pam_tcb: Use helper binary for expiration verification of a user acco…

…unt. Perform verification through an external helper binary to possibly gain higher privileges if the verification fails for insufficient credentials in the first time. Signed-off-by: Björn Esser <[email protected]>
openwall · Oct 12, 2021 · 0f39f93 · 0f39f93
1 parent c3b4f1e
commit 0f39f93
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -15,6 +15,13 @@
 	Replace call to unix_run_helper_binary() with run_chkpwd_binary().
 	* progs/tcb_chkpwd.c: Refactor the helper program to also perform
 	verifications for the expiration of user accounts.
+	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Perform expiration
+	verification of a user account through an external helper binary
+	if the verification fails for insufficient credentials.
+	* pam_tcb/pam_unix_acct.c (run_chkpwd_binary): New static function
+	wrapper around unix_run_helper_binary().
+	* pam_tcb/Makefile: Add custom rule with "CHKPWD_HELPER" macro
+	definined to compile pam_unix_acct.o.
 
 2021-09-30  Björn Esser  <besser82 at fedoraproject.org>
 

diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
@@ -23,6 +23,10 @@ $(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
 .c.o:
 	$(CC) $(CFLAGS) -fPIC -c $< -o $@
 
+pam_unix_acct.o: pam_unix_acct.c
+	$(CC) $(CFLAGS) -DCHKPWD_HELPER=\"$(LIBEXECDIR)/chkpwd/tcb_chkpwd\" \
+		-fPIC -c $< -o $@
+
 support.o: support.c
 	$(CC) $(CFLAGS) -DCHKPWD_HELPER=\"$(LIBEXECDIR)/chkpwd/tcb_chkpwd\" \
 		-fPIC -c $< -o $@

diff --git a/pam_tcb/pam_unix_acct.c b/pam_tcb/pam_unix_acct.c
@@ -76,6 +76,35 @@ static int acct_shadow(unused pam_handle_t *pamh, const void *void_user)
 	return ACCT_SUCCESS;
 }
 
+/*
+ * Use an external helper binary to perform account management.
+ */
+static int run_chkpwd_binary(const char *user)
+{
+	char *argv[] = { CHKPWD_HELPER, "chkacct", NULL };
+	char config[8];
+	int retval_helper;
+
+	if (!pam_unix_param.helper)
+		goto end;
+
+	if (on(UNIX_SHADOW)) {
+		memcpy(config, "shadow\0\0", 8);
+	} else {
+		memcpy(config, "passwd\0\0", 8);
+	}
+
+	if (unix_run_helper_binary (user, "NULL", pam_unix_param.helper,
+				    argv, config, (void *)&retval_helper,
+				    sizeof(retval_helper)))
+		goto end;
+
+	return retval_helper;
+
+end:
+	return ACCT_0;
+}
+
 /*
  * The account management entry point.
  */
@@ -112,6 +141,14 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 		retval = acct_shadow(pamh, user);
 	else
 		retval = _unix_fork(pamh, acct_shadow, user);
+	if (retval == ACCT_2) {
+		uid_t uid = getuid();
+		if (uid == geteuid() && (uid == pw->pw_uid || uid == 0)) {
+			/* We are not privileged enough perhaps this is the reason? */
+			D(("running helper binary"));
+			retval = run_chkpwd_binary(user);
+		}
+	}
 	if (retval > 255) {
 		daysleft = retval / 256;
 		retval %= 256;