int pam_end(pam_handle_t *pamh, int pam_status) { int ret; D(("entering pam_end()")); IF_NO_PAMH("pam_end", pamh, PAM_SYSTEM_ERR); if (__PAM_FROM_MODULE(pamh)) { D(("called from module!?")); return PAM_SYSTEM_ERR; } #ifdef HAVE_LIBAUDIT _pam_audit_end(pamh, pam_status); #endif #ifdef CONFIG_PROP_STATSD_STATSD if (pam_status == PAM_SUCCESS) { char buf[MAX_PAM_STATS_BUF_SIZE]; memset(buf,'\0',MAX_PAM_STATS_BUF_SIZE); snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1, "statsd incr pam_succeeded_%s %s", pamh->user,pamh->service_name); if (system(buf) == -1) { pam_syslog(pamh, LOG_INFO, "%s %s statsd incr failed", buf, pamh->service_name); } snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1, "statsd incr pam_users %s", pamh->user); if (system(buf) == -1) { pam_syslog(pamh, LOG_INFO, "%s - failed", buf); } snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1, "statsd incr pam_services %s", pamh->service_name); if (system(buf) == -1) { pam_syslog(pamh, LOG_INFO, "%s - failed", buf); } } #endif /* first liberate the modules (it is not inconcevible that the modules may need to use the service_name etc. to clean up) */ _pam_free_data(pamh, pam_status); /* now drop all modules */ if ((ret = _pam_free_handlers(pamh)) != PAM_SUCCESS) { return ret; /* error occurred */ } /* from this point we cannot call the modules any more. Free the remaining memory used by the Linux-PAM interface */ _pam_drop_env(pamh); /* purge the environment */ _pam_overwrite(pamh->authtok); /* blank out old token */ _pam_drop(pamh->authtok); _pam_overwrite(pamh->oldauthtok); /* blank out old token */ _pam_drop(pamh->oldauthtok); _pam_overwrite(pamh->former.prompt); _pam_drop(pamh->former.prompt); /* drop saved prompt */ _pam_overwrite(pamh->service_name); _pam_drop(pamh->service_name); _pam_overwrite(pamh->user); _pam_drop(pamh->user); _pam_overwrite(pamh->prompt); _pam_drop(pamh->prompt); /* prompt for pam_get_user() */ _pam_overwrite(pamh->tty); _pam_drop(pamh->tty); _pam_overwrite(pamh->rhost); _pam_drop(pamh->rhost); _pam_overwrite(pamh->ruser); _pam_drop(pamh->ruser); _pam_drop(pamh->pam_conversation); pamh->fail_delay.delay_fn_ptr = NULL; /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); D(("exiting pam_end() successfully")); return PAM_SUCCESS; }
int pam_end(pam_handle_t *pamh, int pam_status) { int ret; D(("entering pam_end()")); IF_NO_PAMH("pam_end", pamh, PAM_SYSTEM_ERR); if (__PAM_FROM_MODULE(pamh)) { D(("called from module!?")); return PAM_SYSTEM_ERR; } /* first liberate the modules (it is not inconcevible that the modules may need to use the service_name etc. to clean up) */ _pam_free_data(pamh, pam_status); /* now drop all modules */ if ((ret = _pam_free_handlers(pamh)) != PAM_SUCCESS) { return ret; /* error occurred */ } /* from this point we cannot call the modules any more. Free the remaining memory used by the Linux-PAM interface */ _pam_drop_env(pamh); /* purge the environment */ _pam_overwrite(pamh->authtok); /* blank out old token */ _pam_drop(pamh->authtok); _pam_overwrite(pamh->oldauthtok); /* blank out old token */ _pam_drop(pamh->oldauthtok); _pam_overwrite(pamh->former.prompt); _pam_drop(pamh->former.prompt); /* drop saved prompt */ _pam_overwrite(pamh->service_name); _pam_drop(pamh->service_name); _pam_overwrite(pamh->user); _pam_drop(pamh->user); _pam_overwrite(pamh->prompt); _pam_drop(pamh->prompt); /* prompt for pam_get_user() */ _pam_overwrite(pamh->tty); _pam_drop(pamh->tty); _pam_overwrite(pamh->rhost); _pam_drop(pamh->rhost); _pam_overwrite(pamh->ruser); _pam_drop(pamh->ruser); _pam_drop(pamh->pam_conversation); pamh->fail_delay.delay_fn_ptr = NULL; /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); D(("exiting pam_end() successfully")); return PAM_SUCCESS; }
