int
main (int argc, char *argv[])
{
int rc;
const char *user_to_auth;
const char *cookie;
struct pam_conv pam_conversation;
pam_handle_t *pam_h;
const void *authed_user;
rc = 0;
pam_h = NULL;
/* clear the entire environment to avoid attacks using with libraries honoring environment variables */
if (_polkit_clearenv () != 0)
goto error;
/* set a minimal environment */
setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
/* check that we are setuid root */
if (geteuid () != 0)
{
gchar *s;
fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
/* Special-case a very common error triggered in jhbuild setups */
s = g_strdup_printf ("Incorrect permissions on %s (needs to be setuid root)", argv[0]);
send_to_helper ("PAM_ERROR_MSG ", s);
g_free (s);
goto error;
}
openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
/* check for correct invocation */
if (argc != 3)
{
syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
goto error;
}
user_to_auth = argv[1];
cookie = argv[2];
if (getuid () != 0)
{
/* check we're running with a non-tty stdin */
if (isatty (STDIN_FILENO) != 0)
{
syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
goto error;
}
}
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
#endif /* PAH_DEBUG */
pam_conversation.conv = conversation_function;
pam_conversation.appdata_ptr = NULL;
/* start the pam stack */
rc = pam_start ("polkit-1",
user_to_auth,
&pam_conversation,
&pam_h);
if (rc != PAM_SUCCESS)
{
fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
goto error;
}
/* set the requesting user */
rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
if (rc != PAM_SUCCESS)
{
fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
goto error;
}
/* is user really user? */
rc = pam_authenticate (pam_h, 0);
if (rc != PAM_SUCCESS)
{
const char *err;
err = pam_strerror (pam_h, rc);
fprintf (stderr, "polkit-agent-helper-1: pam_authenticate failed: %s\n", err);
goto error;
}
/* permitted access? */
rc = pam_acct_mgmt (pam_h, 0);
if (rc != PAM_SUCCESS)
{
const char *err;
err = pam_strerror (pam_h, rc);
fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", err);
goto error;
}
/* did we auth the right user? */
rc = pam_get_item (pam_h, PAM_USER, &authed_user);
if (rc != PAM_SUCCESS)
{
const char *err;
err = pam_strerror (pam_h, rc);
fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", err);
goto error;
}
if (strcmp (authed_user, user_to_auth) != 0)
{
fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
user_to_auth, (const char *) authed_user);
goto error;
}
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
#endif /* PAH_DEBUG */
pam_end (pam_h, rc);
pam_h = NULL;
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
#endif /* PAH_DEBUG */
/* now send a D-Bus message to the PolicyKit daemon that
* includes a) the cookie; and b) the user we authenticated
*/
if (!send_dbus_message (cookie, user_to_auth))
{
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
#endif /* PAH_DEBUG */
goto error;
}
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
#endif /* PAH_DEBUG */
fprintf (stdout, "SUCCESS\n");
flush_and_wait();
return 0;
error:
if (pam_h != NULL)
pam_end (pam_h, rc);
fprintf (stdout, "FAILURE\n");
flush_and_wait();
return 1;
}
static int
conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
{
struct pam_response *aresp;
char buf[PAM_MAX_RESP_SIZE];
int i;
(void)data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return PAM_CONV_ERR;
if ((aresp = calloc(n, sizeof *aresp)) == NULL)
return PAM_BUF_ERR;
for (i = 0; i < n; ++i)
{
aresp[i].resp_retcode = 0;
aresp[i].resp = NULL;
switch (msg[i]->msg_style)
{
case PAM_PROMPT_ECHO_OFF:
send_to_helper ("PAM_PROMPT_ECHO_OFF", msg[i]->msg);
goto conv1;
case PAM_PROMPT_ECHO_ON:
send_to_helper ("PAM_PROMPT_ECHO_ON", msg[i]->msg);
conv1:
if (fgets (buf, sizeof buf, stdin) == NULL)
goto error;
if (strlen (buf) > 0 &&
buf[strlen (buf) - 1] == '\n')
buf[strlen (buf) - 1] = '\0';
aresp[i].resp = strdup (buf);
if (aresp[i].resp == NULL)
goto error;
break;
case PAM_ERROR_MSG:
send_to_helper ("PAM_ERROR_MSG", msg[i]->msg);
break;
case PAM_TEXT_INFO:
send_to_helper ("PAM_TEXT_INFO", msg[i]->msg);
break;
default:
goto error;
}
}
*resp = aresp;
return PAM_SUCCESS;
error:
for (i = 0; i < n; ++i)
{
if (aresp[i].resp != NULL) {
memset (aresp[i].resp, 0, strlen(aresp[i].resp));
free (aresp[i].resp);
}
}
memset (aresp, 0, n * sizeof *aresp);
free (aresp);
*resp = NULL;
return PAM_CONV_ERR;
}
