ssh-keycat.c 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242
  1. /*
  2. * Redistribution and use in source and binary forms, with or without
  3. * modification, are permitted provided that the following conditions
  4. * are met:
  5. * 1. Redistributions of source code must retain the above copyright
  6. * notice, and the entire permission notice in its entirety,
  7. * including the disclaimer of warranties.
  8. * 2. Redistributions in binary form must reproduce the above copyright
  9. * notice, this list of conditions and the following disclaimer in the
  10. * documentation and/or other materials provided with the distribution.
  11. * 3. The name of the author may not be used to endorse or promote
  12. * products derived from this software without specific prior
  13. * written permission.
  14. *
  15. * ALTERNATIVELY, this product may be distributed under the terms of
  16. * the GNU Public License, in which case the provisions of the GPL are
  17. * required INSTEAD OF the above restrictions. (This clause is
  18. * necessary due to a potential bad interaction between the GPL and
  19. * the restrictions contained in a BSD-style copyright.)
  20. *
  21. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  22. * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  23. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  24. * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  25. * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  26. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  27. * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  29. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  30. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  31. * OF THE POSSIBILITY OF SUCH DAMAGE.
  32. */
  33. /*
  34. * Copyright (c) 2011 Red Hat, Inc.
  35. * Written by Tomas Mraz <tmraz@redhat.com>
  36. */
  37. #define _GNU_SOURCE
  38. #include "config.h"
  39. #include <stdio.h>
  40. #include <stdlib.h>
  41. #include <string.h>
  42. #include <sys/types.h>
  43. #include <sys/stat.h>
  44. #include <pwd.h>
  45. #include <fcntl.h>
  46. #include <unistd.h>
  47. #ifdef HAVE_STDINT_H
  48. #include <stdint.h>
  49. #endif
  50. #include <security/pam_appl.h>
  51. #include "uidswap.h"
  52. #include "misc.h"
  53. #define ERR_USAGE 1
  54. #define ERR_PAM_START 2
  55. #define ERR_OPEN_SESSION 3
  56. #define ERR_CLOSE_SESSION 4
  57. #define ERR_PAM_END 5
  58. #define ERR_GETPWNAM 6
  59. #define ERR_MEMORY 7
  60. #define ERR_OPEN 8
  61. #define ERR_FILE_MODE 9
  62. #define ERR_FDOPEN 10
  63. #define ERR_STAT 11
  64. #define ERR_WRITE 12
  65. #define ERR_PAM_PUTENV 13
  66. #define BUFLEN 4096
  67. /* Just ignore the messages in the conversation function */
  68. static int
  69. dummy_conv(int num_msg, const struct pam_message **msgm,
  70. struct pam_response **response, void *appdata_ptr)
  71. {
  72. struct pam_response *rsp;
  73. (void)msgm;
  74. (void)appdata_ptr;
  75. if (num_msg <= 0)
  76. return PAM_CONV_ERR;
  77. /* Just allocate the array as empty responses */
  78. rsp = calloc (num_msg, sizeof (struct pam_response));
  79. if (rsp == NULL)
  80. return PAM_CONV_ERR;
  81. *response = rsp;
  82. return PAM_SUCCESS;
  83. }
  84. static struct pam_conv conv = {
  85. dummy_conv,
  86. NULL
  87. };
  88. char *
  89. make_auth_keys_name(const struct passwd *pwd)
  90. {
  91. char *fname;
  92. if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
  93. return NULL;
  94. return fname;
  95. }
  96. int
  97. dump_keys(const char *user)
  98. {
  99. struct passwd *pwd;
  100. int fd = -1;
  101. FILE *f = NULL;
  102. char *fname = NULL;
  103. int rv = 0;
  104. char buf[BUFLEN];
  105. size_t len;
  106. struct stat st;
  107. if ((pwd = getpwnam(user)) == NULL) {
  108. return ERR_GETPWNAM;
  109. }
  110. if ((fname = make_auth_keys_name(pwd)) == NULL) {
  111. return ERR_MEMORY;
  112. }
  113. temporarily_use_uid(pwd);
  114. if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
  115. rv = ERR_OPEN;
  116. goto fail;
  117. }
  118. if (fstat(fd, &st) < 0) {
  119. rv = ERR_STAT;
  120. goto fail;
  121. }
  122. if (!S_ISREG(st.st_mode) ||
  123. (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
  124. rv = ERR_FILE_MODE;
  125. goto fail;
  126. }
  127. unset_nonblock(fd);
  128. if ((f = fdopen(fd, "r")) == NULL) {
  129. rv = ERR_FDOPEN;
  130. goto fail;
  131. }
  132. fd = -1;
  133. while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
  134. rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
  135. }
  136. fail:
  137. if (fd != -1)
  138. close(fd);
  139. if (f != NULL)
  140. fclose(f);
  141. free(fname);
  142. restore_uid();
  143. return rv;
  144. }
  145. static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
  146. "SELINUX_LEVEL_REQUESTED",
  147. "SELINUX_USE_CURRENT_RANGE"
  148. };
  149. extern char **environ;
  150. int
  151. set_pam_environment(pam_handle_t *pamh)
  152. {
  153. int i;
  154. size_t j;
  155. for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
  156. int len = strlen(env_names[j]);
  157. for (i = 0; environ[i] != NULL; ++i) {
  158. if (strncmp(env_names[j], environ[i], len) == 0 &&
  159. environ[i][len] == '=') {
  160. if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
  161. return ERR_PAM_PUTENV;
  162. }
  163. }
  164. }
  165. return 0;
  166. }
  167. int
  168. main(int argc, char *argv[])
  169. {
  170. pam_handle_t *pamh = NULL;
  171. int retval;
  172. int ev = 0;
  173. if (argc != 2) {
  174. fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
  175. return ERR_USAGE;
  176. }
  177. retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
  178. if (retval != PAM_SUCCESS) {
  179. return ERR_PAM_START;
  180. }
  181. ev = set_pam_environment(pamh);
  182. if (ev != 0)
  183. goto finish;
  184. retval = pam_open_session(pamh, PAM_SILENT);
  185. if (retval != PAM_SUCCESS) {
  186. ev = ERR_OPEN_SESSION;
  187. goto finish;
  188. }
  189. ev = dump_keys(argv[1]);
  190. retval = pam_close_session(pamh, PAM_SILENT);
  191. if (retval != PAM_SUCCESS) {
  192. ev = ERR_CLOSE_SESSION;
  193. }
  194. finish:
  195. retval = pam_end (pamh,retval);
  196. if (retval != PAM_SUCCESS) {
  197. ev = ERR_PAM_END;
  198. }
  199. return ev;
  200. }