# elif defined(HAVE_SYS_RANDOM_H)
+# if defined(HAVE_SYS_RANDOM_H)
 #  include <sys/random.h>
+# else
+#  error no header containing getrandom(2) declaration
 # endif
 
 /*

pam_tacplus.c

@@ -654,33 +654,29 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
 
 	attr = arep.attr;
 	while (attr != NULL) {
-		char attribute[attr->attr_len];
-		char value[attr->attr_len];
-		char *sep;
-
-		sep = index(attr->attr, '=');
-		if (sep == NULL)
-			sep = index(attr->attr, '*');
-		if (sep != NULL) {
-			bcopy(attr->attr, attribute, attr->attr_len - strlen(sep));
-			attribute[attr->attr_len - strlen(sep)] = '\0';
-			bcopy(sep, value, strlen(sep));
-			value[strlen(sep)] = '\0';
+		size_t len = strcspn(attr->attr, "=*");
+		if (len < attr->attr_len) {
+			char avpair[attr->attr_len+1];
+			bcopy(attr->attr, avpair, attr->attr_len+1); /* Also copy terminating NUL */
 
+			if (ctrl & PAM_TAC_DEBUG)
+				syslog(LOG_DEBUG, "%s: returned attribute `%s' from server",
+						__FUNCTION__, avpair);
+
+			avpair[len] = '='; // replace '*' by '='
 			size_t i;
-			for (i = 0; attribute[i] != '\0'; i++) {
-				attribute[i] = toupper(attribute[i]);
-				if (attribute[i] == '-')
-					attribute[i] = '_';
+			for (i = 0; i < len; i++) {
+				avpair[i] = toupper(avpair[i]);
+				if (avpair[i] == '-')
+					avpair[i] = '_';
 			}
 
 			if (ctrl & PAM_TAC_DEBUG)
-				syslog(LOG_DEBUG, "%s: returned attribute `%s%s' from server",
-						__FUNCTION__, attribute, value);
+				syslog(LOG_DEBUG, "%s: setting PAM environment `%s'",
+						__FUNCTION__, avpair);
 
 			/* make returned attributes available for other PAM modules via PAM environment */
-			if (pam_putenv(pamh,
-					strncat(attribute, value, strlen(value))) != PAM_SUCCESS)
+			if (pam_putenv(pamh, avpair) != PAM_SUCCESS)
 				syslog(LOG_WARNING, "%s: unable to set PAM environment",
 						__FUNCTION__);
 
@@ -715,7 +711,11 @@ PAM_EXTERN
 int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
 		const char **argv) {
 #if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
+# if defined(HAVE_RAND_BYTES)
+	RAND_bytes((unsigned char *) &task_id, sizeof(task_id));
+# else
 	RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id));
+# endif
 #else
 	task_id=(short int) magic();
 #endif

support.c

@@ -109,14 +109,12 @@ int converse(pam_handle_t * pamh, int nargs, const struct pam_message *message,
 }
 
 /* stolen from pam_stress */
-int tacacs_get_password (pam_handle_t * pamh, int flags,
+int tacacs_get_password (pam_handle_t * pamh, int flags __Unused,
     int ctrl, char **password) {
 
     const void *pam_pass;
     char *pass = NULL;
 
-    flags = flags;				/* unused */
-
     if (ctrl & PAM_TAC_DEBUG)
         syslog (LOG_DEBUG, "%s: called", __FUNCTION__);
 

tacc.c

@@ -19,7 +19,6 @@
 #include <string.h>
 #include <syslog.h>
 #include <errno.h>
-#include <utmp.h>
 #include <sys/file.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -34,6 +33,12 @@
 #include "config.h"
 #endif
 
+#if defined(HAVE_PUTUTXLINE)
+#include <utmpx.h>
+#elif defined(HAVE_LOGWTMP)
+#include <utmp.h>
+#endif
+
 #include "tacplus.h"
 #include "libtac.h"
 
@@ -58,7 +63,6 @@
 
 /* prototypes */
 void sighandler(int sig);
-void showusage(char *argv0);
 unsigned long getservername(char *serv);
 void showusage(char *progname);
 void showversion(char *progname);
@@ -79,6 +83,13 @@ typedef unsigned char flag;
 flag quiet = 0;
 char *user = NULL; /* global, because of signal handler */
 
