Commit 074df278 authored by Antoine Jacoutot's avatar Antoine Jacoutot Committed by Miloslav Trmač

Add support for OpenBSD

- OpenBSD does not use PAM nor SHADOW but bsd_auth(3) for authentication
- get_kinfo_proc(): adapt FreeBSD code to OpenBSD
- OpenBSD, get/setnetgrent are defined in netgroup.h and getnetgrent(3) takes a
const char

https://bugs.freedesktop.org/show_bug.cgi?id=75187
parent 28a6e624
...@@ -167,11 +167,15 @@ fi ...@@ -167,11 +167,15 @@ fi
dnl --------------------------------------------------------------------------- dnl ---------------------------------------------------------------------------
dnl - Check whether setnetgrent has a return value dnl - Check whether setnetgrent has a return value
dnl --------------------------------------------------------------------------- dnl ---------------------------------------------------------------------------
AC_CHECK_HEADERS([netgroup.h])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stddef.h> #include <stddef.h>
#include <netdb.h> #ifdef HAVE_NETGROUP_H
]], [[ #include <netgroup.h>
int r = setnetgrent (NULL);]])], #else
#include <netdb.h>
#endif
]], [[int r = setnetgrent (NULL);]])],
[AC_DEFINE([HAVE_SETNETGRENT_RETURN], 1, [Define to 1 if setnetgrent has return value])]) [AC_DEFINE([HAVE_SETNETGRENT_RETURN], 1, [Define to 1 if setnetgrent has return value])])
dnl --------------------------------------------------------------------------- dnl ---------------------------------------------------------------------------
...@@ -318,6 +322,11 @@ case $POLKIT_AUTHFW in ...@@ -318,6 +322,11 @@ case $POLKIT_AUTHFW in
AC_DEFINE(POLKIT_AUTHFW_SHADOW, 1, [If using the Shadow authentication framework]) AC_DEFINE(POLKIT_AUTHFW_SHADOW, 1, [If using the Shadow authentication framework])
;; ;;
bsdauth)
need_pam=no
AC_DEFINE(POLKIT_AUTHFW_BSDAUTH, 1, [If using the bsd_auth(3) authentication framework])
;;
*) *)
AC_MSG_ERROR([Unknown Authentication Framework: $POLKIT_AUTHFW]) AC_MSG_ERROR([Unknown Authentication Framework: $POLKIT_AUTHFW])
;; ;;
...@@ -326,6 +335,7 @@ esac ...@@ -326,6 +335,7 @@ esac
AM_CONDITIONAL(POLKIT_AUTHFW_NONE, [test x$POLKIT_AUTHFW = xnone], [Using no authfw]) AM_CONDITIONAL(POLKIT_AUTHFW_NONE, [test x$POLKIT_AUTHFW = xnone], [Using no authfw])
AM_CONDITIONAL(POLKIT_AUTHFW_PAM, [test x$POLKIT_AUTHFW = xpam], [Using PAM authfw]) AM_CONDITIONAL(POLKIT_AUTHFW_PAM, [test x$POLKIT_AUTHFW = xpam], [Using PAM authfw])
AM_CONDITIONAL(POLKIT_AUTHFW_SHADOW, [test x$POLKIT_AUTHFW = xshadow], [Using Shadow authfw]) AM_CONDITIONAL(POLKIT_AUTHFW_SHADOW, [test x$POLKIT_AUTHFW = xshadow], [Using Shadow authfw])
AM_CONDITIONAL(POLKIT_AUTHFW_BSDAUTH, [test x$POLKIT_AUTHFW = xbsdauth], [Using bsd_auth(3) authfw])
dnl --------------------------------------------------------------------------- dnl ---------------------------------------------------------------------------
...@@ -505,6 +515,9 @@ case "$host_os" in ...@@ -505,6 +515,9 @@ case "$host_os" in
*freebsd*) *freebsd*)
AC_DEFINE([HAVE_FREEBSD], 1, [Is this a FreeBSD system?]) AC_DEFINE([HAVE_FREEBSD], 1, [Is this a FreeBSD system?])
;; ;;
*openbsd*)
AC_DEFINE([HAVE_OPENBSD], 1, [Is this an OpenBSD system?])
;;
esac esac
GOBJECT_INTROSPECTION_CHECK([0.6.2]) GOBJECT_INTROSPECTION_CHECK([0.6.2])
......
