pam_vbox.cpp@ 55771

Last change on this file since 55771 was 44528, checked in by vboxsync, 12 years ago
header (C) fixes
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 30.1 KB

Line
1	/* $Id: pam_vbox.cpp 44528 2013-02-04 14:27:54Z vboxsync $ */
2	/** @file
3	* pam_vbox - PAM module for auto logons.
4	*/
5
6	/*
7	* Copyright (C) 2008-2012 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18	/*******************************************************************************
19	* Header Files *
20	*******************************************************************************/
21	#define PAM_SM_AUTH
22	#define PAM_SM_ACCOUNT
23	#define PAM_SM_PASSWORD
24	#define PAM_SM_SESSION
25
26	#ifdef DEBUG
27	# define PAM_DEBUG
28	#endif
29
30	#include <security/pam_appl.h>
31	#ifdef RT_OS_LINUX
32	# include <security/_pam_macros.h>
33	#endif
34
35	#include <pwd.h>
36	#include <syslog.h>
37	#include <stdlib.h>
38
39	#include <iprt/assert.h>
40	#include <iprt/buildconfig.h>
41	#include <iprt/env.h>
42	#include <iprt/initterm.h>
43	#include <iprt/mem.h>
44	#include <iprt/stream.h>
45	#include <iprt/string.h>
46	#include <iprt/thread.h>
47	#include <iprt/time.h>
48
49	#include <VBox/VBoxGuestLib.h>
50
51	#include <VBox/log.h>
52	#ifdef VBOX_WITH_GUEST_PROPS
53	# include <VBox/HostServices/GuestPropertySvc.h>
54	using namespace guestProp;
55	#endif
56
57	#define VBOX_MODULE_NAME "pam_vbox"
58
59	#define VBOX_PAM_FLAG_SILENT "PAM_SILENT"
60	#define VBOX_PAM_FLAG_DISALLOW_NULL_AUTHTOK "PAM_DISALLOW_NULL_AUTHTOK"
61	#define VBOX_PAM_FLAG_ESTABLISH_CRED "PAM_ESTABLISH_CRED"
62	#define VBOX_PAM_FLAG_DELETE_CRED "PAM_DELETE_CRED"
63	#define VBOX_PAM_FLAG_REINITIALIZE_CRED "PAM_REINITIALIZE_CRED"
64	#define VBOX_PAM_FLAG_REFRESH_CRED "PAM_REFRESH_CRED"
65
66	RT_C_DECLS_BEGIN
67	RTDECL(int) pam_sm_authenticate(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
68	RTDECL(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
69	RTDECL(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
70	RTDECL(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
71	RTDECL(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
72	RTDECL(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv);
73	RT_C_DECLS_END
74
75	/** For debugging. */
76	#ifdef DEBUG
77	static pam_handle_t *g_pam_handle;
78	static int g_verbosity = 99;
79	#else
80	static int g_verbosity = 0;
81	#endif
82
83	/**
84	* User-provided thread data for the credentials waiting thread.
85	*/
86	typedef struct PAMVBOXTHREAD
87	{
88	/** The PAM handle. */
89	pam_handle_t *hPAM;
90	/** The timeout (in ms) to wait for credentials. */
91	uint32_t uTimeoutMS;
92	/** The overall result of the thread operation. */
93	int rc;
94	} PAMVBOXTHREAD, *PPAMVBOXTHREAD;
95
96	/**
97	* Write to system log.
98	*
99	* @param pszBuf Buffer to write to the log (NULL-terminated)
100	*/
101	static void pam_vbox_writesyslog(char *pszBuf)
102	{
103	#ifdef RT_OS_LINUX
104	openlog("pam_vbox", LOG_PID, LOG_AUTHPRIV);
105	syslog(LOG_ERR, "%s", pszBuf);
106	closelog();
107	#elif defined(RT_OS_SOLARIS)
108	syslog(LOG_ERR, "pam_vbox: %s\n", pszBuf);
109	#endif
110	}
111
112
113	/**
114	* Displays an error message.
115	*
116	* @param pszFormat The message text.
117	* @param ... Format arguments.
118	*/
119	static void pam_vbox_error(pam_handle_t hPAM, const char pszFormat, ...)
