Added more test support to pam_teleport.so.

Added support for "pam_putenv" and "pam_get_item" to fetch PAM_RUSER to pam_teleport.so. This is used for test coverage.
gravitational · Jan 30, 2020 · 2c94e45 · 2c94e45
1 parent 4bb027e
commit 2c94e45
Show file tree

Hide file tree

Showing 9 changed files with 36 additions and 1 deletion.
diff --git a/build.assets/Dockerfile b/build.assets/Dockerfile
@@ -7,8 +7,10 @@ ARG GID
 
 COPY pam/pam_teleport.so /lib/x86_64-linux-gnu/security
 COPY pam/teleport-acct-failure /etc/pam.d
-COPY pam/teleport-session-failure /etc/pam.d
 COPY pam/teleport-success /etc/pam.d
+COPY pam/teleport-session-failure /etc/pam.d
+COPY pam/teleport-session-echo-ruser /etc/pam.d
+COPY pam/teleport-session-environment /etc/pam.d
 
 RUN apt-get update; apt-get install -q -y libpam-dev libc6-dev-i386 net-tools tree
 

diff --git a/build.assets/pam/pam_teleport.so b/build.assets/pam/pam_teleport.so
diff --git a/build.assets/pam/teleport-session-echo-ruser b/build.assets/pam/teleport-session-echo-ruser
@@ -0,0 +1 @@
+session     required    pam_teleport.so echo_ruser
diff --git a/build.assets/pam/teleport-session-environment b/build.assets/pam/teleport-session-environment
@@ -0,0 +1 @@
+session     required    pam_teleport.so set_env foo=bar
diff --git a/modules/pam_teleport/Makefile b/modules/pam_teleport/Makefile
@@ -26,6 +26,8 @@ install:
 	cp pam_teleport.so $(PAM_MODULE_PATH)
 	sudo cp policy/teleport-acct-failure $(PAM_POLICY_PATH)
 	sudo cp policy/teleport-session-failure $(PAM_POLICY_PATH)
+	sudo cp policy/teleport-session-echo-ruser $(PAM_POLICY_PATH)
+	sudo cp policy/teleport-session-environment $(PAM_POLICY_PATH)
 	sudo cp policy/teleport-success $(PAM_POLICY_PATH)
 
 pam_teleport.so: pam_teleport.o

diff --git a/modules/pam_teleport/pam_teleport.c b/modules/pam_teleport/pam_teleport.c
@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 #ifdef __APPLE__
   #include <security/pam_appl.h>
@@ -8,6 +9,7 @@
   #include <security/pam_appl.h>
   #include <security/pam_modules.h>
   #include <security/pam_ext.h>
+  #include <sys/types.h>
 #endif
 
 int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
@@ -22,6 +24,31 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
+    int pam_err;
+
+    // If the "echo_ruser" command is requested that will echo out the value of
+    // the PAM_RUSER variable.
+    if (argc > 0 && strcmp(argv[0], "echo_ruser") == 0) {
+	    const char **ruser;
+
+        pam_err = pam_get_item(pamh, PAM_RUSER, (const void **)ruser);
+        if (pam_err < 0) {
+            return PAM_SYSTEM_ERR;
+        }
+
+        pam_info(pamh, "%s", *ruser);
+        return PAM_SUCCESS;
+    }
+
+    // If the "set_env" command is requested, set the PAM environment variable.
+    if (argc > 0 && strcmp(argv[0], "set_env") == 0) {
+        pam_err = pam_putenv(pamh, argv[1]);
+        if (pam_err < 0) {
+            return PAM_SYSTEM_ERR;
+        }
+        return PAM_SUCCESS;
+    }
+
     if (argc > 0 && argv[0][0] == '0') {
         return PAM_SESSION_ERR;
     }

diff --git a/modules/pam_teleport/pam_teleport.o b/modules/pam_teleport/pam_teleport.o
diff --git a/modules/pam_teleport/policy/teleport-session-echo-ruser b/modules/pam_teleport/policy/teleport-session-echo-ruser
@@ -0,0 +1 @@
+session     required    pam_teleport.so echo_ruser
diff --git a/modules/pam_teleport/policy/teleport-session-environment b/modules/pam_teleport/policy/teleport-session-environment
@@ -0,0 +1 @@
+session     required    pam_teleport.so set_env foo=bar
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		session required pam_teleport.so set_env foo=bar