swaylock/pam.c

157 lines
4.0 KiB
C
Raw Normal View History

2024-11-09 10:05:16 -06:00
#include <security/_pam_types.h>
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <security/pam_appl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
2019-01-16 16:35:14 -06:00
#include "comm.h"
#include "log.h"
2022-05-30 04:50:30 -05:00
#include "password-buffer.h"
#include "swaylock.h"
2019-01-16 16:35:14 -06:00
static char *pw_buf = NULL;
2024-11-09 10:05:16 -06:00
static bool prompt_send_response = false;
2019-01-16 16:35:14 -06:00
2019-01-18 07:52:17 -06:00
void initialize_pw_backend(int argc, char **argv) {
if (getuid() != geteuid() || getgid() != getegid()) {
swaylock_log(LOG_ERROR,
2019-01-18 07:52:17 -06:00
"swaylock is setuid, but was compiled with the PAM"
" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
exit(EXIT_FAILURE);
}
2019-01-16 16:35:14 -06:00
if (!spawn_comm_child()) {
exit(EXIT_FAILURE);
}
}
2019-01-16 16:35:14 -06:00
static int handle_conversation(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *data) {
/* PAM expects an array of responses, one for each message */
2019-01-16 16:35:14 -06:00
struct pam_response *pam_reply =
calloc(num_msg, sizeof(struct pam_response));
if (pam_reply == NULL) {
swaylock_log(LOG_ERROR, "Allocation failed");
return PAM_ABORT;
}
*resp = pam_reply;
for (int i = 0; i < num_msg; ++i) {
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON:
2024-11-09 10:05:16 -06:00
{
if (prompt_send_response) {
prompt_send_response = false;
struct comm_reply reply;
reply.kind = REPLY_CONTINUE;
if (!write_comm_reply(reply)) {
exit(EXIT_FAILURE);
}
}
ssize_t size = read_comm_request(&pw_buf);
if (size < 0) {
exit(EXIT_FAILURE);
} else if (size == 0) {
pam_reply[i].resp = NULL;
} else {
pam_reply[i].resp = strdup(pw_buf); // PAM clears and frees this
password_buffer_destroy(pw_buf, size);
pw_buf = NULL;
if (pam_reply[i].resp == NULL) {
swaylock_log(LOG_ERROR, "Allocation failed");
return PAM_ABORT;
}
2019-01-16 16:35:14 -06:00
}
break;
2024-11-09 10:05:16 -06:00
}
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
2024-11-09 10:05:16 -06:00
swaylock_log(LOG_DEBUG, "PAM message %s", msg[i]->msg);
prompt_send_response = false;
struct comm_reply reply;
reply.kind = REPLY_MSG;
strncpy(&reply.pam_msg[0], msg[i]->msg, 255);
if (!write_comm_reply(reply)) {
exit(EXIT_FAILURE);
}
break;
}
}
return PAM_SUCCESS;
}
2019-01-16 15:22:17 -06:00
static const char *get_pam_auth_error(int pam_status) {
switch (pam_status) {
case PAM_AUTH_ERR:
return "invalid credentials";
case PAM_CRED_INSUFFICIENT:
return "swaylock cannot authenticate users; check /etc/pam.d/swaylock "
"has been installed properly";
case PAM_AUTHINFO_UNAVAIL:
return "authentication information unavailable";
case PAM_MAXTRIES:
return "maximum number of authentication tries exceeded";
default:;
static char msg[64];
snprintf(msg, sizeof(msg), "unknown error (%d)", pam_status);
return msg;
}
}
2019-01-16 16:35:14 -06:00
void run_pw_backend_child(void) {
struct passwd *passwd = getpwuid(getuid());
char *username = passwd->pw_name;
2019-01-16 15:22:17 -06:00
2019-01-16 16:35:14 -06:00
const struct pam_conv conv = {
.conv = handle_conversation,
.appdata_ptr = NULL,
};
2019-01-16 16:35:14 -06:00
pam_handle_t *auth_handle = NULL;
if (pam_start("swaylock", username, &conv, &auth_handle) != PAM_SUCCESS) {
2019-01-16 15:22:17 -06:00
swaylock_log(LOG_ERROR, "pam_start failed");
2019-01-16 16:35:14 -06:00
exit(EXIT_FAILURE);
}
2019-01-16 15:22:17 -06:00
2019-01-16 16:35:14 -06:00
/* This code does not run as root */
swaylock_log(LOG_DEBUG, "Prepared to authorize user %s", username);
int pam_status = PAM_SUCCESS;
while (1) {
int pam_status = pam_authenticate(auth_handle, 0);
2024-11-09 10:05:16 -06:00
prompt_send_response = false;
2022-05-30 04:50:30 -05:00
2019-01-16 16:35:14 -06:00
bool success = pam_status == PAM_SUCCESS;
if (!success) {
swaylock_log(LOG_ERROR, "pam_authenticate failed: %s",
get_pam_auth_error(pam_status));
}
2024-11-09 10:05:16 -06:00
struct comm_reply reply;
if (success) {
reply.kind = REPLY_SUCCESS;
} else {
reply.kind = REPLY_AUTH_ERR;
}
if (!write_comm_reply(reply)) {
2019-01-16 16:35:14 -06:00
exit(EXIT_FAILURE);
}
if (success) {
/* Unsuccessful requests may be queued after a successful one;
* do not process them. */
break;
}
}
2019-01-16 15:22:17 -06:00
pam_setcred(auth_handle, PAM_REFRESH_CRED);
2019-01-16 16:35:14 -06:00
if (pam_end(auth_handle, pam_status) != PAM_SUCCESS) {
swaylock_log(LOG_ERROR, "pam_end failed");
2019-01-16 16:35:14 -06:00
exit(EXIT_FAILURE);
}
2019-01-16 15:22:17 -06:00
2019-01-16 16:35:14 -06:00
exit((pam_status == PAM_SUCCESS) ? EXIT_SUCCESS : EXIT_FAILURE);
}