Commit fd6e91f3 authored by William Jon McCann's avatar William Jon McCann

Remove old verify. Require PAM.

svn path=/branches/mccann-gobject/; revision=4971
parent 2653a0a6
......@@ -356,15 +356,15 @@ AC_TRY_CPP([#include <sys/statfs.h>
#include <sys/vmount.h>], AC_DEFINE(FSTYPE_AIX_STATFS, [],
[Define to use AIX3 statfs to get filesystem type]) fstype=AIX)
fi
if test $fstype = no; then
if test $fstype = no; then
AC_TRY_CPP([#include <mntent.h>], AC_DEFINE(FSTYPE_MNTENT, [],
[Define to use 4.3BSD getmntent to get filesystem typ]) fstype=4.3BSD)
fi
if test $fstype = no; then
if test $fstype = no; then
AC_EGREP_HEADER(f_type;, sys/mount.h, AC_DEFINE(FSTYPE_STATFS, [],
[Define to use 4.4BSD and OSF1 statfs to get filesystem typ]) fstype=4.4BSD/OSF1)
fi
if test $fstype = no; then
if test $fstype = no; then
AC_TRY_CPP([#include <sys/mount.h>
#include <sys/fs_types.h>], AC_DEFINE(FSTYPE_GETMNT, [],
[Define to use Ultrix getmnt to get filesystem typ]) fstype=Ultrix)
......@@ -382,98 +382,24 @@ AC_CHECK_HEADERS(linux/vt.h, [
GDMOPEN=gdmopen])
AC_SUBST(GDMOPEN)
dnl ## Authentication scheme
dnl ---------------------------------------------------------------------------
dnl - Check for PAM
dnl ---------------------------------------------------------------------------
have_pam=no
VRFY="verify-crypt"
if test x$enable_authentication_scheme != xcrypt -a \
x$enable_authentication_scheme != xshadow ; then
AC_CHECK_HEADERS(security/pam_appl.h, [
have_pam=yes
EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lpam"
VRFY="verify-pam"
AC_DEFINE(HAVE_PAM)])
fi
AC_CHECK_LIB(pam, pam_start, have_pam=yes)
GDMASKPASS=
EXTRA_GDMASKPASS_LIBS=
if test x$have_pam = xyes ; then
AC_CHECK_HEADERS(security/pam_misc.h, [
GDMASKPASS=gdmaskpass])
if test x$GDMASKPASS != x ; then
AC_CHECK_LIB(pam,misc_conv,,[AC_CHECK_LIB(pam_misc,misc_conv, [
EXTRA_GDMASKPASS_LIBS="$EXTRA_GDMASKPASS_LIBS -lpam_misc"], [
GDMASKPASS=], [
-lpam])])
fi
if test "x$have_pam" = "xyes"; then
PAM_LIBS="${PAM_LIBS} -lpam"
fi
AC_SUBST(GDMASKPASS)
AC_SUBST(EXTRA_GDMASKPASS_LIBS)
AC_SUBST(HAVE_PAM)
AC_SUBST(PAM_LIBS)
if test x$enable_authentication_scheme = xpam -a x$have_pam = xno ; then
AC_MSG_ERROR(PAM support requested but not available)
fi
AC_CHECK_HEADERS([security/pam_modutil.h security/pam_ext.h])
AC_CHECK_LIB(pam, pam_syslog, [AC_DEFINE(HAVE_PAM_SYSLOG, [], [Define to 1 if you have the pam_syslog function])])
if test x$have_pam = xno; then
# Check if -lcrypt is necessary, and if so
# add it to the front of the link chain
AC_CHECK_LIB(crypt, crypt, [
EXTRA_DAEMON_LIBS="-lcrypt $EXTRA_DAEMON_LIBS"])
# Check if crypt lives in a separate header file
AC_CHECK_HEADERS(crypt.h, [
AC_DEFINE(HAVE_CRYPT)])
if test x$enable_authentication_scheme = xshadow ; then
VRFY="verify-shadow"
AC_DEFINE(HAVE_SHADOW)
elif test x$enable_authentication_scheme != xcrypt ; then
# Check for shadow passwords (hack)
AC_MSG_CHECKING(for /etc/shadow)
if test -f /etc/shadow; then
VRFY="verify-shadow"
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_SHADOW)
else
AC_MSG_RESULT(no)
fi
fi
# Check How to handle authentication with the functions 'loginrestrictions',
# 'passwdexpired', 'chpass', 'setpwdb', 'getuserpw', 'putuserpw' and 'endpwdb'
AC_CHECK_FUNCS(loginrestrictions)
can_clear_admchg_flag=yes
AC_CHECK_FUNCS([passwdexpired chpass setpwdb getuserpw putuserpw endpwdb],
,can_clear_admchg_flag=no)
if test x$can_clear_admchg_flag = xyes ; then
AC_COMPILE_IFELSE([
#if !defined(S_READ) || !defined(S_WRITE) || !defined(PW_ADMCHG)
choke me
#endif
],
,[AC_CHECK_HEADERS(
usersec.h
,[AC_COMPILE_IFELSE([
#include <usersec.h>
#if !defined(S_READ) || !defined(S_WRITE) || !defined(PW_ADMCHG)
choke me
#endif
],
,
can_clear_admchg_flag=no
)]
,can_clear_admchg_flag=no
)]
)
fi
if test x$can_clear_admchg_flag = xyes ; then
AC_DEFINE(CAN_CLEAR_ADMCHG,,[Define this variable if the code to clear
the ADMCHG flag can be compiled])
fi
fi
AC_SUBST(VRFY)
dnl Check if we can use the setpenv function to add specialvariable
dnl to the environment (such as the /etc/environment file under AIX)
......@@ -809,9 +735,10 @@ if test "x$with_selinux" = "xyes" ; then
EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
fi
#
# ConsoleKit support
#
dnl ---------------------------------------------------------------------------
dnl - ConsoleKit support
dnl ---------------------------------------------------------------------------
use_console_kit=no
if test "x$with_console_kit" != "xno" ; then
use_console_kit=yes
......@@ -1412,9 +1339,6 @@ else
echo "ConsoleKit support : NO"
fi
dnl <= Authentication scheme =>
echo "Authentication scheme : $VRFY"
dnl <= Utils built =>
echo "Extra utilities built : "`echo $GDMOPEN $GDMASKPASS $GDMPREFETCH $GDMSSHSESSION`
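Review bot: With the crypt and shadow verifiers removed, a missing PAM should be fatal, but the only fatal check left in the authentication hunk is `if test x$enable_authentication_scheme = xpam -a x$have_pam = xno ; then`, which fires only when the scheme was requested explicitly; a default configure on a host without libpam proceeds with `PAM_LIBS` empty and fails later at link time. Dropping the scheme condition, `if test x$have_pam = xno ; then AC_MSG_ERROR(PAM support requested but not available)` (with the message reworded to say PAM is required), makes the new policy explicit. The hunk also drops `AC_CHECK_HEADERS(security/pam_appl.h, ...)` and the `AC_DEFINE(HAVE_PAM)` while `AC_SUBST(HAVE_PAM)` remains, so `AC_CHECK_LIB(pam, pam_start, have_pam=yes)` now verifies only the library and nothing defines HAVE_PAM for any source that still tests it; keeping the header check with an `AC_DEFINE(HAVE_PAM, 1, [Define if PAM is available])` inside it would close both gaps.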
......@@ -60,7 +60,7 @@ test_session_SOURCES = \
test_session_LDADD = \
$(GLIB_LIBS) \
$(GOBJECT_LIBS) \
$(EXTRA_DAEMON_LIBS) \
$(PAM_LIBS) \
$(NULL)
libexec_PROGRAMS = \
......@@ -84,8 +84,8 @@ gdm_slave_SOURCES = \
# Note that these libs are in LDFLAGS because they should come before
# everything else on the link line as they may override stuff
gdm_slave_LDFLAGS = \
$(EXTRA_DAEMON_LIBS) \
gdm_slave_LDFLAGS = \
$(PAM_LIBS) \
$(NULL)
gdm_slave_LDADD = \
......@@ -143,9 +143,6 @@ gdm_binary_SOURCES += $(XDMCP_SOURCES)
endif
EXTRA_gdm_binary_SOURCES = \
verify-pam.c \
verify-crypt.c \
verify-shadow.c \
$(XDMCP_SOURCES) \
$(NULL)
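Review bot: The comment above `gdm_slave_LDFLAGS` still says these libs sit in LDFLAGS because they may override stuff, a rationale that belonged to `$(EXTRA_DAEMON_LIBS)` (configure used to prepend -lcrypt to it), but the variable now holds only `$(PAM_LIBS)`; either move `$(PAM_LIBS)` into `gdm_slave_LDADD` or reword the comment to say why PAM must come first on the link line. Configure still appends `-lselinux -lattr` to EXTRA_DAEMON_LIBS, and `test_session_LDADD` now references `$(PAM_LIBS)` instead of it; if `gdm_slave_LDADD` (which continues outside the hunk) no longer references EXTRA_DAEMON_LIBS either, those libraries drop off the slave link, which is worth confirming on a SELinux-enabled build.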
......@@ -33,23 +33,23 @@
static GMainLoop *loop;
static void
on_session_started (GdmSession *session,
GPid pid)
on_session_started (GdmSession *session,
GPid pid)
{
g_print ("session started on pid %d\n", (gint) pid);
g_print ("session started on pid %d\n", (int) pid);
}
static void
on_session_exited (GdmSession *session,
gint exit_code)
on_session_exited (GdmSession *session,
int exit_code)
{
g_print ("session exited with code %d\n", exit_code);
exit (0);
}
static void
on_session_died (GdmSession *session,
gint signal_number)
on_session_died (GdmSession *session,
int signal_number)
{
g_print ("session died with signal %d, (%s)",
signal_number,
......@@ -58,9 +58,9 @@ on_session_died (GdmSession *session,
}
static void
on_user_verified (GdmSession *session)
on_user_verified (GdmSession *session)
{
gchar *username;
char *username;
const char *args[] = { "/usr/bin/gedit", "/tmp/foo.log", NULL };
username = gdm_session_get_username (session);
......@@ -73,10 +73,10 @@ on_user_verified (GdmSession *session)
}
static void
on_user_verification_error (GdmSession *session,
GError *error)
on_user_verification_error (GdmSession *session,
GError *error)
{
gchar *username;
char *username;
username = gdm_session_get_username (session);
......@@ -89,8 +89,8 @@ on_user_verification_error (GdmSession *session,
}
static void
on_info_query (GdmSession *session,
const gchar *query_text)
on_info_query (GdmSession *session,
const char *query_text)
{
char answer[1024];
......@@ -108,22 +108,22 @@ on_info_query (GdmSession *session,
}
static void
on_info (GdmSession *session,
const gchar *info)
on_info (GdmSession *session,
const char *info)
{
g_print ("\n** NOTE: %s\n", info);
}
static void
on_problem (GdmSession *session,
const gchar *problem)
on_problem (GdmSession *session,
const char *problem)
{
g_print ("\n** WARNING: %s\n", problem);
}
static void
on_secret_info_query (GdmSession *session,
const gchar *query_text)
on_secret_info_query (GdmSession *session,
const char *query_text)
{
char answer[1024];
struct termio io_info;
......@@ -143,22 +143,22 @@ on_secret_info_query (GdmSession *session,
g_print ("\n");
gdm_session_answer_query (session, answer);
gdm_session_answer_query (session, answer);
}
static void
import_environment (GdmSession *session)
{
if (g_getenv ("PATH") != NULL)
gdm_session_set_environment_variable (session, "PATH",
gdm_session_set_environment_variable (session, "PATH",
g_getenv ("PATH"));
if (g_getenv ("DISPLAY") != NULL)
gdm_session_set_environment_variable (session, "DISPLAY",
gdm_session_set_environment_variable (session, "DISPLAY",
g_getenv ("DISPLAY"));
if (g_getenv ("XAUTHORITY") != NULL)
gdm_session_set_environment_variable (session, "XAUTHORITY",
gdm_session_set_environment_variable (session, "XAUTHORITY",
g_getenv ("XAUTHORITY"));
}
......@@ -167,15 +167,14 @@ main (int argc,
char *argv[])
{
GdmSession *session;
char *username;
int exit_code;
gchar **args;
int i;
char *username;
int exit_code;
char **args;
int i;
exit_code = 0;
g_log_set_always_fatal (G_LOG_LEVEL_ERROR
| G_LOG_LEVEL_CRITICAL | G_LOG_LEVEL_WARNING);
g_log_set_always_fatal (G_LOG_LEVEL_ERROR | G_LOG_LEVEL_CRITICAL | G_LOG_LEVEL_WARNING);
g_type_init ();
......@@ -186,14 +185,22 @@ main (int argc,
if (argc <= 1) {
username = NULL;
gdm_session_open (session, "local", NULL /* hostname */,
gdm_session_open (session,
"gdm",
NULL /* hostname */,
ttyname (STDIN_FILENO),
STDOUT_FILENO, STDERR_FILENO, NULL);
STDOUT_FILENO,
STDERR_FILENO,
NULL);
} else {
username = argv[1];
gdm_session_open_for_user (session, "local", username,
NULL, ttyname (STDIN_FILENO),
STDOUT_FILENO, STDERR_FILENO,
gdm_session_open_for_user (session,
"gdm",
username,
NULL,
ttyname (STDIN_FILENO),
STDOUT_FILENO,
STDERR_FILENO,
NULL);
}
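Review bot: The rewritten `gdm_session_open` and `gdm_session_open_for_user` calls still pass `ttyname (STDIN_FILENO)` straight through, and ttyname() returns NULL when stdin is not a terminal (for example when the test is run with redirected input), so the session would be opened with a NULL tty name; resolve it once and check it before the `if (argc <= 1)` branch, `const char *tty = ttyname (STDIN_FILENO); if (tty == NULL) { g_printerr ("stdin is not a tty\n"); return 1; }`, then pass `tty` in both calls. The hard-coded `"gdm"` that replaces `"local"` in both calls deserves a one-line comment stating that it is the PAM service name the test authenticates under, since nothing else in the hunk says what the string selects. main() starts outside the hunk.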
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*-
*
* GDM - The GNOME Display Manager
* Copyright (C) 1999, 2000 Martin K. Petersen <mkp@mkp.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include <glib/gi18n.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#if defined (CAN_CLEAR_ADMCHG) && defined (HAVE_USERSEC_H)
# include <usersec.h>
#endif /* CAN_CLEAR_ADMCHG && HAVE_USERSEC_H */
#ifdef HAVE_CRYPT
# include <crypt.h>
#endif /* HAVE_CRYPT */
#include "gdm.h"
#include "misc.h"
#include "slave.h"
#include "verify.h"
#include "errorgui.h"
#include "gdm-common.h"
#include "gdm-daemon-config.h"
#include "gdm-socket-protocol.h"
static char *selected_user = NULL;
void
gdm_verify_select_user (const char *user)
{
g_free (selected_user);
if (ve_string_empty (user))
selected_user = NULL;
else
selected_user = g_strdup (user);
}
static void
print_cant_auth_errbox (void)
{
gboolean is_capslock = FALSE;
const char *basemsg;
char *msg;
char *ret;
ret = gdm_slave_greeter_ctl (GDM_QUERY_CAPSLOCK, "");
if ( ! ve_string_empty (ret))
is_capslock = TRUE;
g_free (ret);
basemsg = _("\nIncorrect username or password. "
"Letters must be typed in the correct "
"case.");
if (is_capslock) {
msg = g_strconcat (basemsg, " ",
_("Caps Lock is on."),
NULL);
} else {
msg = g_strdup (basemsg);
}
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX, msg);
g_free (msg);
}
/**
* gdm_verify_user:
* @username: Name of user or NULL if we should ask
* @display: Name of display to register with the authentication system
* @local: boolean if local
* @allow_retry: boolean. Not used by verify-crypt. If this code
* allowed the user to retry, this boolean would specify
* whether to enable this feature. We only want this
* feature to work for normal login, not for asking for
* root password to call the configurator.
*
* Provides a communication layer between the operating system's
* authentication functions and the gdmgreeter.
*
* Returns the user's login on success and NULL on failure.
*/
gchar *
gdm_verify_user (GdmDisplay *d,
const char *username,
const gchar *display,
gboolean local,
gboolean allow_retry)
{
gchar *login, *passwd, *ppasswd;
struct passwd *pwent;
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
|| defined (HAVE_LOGINRESTRICTIONS)
gchar *message = NULL;
#endif
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
gchar *info_msg = NULL, *response = NULL;
gint reEnter, ret;
#endif
if (local && d->timed_login_ok)
gdm_slave_greeter_ctl_no_ret (GDM_STARTTIMER, "");
if (username == NULL) {
authenticate_again:
/* Ask for the user's login */
gdm_verify_select_user (NULL);
gdm_slave_greeter_ctl_no_ret (GDM_MSG, _("Please enter your username"));
login = gdm_slave_greeter_ctl (GDM_PROMPT, _("Username:"));
if (login == NULL ||
gdm_slave_greeter_check_interruption ()) {
if ( ! ve_string_empty (selected_user)) {
/* user selected */
g_free (login);
login = selected_user;
selected_user = NULL;
} else {
/* some other interruption */
if (local)
gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
g_free (login);
return NULL;
}
}
gdm_slave_greeter_ctl_no_ret (GDM_MSG, "");
if (gdm_daemon_config_get_value_bool (GDM_KEY_DISPLAY_LAST_LOGIN)) {
char *info = gdm_get_last_info (login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX, info);
g_free (info);
}
} else {
login = g_strdup (username);
}
gdm_slave_greeter_ctl_no_ret (GDM_SETLOGIN, login);
pwent = getpwnam (login);
ppasswd = (pwent == NULL) ? NULL : g_strdup (pwent->pw_passwd);
/* Request the user's password */
if (pwent != NULL &&
ve_string_empty (ppasswd)) {
/* eeek a passwordless account */
passwd = g_strdup ("");
} else {
passwd = gdm_slave_greeter_ctl (GDM_NOECHO, _("Password:"));
if (passwd == NULL)
passwd = g_strdup ("");
if (gdm_slave_greeter_check_interruption ()) {
if (local)
gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
}
if (local)
gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
if (pwent == NULL) {
gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
g_warning (_("Couldn't authenticate user \"%s\""), login);
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
/* Check whether password is valid */
if (ppasswd == NULL || (ppasswd[0] != '\0' &&
strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
gdm_sleep_no_signal (gdm_daemon_config_get_value_int (GDM_KEY_RETRY_DELAY));
g_warning (_("Couldn't authenticate user \"%s\""), login);
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
if ( ( ! gdm_daemon_config_get_value_bool (GDM_KEY_ALLOW_ROOT)||
( ! gdm_daemon_config_get_value_bool (GDM_KEY_ALLOW_REMOTE_ROOT) && ! local) ) &&
pwent->pw_uid == 0) {
g_warning (_("Root login disallowed on display '%s'"), display);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("The system administrator "
"is not allowed to login "
"from this screen"));
/*gdm_slave_greeter_ctl_no_ret (GDM_ERRDLG,
_("Root login disallowed"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#ifdef HAVE_LOGINRESTRICTIONS
/* Check with the 'loginrestrictions' function
if the user has been disallowed */
if (loginrestrictions (login, 0, NULL, &message) != 0) {
g_warning (_("User %s not allowed to log in"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
g_free (login);
g_free (passwd);
g_free (ppasswd);
if (message != NULL)
free (message);
return NULL;
}
if (message != NULL)
free (message);
message = NULL;
#else /* ! HAVE_LOGINRESTRICTIONS */
/* check for the standard method of disallowing users */
if (pwent->pw_shell != NULL &&
(strcmp (pwent->pw_shell, "/sbin/nologin") == 0 ||
strcmp (pwent->pw_shell, "/bin/true") == 0 ||
strcmp (pwent->pw_shell, "/bin/false") == 0)) {
g_warning (_("User %s not allowed to log in"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
/*gdm_slave_greeter_ctl_no_ret (GDM_ERRDLG,
_("Login disabled"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#endif /* HAVE_LOGINRESTRICTIONS */
g_free (passwd);
g_free (ppasswd);
if ( ! gdm_slave_check_user_wants_to_log_in (login)) {
g_free (login);
login = NULL;
goto authenticate_again;
}
if ( ! gdm_setup_gids (login, pwent->pw_gid)) {
g_warning (_("Cannot set user group for %s"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nCannot set your user group; "
"you will not be able to log in. "
"Please contact your system administrator."));
g_free (login);
return NULL;
}
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
switch (passwdexpired (login, &info_msg)) {
case 1 :
g_warning (_("Password of %s has expired"), login);
gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("You are required to change your password.\n"
"Please choose a new one."));
g_free (info_msg);
do {
ret = chpass (login, response, &reEnter, &message);
g_free (response);
if (ret != 1) {
if (ret != 0) {
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nCannot change your password; "
"you will not be able to log in. "
"Please try again later or contact "
"your system administrator."));
} else if ((reEnter != 0) && (message)) {
response = gdm_slave_greeter_ctl (GDM_NOECHO, message);
if (response == NULL)
response = g_strdup ("");
}
}
g_free (message);
message = NULL;
} while ( ((reEnter != 0) && (ret == 0))
|| (ret ==1) );
g_free (response);
g_free (message);
if ((ret != 0) || (reEnter != 0)) {
return NULL;
}
#if defined (CAN_CLEAR_ADMCHG)
/* The password is changed by root, clear the ADM_CHG
flag in the passwd file */
ret = setpwdb (S_READ | S_WRITE);
if (!ret) {
upwd = getuserpw (login);
if (upwd == NULL) {
ret = -1;
} else {
upwd->upw_flags &= ~PW_ADMCHG;
ret = putuserpw (upwd);
if (!ret) {
ret = endpwdb ();
}
}
}
if (ret) {
gdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but "
"you may have to change it again. "
"Please try again later or contact "
"your system administrator."));
}
#else /* !CAN_CLEAR_ADMCHG */
gdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but you "
"may have to change it again. Please try again "
"later or contact your system administrator."));
#endif /* CAN_CLEAR_ADMCHG */
break;
case 2 :
g_warning (_("Password of %s has expired"), login);
gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("Your password has expired.\n"
"Only a system administrator can now change it"));
g_free (info_msg);
return NULL;
break;
case -1 :
g_warning (_("Internal error on passwdexpired"));
gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("An internal error occurred. You will not be able to log in.\n"
"Please try again later or contact your system administrator."));
g_free (info_msg);
return NULL;
break;
default :
g_free (info_msg);
break;
}
#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
return login;
}
/**
* gdm_verify_setup_user:
* @login: The name of the user
* @display: The name of the display
*
* This is used for auto loging in. This just sets up the login
* session for this user
*/
gboolean
gdm_verify_setup_user (GdmDisplay *d,
const gchar *login, const gchar *display,
char **new_login)
{
struct passwd *pwent;
*new_login = NULL;
pwent = getpwnam (login);
if (pwent == NULL) {
g_warning (_("Cannot get passwd structure for %s"), login);
return FALSE;