pam_vbox.cpp@ 76535

Last change on this file since 76535 was 70068, checked in by vboxsync, 7 years ago
GuestPropertySvc.h: Working on making it usable from C (VBoxGuest, ++)
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 30.5 KB

Line
1	/* $Id: pam_vbox.cpp 70068 2017-12-11 17:28:02Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2017 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18
19	/*********************************************************************************************************************************
20	* Header Files *
21	*********************************************************************************************************************************/
22	#define PAM_SM_AUTH
23	#define PAM_SM_ACCOUNT
24	#define PAM_SM_PASSWORD
25	#define PAM_SM_SESSION
26
27	#ifdef DEBUG
28	# define PAM_DEBUG
29	#endif
30
31	#include <security/pam_appl.h>
32	#ifdef RT_OS_LINUX
33	# include <security/_pam_macros.h>
34	#endif
35
36	#include <pwd.h>
37	#include <syslog.h>
38	#include <stdlib.h>
39
40	#include <iprt/assert.h>
41	#include <iprt/buildconfig.h>
42	#include <iprt/env.h>
43	#include <iprt/initterm.h>
44	#include <iprt/mem.h>
45	#include <iprt/stream.h>
46	#include <iprt/string.h>
47	#include <iprt/thread.h>
48	#include <iprt/time.h>
49
50	#include <VBox/VBoxGuestLib.h>
51
52	#include <VBox/log.h>
53	#ifdef VBOX_WITH_GUEST_PROPS
54	# include <VBox/HostServices/GuestPropertySvc.h>
55	#endif
56
57	#define VBOX_MODULE_NAME "pam_vbox"
58
59	#define VBOX_PAM_FLAG_SILENT "PAM_SILENT"
60	#define VBOX_PAM_FLAG_DISALLOW_NULL_AUTHTOK "PAM_DISALLOW_NULL_AUTHTOK"
61	#define VBOX_PAM_FLAG_ESTABLISH_CRED "PAM_ESTABLISH_CRED"
62	#define VBOX_PAM_FLAG_DELETE_CRED "PAM_DELETE_CRED"
63	#define VBOX_PAM_FLAG_REINITIALIZE_CRED "PAM_REINITIALIZE_CRED"
64	#define VBOX_PAM_FLAG_REFRESH_CRED "PAM_REFRESH_CRED"
65
66	RT_C_DECLS_BEGIN
67	RTDECL(int) pam_sm_authenticate(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
68	RTDECL(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
69	RTDECL(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
70	RTDECL(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
71	RTDECL(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
72	RTDECL(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
73	RT_C_DECLS_END
74
75	/** For debugging. */
76	#ifdef DEBUG
77	static pam_handle_t *g_pam_handle;
78	static int g_verbosity = 99;
79	#else
80	static int g_verbosity = 0;
81	#endif
82
83	/**
84	* User-provided thread data for the credentials waiting thread.
85	*/
86	typedef struct PAMVBOXTHREAD
87	{
88	/** The PAM handle. */
89	pam_handle_t *hPAM;
90	/** The timeout (in ms) to wait for credentials. */
91	uint32_t uTimeoutMS;
92	/** The overall result of the thread operation. */
93	int rc;
94	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
95
96	/**
97	* Write to system log.
98	*
99	* @param pszBuf Buffer to write to the log (NULL-terminated)
100	*/
101	static void pam_vbox_writesyslog(char *pszBuf)
102	{
103	#ifdef RT_OS_LINUX
104	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
105	syslog(LOG_ERR, "%s", pszBuf);
106	closelog();
107	#elif defined(RT_OS_SOLARIS)
108	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
109	#endif
110	}
111
112
113	/**
114	* Displays an error message.
115	*
116	* @param hPAM PAM handle.
117	* @param pszFormat The message text.
118	* @param ... Format arguments.
119	*/
120	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
121	{
122	RT_NOREF1(hPAM);
123	va_list va;
124	char *buf;
125	va_start(va, pszFormat);
126	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
127	{
128	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
129	pam_vbox_writesyslog(buf);
130	RTStrFree(buf);
131	}
132	va_end(va);
133	}
134
135
136	/**
137	* Displays a debug message.
