pam_tcb: Refactor unix_run_helper_binary().

besser82 · besser82 · commit 2f2349291278 · 2024-12-16T19:43:16.000+01:00
Refactor the function to be non-static and
to allow for more versatile use.

Signed-off-by: Björn Esser &lt;besser82@fedoraproject.org&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -41,6 +41,13 @@
 	binary to be run as root if e.g. SELinux prevents access to file
 	storing the hashed user password.
 	* progs/tcb_chkpwd.c (unix_verify_password): Likewise.
+	* pam_tcb/support.c (unix_run_helper_binary): Refactor function to
+	be non-static and to allow for more versatile use.
+	* pam_tcb/support.h (unix_run_helper_binary): New function.
+	* pam_tcb/support.c (run_chkpwd_binary): New static function wrapper
+	around unix_run_helper_binary().
+	* pam_tcb/support.c (unix_verify_password_plain):
+	Replace call to unix_run_helper_binary() with run_chkpwd_binary().
 
 2021-09-30  Björn Esser  <besser82 at fedoraproject.org>
 
diff --git a/pam_tcb/support.c b/pam_tcb/support.c
@@ -279,29 +279,29 @@ int _unix_blankpasswd(pam_handle_t *pamh, const char *user)
 }
 
 /*
- * Verify the password of a user.
+ * Run a helper binary.
  */
-
-static int unix_run_helper_binary(const char *user, const char *pass)
+int unix_run_helper_binary(const char *user, const char *pass,
+			   const char *helper_binary, char *const argv[],
+			   const char config[8], void *retval_helper,
+			   size_t retval_size)
 {
-	int retval = PAM_AUTH_ERR, child, fail = 0, status, fds[2], retpipe[2];
+	int child, retval = 0, status, fds[2], retpipe[2];
 	sighandler_t sigchld, sigpipe;
 	int len;
-	char *argv[] = {CHKPWD_HELPER, NULL};
 	char *envp[] = {NULL};
 
 	D(("called"));
 
-	if (!pam_unix_param.helper)
-		return PAM_AUTH_ERR;
-
 	/* create a pipe for the password */
 	if (pipe(fds)) {
 		D(("could not make pipe"));
+		retval = 1;
 		goto out;
 	}
 	if (pipe(retpipe)) {
 		D(("could not make pipe"));
+		retval = 1;
 		goto out_pipe;
 	}
 
@@ -311,6 +311,7 @@ static int unix_run_helper_binary(const char *user, const char *pass)
 	switch ((child = fork())) {
 	case -1:
 		D(("fork failed"));
+		retval = 1;
 		goto out_signal;
 
 	case 0:
@@ -327,7 +328,7 @@ static int unix_run_helper_binary(const char *user, const char *pass)
 			_exit(1);
 
 		/* exec binary helper */
-		execve(pam_unix_param.helper, argv, envp);
+		execve(helper_binary, argv, envp);
 
 		/* should not get here: exit with error */
 		D(("helper binary is not available"));
@@ -337,39 +338,29 @@ static int unix_run_helper_binary(const char *user, const char *pass)
 		/* wait for child */
 		close(fds[0]);
 		close(retpipe[1]);
-		if (on(UNIX__NULLOK)) {
-			if (write_loop(fds[1], "nullok\0\0", 8) != 8)
-				fail = 1;
-		} else {
-			if (write_loop(fds[1], "nonull\0\0", 8) != 8)
-				fail = 1;
-		}
+		if (write_loop(fds[1], config, 8) != 8)
+			retval = 1;
 		len = strlen(user) + 1;
-		if (write_loop(fds[1], user, len) != len)
-			fail = 1;
-		else {
+		if (write_loop(fds[1], user, len) != len) {
+			retval = 1;
+		} else {
 			len = strlen(pass) + 1;
 			if (write_loop(fds[1], pass, len) != len)
-				fail = 1;
+				retval = 1;
 		}
 		pass = NULL;
 		close(fds[1]);
 		/* wait for helper to complete */
 		if (waitpid(child, &status, 0) != child) {
 			status = 0;
-			fail = 1;
+			retval = 1;
 		}
-		if (read_loop(retpipe[0], (char *)&retval, sizeof(retval)) !=
-		    sizeof(retval))
-			fail = 1;
+		if (read_loop(retpipe[0], (char *)retval_helper, retval_size) !=
+		    (int)retval_size)
+			retval = 1;
 		close(retpipe[0]);
 		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
-			fail = 1;
-		if (fail)
-			retval = PAM_AUTH_ERR;
-		else
-			retval = (retval == TCB_MAGIC) ?
-			    PAM_SUCCESS : PAM_AUTH_ERR;
+			retval = 1;
 	}
 
 out_signal:
@@ -387,6 +378,37 @@ static int unix_run_helper_binary(const char *user, const char *pass)
 	return retval;
 }
 
+/*
+ * Verify the password of a user.
+ */
+
+static int run_chkpwd_binary(const char *user, const char *pass)
+{
+	char *argv[] = { CHKPWD_HELPER, "chkpwd", NULL };
+	char config[8];
+	int retval_helper;
+
+	if (!pam_unix_param.helper)
+		goto end;
+
+	if (on(UNIX__NULLOK)) {
+		memcpy(config, "nullok\0\0", 8);
+	} else {
+		memcpy(config, "nonull\0\0", 8);
+	}
+
+	if (unix_run_helper_binary (user, pass, pam_unix_param.helper,
+				    argv, config, (void *)&retval_helper,
+				    sizeof(retval_helper)))
+		goto end;
+
+	if (retval_helper == TCB_MAGIC)
+		return PAM_SUCCESS;
+
+end:
+	return PAM_AUTH_ERR;
+}
+
 static int check_crypt(pam_handle_t *pamh, const char *pass,
     const char *stored_hash)
 {
@@ -478,7 +500,7 @@ static int unix_verify_password_plain(pam_handle_t *pamh,
 		if (uid == geteuid() && (uid == pw->pw_uid || uid == 0)) {
 			/* We are not privileged enough perhaps this is the reason? */
 			D(("running helper binary"));
-			retval = unix_run_helper_binary(user, pass);
+			retval = run_chkpwd_binary(user, pass);
 		} else {
 			D(("user's record unavailable"));
 			pam_syslog(pamh, LOG_ALERT,
diff --git a/pam_tcb/support.h b/pam_tcb/support.h
@@ -184,6 +184,10 @@ extern int _set_ctrl(pam_handle_t *, int flags, int argc, const char **argv);
 extern int _unix_blankpasswd(pam_handle_t *, const char *user);
 extern int _unix_verify_password(pam_handle_t *, const char *, const char *);
 extern int unix_getspnam(struct spwd **, const struct passwd *);
+extern int unix_run_helper_binary(const char *user, const char *pass,
+				  const char *helper_binary, char *const argv[],
+				  const char helper_command[8],
+				  void *retval_helper, size_t retval_size);
 extern char *crypt_wrapper(pam_handle_t *, const char *, const char *);
 extern char *do_crypt(pam_handle_t *, const char *);
 
