static void test_get_user_cfgfile_path(void) { char *file; int ret = get_user_cfgfile_path("/foo/bar", "test", "root", &file); assert(ret == 1); assert(strcmp(file, "/foo/bar/test") == 0); free(file); ret = get_user_cfgfile_path(NULL, "test", "root", &file); assert(ret == 1); assert(strcmp(file, "/root/.yubico/test") == 0); free(file); }
static void test_get_user_cfgfile_path(void) { char *file; struct passwd user; int ret; user.pw_name = "root"; user.pw_dir = "/root"; ret = get_user_cfgfile_path("/foo/bar", "test", &user, &file); assert(ret == 1); assert(strcmp(file, "/foo/bar/test") == 0); free(file); ret = get_user_cfgfile_path(NULL, "test", &user, &file); assert(ret == 1); assert(strcmp(file, "/root/.yubico/test") == 0); free(file); }
/* * Authorize authenticated OTP_ID for login as USERNAME using * AUTHFILE. Return 0 on failures, otherwise success. */ static int authorize_user_token (struct cfg *cfg, const char *username, const char *otp_id) { int retval; if (cfg->auth_file) { /* Administrator had configured the file and specified is name as an argument for this module. */ retval = check_user_token (cfg, cfg->auth_file, username, otp_id); } else { char *userfile = NULL; /* Getting file from user home directory ..... i.e. ~/.yubico/authorized_yubikeys */ if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) return 0; retval = check_user_token (cfg, userfile, username, otp_id); free (userfile); } return retval; #undef USERFILE }
/* * Authorize authenticated OTP_ID for login as USERNAME using * AUTHFILE. Return 0 on failures, otherwise success. */ static int authorize_user_token (struct cfg *cfg, const char *username, const char *otp_id, pam_handle_t *pamh) { int retval; if (cfg->auth_file) { /* Administrator had configured the file and specified is name as an argument for this module. */ DBG (("Using system-wide auth_file %s", cfg->auth_file)); retval = check_user_token (cfg, cfg->auth_file, username, otp_id); } else { char *userfile = NULL; struct passwd *p; p = getpwnam (username); if (p == NULL) { DBG (("getpwnam: %s", strerror(errno))); return 0; } /* Getting file from user home directory ..... i.e. ~/.yubico/authorized_yubikeys */ if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) { D (("Failed figuring out per-user cfgfile")); return 0; } DBG (("Dropping privileges")); if (drop_privileges(p, pamh) < 0) { D (("could not drop privileges")); return 0; } retval = check_user_token (cfg, userfile, username, otp_id); if (restore_privileges(pamh) < 0) { DBG (("could not restore privileges")); return 0; } free (userfile); } return retval; }
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn) { /* Getting file from user home directory, i.e. ~/.yubico/challenge, or * from a system wide directory. */ /* The challenge to use is located in a file in the user's home directory, * which therefor can't be encrypted. If an encrypted home directory is used, * the option chalresp_path can be used to point to a system-wide directory. */ const char *filename = NULL; /* not including directory */ char *ptr = NULL; unsigned int serial = 0; int ret; if (! yk_get_serial(yk, 0, 0, &serial)) { D (("Failed to read serial number (serial-api-visible disabled?).")); if (! chalresp_path) filename = "challenge"; else filename = user->pw_name; } else { /* We have serial number */ /* 0xffffffff == 4294967295 == 10 digits */ size_t len = strlen(chalresp_path == NULL ? "challenge" : user->pw_name) + 1 + 10 + 1; if ((ptr = malloc(len)) != NULL) { int res = snprintf(ptr, len, "%s-%u", chalresp_path == NULL ? "challenge" : user->pw_name, serial); filename = ptr; if (res < 0 || (unsigned long)res > len) { /* Not enough space, strangely enough. */ free(ptr); filename = NULL; } } } if (filename == NULL) return 0; ret = get_user_cfgfile_path (chalresp_path, filename, user, fn); if(ptr) { free(ptr); } return ret; }