138	*
139	* @param hPAM PAM handle.
140	* @param pszFormat The message text.
141	* @param ... Format arguments.
142	*/
143	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
144	{
145	RT_NOREF1(hPAM);
146	if (g_verbosity)
147	{
148	va_list va;
149	char *buf;
150	va_start(va, pszFormat);
151	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
152	{
153	/* Only do normal logging in debug mode; could contain
154	* sensitive data! */
155	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
156	/* Log to syslog */
157	pam_vbox_writesyslog(buf);
158	RTStrFree(buf);
159	}
160	va_end(va);
161	}
162	}
163
164
165	/**
166	* Sets a message using PAM's conversation function.
167	*
168	* @return IPRT status code.
169	* @param hPAM PAM handle.
170	* @param iStyle Style of message (0 = Information, 1 = Prompt
171	* echo off, 2 = Prompt echo on, 3 = Error).
172	* @param pszText Message text to set.
173	*/
174	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
175	{
176	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
177	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
178
179	if (!iStyle)
180	iStyle = PAM_TEXT_INFO;
181
182	int rc = VINF_SUCCESS;
183
184	pam_message msg;
185	msg.msg_style = iStyle;
186	#ifdef RT_OS_SOLARIS
187	msg.msg = (char*)pszText;
188	#else
189	msg.msg = pszText;
190	#endif
191
192	#ifdef RT_OS_SOLARIS
193	pam_conv *conv = NULL;
194	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
195	#else
196	const pam_conv *conv = NULL;
197	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
198	#endif
199	if ( pamrc == PAM_SUCCESS
200	&& conv)
201	{
202	pam_response *resp = NULL;
203	#ifdef RT_OS_SOLARIS
204	pam_message *msg_p = &msg;
205	#else
206	const pam_message *msg_p = &msg;
207	#endif
208	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
209
210	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
211	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
212	{
213	if (resp->resp)
214	{
215	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
216	pszText, resp->resp);
217	/** @todo Save response! */
218	free(resp->resp);
219	}
220	free(resp);
221	}
222	}
223	else
224	rc = VERR_NOT_FOUND;
225	return rc;
226	}
227
228
229	/**
230	* Initializes pam_vbox.
231	*
232	* @return IPRT status code.
233	* @param hPAM PAM handle.
234	*/
235	static int pam_vbox_init(pam_handle_t *hPAM)
236	{
237	#ifdef DEBUG
238	g_pam_handle = hPAM; /* hack for getting assertion text */
239	#endif
240
241	/* Don't make assertions panic because the PAM stack +
242	* the current logon module won't work anymore (or just restart).
243	* This could result in not able to log into the system anymore. */
244	RTAssertSetMayPanic(false);
245
246	pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
247	RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
248
249	int rc = RTR3InitDll(0);
250	if (RT_FAILURE(rc))
251	{
252	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
253	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
254	}
255
256	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
257	if (RT_SUCCESS(rc))
258	{
259	rc = VbglR3InitUser();
260	if (RT_FAILURE(rc))
261	{
262	switch(rc)
263	{
264	case VERR_ACCESS_DENIED:
265	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
266	break;
267
268	case VERR_FILE_NOT_FOUND:
269	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
270	break;
271
272	default:
273	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
274	break;
275	}
276	}
277	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
278	}
279
280	if (RT_SUCCESS(rc))
281	{
282	char *rhost = NULL;
283	char *tty = NULL;
284	char *prompt = NULL;
285	#ifdef RT_OS_SOLARIS
286	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
287	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
288	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
289	#else
290	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
291	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
292	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
293	#endif
294	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
295	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
296	}
297
298	return rc;
299	}
300
301
302	/**
303	* Shuts down pam_vbox.
304	*
305	* @return IPRT status code.
306	* @param hPAM PAM handle.
