/* * Copyright (c) 1999,2007,2019-21 Andrew G. Morgan * * The purpose of this module is to enforce inheritable, bounding and * ambient capability sets for a specified user. */ /* #define PAM_DEBUG */ #ifndef _DEFAULT_SOURCE #define _DEFAULT_SOURCE #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define USER_CAP_FILE "/etc/security/capability.conf" #define CAP_FILE_BUFFER_SIZE 4096 #define CAP_FILE_DELIMITERS " \t\n" /* * pam_cap_s is used to summarize argument values in a parsed form. */ struct pam_cap_s { int debug; int keepcaps; int autoauth; int defer; const char *user; const char *conf_filename; const char *fallback; pam_handle_t *pamh; }; /* * load_groups obtains the list all of the groups associated with the * requested user: gid & supplemental groups. */ static int load_groups(const char *user, char ***groups, int *groups_n) { struct passwd *pwd; gid_t grps[NGROUPS_MAX]; int ngrps = NGROUPS_MAX; *groups = NULL; *groups_n = 0; pwd = getpwnam(user); if (pwd == NULL) { return -1; } /* must include at least pwd->pw_gid, hence < 1 test. */ if (getgrouplist(user, pwd->pw_gid, grps, &ngrps) < 1) { return -1; } *groups = calloc(ngrps, sizeof(char *)); if (*groups == NULL) { return -1; } int g_n = 0, i; for (i = 0; i < ngrps; i++) { const struct group *g = getgrgid(grps[i]); if (g == NULL) { continue; } D(("noting [%s] is a member of [%s]", user, g->gr_name)); (*groups)[g_n++] = strdup(g->gr_name); } *groups_n = g_n; return 0; } /* obtain the desired IAB capabilities for the current user */ static char *read_capabilities_for_user(const char *user, const char *source) { char *cap_string = NULL; char buffer[CAP_FILE_BUFFER_SIZE], *line; char **groups; int groups_n; FILE *cap_file; if (load_groups(user, &groups, &groups_n)) { D(("unknown user [%s]", user)); return NULL; } cap_file = fopen(source, "r"); if (cap_file == NULL) { D(("failed to open capability file")); goto defer; } int found_one = 0; while (!found_one && (line = fgets(buffer, CAP_FILE_BUFFER_SIZE, cap_file))) { const char *cap_text; char *next = NULL; cap_text = strtok_r(line, CAP_FILE_DELIMITERS, &next); if (cap_text == NULL) { D(("empty line")); continue; } if (*cap_text == '#') { D(("comment line")); continue; } /* * Explore whether any of the ids are a match for the current * user. */ while ((line = strtok_r(next, CAP_FILE_DELIMITERS, &next))) { if (strcmp("*", line) == 0) { D(("wildcard matched")); found_one = 1; break; } if (strcmp(user, line) == 0) { D(("exact match for user")); found_one = 1; break; } if (line[0] != '@') { D(("user [%s] is not [%s] - skipping", user, line)); } int i; for (i=0; i < groups_n; i++) { if (!strcmp(groups[i], line+1)) { D(("user group matched [%s]", line)); found_one = 1; break; } } if (found_one) { break; } } if (found_one) { cap_string = strdup(cap_text); D(("user [%s] matched - caps are [%s]", user, cap_string)); } cap_text = NULL; line = NULL; } fclose(cap_file); defer: memset(buffer, 0, CAP_FILE_BUFFER_SIZE); int i; for (i = 0; i < groups_n; i++) { char *g = groups[i]; _pam_overwrite(g); _pam_drop(g); } if (groups != NULL) { memset(groups, 0, groups_n * sizeof(char *)); _pam_drop(groups); } return cap_string; } /* * This is the "defer" cleanup function that actually applies the IAB * tuple. This happens really late in the PAM session, hopefully after * the application has performed its setuid() function. */ static void iab_apply(pam_handle_t *pamh, void *data, int error_status) { cap_iab_t iab = data; int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT); #ifdef PAM_DEBUG { cap_t c = cap_get_proc(); cap_iab_t tu = cap_iab_get_proc(); char *tc, *ttu; tc = cap_to_text(c, NULL); ttu = cap_iab_to_text(tu); D(("iab_apply with uid=%d,euid=%d and error_status=0x%08x \"%s\", [%s]", getuid(), geteuid(), error_status, tc, ttu)); cap_free(ttu); cap_free(tc); cap_free(tu); cap_free(c); } #endif data = NULL; if (error_status & PAM_DATA_REPLACE) { goto done; } if (retval != PAM_SUCCESS || !(error_status & PAM_DATA_SILENT)) { goto done; } if (cap_iab_set_proc(iab) != 0) { D(("IAB setting failed")); } done: cap_free(iab); } /* * Set capabilities for current process to match the current * permitted+executable sets combined with the configured inheritable * set. */ static int set_capabilities(struct pam_cap_s *cs) { cap_t cap_s; char *conf_caps; int ok = 0; cap_iab_t iab; cap_s = cap_get_proc(); if (cap_s == NULL) { D(("your kernel is capability challenged - upgrade: %s", strerror(errno))); return 0; } conf_caps = read_capabilities_for_user(cs->user, cs->conf_filename ? cs->conf_filename:USER_CAP_FILE ); if (conf_caps == NULL) { D(("no capabilities found for user [%s]", cs->user)); if (cs->fallback == NULL) { goto cleanup_cap_s; } conf_caps = strdup(cs->fallback); D(("user [%s] received fallback caps [%s]", cs->user, conf_caps)); } ssize_t conf_caps_length = strlen(conf_caps); if (!strcmp(conf_caps, "all")) { /* * all here is interpreted as no change/pass through, which is * likely to be the same as none for sensible system defaults. */ ok = 1; goto cleanup_conf; } if (!strcmp(conf_caps, "none")) { /* clearing CAP_INHERITABLE will also clear the ambient caps, * but for legacy reasons we do not alter the bounding set. */ cap_clear_flag(cap_s, CAP_INHERITABLE); if (!cap_set_proc(cap_s)) { ok = 1; } goto cleanup_conf; } iab = cap_iab_from_text(conf_caps); if (iab == NULL) { D(("unable to parse the IAB [%s] value", conf_caps)); goto cleanup_conf; } if (cs->defer) { D(("configured to delay applying IAB")); pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply); iab = NULL; } else if (!cap_iab_set_proc(iab)) { D(("able to set the IAB [%s] value", conf_caps)); ok = 1; } cap_free(iab); if (cs->keepcaps) { /* * Best effort to set keep caps - this may help work around * situations where applications are using a capabilities * unaware setuid() call. * * It isn't needed unless you want to support Ambient vector * values in the IAB. In this case, it will likely also * require you use the "defer" module argument. */ D(("setting keepcaps")); (void) cap_prctlw(PR_SET_KEEPCAPS, 1, 0, 0, 0, 0); } cleanup_conf: memset(conf_caps, 0, conf_caps_length); _pam_drop(conf_caps); cleanup_cap_s: cap_free(cap_s); cap_s = NULL; return ok; } /* log errors */ static void _pam_log(int err, const char *format, ...) { va_list args; va_start(args, format); openlog("pam_cap", LOG_CONS|LOG_PID, LOG_AUTH); vsyslog(err, format, args); va_end(args); closelog(); } static void parse_args(int argc, const char **argv, struct pam_cap_s *pcs) { D(("parsing %d module arg(s)", argc)); memset(pcs, 0, sizeof(*pcs)); /* step through arguments */ for (; argc-- > 0; ++argv) { if (!strcmp(*argv, "debug")) { pcs->debug = 1; } else if (!strncmp(*argv, "config=", 7)) { pcs->conf_filename = 7 + *argv; } else if (!strcmp(*argv, "keepcaps")) { pcs->keepcaps = 1; } else if (!strcmp(*argv, "autoauth")) { pcs->autoauth = 1; } else if (!strncmp(*argv, "default=", 8)) { pcs->fallback = 8 + *argv; } else if (!strcmp(*argv, "defer")) { pcs->defer = 1; } else { _pam_log(LOG_ERR, "unknown option; %s", *argv); } } } /* * pam_sm_authenticate parses the config file with respect to the user * being authenticated and determines if they are covered by any * capability inheritance rules. */ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval; struct pam_cap_s pcs; char *conf_caps; parse_args(argc, argv, &pcs); retval = pam_get_user(pamh, &pcs.user, NULL); if (retval == PAM_CONV_AGAIN) { D(("user conversation is not available yet")); memset(&pcs, 0, sizeof(pcs)); return PAM_INCOMPLETE; } if (pcs.autoauth) { D(("pam_sm_authenticate autoauth = success")); memset(&pcs, 0, sizeof(pcs)); return PAM_SUCCESS; } if (retval != PAM_SUCCESS) { D(("pam_get_user failed: %s", pam_strerror(pamh, retval))); memset(&pcs, 0, sizeof(pcs)); return PAM_AUTH_ERR; } conf_caps = read_capabilities_for_user(pcs.user, pcs.conf_filename ? pcs.conf_filename:USER_CAP_FILE ); memset(&pcs, 0, sizeof(pcs)); if (conf_caps) { D(("it appears that there are capabilities for this user [%s]", conf_caps)); /* We could also store this as a pam_[gs]et_data item for use by the setcred call to follow. However, this precludes using pam_cap as just a cred module, and requires that the 'auth' component be called first. As it is, there is a small race associated with a redundant read of the config. */ _pam_overwrite(conf_caps); _pam_drop(conf_caps); return PAM_SUCCESS; } D(("there are no capabilities restrictions on this user")); return PAM_IGNORE; } /* * pam_sm_setcred optionally applies inheritable capabilities loaded * by the pam_sm_authenticate pass for the user. If it doesn't apply * them directly (because of the "defer" module argument), it caches * the cap_iab_t value for later use during the pam_end() call. */ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval = 0; struct pam_cap_s pcs; if (!(flags & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { D(("we don't handle much in the way of credentials")); return PAM_IGNORE; } parse_args(argc, argv, &pcs); retval = pam_get_item(pamh, PAM_USER, (const void **)&pcs.user); if ((retval != PAM_SUCCESS) || (pcs.user == NULL) || !(pcs.user[0])) { D(("user's name is not set")); return PAM_AUTH_ERR; } pcs.pamh = pamh; retval = set_capabilities(&pcs); memset(&pcs, 0, sizeof(pcs)); return (retval ? PAM_SUCCESS:PAM_IGNORE); }