1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #ifndef _PAM_IMPL_H
27 #define _PAM_IMPL_H
28
29 #ifdef __cplusplus
30 extern "C" {
31 #endif
32
33 #include <limits.h>
34 #include <shadow.h>
35 #include <sys/types.h>
36
37 #define PAMTXD "SUNW_OST_SYSOSPAM"
38
39 #define PAM_CONFIG "/etc/pam.conf"
40 #define PAM_ISA "/$ISA/"
41 #define PAM_LIB_DIR "/usr/lib/security/"
42 #ifdef _LP64
43 #define PAM_ISA_DIR "/64/"
44 #else /* !_LP64 */
45 #define PAM_ISA_DIR "/"
46 #endif /* _LP64 */
47
48 /* Service Module Types */
49
50 /*
51 * If new service types are added, they should be named in
52 * pam_framework.c::pam_snames[] as well.
53 */
54
55 #define PAM_ACCOUNT_NAME "account"
56 #define PAM_AUTH_NAME "auth"
57 #define PAM_PASSWORD_NAME "password"
58 #define PAM_SESSION_NAME "session"
59
60 #define PAM_ACCOUNT_MODULE 0
61 #define PAM_AUTH_MODULE 1
62 #define PAM_PASSWORD_MODULE 2
63 #define PAM_SESSION_MODULE 3
64
65 #define PAM_NUM_MODULE_TYPES 4
66
67 /* Control Flags */
68
69 #define PAM_BINDING_NAME "binding"
70 #define PAM_INCLUDE_NAME "include"
71 #define PAM_OPTIONAL_NAME "optional"
72 #define PAM_REQUIRED_NAME "required"
73 #define PAM_REQUISITE_NAME "requisite"
74 #define PAM_SUFFICIENT_NAME "sufficient"
75
76 #define PAM_BINDING 0x01
77 #define PAM_INCLUDE 0x02
78 #define PAM_OPTIONAL 0x04
79 #define PAM_REQUIRED 0x08
80 #define PAM_REQUISITE 0x10
81 #define PAM_SUFFICIENT 0x20
82
83 #define PAM_REQRD_BIND (PAM_REQUIRED | PAM_BINDING)
84 #define PAM_SUFFI_BIND (PAM_SUFFICIENT | PAM_BINDING)
85
86 /* Function Indicators */
87
88 #define PAM_AUTHENTICATE 1
89 #define PAM_SETCRED 2
90 #define PAM_ACCT_MGMT 3
91 #define PAM_OPEN_SESSION 4
92 #define PAM_CLOSE_SESSION 5
93 #define PAM_CHAUTHTOK 6
94
95 /* PAM tracing */
96
97 #define PAM_DEBUG "/etc/pam_debug"
98 #define LOG_PRIORITY "log_priority="
99 #define LOG_FACILITY "log_facility="
100 #define DEBUG_FLAGS "debug_flags="
101 #define PAM_DEBUG_NONE 0x0000
102 #define PAM_DEBUG_DEFAULT 0x0001
103 #define PAM_DEBUG_ITEM 0x0002
104 #define PAM_DEBUG_MODULE 0x0004
105 #define PAM_DEBUG_CONF 0x0008
106 #define PAM_DEBUG_DATA 0x0010
107 #define PAM_DEBUG_CONV 0x0020
108 #define PAM_DEBUG_AUTHTOK 0x8000
109
110 #define PAM_MAX_ITEMS 64 /* Max number of items */
111 #define PAM_MAX_INCLUDE 32 /* Max include flag recursions */
112
113 /* authentication module functions */
114 #define PAM_SM_AUTHENTICATE "pam_sm_authenticate"
115 #define PAM_SM_SETCRED "pam_sm_setcred"
116
117 /* session module functions */
118 #define PAM_SM_OPEN_SESSION "pam_sm_open_session"
119 #define PAM_SM_CLOSE_SESSION "pam_sm_close_session"
120
121 /* password module functions */
122 #define PAM_SM_CHAUTHTOK "pam_sm_chauthtok"
123
124 /* account module functions */
125 #define PAM_SM_ACCT_MGMT "pam_sm_acct_mgmt"
126
127 /* max # of authentication token attributes */
128 #define PAM_MAX_NUM_ATTR 10
129
130 /* max size (in chars) of an authentication token attribute */
131 #define PAM_MAX_ATTR_SIZE 80
132
133 /* utility function prototypes */
134
135 /* source values when calling __pam_get_authtok() */
136 #define PAM_PROMPT 1 /* prompt user for new password */
137 #define PAM_HANDLE 2 /* get password from pam handle (item) */
138
139 #if PASS_MAX >= PAM_MAX_RESP_SIZE
140 #error PASS_MAX > PAM_MAX_RESP_SIZE
141 #endif /* PASS_MAX >= PAM_MAX_RESP_SIZE */
142
143 extern int
144 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
145 char **authtok);
146
147 extern int