307	*/
308	static void pam_vbox_shutdown(pam_handle_t *hPAM)
309	{
310	RT_NOREF1(hPAM);
311	VbglR3Term();
312	}
313
314
315	/**
316	* Checks for credentials provided by the host / HGCM.
317	*
318	* @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
319	* VINF_SUCCESS on successful retrieval or another IPRT error.
320	* @param hPAM PAM handle.
321	*/
322	static int pam_vbox_check_creds(pam_handle_t *hPAM)
323	{
324	int rc = VbglR3CredentialsQueryAvailability();
325	if (RT_FAILURE(rc))
326	{
327	if (rc != VERR_NOT_FOUND)
328	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
329	#ifdef DEBUG
330	else
331	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
332	#endif
333	}
334	else
335	{
336	char *pszUsername;
337	char *pszPassword;
338	char *pszDomain;
339
340	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
341	if (RT_FAILURE(rc))
342	{
343	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
344	}
345	else
346	{
347	#ifdef DEBUG
348	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
349	pszUsername, pszPassword, pszDomain);
350	#else
351	/* Don't log passwords in release mode! */
352	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
353	pszUsername, pszDomain);
354	#endif
355	/* Fill credentials into PAM. */
356	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
357	if (pamrc != PAM_SUCCESS)
358	{
359	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
360	pamrc, pam_strerror(hPAM, pamrc));
361	}
362	else
363	{
364	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
365	if (pamrc != PAM_SUCCESS)
366	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
367	pamrc, pam_strerror(hPAM, pamrc));
368
369	}
370	/** @todo Add handling domains as well. */
371	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
372	3 /* Three wipe passes */);
373	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
374	pamrc, pam_strerror(hPAM, pamrc));
375	}
376	}
377
378	#ifdef DEBUG
379	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
380	#endif
381	return rc;
382	}
383
384
385	#ifdef VBOX_WITH_GUEST_PROPS
386	/**
387	* Reads a guest property.
388	*
389	* @return IPRT status code.
390	* @param hPAM PAM handle.
391	* @param uClientID Guest property service client ID.
392	* @param pszKey Key (name) of guest property to read.
393	* @param fReadOnly Indicates whether this key needs to be
394	* checked if it only can be read (and not written)
395	* by the guest.
396	* @param pszValue Buffer where to store the key's value.
397	* @param cbValue Size of buffer (in bytes).
398	*/
399	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
400	const char *pszKey, bool fReadOnly,
401	char *pszValue, size_t cbValue)
402	{
403	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
404	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
405	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
406	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
407
408	int rc;
409
410	uint64_t u64Timestamp = 0;
411	char *pszValTemp;
412	char *pszFlags = NULL;
413	/* The buffer for storing the data and its initial size. We leave a bit
414	* of space here in case the maximum values are raised. */
415	void *pvBuf = NULL;
416	uint32_t cbBuf = GUEST_PROP_MAX_VALUE_LEN + GUEST_PROP_MAX_FLAGS_LEN + _1K;
417
418	/* Because there is a race condition between our reading the size of a
419	* property and the guest updating it, we loop a few times here and
420	* hope. Actually this should never go wrong, as we are generous
421	* enough with buffer space. */
422	for (unsigned i = 0; i < 10; i++)
423	{
424	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
425	if (pvTmpBuf)
426	{
427	pvBuf = pvTmpBuf;
428	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
429	&pszValTemp, &u64Timestamp, &pszFlags,
430	&cbBuf);
431	}
432	else
433	rc = VERR_NO_MEMORY;
434
435	switch (rc)
436	{
437	case VERR_BUFFER_OVERFLOW:
438	{
439	/* Buffer too small, try it with a bigger one next time. */
440	cbBuf += _1K;
441	continue; /* Try next round. */
442	}
443
444	default:
445	break;
446	}
447
448	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
449	break;
450	}
451
452	if (RT_SUCCESS(rc))
453	{
454	/* Check security bits. */
455	if (pszFlags)
456	{
457	if ( fReadOnly
458	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
459	{
460	/* If we want a property which is read-only on the guest
461	* and it is not marked as such, deny access! */
462	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
463	pszKey);
464	rc = VERR_ACCESS_DENIED;
465	}
466	}
467	else /* No flags, no access! */
468	{
469	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
470	pszKey, pszFlags);
471	rc = VERR_ACCESS_DENIED;
472	}
473
474	if (RT_SUCCESS(rc))
475	{
476	/* If everything went well copy property value to our destination buffer. */
477	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
478	{
479	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
480	pszKey);
481	rc = VERR_INVALID_PARAMETER;
482	}
483
484	if (RT_SUCCESS(rc))
485	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
486	pszKey, pszValue);
487	}
488	}
489
490	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
491	pszKey, rc);
492	return rc;
493	}
494
495
496	/**
497	* Waits for a guest property to be changed.
