view src/authenticate.c @ 298:1aa690671cd7 noffle

[svn] * src/client.c: Fix horror in authentication.
author bears
date Mon, 10 Feb 2003 18:28:30 +0000
parents bf200dccbce5
children 20abd71918ad
line wrap: on
line source

/*
  authenticate.c

  Do client authentication

  $Id: authenticate.c 423 2003-01-12 17:05:49Z bears $
*/

#if HAVE_CONFIG_H
#include <config.h>
#endif

#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include "common.h"
#include "authenticate.h"
#include "configfile.h"
#include "log.h"
#include "portable.h"
#include "util.h"

#if USE_AUTH

#if USE_PAM
#include <security/pam_appl.h>

static const char *password;

/*
 * It's a bit tricky to go around asking PAM questions at this stage,
 * as well as not fitting NNTP, so just repond to all PAM questions
 * with the password and hope that works.
 */
static int noffle_conv(	int num_msg, 
			const struct pam_message **msgm,
			struct pam_response **response, 
			void *appdata_ptr	)
{
    struct pam_response *reply;

    UNUSED(appdata_ptr);
    UNUSED(msgm);
    
    reply = calloc( num_msg, sizeof (struct pam_response) );
    reply->resp = strdup( password );
    reply->resp_retcode = 0;
    *response = reply;
    return PAM_SUCCESS;
}

static struct pam_conv conv = {
    noffle_conv,
    NULL
};

static pam_handle_t *pamh = NULL;
static Bool pam_session_opened = FALSE;
static Bool pam_set_cred = FALSE;
static uid_t oldEuid;

static Bool
PAM_open( void )
{
    int retval;

    /* To use PAM successfully we need to be root. */
    ASSERT ( getuid() == 0 );
    
    ASSERT( pamh == NULL );

    /*
     * Preserve old eUid to be restored when PAM closes and set
     * current euid to root for PAMs benefit.
     */
    oldEuid = geteuid();
    if ( seteuid( 0 ) < 0 )
    {
	Log_err( "Cannot set euid to root: %s", strerror( errno ) );
	return FALSE;
    }
    
    retval = pam_start( "noffle", NULL, &conv, &pamh );
    if ( retval != PAM_SUCCESS )
    {
	Log_err( "Cannot starting authentication: %s",
		 pam_strerror( pamh, retval ) );
	return FALSE;
    }

    return TRUE;
}

static enum AuthResult
PAM_authenticate( const char *user, const char *pass )
{
    int retval;
    
    ASSERT( pamh != NULL );

    password = pass;
    
    retval = pam_set_item( pamh, PAM_USER, user );
    if ( retval != PAM_SUCCESS )
	Log_dbg( LOG_DBG_AUTH, "pam_set_item failed: %s",
		 pam_strerror( pamh, retval ) );

    if ( retval == PAM_SUCCESS )
    {
	retval = pam_authenticate( pamh, PAM_SILENT );
	if ( retval != PAM_SUCCESS )
	    Log_dbg( LOG_DBG_AUTH, "pam_authenticate failed: %s",
		     pam_strerror( pamh, retval ) );
    }

    if ( retval == PAM_SUCCESS )
    {
	  retval = pam_setcred( pamh, PAM_ESTABLISH_CRED );
	  if ( retval != PAM_SUCCESS )
	      Log_dbg( LOG_DBG_AUTH, "pam_setcred failed: %s",
		       pam_strerror( pamh, retval ) );
	  else
	      pam_set_cred = TRUE;
    }
    
    if ( retval == PAM_SUCCESS )
    {
	  retval = pam_open_session( pamh, 0 );
	  if ( retval != PAM_SUCCESS )
	      Log_dbg( LOG_DBG_AUTH, "pam_open_session failed: %s",
		       pam_strerror( pamh, retval ) );
	  else
	      pam_session_opened = TRUE;
    }

    switch ( retval )
    {
    case PAM_SUCCESS:
	return AUTH_OK;

    case PAM_MAXTRIES:
	return AUTH_DISCONNECT;

    case PAM_ABORT:
	return AUTH_ERROR;
    }

    return AUTH_FAILED;
}

static void
PAM_close( void )
{
    int retval = 0;
    