120	{
121	va_list va;
122	char *buf;
123	va_start(va, pszFormat);
124	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
125	{
126	LogRel(("%s: Error: %s", VBOX_MODULE_NAME, buf));
127	pam_vbox_writesyslog(buf);
128	RTStrFree(buf);
129	}
130	va_end(va);
131	}
132
133
134	/**
135	* Displays a debug message.
136	*
137	* @param pszFormat The message text.
138	* @param ... Format arguments.
139	*/
140	static void pam_vbox_log(pam_handle_t hPAM, const char pszFormat, ...)
141	{
142	if (g_verbosity)
143	{
144	va_list va;
145	char *buf;
146	va_start(va, pszFormat);
147	if (RT_SUCCESS(RTStrAPrintfV(&buf, pszFormat, va)))
148	{
149	/* Only do normal logging in debug mode; could contain
150	* sensitive data! */
151	LogRel(("%s: %s", VBOX_MODULE_NAME, buf));
152	/* Log to syslog */
153	pam_vbox_writesyslog(buf);
154	RTStrFree(buf);
155	}
156	va_end(va);
157	}
158	}
159
160
161	/**
162	* Sets a message using PAM's conversation function.
163	*
164	* @return IPRT status code.
165	* @param hPAM PAM handle.
166	* @param iStyle Style of message (0 = Information, 1 = Prompt
167	* echo off, 2 = Prompt echo on, 3 = Error).
168	* @param pszText Message text to set.
169	*/
170	static int vbox_set_msg(pam_handle_t hPAM, int iStyle, const char pszText)
171	{
172	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
173	AssertPtrReturn(pszText, VERR_INVALID_POINTER);
174
175	if (!iStyle)
176	iStyle = PAM_TEXT_INFO;
177
178	int rc = VINF_SUCCESS;
179
180	pam_message msg;
181	msg.msg_style = iStyle;
182	#ifdef RT_OS_SOLARIS
183	msg.msg = (char*)pszText;
184	#else
185	msg.msg = pszText;
186	#endif
187
188	#ifdef RT_OS_SOLARIS
189	pam_conv *conv = NULL;
190	int pamrc = pam_get_item(hPAM, PAM_CONV, (void **)&conv);
191	#else
192	const pam_conv *conv = NULL;
193	int pamrc = pam_get_item(hPAM, PAM_CONV, (const void **)&conv);
194	#endif
195	if ( pamrc == PAM_SUCCESS
196	&& conv)
197	{
198	pam_response *resp = NULL;
199	#ifdef RT_OS_SOLARIS
200	pam_message *msg_p = &msg;
201	#else
202	const pam_message *msg_p = &msg;
203	#endif
204	pam_vbox_log(hPAM, "Showing message \"%s\" (type %d)", pszText, iStyle);
205
206	pamrc = conv->conv(1 /* One message only */, &msg_p, &resp, conv->appdata_ptr);
207	if (resp != NULL) /* If we use PAM_TEXT_INFO we never will get something back! */
208	{
209	if (resp->resp)
210	{
211	pam_vbox_log(hPAM, "Response to message \"%s\" was \"%s\"",
212	pszText, resp->resp);
213	/** @todo Save response! */
214	free(resp->resp);
215	}
216	free(resp);
217	}
218	}
219	else
220	rc = VERR_NOT_FOUND;
221	return rc;
222	}
223
224
225	/**
226	* Initializes pam_vbox.
227	*
228	* @return IPRT status code.
229	* @param hPAM PAM handle.
230	*/
231	static int pam_vbox_init(pam_handle_t *hPAM)
232	{
233	#ifdef DEBUG
234	g_pam_handle = hPAM; /* hack for getting assertion text */
235	#endif
236
237	/* Don't make assertions panic because the PAM stack +
238	* the current logon module won't work anymore (or just restart).