498	*
499	* @return IPRT status code.
500	* @param hPAM PAM handle.
501	* @param uClientID Guest property service client ID.
502	* @param pszKey Key (name) of guest property to wait for.
503	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
504	* RT_INDEFINITE_WAIT to wait indefinitly.
505	*/
506	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
507	const char *pszKey, uint32_t uTimeoutMS)
508	{
509	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
510	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
511	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
512
513	int rc;
514
515	/* The buffer for storing the data and its initial size. We leave a bit
516	* of space here in case the maximum values are raised. */
517	void *pvBuf = NULL;
518	uint32_t cbBuf = GUEST_PROP_MAX_NAME_LEN + GUEST_PROP_MAX_VALUE_LEN + GUEST_PROP_MAX_FLAGS_LEN + _1K;
519
520	for (int i = 0; i < 10; i++)
521	{
522	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
523	if (pvTmpBuf)
524	{
525	char *pszName = NULL;
526	char *pszValue = NULL;
527	uint64_t u64TimestampOut = 0;
528	char *pszFlags = NULL;
529
530	pvBuf = pvTmpBuf;
531	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
532	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
533	&pszName, &pszValue, &u64TimestampOut,
534	&pszFlags, &cbBuf);
535	}
536	else
537	rc = VERR_NO_MEMORY;
538
539	if (rc == VERR_BUFFER_OVERFLOW)
540	{
541	/* Buffer too small, try it with a bigger one next time. */
542	cbBuf += _1K;
543	continue; /* Try next round. */
544	}
545
546	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
547	break;
548	}
549
550	return rc;
551	}
552	#endif
553
554	/**
555	* Thread function waiting for credentials to arrive.
556	*
557	* @return IPRT status code.
558	* @param hThreadSelf Thread handle.
559	* @param pvUser Pointer to a PAMVBOXTHREAD structure providing
560	* required data used / set by the thread.
561	*/
562	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD hThreadSelf, void *pvUser)
563	{
564	RT_NOREF1(hThreadSelf);
565	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
566	AssertPtr(pUserData);
567
568	int rc = VINF_SUCCESS;
569	/* Get current time stamp to later calculate rest of timeout left. */
570	uint64_t u64StartMS = RTTimeMilliTS();
571
572	#ifdef VBOX_WITH_GUEST_PROPS
573	uint32_t uClientID = 0;
574	rc = VbglR3GuestPropConnect(&uClientID);
575	if (RT_FAILURE(rc))
576	{
577	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
578	}
579	else
580	{
581	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
582	#endif
583	for (;;)
584	{
585	#ifdef VBOX_WITH_GUEST_PROPS
586	if (uClientID)
587	{
588	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
589	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
590	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
591	switch (rc)
592	{
593	case VINF_SUCCESS:
594	/* Somebody (guest/host) wants to abort waiting for credentials. */
595	break;
596
597	case VERR_INTERRUPTED:
598	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
599	break;
600
601	case VERR_TIMEOUT:
602	/* We did not receive an abort message within time. */
603	break;
604
605	case VERR_TOO_MUCH_DATA:
606	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
607	break;
608
609	default:
610	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
611	break;
612	}
613
614	if (RT_SUCCESS(rc)) /* Abort waiting. */
615	{
616	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
617	rc = VERR_CANCELLED;
618	break;
619	}
620	}
621	#endif
622	if ( RT_SUCCESS(rc)
623	\|\| rc == VERR_TIMEOUT)
624	{
625	rc = pam_vbox_check_creds(pUserData->hPAM);
626	if (RT_SUCCESS(rc))
627	{
628	/* Credentials retrieved. */
629	break; /* Thread no longer is required, bail out. */
630	}
631	else if (rc == VERR_NOT_FOUND)
632	{
633	/* No credentials found, but try next round (if there's
634	* time left for) ... */
635	#ifndef VBOX_WITH_GUEST_PROPS
