From 0f39f93ff223bffd28f2bd6873daa08dac127ca1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Tue, 12 Oct 2021 15:35:34 +0200
Subject: [PATCH] pam_tcb: Use helper binary for expiration verification of a user account.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Perform verification through an external helper binary to possibly gain higher privileges if the verification fails for insufficient credentials in the first time.

Signed-off-by: Björn Esser
---
 ChangeLog | 7 +++++++
 pam_tcb/Makefile | 4 ++++
 pam_tcb/pam_unix_acct.c | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 03d9b42..81a1926 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,13 @@
 Replace call to unix_run_helper_binary() with run_chkpwd_binary().
 * progs/tcb_chkpwd.c: Refactor the helper program to also perform
 verifications for the expiration of user accounts.
+ * pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Perform expiration
+ verification of a user account through an external helper binary
+ if the verification fails for insufficient credentials.
+ * pam_tcb/pam_unix_acct.c (run_chkpwd_binary): New static function
+ wrapper around unix_run_helper_binary().
+ * pam_tcb/Makefile: Add custom rule with "CHKPWD_HELPER" macro
+ definined to compile pam_unix_acct.o.
 
 2021-09-30 Björn Esser
 
diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
index 7673bd5..fe47330 100644
--- a/pam_tcb/Makefile
+++ b/pam_tcb/Makefile
@@ -23,6 +23,10 @@ $(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
 .c.o:
 $(CC) $(CFLAGS) -fPIC -c $< -o $@
 
+pam_unix_acct.o: pam_unix_acct.c
+ $(CC) $(CFLAGS) -DCHKPWD_HELPER=\"$(LIBEXECDIR)/chkpwd/tcb_chkpwd\" \
+ -fPIC -c $< -o $@
+
 support.o: support.c
 $(CC) $(CFLAGS) -DCHKPWD_HELPER=\"$(LIBEXECDIR)/chkpwd/tcb_chkpwd\" \
 -fPIC -c $< -o $@
diff --git a/pam_tcb/pam_unix_acct.c b/pam_tcb/pam_unix_acct.c
index a69b931..b275abe 100644
--- a/pam_tcb/pam_unix_acct.c
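Review bot: The new pam_unix_acct.o rule copies the support.o recipe verbatim, including the escaped -DCHKPWD_HELPER path, so the two can silently drift apart the next time the helper location changes. Define the flag once near the top of the Makefile, `CHKPWD_CFLAGS = -DCHKPWD_HELPER=\"$(LIBEXECDIR)/chkpwd/tcb_chkpwd\"`, and use `$(CC) $(CFLAGS) $(CHKPWD_CFLAGS) -fPIC -c $< -o $@` as the recipe of both rules. Because the helper path is baked into the module at build time, a comment on that variable noting that the installed tcb_chkpwd must live under the same LIBEXECDIR would help packagers.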
+++ b/pam_tcb/pam_unix_acct.c
@@ -76,6 +76,35 @@ static int acct_shadow(unused pam_handle_t *pamh, const void *void_user)
 return ACCT_SUCCESS;
 }
 
+/*
+ * Use an external helper binary to perform account management.
+ */
+static int run_chkpwd_binary(const char *user)
+{
+ char *argv[] = { CHKPWD_HELPER, "chkacct", NULL };
+ char config[8];
+ int retval_helper;
+
+ if (!pam_unix_param.helper)
+ goto end;
+
+ if (on(UNIX_SHADOW)) {
+ memcpy(config, "shadow\0\0", 8);
+ } else {
+ memcpy(config, "passwd\0\0", 8);
+ }
+
+ if (unix_run_helper_binary (user, "NULL", pam_unix_param.helper,
+ argv, config, (void *)&retval_helper,
+ sizeof(retval_helper)))
+ goto end;
+
+ return retval_helper;
+
+end:
+ return ACCT_0;
+}
+
 /*
+ * The account management entry point.
+ */
@@ -112,6 +141,14 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 retval = acct_shadow(pamh, user);
 else
 retval = _unix_fork(pamh, acct_shadow, user);
+ if (retval == ACCT_2) {
+ uid_t uid = getuid();
+ if (uid == geteuid() && (uid == pw->pw_uid || uid == 0)) {
+ /* We are not privileged enough perhaps this is the reason? */
+ D(("running helper binary"));
+ retval = run_chkpwd_binary(user);
+ }
+ }
 if (retval > 255) {
 daysleft = retval / 256;
 retval %= 256;
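Review bot: run_chkpwd_binary hands back whatever integer the setuid helper wrote without checking it, and when the helper is not configured or unix_run_helper_binary fails it silently returns ACCT_0, which the caller then uses in place of the ACCT_2 it already had — so a missing or crashing helper becomes indistinguishable from whatever ACCT_0 denotes and leaves no trace in the log. I would initialise `int retval_helper = ACCT_0;` (what unix_run_helper_binary guarantees on a short read is not visible here), add a `D(("helper binary failed"));` or syslog line before the second `goto end;`, and reject a returned value that is neither a known ACCT_* code nor a `> 255` days-left encoding before returning it. The second argument is the string literal `"NULL"`, not a null pointer; if that is the intended "no password" placeholder for chkacct mode, a one-line comment such as `/* no password: chkacct mode ignores the stdin payload */` would spare the next reader a trip into tcb_chkpwd.c — assuming that is indeed what the helper does.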
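Review bot: The gate `uid == geteuid() && (uid == pw->pw_uid || uid == 0)` deserves a comment that explains it, because the one given ("perhaps this is the reason?") only restates the branch: the setuid helper must never be exec'ed from a set-uid process (uid != euid), and only by the account's own user or uid 0, which mirrors pam_unix's helper gate. I would replace it with `/* Not set-uid and running as the user (or root): retry via the setuid helper, as pam_unix does. */`. The block also dereferences pw, which is looked up before this hunk; the fallback is only sound if that lookup's NULL check precedes it, which I cannot confirm from here. pam_sm_acct_mgmt starts before the hunk and continues after it.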