    ASSERT ( pamh != NULL );

    if ( pam_session_opened )
    {
	pam_session_opened = FALSE;
	retval = pam_close_session( pamh, 0 );
	if ( retval != PAM_SUCCESS )
	    Log_dbg( LOG_DBG_AUTH, "pam_close_session failed: %s",
		     pam_strerror( pamh, retval ) );
    }

    if ( pam_set_cred )
    {
	pam_set_cred = FALSE;
	retval = pam_setcred( pamh, PAM_DELETE_CRED );
	if ( retval != PAM_SUCCESS )
	    Log_dbg( LOG_DBG_AUTH, "pam_set_cred failed: %s",
		     pam_strerror( pamh, retval ) );
    }

    retval = pam_end( pamh, retval );
    if ( retval != PAM_SUCCESS )
	Log_dbg( LOG_DBG_AUTH, "pam_end failed: %s",
		 pam_strerror( pamh, retval ) );
    pamh = NULL;

    /*
     * For completeness set euid back to original value, though it'll
     * probably be set again by Auth_dropPrivs.
     */
    if ( seteuid( oldEuid ) < 0 )
	Log_err( "Cannot set euid back to %d: %s",
		 oldEuid, strerror( errno ) );
}

#else

/*
 * No PAM, so provide a simple alternative.
 *
 * USERSFILE is a simple plain-text file consisting of username password
 * pairs, one pair per line. Comments are prefixed by '#'. Blank lines
 * are ignored.
 *
 * By way of a simple security check, the users file MUST be only
 * readable and writable by the owner.
 */

#define	AUTH_MAX_TRIES		3

static int authTries = 0;

static enum AuthResult
file_authenticate( const char *user, const char *pass )
{
    Str file, line;
    FILE *f;
    struct stat statBuf;
    enum AuthResult res = AUTH_FAILED;

    Utl_cpyStr( file, USERSFILE );
    if ( stat( file, &statBuf ) < 0 )
    {
	Log_err( "Cannot read %s (%s)", file, strerror( errno ) );
	return AUTH_ERROR;
    }
    if ( !S_ISREG( statBuf.st_mode ) )
    {
	Log_err( "%s must be a regular file, not a link", file );
	return AUTH_ERROR;
    }
    if ( ( statBuf.st_mode & ( S_IRWXG | S_IRWXO ) ) != 0 )
    {
	Log_err( "%s must be readable only by its owner", file );
	return AUTH_ERROR;
    }
    
    if ( ! ( f = fopen( file, "r" ) ) )
    {
        Log_err( "Cannot read %s (%s)", file, strerror( errno ) );
        return AUTH_ERROR;
    }
    while ( res == AUTH_FAILED && fgets( line, MAXCHAR, f ) )
    {
	Str theUser, thePass;
	char *p;
	
        p = Utl_stripWhiteSpace( line );
	Utl_stripComment( p );

	if ( *p == '\0' )
	    continue;
	
	if ( sscanf( p, MAXCHAR_FMT " " MAXCHAR_FMT, theUser, thePass ) != 2 )
	{
	    res = AUTH_ERROR;
	    Log_err( "Badly formatted line %s in %s", p, file );
	    break;
	}

	if ( strcmp( user, theUser ) == 0 )
	{
	    if ( strcmp( pass, thePass ) == 0 )
		res = AUTH_OK;
	    break;
	}
    }

    fclose( f );

    if ( res == AUTH_FAILED )
    {
	authTries++;
	sleep( authTries * authTries );
	if ( authTries >= AUTH_MAX_TRIES )
	    res = AUTH_DISCONNECT;
    }

    return res;
}

#endif	/* USE_PAM */
#endif /* USE_AUTH */

/* Open authentication session. */
Bool
Auth_open( void )
{
#if USE_AUTH
#if USE_PAM
    return PAM_open();
#else
    return TRUE;
#endif    
#else
    return TRUE;
#endif
}