636	RTThreadSleep(500); /* Wait 500 ms. */
637	#endif
638	}
639	else
640	break; /* Something bad happend ... */
641	}
642	else
643	break;
644
645	/* Calculate timeout value left after process has been started. */
646	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
647	/* Is it time to bail out? */
648	if (pUserData->uTimeoutMS < u64Elapsed)
649	{
650	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
651	pUserData->uTimeoutMS);
652	rc = VERR_TIMEOUT;
653	break;
654	}
655	}
656	#ifdef VBOX_WITH_GUEST_PROPS
657	}
658	VbglR3GuestPropDisconnect(uClientID);
659	#endif
660
661	/* Save result. */
662	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
663
664	int rc2 = RTThreadUserSignal(RTThreadSelf());
665	AssertRC(rc2);
666
667	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
668	return rc;
669	}
670
671
672	/**
673	* Waits for credentials to arrive by creating and waiting for a thread.
674	*
675	* @return IPRT status code.
676	* @param hPAM PAM handle.
677	* @param uClientID Guest property service client ID.
678	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
679	* RT_INDEFINITE_WAIT to wait indefinitly.
680	*/
681	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
682	{
683	RT_NOREF1(uClientID);
684	PAMVBOXTHREAD threadData;
685	threadData.hPAM = hPAM;
686	threadData.uTimeoutMS = uTimeoutMS;
687
688	RTTHREAD threadWait;
689	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
690	(void *)&threadData, 0,
691	RTTHREADTYPE_DEFAULT, 0 /* Flags */, "pam_vbox");
692	if (RT_SUCCESS(rc))
693	{
694	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
695	/* Wait for thread to initialize. */
696	/** @todo We can do something else here in the meantime later. */
697	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
698	if (RT_SUCCESS(rc))
699	rc = threadData.rc; /* Get back thread result to take further actions. */
700	}
701	else
702	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
703
704	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
705	return rc;
706	}
707
708
709	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
710	{
711	RT_NOREF1(iFlags);
712
713	/* Parse arguments. */
714	for (int i = 0; i < argc; i++)
715	{
716	if (!RTStrICmp(argv[i], "debug"))
717	g_verbosity = 1;
718	else
719	pam_vbox_error(hPAM, "pam_vbox_authenticate: unknown command line argument \"%s\"\n", argv[i]);
720	}
721	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
722
723	int rc = pam_vbox_init(hPAM);
724	if (RT_FAILURE(rc))
725	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
726
727	bool fFallback = true;
728
729	#ifdef VBOX_WITH_GUEST_PROPS
730	uint32_t uClientId;
731	rc = VbglR3GuestPropConnect(&uClientId);
732	if (RT_SUCCESS(rc))
733	{
734	char szVal[256];
735	rc = pam_vbox_read_prop(hPAM, uClientId,
736	"/VirtualBox/GuestAdd/PAM/CredsWait",
737	true /* Read-only on guest */,
738	szVal, sizeof(szVal));
739	if (RT_SUCCESS(rc))
740	{
741	/* All calls which are checked against rc2 are not critical, e.g. it does
742	* not matter if they succeed or not. */
743	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
744	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
745	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
746	true /* Read-only on guest */,
747	szVal, sizeof(szVal));
748	if (RT_SUCCESS(rc2))
749	{
750	uTimeoutMS = RTStrToUInt32(szVal);
751	if (!uTimeoutMS)
752	{
753	pam_vbox_error(hPAM, "pam_vbox_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
754	uTimeoutMS = RT_INDEFINITE_WAIT;
755	}
756	else
757	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
758	}
759
760	rc2 = pam_vbox_read_prop(hPAM, uClientId,
761	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
762	true /* Read-only on guest */,
763	szVal, sizeof(szVal));
764	const char *pszWaitMsg = NULL;
765	if (RT_SUCCESS(rc2))
766	pszWaitMsg = szVal;
767
768	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
769	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
