pam_modules/authtok_check/dict.c

1N/A/*
1N/A * CDDL HEADER START
1N/A *
1N/A * The contents of this file are subject to the terms of the
1N/A * Common Development and Distribution License (the "License").
1N/A * You may not use this file except in compliance with the License.
1N/A *
1N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
1N/A * or http://www.opensolaris.org/os/licensing.
1N/A * See the License for the specific language governing permissions
1N/A * and limitations under the License.
1N/A *
1N/A * When distributing Covered Code, include this CDDL HEADER in each
1N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1N/A * If applicable, add the following below this CDDL HEADER, with the
1N/A * fields enclosed by brackets "[]" replaced with your own identifying
1N/A * information: Portions Copyright [yyyy] [name of copyright owner]
1N/A *
1N/A * CDDL HEADER END
1N/A */
1N/A/*
1N/A * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
1N/A * Use is subject to license terms.
1N/A */
1N/A
1N/A#include <sys/stat.h>
1N/A#include <stdio.h>
1N/A#include <syslog.h>
1N/A#include <fcntl.h>
1N/A#include <time.h>
1N/A#include <errno.h>
1N/A#include <signal.h>
1N/A#include "packer.h"
1N/A
1N/Astatic int lockfd = -1;
1N/Astatic struct flock flock = { 0, 0, 0, 0, 0, 0 };
1N/A
1N/Achar dblock[PATH_MAX];
1N/A
1N/A#define LOCK_WAIT   1000000
1N/A#define LOCK_RETRIES    60
1N/A
1N/A/*
1N/A * lock_db()
1N/A *
1N/A * Create a lockfile to prevent simultaneous access to the database
1N/A * creation routines. We set a timeout to LOCK_WAIT seconds. If we
1N/A * haven't obtained a lock after LOCK_RETIRES attempts, we bail out.
1N/A *
1N/A * returns 0 on succes, -1 on (lock) failure.
1N/A * side effect: the directory "path" will be created if it didn't exist.
1N/A */
1N/Aint
1N/Alock_db(char *path)
1N/A{
1N/A    int retval;
1N/A    struct stat st;
1N/A    int retries = 0;
1N/A
1N/A    /* create directory "path" if it doesn't exist */
1N/A    if (stat(path, &st) == -1) {
1N/A        if (errno != ENOENT ||
1N/A            (mkdir(path, 0755) == -1 || chmod(path, 0755) == -1))
1N/A            return (-1);
1N/A    }
1N/A
1N/A    (void) snprintf(dblock, sizeof (dblock), "%s/authtok_check.lock", path);
1N/A
1N/A    if ((lockfd = open(dblock, O_WRONLY|O_CREAT|O_EXCL, 0400)) == -1) {
1N/A        if (errno == EEXIST)
1N/A            lockfd = open(dblock, O_WRONLY);
1N/A        if (lockfd == -1) {
1N/A            int olderrno = errno;
1N/A            syslog(LOG_ERR, "pam_authtok_check::pam_sm_chauthtok: "
1N/A                "can't open lockfile: %s", strerror(errno));
1N/A            errno = olderrno;
1N/A            return (-1);
1N/A        }
1N/A    }
1N/A
1N/A    do {
1N/A        flock.l_type = F_WRLCK;
1N/A        retval = fcntl(lockfd, F_SETLK, &flock);
1N/A        if (retval == -1)
1N/A            (void) usleep(LOCK_WAIT);
1N/A    } while (retval == -1 && ++retries < LOCK_RETRIES);
1N/A
1N/A    if (retval == -1) {
1N/A        int errno_saved = errno;
1N/A        syslog(LOG_ERR, "pam_authtok_check::pam_sm_chauthtok: timeout "
1N/A            "waiting for dictionary lock.");
1N/A        errno = errno_saved;
1N/A    }
1N/A
1N/A    return (retval);
1N/A}
1N/A
1N/A/*
1N/A * unlock_db()
1N/A *
1N/A * Release the database lock
1N/A */
1N/Avoid
1N/Aunlock_db(void)
1N/A{
1N/A    if (lockfd != -1) {
1N/A        flock.l_type = F_UNLCK;
1N/A        (void) fcntl(lockfd, F_SETLK, &flock);
1N/A        (void) close(lockfd);
1N/A        lockfd = -1;
1N/A    }
1N/A}
1N/A
1N/A/*
1N/A * database_present()
1N/A *
1N/A * returns 0 if the database files are found, and the database size is
1N/A * greater than 0 and the database version matches the current version.
1N/A */
1N/Aint
1N/Adatabase_present(char *path)
1N/A{
1N/A    struct stat st;
1N/A    char dict_hwm[PATH_MAX];
1N/A    char dict_pwd[PATH_MAX];
1N/A    char dict_pwi[PATH_MAX];
1N/A    PWDICT *dict;
1N/A
1N/A    (void) snprintf(dict_hwm, sizeof (dict_hwm), "%s/%s", path,
1N/A        DICT_DATABASE_HWM);
1N/A    (void) snprintf(dict_pwd, sizeof (dict_pwd), "%s/%s", path,
1N/A        DICT_DATABASE_PWD);
1N/A    (void) snprintf(dict_pwi, sizeof (dict_pwi), "%s/%s", path,
1N/A        DICT_DATABASE_PWI);
1N/A
1N/A    if (stat(dict_hwm, &st) == -1 ||
1N/A        (stat(dict_pwd, &st) == -1 || st.st_size == 0) ||
1N/A        stat(dict_pwi, &st) == -1)
1N/A        return (NO_DICTDATABASE);
1N/A
1N/A    /* verify database version number by trying to open it */
1N/A    if ((dict = PWOpen(path, "r")) == NULL) {
1N/A        /* the files are there, but an outdated version */
1N/A        PWRemove(path);
1N/A        return (NO_DICTDATABASE);
1N/A    }
1N/A    (void) PWClose(dict);
1N/A    return (0);
1N/A}
1N/A
1N/A/*
1N/A * build_dict_database(list, char *path)
1N/A *
1N/A * Create the Crack Dictionary Database based on the list of sources
1N/A * dictionaries specified in "list". Store the database in "path".
1N/A */
1N/Aint
1N/Abuild_dict_database(char *list, char *path)
1N/A{
1N/A    return (packer(list, path) == -1 ? DICTDATABASE_BUILD_ERR : 0);
1N/A}
1N/A
1N/A/*
1N/A * Rebuild the database in "path" if the database is older than one of the
1N/A * files listed in "list", or older than the config-file PWADMIN.
1N/A */
1N/Aint
1N/Aupdate_dict_database(char *list, char *path)
1N/A{
1N/A    struct stat st_db;
1N/A    struct stat st_file;
1N/A    char *buf;
1N/A    char *listcopy;
1N/A    boolean_t update_needed = B_FALSE;
1N/A    char dbase_pwd[PATH_MAX];
1N/A
1N/A    (void) snprintf(dbase_pwd, sizeof (dbase_pwd), "%s/%s", path,
1N/A        DICT_DATABASE_PWD);
1N/A
1N/A    if (stat(dbase_pwd, &st_db) == -1)
1N/A        return (DICTFILE_ERR);
1N/A
1N/A    if ((listcopy = strdup(list)) == NULL)
1N/A        return (DICTFILE_ERR);
1N/A
1N/A    buf = strtok(listcopy,  "\t ,");
1N/A
1N/A    /* Compare mtime of each listed dictionary against DB mtime */
1N/A    while (update_needed == B_FALSE && buf != NULL) {
1N/A        if (stat(buf, &st_file) == -1) {
1N/A            if (errno == ENOENT) {
1N/A                syslog(LOG_ERR,
1N/A                    "pam_authtok_check:update_dict_database: "
1N/A                    "dictionary \"%s\" not present.", buf);
1N/A            } else {
1N/A                syslog(LOG_ERR,
1N/A                    "pam_authtok_check:update_dict_database: "
1N/A                    "stat(%s) failed: %s", buf,
1N/A                    strerror(errno));
1N/A            }
1N/A            free(listcopy);
1N/A            return (DICTFILE_ERR);
1N/A        }
1N/A        if (st_db.st_mtime < st_file.st_mtime)
1N/A            update_needed = B_TRUE; /* database out of date */
1N/A        buf = strtok(NULL, "\t ,");
1N/A    }
1N/A
1N/A    free(listcopy);
1N/A
1N/A    /*
1N/A     * If /etc/default/passwd is updated, generate the database.
1N/A     * Because this is the only way we can check if files have been
1N/A     * added/deleted from DICTIONLIST.
1N/A     * Drawback: the database will also be generated when other
1N/A     * tunables are changed.
1N/A     */
1N/A    if (stat(PWADMIN, &st_file) != -1 && st_db.st_mtime < st_file.st_mtime)
1N/A        update_needed = B_TRUE;
1N/A
1N/A    if (update_needed) {
1N/A        /*
1N/A         * Since we actually rebuild the database, we need to remove
1N/A         * the old database first.
1N/A         */
1N/A        PWRemove(path);
1N/A        return (build_dict_database(list, path));
1N/A    }
1N/A
1N/A    return (0);
1N/A}
1N/A
1N/A/*
1N/A * Build or update database, while holding the global lock.
1N/A */
1N/Aint
1N/Amake_dict_database(char *list, char *path)
1N/A{
1N/A    int r = -1;
1N/A
1N/A    if (lock_db(path) == 0) {
1N/A        if (database_present(path) == NO_DICTDATABASE)
1N/A            r = build_dict_database(list, path);
1N/A        else
1N/A            r = update_dict_database(list, path);
1N/A        unlock_db();
1N/A    }
1N/A    return (r);
1N/A}