239	* This could result in not able to log into the system anymore. */
240	RTAssertSetMayPanic(false);
241
242	pam_vbox_log(hPAM, "pam_vbox: %sr%s, running on %s\n",
243	RTBldCfgVersion(), RTBldCfgRevisionStr(), RTBldCfgTargetArch());
244
245	int rc = RTR3InitDll(0);
246	if (RT_FAILURE(rc))
247	{
248	pam_vbox_error(hPAM, "pam_vbox_init: could not init runtime! rc=%Rrc. Aborting\n", rc);
249	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
250	}
251
252	pam_vbox_log(hPAM, "pam_vbox_init: runtime initialized\n");
253	if (RT_SUCCESS(rc))
254	{
255	rc = VbglR3InitUser();
256	if (RT_FAILURE(rc))
257	{
258	switch(rc)
259	{
260	case VERR_ACCESS_DENIED:
261	pam_vbox_error(hPAM, "pam_vbox_init: access is denied to guest driver! Please make sure you run with sufficient rights. Aborting\n");
262	break;
263
264	case VERR_FILE_NOT_FOUND:
265	pam_vbox_error(hPAM, "pam_vbox_init: guest driver not found! Guest Additions installed? Aborting\n");
266	break;
267
268	default:
269	pam_vbox_error(hPAM, "pam_vbox_init: could not init VbglR3 library! rc=%Rrc. Aborting\n", rc);
270	break;
271	}
272	}
273	pam_vbox_log(hPAM, "pam_vbox_init: guest lib initialized\n");
274	}
275
276	if (RT_SUCCESS(rc))
277	{
278	char *rhost = NULL;
279	char *tty = NULL;
280	char *prompt = NULL;
281	#ifdef RT_OS_SOLARIS
282	pam_get_item(hPAM, PAM_RHOST, (void**) &rhost);
283	pam_get_item(hPAM, PAM_TTY, (void**) &tty);
284	pam_get_item(hPAM, PAM_USER_PROMPT, (void**) &prompt);
285	#else
286	pam_get_item(hPAM, PAM_RHOST, (const void**) &rhost);
287	pam_get_item(hPAM, PAM_TTY, (const void**) &tty);
288	pam_get_item(hPAM, PAM_USER_PROMPT, (const void**) &prompt);
289	#endif
290	pam_vbox_log(hPAM, "pam_vbox_init: rhost=%s, tty=%s, prompt=%s\n",
291	rhost ? rhost : "<none>", tty ? tty : "<none>", prompt ? prompt : "<none>");
292	}
293
294	return rc;
295	}
296
297
298	/**
299	* Shuts down pam_vbox.
300	*
301	* @return IPRT status code.
302	* @param hPAM PAM handle.
303	*/
304	static void pam_vbox_shutdown(pam_handle_t *hPAM)
305	{
306	VbglR3Term();
307	}
308
309
310	/**
311	* Checks for credentials provided by the host / HGCM.
312	*
313	* @return IPRT status code. VERR_NOT_FOUND if no credentials are available,
314	* VINF_SUCCESS on successful retrieval or another IPRT error.
315	* @param hPAM PAM handle.
316	*/
317	static int pam_vbox_check_creds(pam_handle_t *hPAM)
318	{
319	int rc = VbglR3CredentialsQueryAvailability();
320	if (RT_FAILURE(rc))
321	{
322	if (rc != VERR_NOT_FOUND)
323	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not query for credentials! rc=%Rrc. Aborting\n", rc);
324	#ifdef DEBUG
325	else
326	pam_vbox_log(hPAM, "pam_vbox_check_creds: no credentials available\n");
327	#endif
328	}
329	else
330	{
331	char *pszUsername;
332	char *pszPassword;
333	char *pszDomain;
334
335	rc = VbglR3CredentialsRetrieve(&pszUsername, &pszPassword, &pszDomain);
336	if (RT_FAILURE(rc))
337	{
338	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not retrieve credentials! rc=%Rrc. Aborting\n", rc);
339	}
340	else
341	{
342	#ifdef DEBUG
343	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=%s, domain=%s\n",
344	pszUsername, pszPassword, pszDomain);
345	#else
346	/* Don't log passwords in release mode! */
347	pam_vbox_log(hPAM, "pam_vbox_check_creds: credentials retrieved: user=%s, password=XXX, domain=%s\n",
348	pszUsername, pszDomain);
349	#endif
350	/* Fill credentials into PAM. */
351	int pamrc = pam_set_item(hPAM, PAM_USER, pszUsername);
352	if (pamrc != PAM_SUCCESS)
353	{
354	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set user name! pamrc=%d, msg=%s. Aborting\n",
355	pamrc, pam_strerror(hPAM, pamrc));
356	}
357	else
358	{
359	pamrc = pam_set_item(hPAM, PAM_AUTHTOK, pszPassword);
360	if (pamrc != PAM_SUCCESS)
361	pam_vbox_error(hPAM, "pam_vbox_check_creds: could not set password! pamrc=%d, msg=%s. Aborting\n",
362	pamrc, pam_strerror(hPAM, pamrc));
363
364	}
365	/** @todo Add handling domains as well. */
366	VbglR3CredentialsDestroy(pszUsername, pszPassword, pszDomain,
367	3 /* Three wipe passes */);
368	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with pamrc=%d, msg=%s\n",
369	pamrc, pam_strerror(hPAM, pamrc));
370	}
371	}
372
373	#ifdef DEBUG
374	pam_vbox_log(hPAM, "pam_vbox_check_creds: returned with rc=%Rrc\n", rc);
375	#endif
376	return rc;
377	}
378
379
380	#ifdef VBOX_WITH_GUEST_PROPS
381	/**
382	* Reads a guest property.