int pam_start ( const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh) { D(("called pam_start: [%s] [%s] [%p] [%p]" ,service_name, user, pam_conversation, pamh)); if (pamh == NULL) { pam_syslog(NULL, LOG_CRIT, "pam_start: invalid argument: pamh == NULL"); return (PAM_SYSTEM_ERR); } if (service_name == NULL) { pam_syslog(NULL, LOG_CRIT, "pam_start: invalid argument: service == NULL"); return (PAM_SYSTEM_ERR); } if (pam_conversation == NULL) { pam_syslog(NULL, LOG_CRIT, "pam_start: invalid argument: conv == NULL"); return (PAM_SYSTEM_ERR); } if ((*pamh = calloc(1, sizeof(**pamh))) == NULL) { pam_syslog(NULL, LOG_CRIT, "pam_start: calloc failed for *pamh"); return (PAM_BUF_ERR); } /* All service names should be files below /etc/pam.d and nothing else. Forbid paths. */ if (strrchr(service_name, '/') != NULL) service_name = strrchr(service_name, '/') + 1; /* Mark the caller as the application - permission to do certain things is limited to a module or an application */ __PAM_TO_APP(*pamh); if (((*pamh)->service_name = _pam_strdup(service_name)) == NULL) { pam_syslog(*pamh, LOG_CRIT, "pam_start: _pam_strdup failed for service name"); _pam_drop(*pamh); return (PAM_BUF_ERR); } else { char *tmp; for (tmp=(*pamh)->service_name; *tmp; ++tmp) *tmp = tolower(*tmp); /* require lower case */ } if (user) { if (((*pamh)->user = _pam_strdup(user)) == NULL) { pam_syslog(*pamh, LOG_CRIT, "pam_start: _pam_strdup failed for user"); _pam_drop((*pamh)->service_name); _pam_drop(*pamh); return (PAM_BUF_ERR); } } else (*pamh)->user = NULL; (*pamh)->tty = NULL; (*pamh)->prompt = NULL; /* prompt for pam_get_user() */ (*pamh)->ruser = NULL; (*pamh)->rhost = NULL; (*pamh)->authtok = NULL; (*pamh)->oldauthtok = NULL; (*pamh)->fail_delay.delay_fn_ptr = NULL; (*pamh)->former.choice = PAM_NOT_STACKED; (*pamh)->former.substates = NULL; #ifdef HAVE_LIBAUDIT (*pamh)->audit_state = 0; #endif (*pamh)->xdisplay = NULL; (*pamh)->authtok_type = NULL; memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth)); if (((*pamh)->pam_conversation = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) { pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv"); _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); _pam_drop(*pamh); return (PAM_BUF_ERR); } else { memcpy((*pamh)->pam_conversation, pam_conversation, sizeof(struct pam_conv)); } (*pamh)->data = NULL; if ( _pam_make_env(*pamh) != PAM_SUCCESS ) { pam_syslog(*pamh,LOG_ERR,"pam_start: failed to initialize environment"); _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); _pam_drop(*pamh); return PAM_ABORT; } _pam_reset_timer(*pamh); /* initialize timer support */ _pam_start_handlers(*pamh); /* cannot fail */ /* According to the SunOS man pages, loading modules and resolving * symbols happens on the first call from the application. */ if ( _pam_init_handlers(*pamh) != PAM_SUCCESS ) { pam_syslog(*pamh, LOG_ERR, "pam_start: failed to initialize handlers"); _pam_drop_env(*pamh); /* purge the environment */ _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); _pam_drop(*pamh); return PAM_ABORT; } D(("exiting pam_start successfully")); return PAM_SUCCESS; }