148 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
149 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);
150
151 extern void
152 __pam_log(int priority, const char *format, ...);
153
154 /* file handle for pam.conf */
155 struct pam_fh {
156 int fconfig; /* file descriptor returned by open() */
157 char line[256];
158 size_t bufsize; /* size of the buffer which holds */
159 /* the content of pam.conf */
160 char *bufferp; /* used to process data */
161 char *data; /* contents of pam.conf */
162 };
163
164 /* items that can be set/retrieved thru pam_[sg]et_item() */
165 struct pam_item {
166 void *pi_addr; /* pointer to item */
167 int pi_size; /* size of item */
168 };
169
170 /* module specific data stored in the pam handle */
171 struct pam_module_data {
172 char *module_data_name; /* unique module data name */
173 void *data; /* the module specific data */
174 void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
175 struct pam_module_data *next; /* pointer to next module data */
176 };
177
178 /* each entry from pam.conf is stored here (in the pam handle) */
179 typedef struct pamtab {
180 char *pam_service; /* PAM service, e.g. login, rlogin */
181 int pam_type; /* AUTH, ACCOUNT, PASSWORD, SESSION */
182 int pam_flag; /* required, optional, sufficient */
183 int pam_err; /* error if line overflow */
184 char *module_path; /* module library */
185 int module_argc; /* module specific options */
186 char **module_argv;
187 void *function_ptr; /* pointer to struct holding function ptrs */
188 struct pamtab *next;
189 } pamtab_t;
190
191 /* list of open fd's (modules that were dlopen'd) */
192 typedef struct fd_list {
193 void *mh; /* module handle */
194 struct fd_list *next;
195 } fd_list;
196
197 /* list of PAM environment varialbes */
198 typedef struct env_list {
199 char *name;
200 char *value;
201 struct env_list *next;
202 } env_list;
203
204 /* pam_inmodule values for pam item checking */
205 #define RW_OK 0 /* Read Write items OK */
206 #define RO_OK 1 /* Read Only items OK */
207 #define WO_OK 2 /* Write Only items/data OK */
208
209 /* the pam handle */
210 struct pam_handle {
211 struct pam_item ps_item[PAM_MAX_ITEMS]; /* array of PAM items */
212 int include_depth;
213 int pam_inmodule; /* Protect restricted pam_get_item calls */
214 char *pam_conf_name[PAM_MAX_INCLUDE+1];
215 pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
216 pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];
217 struct pam_module_data *ssd; /* module specific data */
218 fd_list *fd; /* module fd's */
219 env_list *pam_env; /* environment variables */
220 };
221
222 /*
223 * the function_ptr field in pamtab_t
224 * will point to one of these modules
225 */
226 struct auth_module {
227 int (*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
228 const char **argv);
229 int (*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
230 const char **argv);
231 };
232
233 struct password_module {
234 int (*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
235 const char **argv);
236 };
237
238 struct session_module {
239 int (*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
240 const char **argv);
241 int (*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
242 const char **argv);
243 };
244
245 struct account_module {
246 int (*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
247 const char **argv);
248 };
249
250 #ifdef __cplusplus
251 }
252 #endif
253
254 #endif /* _PAM_IMPL_H */