...@@ -29,6 +29,9 @@ ...@@ -29,6 +29,9 @@
#include <sys/sysctl.h> #include <sys/sysctl.h>
#include <sys/user.h> #include <sys/user.h>
#endif #endif
#ifdef HAVE_OPENBSD
#include <sys/sysctl.h>
#endif
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
...@@ -86,7 +89,7 @@ static guint64 get_start_time_for_pid (gint pid, ...@@ -86,7 +89,7 @@ static guint64 get_start_time_for_pid (gint pid,
static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process, static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process,
GError **error); GError **error);
#ifdef HAVE_FREEBSD #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD)
static gboolean get_kinfo_proc (gint pid, struct kinfo_proc *p); static gboolean get_kinfo_proc (gint pid, struct kinfo_proc *p);
#endif #endif
...@@ -554,12 +557,36 @@ get_kinfo_proc (pid_t pid, struct kinfo_proc *p) ...@@ -554,12 +557,36 @@ get_kinfo_proc (pid_t pid, struct kinfo_proc *p)
} }
#endif #endif
#ifdef HAVE_OPENBSD
static gboolean
get_kinfo_proc (gint pid, struct kinfo_proc *p)
{
int name[6];
u_int namelen;
size_t sz;
sz = sizeof(*p);
namelen = 0;
name[namelen++] = CTL_KERN;
name[namelen++] = KERN_PROC;
name[namelen++] = KERN_PROC_PID;
name[namelen++] = pid;
name[namelen++] = sz;
name[namelen++] = 1;
if (sysctl (name, namelen, p, &sz, NULL, 0) == -1)
return FALSE;
return TRUE;
}
#endif
static guint64 static guint64
get_start_time_for_pid (pid_t pid, get_start_time_for_pid (pid_t pid,
GError **error) GError **error)
{ {
guint64 start_time; guint64 start_time;
#ifndef HAVE_FREEBSD #if !defined(HAVE_FREEBSD) && !defined(HAVE_OPENBSD)
gchar *filename; gchar *filename;
gchar *contents; gchar *contents;
size_t length; size_t length;
...@@ -647,7 +674,11 @@ get_start_time_for_pid (pid_t pid, ...@@ -647,7 +674,11 @@ get_start_time_for_pid (pid_t pid,
goto out; goto out;
} }
#ifdef HAVE_FREEBSD
start_time = (guint64) p.ki_start.tv_sec; start_time = (guint64) p.ki_start.tv_sec;
#else
start_time = (guint64) p.p_ustart_sec;
#endif
out: out:
#endif #endif
...@@ -662,7 +693,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, ...@@ -662,7 +693,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process,
gint result; gint result;
gchar *contents; gchar *contents;
gchar **lines; gchar **lines;
#ifdef HAVE_FREEBSD #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD)
struct kinfo_proc p; struct kinfo_proc p;
#else #else
gchar filename[64]; gchar filename[64];
...@@ -676,7 +707,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, ...@@ -676,7 +707,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process,
lines = NULL; lines = NULL;
contents = NULL; contents = NULL;
#ifdef HAVE_FREEBSD #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD)
if (get_kinfo_proc (process->pid, &p) == 0) if (get_kinfo_proc (process->pid, &p) == 0)
{ {
g_set_error (error, g_set_error (error,
...@@ -688,7 +719,11 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, ...@@ -688,7 +719,11 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process,
goto out; goto out;
} }
#if defined(HAVE_FREEBSD)
result = p.ki_uid; result = p.ki_uid;
#else
result = p.p_uid;
#endif
#else #else
/* see 'man proc' for layout of the status file /* see 'man proc' for layout of the status file
......
...@@ -91,6 +91,9 @@ endif ...@@ -91,6 +91,9 @@ endif
if POLKIT_AUTHFW_SHADOW if POLKIT_AUTHFW_SHADOW
polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
endif endif
if POLKIT_AUTHFW_BSDAUTH
polkit_agent_helper_1_SOURCES += polkitagenthelper-bsdauth.c
endif
polkit_agent_helper_1_CFLAGS = \ polkit_agent_helper_1_CFLAGS = \
-D_POLKIT_COMPILATION \ -D_POLKIT_COMPILATION \
......
/*
* Copyright (C) 2008 Red Hat, Inc.
* Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com>
* Copyright (C) 2010 Antoine Jacoutot <ajacoutot@openbsd.org>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, write to the
* Free Software Foundation, Inc., 59 Temple Place, Suite 330,
* Boston, MA 02111-1307, USA.