770	if (RT_FAILURE(rc2)) /* Not critical. */
771	pam_vbox_error(hPAM, "pam_vbox_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
772
773	if (RT_SUCCESS(rc))
774	{
775	/* Before we actuall wait for credentials just make sure we didn't already get credentials
776	* set so that we can skip waiting for them ... */
777	rc = pam_vbox_check_creds(hPAM);
778	if (rc == VERR_NOT_FOUND)
779	{
780	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
781	if (rc == VERR_TIMEOUT)
782	{
783	pam_vbox_log(hPAM, "pam_vbox_authenticate: no credentials given within time\n");
784
785	rc2 = pam_vbox_read_prop(hPAM, uClientId,
786	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
787	true /* Read-only on guest */,
788	szVal, sizeof(szVal));
789	if (RT_SUCCESS(rc2))
790	{
791	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
792	AssertRC(rc2);
793	}
794	}
795	else if (rc == VERR_CANCELLED)
796	{
797	pam_vbox_log(hPAM, "pam_vbox_authenticate: waiting aborted\n");
798
799	rc2 = pam_vbox_read_prop(hPAM, uClientId,
800	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
801	true /* Read-only on guest */,
802	szVal, sizeof(szVal));
803	if (RT_SUCCESS(rc2))
804	{
805	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
806	AssertRC(rc2);
807	}
808	}
809	}
810
811	/* If we got here we don't need the fallback, so just deactivate it. */
812	fFallback = false;
813	}
814	}
815
816	VbglR3GuestPropDisconnect(uClientId);
817	}
818	#endif /* VBOX_WITH_GUEST_PROPS */
819
820	if (fFallback)
821	{
822	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
823
824	/* If anything went wrong in the code above we just do a credentials
825	* check like it was before: Try retrieving the stuff and authenticating. */
826	int rc2 = pam_vbox_check_creds(hPAM);
827	if (RT_SUCCESS(rc))
828	rc = rc2;
829	}
830
831	pam_vbox_shutdown(hPAM);
832
833	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
834
835	/* Never report an error here because if no credentials from the host are available or something
836	* went wrong we then let do the authentication by the next module in the stack. */
837
838	/* We report success here because this is all we can do right now -- we passed the credentials
839	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
840	* password verification to "really" authenticate the user. */
841	return PAM_SUCCESS;
842	}
843
844
845	DECLEXPORT(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
846	{
847	pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
848	for (int i = 0; i < argc; i++)
849	pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
850	return PAM_SUCCESS;
851	}
852
853
854	DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
855	{
856	RT_NOREF3(iFlags, argc, argv);
857	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
858	return PAM_SUCCESS;
859	}
860
861
862	DECLEXPORT(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
863	{
864	RT_NOREF3(iFlags, argc, argv);
865	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
866	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
867	return PAM_SUCCESS;
868	}
869
870
871	DECLEXPORT(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
872	{
873	RT_NOREF3(iFlags, argc, argv);
874	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
875	return PAM_SUCCESS;
876	}
877
878
879	DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
880	{
881	RT_NOREF3(iFlags, argc, argv);
882	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
883	return PAM_SUCCESS;
884	}
885
886
887	#ifdef DEBUG
888	DECLEXPORT(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
889	{
890	pam_vbox_log(g_pam_handle,
891	"\n!!Assertion Failed!!\n"
892	"Expression: %s\n"
893	"Location : %s(%d) %s\n",
894	pszExpr, pszFile, uLine, pszFunction);
895	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
896	}
897	#endif
898

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 76535

Download in other formats: