From 2c94e45b3349eedc1ccfe287d0f2698991fc0de7 Mon Sep 17 00:00:00 2001 From: Russell Jones Date: Thu, 30 Jan 2020 11:32:35 -0800 Subject: [PATCH] Added more test support to pam_teleport.so. Added support for "pam_putenv" and "pam_get_item" to fetch PAM_RUSER to pam_teleport.so. This is used for test coverage. --- build.assets/Dockerfile | 4 ++- build.assets/pam/pam_teleport.so | Bin 3640 -> 4288 bytes build.assets/pam/teleport-session-echo-ruser | 1 + build.assets/pam/teleport-session-environment | 1 + modules/pam_teleport/Makefile | 2 ++ modules/pam_teleport/pam_teleport.c | 27 ++++++++++++++++++ modules/pam_teleport/pam_teleport.o | Bin 0 -> 2720 bytes .../policy/teleport-session-echo-ruser | 1 + .../policy/teleport-session-environment | 1 + 9 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 build.assets/pam/teleport-session-echo-ruser create mode 100644 build.assets/pam/teleport-session-environment create mode 100644 modules/pam_teleport/pam_teleport.o create mode 100644 modules/pam_teleport/policy/teleport-session-echo-ruser create mode 100644 modules/pam_teleport/policy/teleport-session-environment diff --git a/build.assets/Dockerfile b/build.assets/Dockerfile index 728fdec10778c..c484da6a0a9d7 100644 --- a/build.assets/Dockerfile +++ b/build.assets/Dockerfile @@ -7,8 +7,10 @@ ARG GID COPY pam/pam_teleport.so /lib/x86_64-linux-gnu/security COPY pam/teleport-acct-failure /etc/pam.d -COPY pam/teleport-session-failure /etc/pam.d COPY pam/teleport-success /etc/pam.d +COPY pam/teleport-session-failure /etc/pam.d +COPY pam/teleport-session-echo-ruser /etc/pam.d +COPY pam/teleport-session-environment /etc/pam.d RUN apt-get update; apt-get install -q -y libpam-dev libc6-dev-i386 net-tools tree 
diff --git a/build.assets/pam/pam_teleport.so b/build.assets/pam/pam_teleport.so index 7c95c7d511011d27f3ce38b133c48a3938597869..52300b3a67a3f1f87c369ffe235c5d5811fa401b 100644 GIT binary patch literal 4288 zcmcInOKenS6#l1E+VW^A#76^0M^lt)yv`tP@P&O%xz!d5v{8wAJDpyb>b#tL2d5^* znu2jCBqnayXmqJAG$Aq71tD=^aK(zSG3i2*Hn<>$7&cnJ^WSsYJC{o!G5*b+^Plg$ z{^$8mKTHk{)I}mnT2$>-#Kr49q?-k^o45ngt@fyT{BBV#T6f)==(b*4qX!99Dy9L7 z(ST3zwnh&Zn&BY{6}!5-*u~jSXcP3Q9lYjFQoMU@t*jUYrKyvj_4qd8^EVogG}5IQ zv>vp4H1!Sm?$)C4F6%A29q4QYewz28gXi@owd6U9`{a0*6Tp<_8YE0s>WR_<8N z)j+XS$Q8XVWQC%gw;bDXrV4rGxTSQisI`vSt~KS_InSi*+WF(+E}bnn_Nt9#Po~_I zvaAWmu^cy5a+PK0C)Lnk??}(Em3)0Px&QFsf&Eqj17eW6x+naLLj9=jk%(|Y z<@}6ve1{_wRaM5upUGfH>(m#dj5f~ePiKXsNfZ|IDp)zEdAl zD?76I-TX*5dcVoOJ<036+953zO-B~01(EbZEn!^Wf(cnD7d~qj zDs~TBuQn-y|OYw3N5VzEp4xC z-uQmgta^Fd3r{}V{usfe(~qwRJ)J{(T3SD@>uYYP8-piLJ_-3Zkn7wj@@RX66v+N0 zzVn!Um_3G~o6vgZV+^cg{u6!xpNJ ze3lI{>;gd}%;VT^9<0ca=4lIFaZw;=7H+t`1KS+Z9iA#k=Cq1!Dwx%Eq!!epwWGSN5kCk1E;6TD)F` ztzQ%`ysUezeuI+zsl^-BV#q#(z58SrMWxX!2g>ItifW<~if=?674vC&-6-C7IbVKZ zR8eZKZFFuTsBVIO=p08v{KSBV)hD|d57sAx8pltdje`%X6Q+TO)hDMkj-Nm~13pZj zvUnJN4tQAHA2l9QpIH5G?C%*K>{Hghp#!}=L)L+Tfy2pBYqY0#C}~NJQB#(18B<$# z5Lnc8Nq4uetRPrwml}b;K;b$^N*5|uv^!lHtyY4PUoTGQMaUwWBIai+%D--%g= zOCIk4CNgwa^N8dV$^RsyCi&UpluDpOxm)5(z7Z;ML>{DjVNY*?;F6bwa>1&{NU>%7 z5`P#ST8mx=W;ss@9cP^U%l|rz-z6RWHFaHM#{VlLy z0am@m_A-CTn?m1}z)XYocEDcptI#h4_QCa|N0;W#(_YP=@_()TA1ZROm-$ydB%wOmh$R)O4^-nHXPWwUh#ZF-2W$gtcy1?;^ aETs9;C*zj$vmRJj{GA;CSIGS>82?`(3o&j0 literal 3640 zcmcIn%WoTH5FdNfBs7VWRy-<-U_nJBNUR)4qn1aB<2rRvUNi}~Rncl=Z<~N$@~$DN z)D|d0xD^r-;)uk5Ku@UR&`XhkE8@^2mrAMNkOPOD2s7V)KWDwMp@0}`zxn1jkMFrN z>noX=sdy|#AcIbjNTv}W6I!wTfbKAxpkvgtQv!!y{BQh{+7G;!?S)>y>lb9a`=udmDBB=Qmt}}Q;&E4z%tvpPlDoL=QN7NM z!BMckuo~gcLB=oYU}v@B6^;KK!Ot*0ME$hhZEDMao$i3U9q`8)KNz^Sv;zv?ohRl) z#kG~HQ?k5@l_c)iUdeXydEYKwDESJg)+(iH&}Chv>XvQK^}Mx88TR>N#dDjW?G_y0 zA=_T@Jlpe~noqV{F3`;MpeGR%YJ=^!R_p)13$6wtwgycHzM2k{-y|8X5=qeXcIa8-y^@#KJvXknsZL&^ObtpH|12_g6Y-sc|O|n^M~2t_bvlmiaa)8S~!K 
z@(l#m{{I(49*@RvCULGB{l4I8KkpMTJPmYc! z$CJmSq4vlIX9Ju^SZQz`z&W(y2I0I~@h)n&PX<>3>~E`mH{l#waXu{^Y)H{A|BKq- zN@L+-wb<{cPuk*rTtCf_WzaRaF5n)8l?F+QY9+ZJG1?nP?rW?~9Fy^Ob!trG(Ksgm*}wJ#`j6BBJq)t=%=mbX#zofYPOE#Rx@tvcQ+S%r-rmP#Sbj=l~Tzq`;jgD zSK?vzlAMQhg7*&mn2riPzMF83pJct{Kvc%I@8QEI^USA3lqMJz~5wL*dOl?cp|c45s}`~{#ZZq7P!3MVT$_8_o!g- zM}7nUD(uXCtRJuxH(9%0ZZi+!{{+7Op@%=#zs|lgKJ>_!IlZAK>%s(o@DEri{>iWr z_t&+* #include +#include #ifdef __APPLE__ #include @@ -8,6 +9,7 @@ #include #include #include + #include #endif int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -22,6 +24,31 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { + int pam_err; + + // If the "echo_ruser" command is requested that will echo out the value of + // the PAM_RUSER variable. + if (argc > 0 && strcmp(argv[0], "echo_ruser") == 0) { + const char **ruser; + + pam_err = pam_get_item(pamh, PAM_RUSER, (const void **)ruser); + if (pam_err < 0) { + return PAM_SYSTEM_ERR; + } + + pam_info(pamh, "%s", *ruser); + return PAM_SUCCESS; + } + + // If the "set_env" command is requested, set the PAM environment variable. + if (argc > 0 && strcmp(argv[0], "set_env") == 0) { + pam_err = pam_putenv(pamh, argv[1]); + if (pam_err < 0) { + return PAM_SYSTEM_ERR; + } + return PAM_SUCCESS; + } + if (argc > 0 && argv[0][0] == '0') { return PAM_SESSION_ERR; } 
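Review bot: In the `echo_ruser` branch of pam_sm_open_session, `ruser` is an uninitialized `const char **` passed by value to `pam_get_item`, which stores the item through that pointer, so the call writes to an indeterminate address and `*ruser` then reads from it. It should be declared as `const char *ruser = NULL;` and passed as `&ruser`. Both new branches test `pam_err < 0`, but `PAM_SUCCESS` is 0 and the Linux-PAM error codes are positive, so a failed `pam_get_item` or `pam_putenv` is treated as success; compare against `PAM_SUCCESS` instead. The `set_env` branch reads `argv[1]` after checking only `argc > 0`, and PAM_RUSER can legitimately be unset, in which case NULL would reach the `%s` in `pam_info`. The function body continues past the end of this hunk.

```c
    if (argc > 0 && strcmp(argv[0], "echo_ruser") == 0) {
        const char *ruser = NULL;

        pam_err = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
        if (pam_err != PAM_SUCCESS || ruser == NULL) {
            return PAM_SYSTEM_ERR;
        }

        pam_info(pamh, "%s", ruser);
        return PAM_SUCCESS;
    }

    if (argc > 0 && strcmp(argv[0], "set_env") == 0) {
        // A NAME=value argument is required; do not read past argv[0].
        if (argc < 2) {
            return PAM_SYSTEM_ERR;
        }
        pam_err = pam_putenv(pamh, argv[1]);
        if (pam_err != PAM_SUCCESS) {
            return PAM_SYSTEM_ERR;
        }
        return PAM_SUCCESS;
    }
    // … unchanged: existing argv[0][0] == '0' check …
```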
diff --git a/modules/pam_teleport/pam_teleport.o b/modules/pam_teleport/pam_teleport.o new file mode 100644 index 0000000000000000000000000000000000000000..f031eae74383444e1eb39c22def1979929b56ea7 GIT binary patch literal 2720 zcmbtV&1)1%6n~R(ldKxeE(%Iqn1%QS+RjLvRS7bgFiES?h&l@5+Uc}y;yOJ&bXUtn zNL(0pu{Q_{UcCArc#@zH0v^Phcn~i_4hkdjppZijqWfNTRcvZzAgm9n>ecW4-bcTx z?!H|Z8EQ);KuQ9R!MB}60meGM={c_EpbOSRQ4ingwGSyhoL&io<*@is4^P!=(;s1G zt3F$(>$9-=5%i~nj=3&$TiT7_ihh@Lcudp$I-K1CK&KS#;lKPMBFG22bl zSqv~s@ zYqe2pIfB*5YdeAg%W{Jq1P<}QkZG+8CrZ-@rNgM&v?dy32cNz+S^$zw-z>tD&FF~Ib#0U+{Lly@l7!ex8e=4ZUWP_V zLVE+)jmXcjI{C9B_A3susqz~F&G08^bpvSLQVZF5?^! zajG$X{CS@!{1bxzvIRdS>=d7dl$=l`F7Lybg3J2?nm^?*a~xOZMeC&0JiBCS%&s!f zuA0mQZQS=k^W11-xsGF((N=butqq?p?)RB#-9Q4l*^|aK&va~&_Pdu9Mxa)xZ)y%P zk~gAH(Jtajoz@;4bapu$aTybzkTb%c&V*F?rPwCOy9BO&p?--sUvOzr%7J}|QOy7A zpAj+DbTa=9w8urwPyYzQ(s2^%cSOLff=hq7=Fu+oICWkvNElV_Md7c~7X(m^2Sr`> zU&3cmX?A`O#f8uXk