383	*
384	* @return IPRT status code.
385	* @param hPAM PAM handle.
386	* @param uClientID Guest property service client ID.
387	* @param pszKey Key (name) of guest property to read.
388	* @param fReadOnly Indicates whether this key needs to be
389	* checked if it only can be read (and not written)
390	* by the guest.
391	* @param pszValue Buffer where to store the key's value.
392	* @param cbValue Size of buffer (in bytes).
393	*/
394	static int pam_vbox_read_prop(pam_handle_t *hPAM, uint32_t uClientID,
395	const char *pszKey, bool fReadOnly,
396	char *pszValue, size_t cbValue)
397	{
398	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
399	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
400	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
401	AssertPtrReturn(pszValue, VERR_INVALID_POINTER);
402
403	int rc;
404
405	uint64_t u64Timestamp = 0;
406	char *pszValTemp;
407	char *pszFlags = NULL;
408	/* The buffer for storing the data and its initial size. We leave a bit
409	* of space here in case the maximum values are raised. */
410	void *pvBuf = NULL;
411	uint32_t cbBuf = MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
412
413	/* Because there is a race condition between our reading the size of a
414	* property and the guest updating it, we loop a few times here and
415	* hope. Actually this should never go wrong, as we are generous
416	* enough with buffer space. */
417	for (unsigned i = 0; i < 10; i++)
418	{
419	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
420	if (pvTmpBuf)
421	{
422	pvBuf = pvTmpBuf;
423	rc = VbglR3GuestPropRead(uClientID, pszKey, pvBuf, cbBuf,
424	&pszValTemp, &u64Timestamp, &pszFlags,
425	&cbBuf);
426	}
427	else
428	rc = VERR_NO_MEMORY;
429
430	switch (rc)
431	{
432	case VERR_BUFFER_OVERFLOW:
433	{
434	/* Buffer too small, try it with a bigger one next time. */
435	cbBuf += _1K;
436	continue; /* Try next round. */
437	}
438
439	default:
440	break;
441	}
442
443	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
444	break;
445	}
446
447	if (RT_SUCCESS(rc))
448	{
449	/* Check security bits. */
450	if (pszFlags)
451	{
452	if ( fReadOnly
453	&& !RTStrStr(pszFlags, "RDONLYGUEST"))
454	{
455	/* If we want a property which is read-only on the guest
456	* and it is not marked as such, deny access! */
457	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" should be read-only on guest but it is not\n",
458	pszKey);
459	rc = VERR_ACCESS_DENIED;
460	}
461	}
462	else /* No flags, no access! */
463	{
464	pam_vbox_error(hPAM, "pam_vbox_read_prop: key \"%s\" contains no/wrong flags (%s)\n",
465	pszKey, pszFlags);
466	rc = VERR_ACCESS_DENIED;
467	}
468
469	if (RT_SUCCESS(rc))
470	{
471	/* If everything went well copy property value to our destination buffer. */
472	if (!RTStrPrintf(pszValue, cbValue, "%s", pszValTemp))
473	{
474	pam_vbox_error(hPAM, "pam_vbox_read_prop: could not store value of key \"%s\"\n",
475	pszKey);
476	rc = VERR_INVALID_PARAMETER;
477	}
478
479	if (RT_SUCCESS(rc))
480	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\"=\"%s\"\n",
481	pszKey, pszValue);
482	}
483	}
484
485	pam_vbox_log(hPAM, "pam_vbox_read_prop: read key \"%s\" with rc=%Rrc\n",
486	pszKey, rc);
487	return rc;
488	}
489
490
491	/**
492	* Waits for a guest property to be changed.
493	*
494	* @return IPRT status code.
495	* @param hPAM PAM handle.
496	* @param uClientID Guest property service client ID.
497	* @param pszKey Key (name) of guest property to wait for.
498	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
499	* RT_INDEFINITE_WAIT to wait indefinitly.
500	*/
501	static int pam_vbox_wait_prop(pam_handle_t *hPAM, uint32_t uClientID,
502	const char *pszKey, uint32_t uTimeoutMS)
503	{
504	AssertPtrReturn(hPAM, VERR_INVALID_POINTER);
505	AssertReturn(uClientID, VERR_INVALID_PARAMETER);
506	AssertPtrReturn(pszKey, VERR_INVALID_POINTER);
507
508	int rc;
509
510	/* The buffer for storing the data and its initial size. We leave a bit
511	* of space here in case the maximum values are raised. */
512	void *pvBuf = NULL;
513	uint32_t cbBuf = MAX_NAME_LEN + MAX_VALUE_LEN + MAX_FLAGS_LEN + _1K;
514
515	for (int i = 0; i < 10; i++)
516	{
517	void *pvTmpBuf = RTMemRealloc(pvBuf, cbBuf);
518	if (pvTmpBuf)
519	{
520	char *pszName = NULL;
521	char *pszValue = NULL;
522	uint64_t u64TimestampOut = 0;
523	char *pszFlags = NULL;
524
525	pvBuf = pvTmpBuf;
526	rc = VbglR3GuestPropWait(uClientID, pszKey, pvBuf, cbBuf,
527	0 /* Last timestamp; just wait for next event */, uTimeoutMS,
528	&pszName, &pszValue, &u64TimestampOut,
529	&pszFlags, &cbBuf);
530	}
531	else
532	rc = VERR_NO_MEMORY;
533
534	if (rc == VERR_BUFFER_OVERFLOW)
535	{
536	/* Buffer too small, try it with a bigger one next time. */
537	cbBuf += _1K;
538	continue; /* Try next round. */
539	}
540
541	/* Everything except VERR_BUFFER_OVERLOW makes us bail out ... */
542	break;
543	}
544
545	return rc;
546	}
547	#endif
548
549	/**
550	* Thread function waiting for credentials to arrive.
551	*
552	* @return IPRT status code.
553	* @param ThreadSelf Thread struct to this thread.
554	* @param pvUser Pointer to a PAMVBOXTHREAD structure providing
555	* required data used / set by the thread.
556	*/
557	static DECLCALLBACK(int) pam_vbox_wait_thread(RTTHREAD ThreadSelf, void *pvUser)
558	{
559	PPAMVBOXTHREAD pUserData = (PPAMVBOXTHREAD)pvUser;
560	AssertPtr(pUserData);
561
562	int rc = VINF_SUCCESS;
563	/* Get current time stamp to later calculate rest of timeout left. */
564	uint64_t u64StartMS = RTTimeMilliTS();
565
566	#ifdef VBOX_WITH_GUEST_PROPS
567	uint32_t uClientID = 0;
568	rc = VbglR3GuestPropConnect(&uClientID);
569	if (RT_FAILURE(rc))
570	{
571	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Unable to connect to guest property service, rc=%Rrc\n", rc);
572	}
573	else
574	{
575	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: clientID=%u\n", uClientID);
576	#endif
577	for (;;)
578	{
579	#ifdef VBOX_WITH_GUEST_PROPS
580	if (uClientID)
581	{
582	rc = pam_vbox_wait_prop(pUserData->hPAM, uClientID,
583	"/VirtualBox/GuestAdd/PAM/CredsWaitAbort",
584	500 /* Wait 500ms, same as VBoxGINA/VBoxCredProv. */);
585	switch (rc)
586	{
587	case VINF_SUCCESS:
588	/* Somebody (guest/host) wants to abort waiting for credentials. */
589	break;
590
591	case VERR_INTERRUPTED:
592	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request timed out or was interrupted\n");
593	break;
594
595	case VERR_TIMEOUT:
596	/* We did not receive an abort message within time. */
597	break;
598
599	case VERR_TOO_MUCH_DATA:
600	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: Temporarily unable to get abort notification\n");
601	break;
602
603	default:
604	pam_vbox_error(pUserData->hPAM, "pam_vbox_wait_thread: The abort notification request failed with rc=%Rrc\n", rc);
605	break;
606	}
607
608	if (RT_SUCCESS(rc)) /* Abort waiting. */
609	{
610	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Got notification to abort waiting\n");
611	rc = VERR_CANCELLED;
612	break;
613	}
614	}
615	#endif
616	if ( RT_SUCCESS(rc)
617	\|\| rc == VERR_TIMEOUT)
618	{
619	rc = pam_vbox_check_creds(pUserData->hPAM);
620	if (RT_SUCCESS(rc))
621	{
622	/* Credentials retrieved. */
623	break; /* Thread no longer is required, bail out. */
624	}
625	else if (rc == VERR_NOT_FOUND)
626	{
627	/* No credentials found, but try next round (if there's
628	* time left for) ... */
629	#ifndef VBOX_WITH_GUEST_PROPS
630	RTThreadSleep(500); /* Wait 500 ms. */
631	#endif
632	}
633	else
634	break; /* Something bad happend ... */
635	}
636	else
637	break;
638
639	/* Calculate timeout value left after process has been started. */
640	uint64_t u64Elapsed = RTTimeMilliTS() - u64StartMS;
641	/* Is it time to bail out? */
642	if (pUserData->uTimeoutMS < u64Elapsed)
643	{
644	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread has reached timeout (%dms), exiting ...\n",
645	pUserData->uTimeoutMS);
646	rc = VERR_TIMEOUT;
647	break;
648	}
649	}
650	#ifdef VBOX_WITH_GUEST_PROPS
651	}
652	VbglR3GuestPropDisconnect(uClientID);
653	#endif
654
655	/* Save result. */
656	pUserData->rc = rc; /** @todo Use ASMAtomicXXX? */
657
658	int rc2 = RTThreadUserSignal(RTThreadSelf());
659	AssertRC(rc2);
660
661	pam_vbox_log(pUserData->hPAM, "pam_vbox_wait_thread: Waiting thread returned with rc=%Rrc\n", rc);
662	return rc;
663	}
664
665
666	/**
667	* Waits for credentials to arrive by creating and waiting for a thread.
668	*
669	* @return IPRT status code.
670	* @param hPAM PAM handle.
671	* @param uClientID Guest property service client ID.
672	* @param pszKey Key (name) of guest property to wait for.
673	* @param uTimeoutMS Timeout (in ms) to wait for the change. Specify
674	* RT_INDEFINITE_WAIT to wait indefinitly.
675	*/
676	static int pam_vbox_wait_for_creds(pam_handle_t *hPAM, uint32_t uClientID, uint32_t uTimeoutMS)
677	{
678	PAMVBOXTHREAD threadData;
679	threadData.hPAM = hPAM;
680	threadData.uTimeoutMS = uTimeoutMS;
681
682	RTTHREAD threadWait;
683	int rc = RTThreadCreate(&threadWait, pam_vbox_wait_thread,
684	(void *)&threadData, 0,
685	RTTHREADTYPE_DEFAULT, 0 /* Flags */, "pam_vbox");
686	if (RT_SUCCESS(rc))
687	{
688	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials (%dms) ...\n", uTimeoutMS);
689	/* Wait for thread to initialize. */
690	/** @todo We can do something else here in the meantime later. */
691	rc = RTThreadUserWait(threadWait, RT_INDEFINITE_WAIT);
692	if (RT_SUCCESS(rc))
693	rc = threadData.rc; /* Get back thread result to take further actions. */
694	}
695	else
696	pam_vbox_error(hPAM, "pam_vbox_wait_for_creds: Creating thread failed with rc=%Rrc\n", rc);
697
698	pam_vbox_log(hPAM, "pam_vbox_wait_for_creds: Waiting for credentials returned with rc=%Rrc\n", rc);
699	return rc;
700	}
701
702
703	DECLEXPORT(int) pam_sm_authenticate(pam_handle_t *hPAM, int iFlags,
704	int argc, const char **argv)
705	{
706	/* Parse arguments. */
707	for (int i = 0; i < argc; i++)
708	{
709	if (!RTStrICmp(argv[i], "debug"))
710	g_verbosity = 1;
711	else
712	pam_vbox_error(hPAM, "pam_vbox_authenticate: unknown command line argument \"%s\"\n", argv[i]);
713	}
714	pam_vbox_log(hPAM, "pam_vbox_authenticate called\n");
715
716	int rc = pam_vbox_init(hPAM);
717	if (RT_FAILURE(rc))
718	return PAM_SUCCESS; /* Jump out as early as we can to not mess around. */
719
720	bool fFallback = true;
721
722	#ifdef VBOX_WITH_GUEST_PROPS
723	uint32_t uClientId;
724	rc = VbglR3GuestPropConnect(&uClientId);
725	if (RT_SUCCESS(rc))
726	{
727	char szVal[256];
728	rc = pam_vbox_read_prop(hPAM, uClientId,
729	"/VirtualBox/GuestAdd/PAM/CredsWait",
730	true /* Read-only on guest */,
731	szVal, sizeof(szVal));
732	if (RT_SUCCESS(rc))
733	{
734	/* All calls which are checked against rc2 are not critical, e.g. it does
735	* not matter if they succeed or not. */
736	uint32_t uTimeoutMS = RT_INDEFINITE_WAIT; /* Wait infinite by default. */
737	int rc2 = pam_vbox_read_prop(hPAM, uClientId,
738	"/VirtualBox/GuestAdd/PAM/CredsWaitTimeout",
739	true /* Read-only on guest */,
740	szVal, sizeof(szVal));
741	if (RT_SUCCESS(rc2))
742	{
743	uTimeoutMS = RTStrToUInt32(szVal);
744	if (!uTimeoutMS)
745	{
746	pam_vbox_error(hPAM, "pam_vbox_authenticate: invalid waiting timeout value specified, defaulting to infinite timeout\n");
747	uTimeoutMS = RT_INDEFINITE_WAIT;
748	}
749	else
750	uTimeoutMS = uTimeoutMS * 1000; /* Make ms out of s. */
751	}
752
753	rc2 = pam_vbox_read_prop(hPAM, uClientId,
754	"/VirtualBox/GuestAdd/PAM/CredsMsgWaiting",
755	true /* Read-only on guest */,
756	szVal, sizeof(szVal));
757	const char *pszWaitMsg = NULL;
758	if (RT_SUCCESS(rc2))
759	pszWaitMsg = szVal;
760
761	rc2 = vbox_set_msg(hPAM, 0 /* Info message */,
762	pszWaitMsg ? pszWaitMsg : "Waiting for credentials ...");
763	if (RT_FAILURE(rc2)) /* Not critical. */
764	pam_vbox_error(hPAM, "pam_vbox_authenticate: error setting waiting information message, rc=%Rrc\n", rc2);
765
766	if (RT_SUCCESS(rc))
767	{
768	/* Before we actuall wait for credentials just make sure we didn't already get credentials
769	* set so that we can skip waiting for them ... */
770	rc = pam_vbox_check_creds(hPAM);
771	if (rc == VERR_NOT_FOUND)
772	{
773	rc = pam_vbox_wait_for_creds(hPAM, uClientId, uTimeoutMS);
774	if (rc == VERR_TIMEOUT)
775	{
776	pam_vbox_log(hPAM, "pam_vbox_authenticate: no credentials given within time\n");
777
778	rc2 = pam_vbox_read_prop(hPAM, uClientId,
779	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitTimeout",
780	true /* Read-only on guest */,
781	szVal, sizeof(szVal));
782	if (RT_SUCCESS(rc2))
783	{
784	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
785	AssertRC(rc2);
786	}
787	}
788	else if (rc == VERR_CANCELLED)
789	{
790	pam_vbox_log(hPAM, "pam_vbox_authenticate: waiting aborted\n");
791
792	rc2 = pam_vbox_read_prop(hPAM, uClientId,
793	"/VirtualBox/GuestAdd/PAM/CredsMsgWaitAbort",
794	true /* Read-only on guest */,
795	szVal, sizeof(szVal));
796	if (RT_SUCCESS(rc2))
797	{
798	rc2 = vbox_set_msg(hPAM, 0 /* Info message */, szVal);
799	AssertRC(rc2);
800	}
801	}
802	}
803
804	/* If we got here we don't need the fallback, so just deactivate it. */
805	fFallback = false;
806	}
807	}
808
809	VbglR3GuestPropDisconnect(uClientId);
810	}
811	#endif /* VBOX_WITH_GUEST_PROPS */
812
813	if (fFallback)
814	{
815	pam_vbox_log(hPAM, "pam_vbox_authenticate: falling back to old method\n");
816
817	/* If anything went wrong in the code above we just do a credentials
818	* check like it was before: Try retrieving the stuff and authenticating. */
819	int rc2 = pam_vbox_check_creds(hPAM);
820	if (RT_SUCCESS(rc))
821	rc = rc2;
822	}
823
824	pam_vbox_shutdown(hPAM);
825
826	pam_vbox_log(hPAM, "pam_vbox_authenticate: overall result rc=%Rrc\n", rc);
827
828	/* Never report an error here because if no credentials from the host are available or something
829	* went wrong we then let do the authentication by the next module in the stack. */
830
831	/* We report success here because this is all we can do right now -- we passed the credentials
832	* to the next PAM module in the block above which then might do a shadow (like pam_unix/pam_unix2)
833	* password verification to "really" authenticate the user. */
834	return PAM_SUCCESS;
835	}
836
837
838	DECLEXPORT(int) pam_sm_setcred(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
839	{
840	pam_vbox_log(hPAM, "pam_vbox_setcred called, iFlags=0x%x\n", iFlags);
841	for (int i = 0; i < argc; i++)
842	pam_vbox_log(hPAM, "pam_vbox_setcred: argv[%d] = %s\n", i, argv[i]);
843	return PAM_SUCCESS;
844	}
845
846
847	DECLEXPORT(int) pam_sm_acct_mgmt(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
848	{
849	pam_vbox_log(hPAM, "pam_vbox_acct_mgmt called\n");
850	return PAM_SUCCESS;
851	}
852
853
854	DECLEXPORT(int) pam_sm_open_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
855	{
856	pam_vbox_log(hPAM, "pam_vbox_open_session called\n");
857	RTPrintf("This session was provided by VirtualBox Guest Additions. Have a lot of fun!\n");
858	return PAM_SUCCESS;
859	}
860
861
862	DECLEXPORT(int) pam_sm_close_session(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
863	{
864	pam_vbox_log(hPAM, "pam_vbox_close_session called\n");
865	return PAM_SUCCESS;
866	}
867
868
869	DECLEXPORT(int) pam_sm_chauthtok(pam_handle_t hPAM, int iFlags, int argc, const char *argv)
870	{
871	pam_vbox_log(hPAM, "pam_vbox_sm_chauthtok called\n");
872	return PAM_SUCCESS;
873	}
874
875
876	#ifdef DEBUG
877	DECLEXPORT(void) RTAssertMsg1Weak(const char pszExpr, unsigned uLine, const char pszFile, const char *pszFunction)
878	{
879	pam_vbox_log(g_pam_handle,
880	"\n!!Assertion Failed!!\n"
881	"Expression: %s\n"
882	"Location : %s(%d) %s\n",
883	pszExpr, pszFile, uLine, pszFunction);
884	RTAssertMsg1(pszExpr, uLine, pszFile, pszFunction);
885	}
886	#endif
887

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/common/pam/pam_vbox.cpp@ 55771

Download in other formats: