示例#1
文件: auth.c 项目: kamihouse/goahead
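/*
    Verify the request's username and password through PAM (service "login").

    On success, wp->user is looked up by name. If no such user is defined, a temporary user is
    created whose abilities are the names of the system groups returned by getgrouplist().

    @param wp Request object. Reads wp->username and wp->password; may set wp->user.
    @return 1 if PAM accepted the credentials and the account, 0 otherwise.
 */
PUBLIC bool websVerifyPamPassword(Webs *wp)
{
    WebsBuf             abilities;
    pam_handle_t        *pamh;
    UserInfo            info;
    struct pam_conv     conv = { pamChat, &info };
    struct group        *gp;
    int                 res, i;

    assure(wp);
    /* The original repeated wp->username twice; the second operand now rejects an empty name */
    assure(wp->username && *wp->username);
    assure(wp->password);
    /* PAM needs the clear-text password, so an already encoded password cannot be verified here */
    assure(!wp->encoded);

    /* The credentials are handed to the pamChat conversation callback via conv.appdata_ptr */
    info.name = (char*) wp->username;
    info.password = (char*) wp->password;
    pamh = NULL;
    if ((res = pam_start("login", info.name, &conv, &pamh)) != PAM_SUCCESS) {
        return 0;
    }
    if ((res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
        /* pam_end takes the status of the last PAM call so module cleanup sees the failure */
        pam_end(pamh, res);
        trace(5, "httpPamVerifyUser failed to verify %s", wp->username);
        return 0;
    }
    /*
        pam_authenticate only checks the credentials. pam_acct_mgmt applies the account policy
        (expired, locked or otherwise disabled accounts), which must also pass before the user
        is treated as logged in.
     */
    if ((res = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
        pam_end(pamh, res);
        trace(5, "httpPamVerifyUser account check failed for %s", wp->username);
        return 0;
    }
    pam_end(pamh, PAM_SUCCESS);
    trace(5, "httpPamVerifyUser verified %s", wp->username);

    if (!wp->user) {
        wp->user = websLookupUser(wp->username);
    }
    if (!wp->user) {
        Gid     groups[32];
        int     ngroups;
        /* 
            Create a temporary user with abilities set to the names of the user's groups.
            The abilities therefore come from the system group database, not from the auth file.
         */
        ngroups = sizeof(groups) / sizeof(Gid);
        /*
            NOTE(review): 99999 is passed as the extra group id that getgrouplist() always adds
            to the result; if a group with that id exists its name becomes an ability. Confirm
            this placeholder is intended.
         */
        if ((i = getgrouplist(wp->username, 99999, groups, &ngroups)) >= 0) {
            bufCreate(&abilities, 128, -1);
            for (i = 0; i < ngroups; i++) {
                if ((gp = getgrgid(groups[i])) != 0) {
                    bufPutStr(&abilities, gp->gr_name);
                    bufPutc(&abilities, ' ');
                }
            }
            bufAddNull(&abilities);
            trace(5, "Create temp user \"%s\" with abilities: %s", wp->username, abilities.servp);
            /*
                NOTE(review): abilities is never released in this function. If websAddUser keeps
                its own copy of the roles string, the buffer should be freed on both paths below.
                Confirm against websAddUser before adding the free.
             */
            if ((wp->user = websAddUser(wp->username, 0, abilities.servp)) == 0) {
                return 0;
            }
            computeUserAbilities(wp->user);
        }
        /*
            NOTE(review): when getgrouplist() fails (for example because the user belongs to more
            than 32 groups) no temporary user is created, yet the function still returns 1 with
            wp->user unset. Confirm that callers treat a NULL wp->user as "no abilities".
         */
    }
    return 1;
}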
示例#2
文件: gopass.c 项目: blueskit/goahead
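/*
    Command line tool that adds or replaces one user in an auth file.

    Arguments as parsed below: [-c] [-p password] authFile realm username [roles...]
        -c  create a new auth file instead of loading an existing one
        -p  take the password from the next argument instead of calling getPassword()

    Exit codes: 0 success, 1 no password obtained, 2 usage error or load failure,
    4 auth file not writable, 5 -c given but the file already exists, 6 write failure,
    7 user could not be added.
 */
int main(int argc, char *argv[])
{
    WebsBuf     buf;
    char        *password, *authFile, *username, *encodedPassword, *realm, *cp, *roles;
    int         i, errflg, create, nextArg;

    username = 0;
    create = errflg = 0;
    password = 0;

    /* Parse leading option arguments; the first argument not starting with '-' ends the options */
    for (i = 1; i < argc && !errflg; i++) {
        if (argv[i][0] != '-') {
            break;
        }
        for (cp = &argv[i][1]; *cp && !errflg; cp++) {
            if (*cp == 'c') {
                create++;

            } else if (*cp == 'p') {
                /*
                    A password given with -p is exposed to other local users through the process
                    argument list and is usually kept in shell history. Leaving -p out makes the
                    tool obtain the password from getPassword() instead.
                 */
                if (++i == argc) {
                    errflg++;
                } else {
                    password = argv[i];
                    break;
                }

            } else {
                errflg++;
            }
        }
    }
    nextArg = i;

    /* authFile, realm and username are mandatory */
    if ((nextArg + 3) > argc) {
        errflg++;
    }
    if (errflg) {
        printUsage();
        exit(2);
    }   
    authFile = argv[nextArg++];
    realm = argv[nextArg++];
    username = argv[nextArg++];

    /* Join the remaining arguments into a comma separated roles string */
    bufCreate(&buf, 0, 0);
    for (i = nextArg; i < argc; ) {
        bufPutStr(&buf, argv[i]);
        if (++i < argc) {
            bufPutc(&buf, ',');
        }
    }
    /* Terminate explicitly so buf.servp is a valid string even when no roles were given */
    bufAddNull(&buf);
    roles = sclone(buf.servp);
    websOpenAuth(1);
    
    if (!create) {
        if (websLoad(authFile) < 0) {
            exit(2);
        }
        if (access(authFile, W_OK) < 0) {
            error("Can't write to %s", authFile);
            exit(4);
        }
    } else if (access(authFile, R_OK) == 0) {
        /*
            The original tested "< 0", which refused to create a missing file and silently
            overwrote an existing one. With -c an existing auth file must not be replaced.
         */
        error("Can't create %s, already exists", authFile);
        exit(5);
    }
    if (!password && (password = getPassword()) == 0) {
        exit(1);
    }
    /*
        The stored value is MD5 over "username:realm:password", the layout HTTP Digest uses for
        HA1. It is an unsalted fast hash, so the auth file must be protected like a password
        file. NOTE(review): the sfmt() result holds the clear-text password and is not released
        or cleared here.
     */
    encodedPassword = websMD5(sfmt("%s:%s:%s", username, realm, password));

    /* Replace any existing entry for this user */
    websRemoveUser(username);
    if (websAddUser(username, encodedPassword, roles) < 0) {
        exit(7);
    }
    if (writeAuthFile(authFile) < 0) {
        exit(6);
    }
    websCloseAuth();
    return 0;
}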