1 /*
2  * session.c - PPP session control.
3  *
4  * Copyright (c) 2007 Diego Rivera. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. The name(s) of the authors of this software must not be used to
14  *    endorse or promote products derived from this software without
15  *    prior written permission.
16  *
17  * 3. Redistributions of any form whatsoever must retain the following
18  *    acknowledgment:
19  *    "This product includes software developed by Paul Mackerras
20  *     <paulus@samba.org>".
21  *
22  * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
23  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
24  * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
25  * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
26  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
27  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
28  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
29  *
30  * Derived from auth.c, which is:
31  *
32  * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved.
33  *
34  * Redistribution and use in source and binary forms, with or without
35  * modification, are permitted provided that the following conditions
36  * are met:
37  *
38  * 1. Redistributions of source code must retain the above copyright
39  *    notice, this list of conditions and the following disclaimer.
40  *
41  * 2. Redistributions in binary form must reproduce the above copyright
42  *    notice, this list of conditions and the following disclaimer in
43  *    the documentation and/or other materials provided with the
44  *    distribution.
45  *
46  * 3. The name "Carnegie Mellon University" must not be used to
47  *    endorse or promote products derived from this software without
48  *    prior written permission. For permission or any legal
49  *    details, please contact
50  *      Office of Technology Transfer
51  *      Carnegie Mellon University
52  *      5000 Forbes Avenue
53  *      Pittsburgh, PA  15213-3890
54  *      (412) 268-4387, fax: (412) 268-7395
55  *      tech-transfer@andrew.cmu.edu
56  *
57  * 4. Redistributions of any form whatsoever must retain the following
58  *    acknowledgment:
59  *    "This product includes software developed by Computing Services
60  *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
61  *
62  * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
63  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
64  * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
65  * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
66  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
67  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
68  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
69  */
70 
71 #include <stdio.h>
72 #include <stdlib.h>
73 #include <string.h>
74 #include <pwd.h>
75 #if !defined(__ANDROID__)
76 #include <crypt.h>
77 #endif
78 #ifdef HAS_SHADOW
79 #include <shadow.h>
80 #endif
81 #include <time.h>
82 #include <utmp.h>
83 #include <fcntl.h>
84 #include <unistd.h>
85 #include "pppd.h"
86 #include "session.h"
87 
88 #ifdef USE_PAM
89 #include <security/pam_appl.h>
90 #endif /* #ifdef USE_PAM */
91 
92 #define SET_MSG(var, msg) if (var != NULL) { var[0] = msg; }
93 #define COPY_STRING(s) ((s) ? strdup(s) : NULL)
94 
95 #define SUCCESS_MSG "Session started successfully"
96 #define ABORT_MSG "Session can't be started without a username"
97 #define SERVICE_NAME "ppp"
98 
99 #define SESSION_FAILED  0
100 #define SESSION_OK      1
101 
102 /* We have successfully started a session */
103 static bool logged_in = 0;
104 
105 #ifdef USE_PAM
106 /*
107  * Static variables used to communicate between the conversation function
108  * and the server_login function
109  */
110 static const char *PAM_username;
111 static const char *PAM_password;
112 static int   PAM_session = 0;
113 static pam_handle_t *pamh = NULL;
114 
115 /* PAM conversation function
116  * Here we assume (for now, at least) that echo on means login name, and
117  * echo off means password.
118  */
119 
conversation(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata_ptr)120 static int conversation (int num_msg,
121 #ifndef SOL2
122     const
123 #endif
124     struct pam_message **msg,
125     struct pam_response **resp, void *appdata_ptr)
126 {
127     int replies = 0;
128     struct pam_response *reply = NULL;
129 
130     reply = malloc(sizeof(struct pam_response) * num_msg);
131     if (!reply) return PAM_CONV_ERR;
132 
133     for (replies = 0; replies < num_msg; replies++) {
134         switch (msg[replies]->msg_style) {
135             case PAM_PROMPT_ECHO_ON:
136                 reply[replies].resp_retcode = PAM_SUCCESS;
137                 reply[replies].resp = COPY_STRING(PAM_username);
138                 /* PAM frees resp */
139                 break;
140             case PAM_PROMPT_ECHO_OFF:
141                 reply[replies].resp_retcode = PAM_SUCCESS;
142                 reply[replies].resp = COPY_STRING(PAM_password);
143                 /* PAM frees resp */
144                 break;
145             case PAM_TEXT_INFO:
146                 /* fall through */
147             case PAM_ERROR_MSG:
148                 /* ignore it, but pam still wants a NULL response... */
149                 reply[replies].resp_retcode = PAM_SUCCESS;
150                 reply[replies].resp = NULL;
151                 break;
152             default:
153                 /* Must be an error of some sort... */
154                 free (reply);
155                 return PAM_CONV_ERR;
156         }
157     }
158     *resp = reply;
159     return PAM_SUCCESS;
160 }
161 
162 static struct pam_conv pam_conv_data = {
163     &conversation,
164     NULL
165 };
166 #endif /* #ifdef USE_PAM */
167 
168 int
session_start(flags,user,passwd,ttyName,msg)169 session_start(flags, user, passwd, ttyName, msg)
170     const int flags;
171     const char *user;
172     const char *passwd;
173     const char *ttyName;
174     char **msg;
175 {
176 #ifdef USE_PAM
177     bool ok = 1;
178     const char *usr;
179     int pam_error;
180     bool try_session = 0;
181 #else /* #ifdef USE_PAM */
182     struct passwd *pw;
183     char *cbuf;
184 #ifdef HAS_SHADOW
185     struct spwd *spwd;
186     struct spwd *getspnam();
187     long now = 0;
188 #endif /* #ifdef HAS_SHADOW */
189 #endif /* #ifdef USE_PAM */
190 
191     SET_MSG(msg, SUCCESS_MSG);
192 
193     /* If no verification is requested, then simply return an OK */
194     if (!(SESS_ALL & flags)) {
195         return SESSION_OK;
196     }
197 
198 #if defined(__ANDROID__)
199     return SESSION_FAILED;
200 #endif
201 
202     if (user == NULL) {
203        SET_MSG(msg, ABORT_MSG);
204        return SESSION_FAILED;
205     }
206 
207 #ifdef USE_PAM
208     /* Find the '\\' in the username */
209     /* This needs to be fixed to support different username schemes */
210     if ((usr = strchr(user, '\\')) == NULL)
211 	usr = user;
212     else
213 	usr++;
214 
215     PAM_session = 0;
216     PAM_username = usr;
217     PAM_password = passwd;
218 
219     dbglog("Initializing PAM (%d) for user %s", flags, usr);
220     pam_error = pam_start (SERVICE_NAME, usr, &pam_conv_data, &pamh);
221     dbglog("---> PAM INIT Result = %d", pam_error);
222     ok = (pam_error == PAM_SUCCESS);
223 
224     if (ok) {
225         ok = (pam_set_item(pamh, PAM_TTY, ttyName) == PAM_SUCCESS) &&
226 	    (pam_set_item(pamh, PAM_RHOST, ifname) == PAM_SUCCESS);
227     }
228 
229     if (ok && (SESS_AUTH & flags)) {
230         dbglog("Attempting PAM authentication");
231         pam_error = pam_authenticate (pamh, PAM_SILENT);
232         if (pam_error == PAM_SUCCESS) {
233             /* PAM auth was OK */
234             dbglog("PAM Authentication OK for %s", user);
235         } else {
236             /* No matter the reason, we fail because we're authenticating */
237             ok = 0;
238             if (pam_error == PAM_USER_UNKNOWN) {
239                 dbglog("User unknown, failing PAM authentication");
240                 SET_MSG(msg, "User unknown - cannot authenticate via PAM");
241             } else {
242                 /* Any other error means authentication was bad */
243                 dbglog("PAM Authentication failed: %d: %s", pam_error,
244 		       pam_strerror(pamh, pam_error));
245                 SET_MSG(msg, (char *) pam_strerror (pamh, pam_error));
246             }
247         }
248     }
249 
250     if (ok && (SESS_ACCT & flags)) {
251         dbglog("Attempting PAM account checks");
252         pam_error = pam_acct_mgmt (pamh, PAM_SILENT);
253         if (pam_error == PAM_SUCCESS) {
254             /*
255 	     * PAM account was OK, set the flag which indicates that we should
256 	     * try to perform the session checks.
257 	     */
258             try_session = 1;
259             dbglog("PAM Account OK for %s", user);
260         } else {
261             /*
262 	     * If the account checks fail, then we should not try to perform
263 	     * the session check, because they don't make sense.
264 	     */
265             try_session = 0;
266             if (pam_error == PAM_USER_UNKNOWN) {
267                 /*
268 		 * We're checking the account, so it's ok to not have one
269 		 * because the user might come from the secrets files, or some
270 		 * other plugin.
271 		 */
272                 dbglog("User unknown, ignoring PAM restrictions");
273                 SET_MSG(msg, "User unknown - ignoring PAM restrictions");
274             } else {
275                 /* Any other error means session is rejected */
276                 ok = 0;
277                 dbglog("PAM Account checks failed: %d: %s", pam_error,
278 		       pam_strerror(pamh, pam_error));
279                 SET_MSG(msg, (char *) pam_strerror (pamh, pam_error));
280             }
281         }
282     }
283 
284     if (ok && try_session && (SESS_ACCT & flags)) {
285         /* Only open a session if the user's account was found */
286         pam_error = pam_open_session (pamh, PAM_SILENT);
287         if (pam_error == PAM_SUCCESS) {
288             dbglog("PAM Session opened for user %s", user);
289             PAM_session = 1;
290         } else {
291             dbglog("PAM Session denied for user %s", user);
292             SET_MSG(msg, (char *) pam_strerror (pamh, pam_error));
293             ok = 0;
294         }
295     }
296 
297     /* This is needed because apparently the PAM stuff closes the log */
298     reopen_log();
299 
300     /* If our PAM checks have already failed, then we must return a failure */
301     if (!ok) return SESSION_FAILED;
302 
303 #elif !defined(__ANDROID__) /* #ifdef USE_PAM */
304 
305 /*
306  * Use the non-PAM methods directly.  'pw' will remain NULL if the user
307  * has not been authenticated using local UNIX system services.
308  */
309 
310     pw = NULL;
311     if ((SESS_AUTH & flags)) {
312 	pw = getpwnam(user);
313 
314 	endpwent();
315 	/*
316 	 * Here, we bail if we have no user account, because there is nothing
317 	 * to verify against.
318 	 */
319 	if (pw == NULL)
320 	    return SESSION_FAILED;
321 
322 #ifdef HAS_SHADOW
323 
324 	spwd = getspnam(user);
325 	endspent();
326 
327 	/*
328 	 * If there is no shadow entry for the user, then we can't verify the
329 	 * account.
330 	 */
331 	if (spwd == NULL)
332 	    return SESSION_FAILED;
333 
334 	/*
335 	 * We check validity all the time, because if the password has expired,
336 	 * then clearly we should not authenticate against it (if we're being
337 	 * called for authentication only).  Thus, in this particular instance,
338 	 * there is no real difference between using the AUTH, SESS or ACCT
339 	 * flags, or combinations thereof.
340 	 */
341 	now = time(NULL) / 86400L;
342 	if ((spwd->sp_expire > 0 && now >= spwd->sp_expire)
343 	    || ((spwd->sp_max >= 0 && spwd->sp_max < 10000)
344 	    && spwd->sp_lstchg >= 0
345 	    && now >= spwd->sp_lstchg + spwd->sp_max)) {
346 	    warn("Password for %s has expired", user);
347 	    return SESSION_FAILED;
348 	}
349 
350 	/* We have a valid shadow entry, keep the password */
351 	pw->pw_passwd = spwd->sp_pwdp;
352 
353 #endif /* #ifdef HAS_SHADOW */
354 
355 	/*
356 	 * If no passwd, don't let them login if we're authenticating.
357 	 */
358         if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2)
359             return SESSION_FAILED;
360 	cbuf = crypt(passwd, pw->pw_passwd);
361 	if (!cbuf || strcmp(cbuf, pw->pw_passwd) != 0)
362             return SESSION_FAILED;
363     }
364 
365 #endif /* #ifdef USE_PAM */
366 
367     /*
368      * Write a wtmp entry for this user.
369      */
370 
371     if (SESS_ACCT & flags) {
372 	if (strncmp(ttyName, "/dev/", 5) == 0)
373 	    ttyName += 5;
374 	logwtmp(ttyName, user, ifname); /* Add wtmp login entry */
375 	logged_in = 1;
376 
377 #if defined(_PATH_LASTLOG) && !defined(USE_PAM)
378 	/*
379 	 * Enter the user in lastlog only if he has been authenticated using
380 	 * local system services.  If he has not, then we don't know what his
381 	 * UID might be, and lastlog is indexed by UID.
382 	 */
383 	if (pw != NULL) {
384             struct lastlog ll;
385             int fd;
386 	    time_t tnow;
387 
388             if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
389                 (void)lseek(fd, (off_t)(pw->pw_uid * sizeof(ll)), SEEK_SET);
390                 memset((void *)&ll, 0, sizeof(ll));
391 		(void)time(&tnow);
392                 ll.ll_time = tnow;
393                 (void)strncpy(ll.ll_line, ttyName, sizeof(ll.ll_line));
394                 (void)strncpy(ll.ll_host, ifname, sizeof(ll.ll_host));
395                 (void)write(fd, (char *)&ll, sizeof(ll));
396                 (void)close(fd);
397             }
398 	}
399 #endif /* _PATH_LASTLOG and not USE_PAM */
400 	info("user %s logged in on tty %s intf %s", user, ttyName, ifname);
401     }
402 
403     return SESSION_OK;
404 }
405 
406 /*
407  * session_end - Logout the user.
408  */
409 void
session_end(const char * ttyName)410 session_end(const char* ttyName)
411 {
412 #ifdef USE_PAM
413     int pam_error = PAM_SUCCESS;
414 
415     if (pamh != NULL) {
416         if (PAM_session) pam_error = pam_close_session (pamh, PAM_SILENT);
417         PAM_session = 0;
418         pam_end (pamh, pam_error);
419         pamh = NULL;
420 	/* Apparently the pam stuff does closelog(). */
421 	reopen_log();
422     }
423 #endif
424     if (logged_in) {
425 	if (strncmp(ttyName, "/dev/", 5) == 0)
426 	    ttyName += 5;
427 	logwtmp(ttyName, "", ""); /* Wipe out utmp logout entry */
428 	logged_in = 0;
429     }
430 }
431