/* Authenticate a user and password. */
enum AuthResult
Auth_authenticate( const char *user, const char *pass )
{
#if USE_AUTH
#if USE_PAM
    return PAM_authenticate( user, pass );
#else
    return file_authenticate( user, pass );
#endif    
#else
    UNUSED(user);
    UNUSED(pass);
    
    return TRUE;
#endif    
}

/* Authentication session now closed. */
void
Auth_close( void )
{
#if USE_AUTH && USE_PAM
    PAM_close();
#endif    
}

static uid_t noffleUid = (uid_t) -1;
static gid_t noffleGid= (gid_t) -1;
static Bool adminUser = FALSE;

/* Check we have appropriate privs for authentication. */
Bool
Auth_checkPrivs( void )
{
    uid_t euid;
    gid_t egid;
    uid_t ruid;
    struct passwd* pwnam;
    struct group* grnam;

    euid = geteuid();
    egid = getegid();
    
    pwnam = getpwnam( Cfg_noffleUser() );
    if ( pwnam == NULL )
    {
	Log_err( "Noffle user %s is not a known user", Cfg_noffleUser() );
	return FALSE;
    }
    noffleUid = pwnam->pw_uid;

    grnam = getgrnam( Cfg_noffleGroup() );
    if ( grnam == NULL )
    {
	Log_err( "Noffle group %s is not a known group", Cfg_noffleGroup() );
	return FALSE;
    }
    noffleGid = grnam->gr_gid;
    
    ruid = getuid();

    /* Determine if admin user - root, news... */
    adminUser = ( ruid == 0 || ruid == noffleUid );
    if ( ! adminUser && grnam->gr_mem != NULL )
    {
	/* ... or member of group news. */
	pwnam = getpwuid( ruid );
	if ( pwnam != NULL )
	{
	    char* name = pwnam->pw_name;
	    char** grpmembers = grnam->gr_mem;
	    char* grpmember;

	    for ( grpmember = *grpmembers;
		  grpmember != NULL;
		  grpmember = *++grpmembers )
	    {
		if ( strcmp( name, grpmember ) == 0 )
		{
		    adminUser = TRUE;
		    break;
		}
	    }
	}
	else
	    Log_err( "Cannot get user info for uid %d: %s",
		     ruid, strerror( errno ) );
    }
    
    /*
     * If we're really root, we will set the privs we require later. Otherwise
     * we need to check that everything is as it should be.
     */
    if ( ruid != 0 )
    {
#if USE_AUTH && USE_PAM
	if( Cfg_needClientAuth() )
	{
	    Log_err( "Noffle must run as root to use PAM authentication" );
	    return FALSE;
	}
#endif
    
	if ( noffleUid != euid )
	{
	    Log_err( "Noffle needs to run as root or user %s", Cfg_noffleUser() );
	    return FALSE;
	}

	if ( noffleGid != egid )
	{
	    Log_err( "Noffle needs to run as root or as group %s",
		     Cfg_noffleGroup() );
	    return FALSE;
	}
    }
    
    return TRUE;
}

/*
 * See if we should be permitted admin access. Admins can do anything,
 * non-admins can only read articles, list groups and post.
 *
 * This must be called after Auth_checkPrivs.
 */
Bool
Auth_admin( void )
{
    ASSERT( noffleUid != (uid_t) -1 && noffleGid != (gid_t) -1 );

    return adminUser;
}


/*
 * Drop any privs required for authentication.
 *
 * Must be called AFTER Auth_checkPrivs.
 */
Bool
Auth_dropPrivs( void )
{
    uid_t euid;

    ASSERT( noffleUid != (uid_t) -1 && noffleGid != (gid_t) -1 );

    /*
     * We only need to drop privs if we're currently root. We
     * should have already checked we're the news user on startup.
     */
    euid = geteuid();
    if ( euid != 0 )
	return TRUE;

    if ( setgid( noffleGid ) != 0 )
    {
	Log_err( "Can't set group %s: %s",
		 Cfg_noffleGroup(), strerror( errno ) );
	return FALSE;
    }

    if ( setuid( noffleUid ) != 0 )
    {
	Log_err( "Can't set user to %s: %s",
		 Cfg_noffleUser(), strerror( errno ) );
	return FALSE;
    }

    return TRUE;
}