*
* Authors: Andrew Psaltis <ampsaltis@gmail.com>, based on
* polkitagenthelper.c which was written by
* David Zeuthen <davidz@redhat.com>
*/
#include "config.h"
#include "polkitagenthelperprivate.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <syslog.h>
#include <pwd.h>
#include <login_cap.h>
#include <bsd_auth.h>
#include <polkit/polkit.h>
static gboolean bsdauth_authenticate (const char *user_to_auth);
int
main (int argc, char *argv[])
{
struct passwd *pw;
const char *user_to_auth;
char *cookie;
/* clear the entire environment to avoid attacks with
libraries honoring environment variables */
if (_polkit_clearenv () != 0)
goto error;
/* set a minimal environment */
setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
/* check that we are setuid root */
if (geteuid () != 0)
{
fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
goto error;
}
openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
/* check for correct invocation */
if (!(argc == 2 || argc == 3))
{
syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
goto error;
}
if (getuid () != 0)
{
/* check we're running with a non-tty stdin */
if (isatty (STDIN_FILENO) != 0)
{
syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
goto error;
}
}
user_to_auth = argv[1];
cookie = read_cookie (argc, argv);
if (!cookie)
goto error;
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
#endif /* PAH_DEBUG */
/* Search the password database for the user requesting authentication */
if ((pw = getpwnam (user_to_auth)) == NULL)
{
syslog (LOG_NOTICE, "password database information request for user %s [uid=%d] failed", user_to_auth, getuid());
fprintf(stderr, "polkit-agent-helper-1: could not get user information for '%s'", user_to_auth);
goto error;
}
/* Check the user's identity */
if (!bsdauth_authenticate (user_to_auth))
{
syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth);
fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n");
goto error;
}
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to polkit daemon\n");
#endif /* PAH_DEBUG */
/* now send a D-Bus message to the polkit daemon that
* includes a) the cookie; and b) the user we authenticated
*/
if (!send_dbus_message (cookie, user_to_auth))
{
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to polkit daemon\n");
#endif /* PAH_DEBUG */
goto error;
}
free (cookie);
#ifdef PAH_DEBUG
fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to polkit daemon\n");
#endif /* PAH_DEBUG */
fprintf (stdout, "SUCCESS\n");
flush_and_wait ();
return 0;
error:
free (cookie);
fprintf (stdout, "FAILURE\n");
flush_and_wait ();
return 1;
}
static gboolean
bsdauth_authenticate (const char *user_to_auth)
{
char passwd[512];
fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
fflush (stdout);
usleep (10 * 1000); /* since fflush(3) seems buggy */
if (fgets (passwd, sizeof (passwd), stdin) == NULL)
goto error;
if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
passwd[strlen (passwd) - 1] = '\0';
if (auth_userokay((char *)user_to_auth, NULL, "auth-polkit", passwd) == 0)
goto error;
return 1;
error:
return 0;
}
...@@ -23,7 +23,11 @@ ...@@ -23,7 +23,11 @@
#include <errno.h> #include <errno.h>
#include <pwd.h> #include <pwd.h>
#include <grp.h> #include <grp.h>
#if defined HAVE_OPENBSD
#include <netgroup.h>
#else
#include <netdb.h> #include <netdb.h>
#endif
#include <string.h> #include <string.h>
#include <glib/gstdio.h> #include <glib/gstdio.h>
#include <locale.h> #include <locale.h>
...@@ -2236,7 +2240,11 @@ get_users_in_net_group (PolkitIdentity *group, ...@@ -2236,7 +2240,11 @@ get_users_in_net_group (PolkitIdentity *group,
for (;;) for (;;)
{ {
#if defined HAVE_OPENBSD
const char *hostname, *username, *domainname;
#else
char *hostname, *username, *domainname; char *hostname, *username, *domainname;
#endif
PolkitIdentity *user; PolkitIdentity *user;
GError *error = NULL; GError *error = NULL;
......
...@@ -24,7 +24,11 @@ ...@@ -24,7 +24,11 @@
#include <errno.h> #include <errno.h>
#include <pwd.h> #include <pwd.h>
#include <grp.h> #include <grp.h>
#if defined HAVE_OPENBSD
#include <netgroup.h>
#else
#include <netdb.h> #include <netdb.h>
#endif
#include <string.h> #include <string.h>
#include <glib/gstdio.h> #include <glib/gstdio.h>
#include <locale.h> #include <locale.h>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment