pam_modules/smb/smb_passwd.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident   "%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <sys/varargs.h>
#include <string.h>
#include <syslog.h>
#include <stdlib.h>

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>

#include <libintl.h>
#include <passwdutil.h>

#include <smbsrv/libsmb.h>

/*PRINTFLIKE3*/
static void
error(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
{
    va_list ap;
    char message[PAM_MAX_MSG_SIZE];

    if (nowarn)
        return;

    va_start(ap, fmt);
    (void) vsnprintf(message, sizeof (message), fmt, ap);
    (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
        NULL);
    va_end(ap);
}

/*PRINTFLIKE3*/
static void
info(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
{
    va_list ap;
    char message[PAM_MAX_MSG_SIZE];

    if (nowarn)
        return;

    va_start(ap, fmt);
    (void) vsnprintf(message, sizeof (message), fmt, ap);
    (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
        NULL);
    va_end(ap);
}

int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    boolean_t debug = B_FALSE;
    boolean_t nowarn = B_FALSE;
    pwu_repository_t files_rep;
    char *user, *local_user;
    char *newpw;
    char *service;
    int privileged;
    int res;
    int i;

    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0)
            debug = B_TRUE;
        else if (strcmp(argv[i], "nowarn") == 0)
            nowarn = B_TRUE;
    }

    if ((flags & PAM_PRELIM_CHECK) != 0)
        return (PAM_IGNORE);

    if ((flags & PAM_UPDATE_AUTHTOK) == 0)
        return (PAM_SYSTEM_ERR);

    if ((flags & PAM_SILENT) != 0)
        nowarn = B_TRUE;

    if (debug)
        __pam_log(LOG_AUTH | LOG_DEBUG,
            "pam_smb_passwd: storing authtok");

    (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
    (void) pam_get_item(pamh, PAM_USER, (void **)&user);

    if (user == NULL || *user == '\0') {
        __pam_log(LOG_AUTH | LOG_ERR,
            "pam_smb_passwd: username is empty");
        return (PAM_USER_UNKNOWN);
    }

    (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
    if (newpw == NULL) {
        /*
         * A module on the stack has removed PAM_AUTHTOK. We fail
         */
        return (PAM_AUTHTOK_ERR);
    }

    /* Check to see if this is a local user */
    files_rep.type = "files";
    files_rep.scope = NULL;
    files_rep.scope_len = 0;
    res = __user_to_authenticate(user, &files_rep, &local_user,
        &privileged);
    if (res != PWU_SUCCESS) {
        switch (res) {
        case PWU_NOT_FOUND:
            /* if not a local user, ignore */
            if (debug) {
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "pam_smb_passwd: %s is not local", user);
            }
            return (PAM_IGNORE);
        case PWU_DENIED:
            return (PAM_PERM_DENIED);
        }
        return (PAM_SYSTEM_ERR);
    }

    smb_pwd_init(B_FALSE);

    res = smb_pwd_setpasswd(user, newpw);

    smb_pwd_fini();

    /*
     * now map the various return states to user messages
     * and PAM return codes.
     */
    switch (res) {
    case SMB_PWE_SUCCESS:
        info(nowarn, pamh, dgettext(TEXT_DOMAIN,
            "%s: SMB password successfully changed for %s"),
            service, user);
        return (PAM_SUCCESS);

    case SMB_PWE_STAT_FAILED:
        __pam_log(LOG_AUTH | LOG_ERR,
            "%s: stat of SMB password file failed", service);
        return (PAM_SYSTEM_ERR);

    case SMB_PWE_OPEN_FAILED:
    case SMB_PWE_WRITE_FAILED:
    case SMB_PWE_CLOSE_FAILED:
    case SMB_PWE_UPDATE_FAILED:
        error(nowarn, pamh, dgettext(TEXT_DOMAIN,
            "%s: Unexpected failure. SMB password database unchanged."),
            service);
        return (PAM_SYSTEM_ERR);

    case SMB_PWE_BUSY:
        error(nowarn, pamh, dgettext(TEXT_DOMAIN,
            "%s: SMB password database busy. Try again later."),
            service);

        return (PAM_AUTHTOK_LOCK_BUSY);

    case SMB_PWE_USER_UNKNOWN:
        error(nowarn, pamh, dgettext(TEXT_DOMAIN,
            "%s: %s does not exist."), service, user);
        return (PAM_USER_UNKNOWN);

    case SMB_PWE_USER_DISABLE:
        error(nowarn, pamh, dgettext(TEXT_DOMAIN,
            "%s: %s is disable. SMB password database unchanged."),
            service, user);
        return (PAM_IGNORE);

    case SMB_PWE_DENIED:
        return (PAM_PERM_DENIED);

    default:
        res = PAM_SYSTEM_ERR;
        break;
    }

    return (res);
}