+#if defined(HAVE_PUTUTXLINE)
+struct utmpx utmpx;
+#endif
+
+/* take the length of a string constant without the NUL */
+#define C_STRLEN(str)	(sizeof("" str) - 1)
+
 /* command line options */
 static struct option long_options[] =
 		{
@@ -163,8 +174,12 @@ int main(int argc, char **argv) {
 				break;
 			case 'V':
 				showversion(argv[0]);
+				/*NOTREACHED*/
+				break;
 			case 'h':
 				showusage(argv[0]);
+				/*NOTREACHED*/
+				break;
 			case 'u':
 				user = optarg;
 				break;
@@ -173,8 +188,7 @@ int main(int argc, char **argv) {
 				break;
 			case 'L':
 				// tac_login is a global variable initialized in libtac
-				bzero(tac_login, sizeof(tac_login));
-				strncpy(tac_login, optarg, sizeof(tac_login) - 1);
+				xstrcpy(tac_login, optarg, sizeof(tac_login));
 				break;
 			case 'p':
 				pass = optarg;
@@ -316,7 +330,11 @@ int main(int argc, char **argv) {
 		struct tac_attrib *attr = NULL;
 		sprintf(buf, "%lu", time(0));
 		tac_add_attrib(&attr, "start_time", buf);
+#ifdef HAVE_RAND_BYTES
+		RAND_bytes((unsigned char *) &task_id, sizeof(task_id));
+#else
 		RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id));
+#endif
 		sprintf(buf, "%hu", task_id);
 		tac_add_attrib(&attr, "task_id", buf);
 		tac_add_attrib(&attr, "service", service);
@@ -347,10 +365,28 @@ int main(int argc, char **argv) {
 	}
 
 	/* log in local utmp */
-#ifdef HAVE_LOGWTMP
-	if (log_wtmp)
+	if (log_wtmp) {
+#if defined(HAVE_PUTUTXLINE)
+		struct timeval tv;
+
+		gettimeofday(&tv, NULL);
+
+		memset(&utmpx, 0, sizeof(utmpx));
+		utmpx.ut_type = USER_PROCESS;
+		utmpx.ut_pid = getpid();
+		xstrcpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
+		strncpy(utmpx.ut_id, tty + C_STRLEN("tty"), sizeof(utmpx.ut_id));
+		xstrcpy(utmpx.ut_host, "dialup", sizeof(utmpx.ut_host));
+		utmpx.ut_tv.tv_sec = tv.tv_sec;
+		utmpx.ut_tv.tv_usec = tv.tv_usec;
+		xstrcpy(utmpx.ut_user, user, sizeof(utmpx.ut_user));
+		/* ut_addr unused ... */
+		setutxent();
+		pututxline(&utmpx);
+#elif defined(HAVE_LOGWTMP)
 		logwtmp(tty, user, "dialup");
 #endif
+	}
 
 	if (command != NULL) {
 		int ret;
@@ -429,17 +465,24 @@ int main(int argc, char **argv) {
 	}
 
 	/* logout from utmp */
-#ifdef HAVE_LOGWTMP
-	if (log_wtmp)
+	if (log_wtmp) {
+#if defined(HAVE_PUTUTXLINE)
+		utmpx.ut_type = DEAD_PROCESS;
+		memset(utmpx.ut_line, 0, sizeof(utmpx.ut_line));
+		memset(utmpx.ut_user, 0, sizeof(utmpx.ut_user));
+		memset(utmpx.ut_host, 0, sizeof(utmpx.ut_host));
+		utmpx.ut_tv.tv_sec = utmpx.ut_tv.tv_usec = 0;
+		setutxent();
+		pututxline(&utmpx);
+#elif defined(HAVE_LOGWTMP)
 		logwtmp(tty, "", "");
 #endif
+	}
 
 	exit(EXIT_OK);
 }
 
-void sighandler(int sig) {
-	sig = sig;				/* unused */
-
+void sighandler(int sig __Unused) {
 	TACDEBUG(LOG_DEBUG, "caught signal %d", sig);
 }
 
@@ -565,19 +608,15 @@ unsigned long getservername(char *serv) {
 	return (-1);
 }
 
-void timeout_handler(int signum) {
-	signum = signum;			/* unused */
-
+void timeout_handler(int signum __Unused) {
 	syslog(LOG_ERR, "timeout reading password from user %s", user);
 }
 
 #ifdef TACDEBUG_AT_RUNTIME
-void logmsg(int level, const char *fmt, ...)
+void logmsg(int level __Unused, const char *fmt, ...)
 {
 	va_list ap;
 
-	level = level;				/* unused */
-
 	va_start(ap, fmt);
 	vfprintf(stderr, fmt, ap);
 	va_end(ap);