<sopwith@redhat.com> (see copyright below for full details)
*/
-#include "pam_winbind.h"
-#define CONST_DISCARD(type,ptr) ((type)(void *)ptr)
+#define UID_WRAPPER_NOT_REPLACE
+#include "pam_winbind.h"
static int wbc_error_to_pam_error(wbcErr status)
{
#endif
-/*
- * Work around the pam API that has functions with void ** as parameters
- * These lead to strict aliasing warnings with gcc.
- */
-static int _pam_get_item(const pam_handle_t *pamh,
- int item_type,
- const void *_item)
-{
- const void **item = (const void **)_item;
- return pam_get_item(pamh, item_type, item);
-}
-static int _pam_get_data(const pam_handle_t *pamh,
- const char *module_data_name,
- const void *_data)
-{
- const void **data = (const void **)_data;
- return pam_get_data(pamh, module_data_name, data);
-}
-
/* some syslogging */
#ifdef HAVE_PAM_VSYSLOG
char *format2 = NULL;
const char *service;
- _pam_get_item(pamh, PAM_SERVICE, &service);
+ pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
format2 = (char *)malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
if (format2 == NULL) {
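Review bot: The new `pam_get_item(pamh, PAM_SERVICE, (const void **) &service)` call discards its return value, and `service` is declared without an initializer, so on failure `strlen(service)` in the malloc size on the next line reads an indeterminate pointer inside the module's logging path. Initialize the pointer and check the result, e.g. `const char *service = NULL;` followed by `if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) service = "";`. The empty-string fallback is only a suggestion. The rest of the logging function lies outside the hunk, so confirm how `service` is used after the allocation.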
config_file = PAM_WINBIND_CONFIG_FILE;
}
- d = iniparser_load(CONST_DISCARD(char *, config_file));
+ d = iniparser_load(discard_const_p(char, config_file));
if (d == NULL) {
goto config_from_pam;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:debug"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:debug"), false)) {
ctrl |= WINBIND_DEBUG_ARG;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:debug_state"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:debug_state"), false)) {
ctrl |= WINBIND_DEBUG_STATE;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:cached_login"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:cached_login"), false)) {
ctrl |= WINBIND_CACHED_LOGIN;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:krb5_auth"), false)) {
ctrl |= WINBIND_KRB5_AUTH;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:silent"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:silent"), false)) {
ctrl |= WINBIND_SILENT;
}
- if (iniparser_getstr(d, CONST_DISCARD(char *, "global:krb5_ccache_type")) != NULL) {
+ if (iniparser_getstring(d, discard_const_p(char, "global:krb5_ccache_type"), NULL) != NULL) {
ctrl |= WINBIND_KRB5_CCACHE_TYPE;
}
- if ((iniparser_getstr(d, CONST_DISCARD(char *, "global:require-membership-of"))
+ if ((iniparser_getstring(d, discard_const_p(char, "global:require-membership-of"), NULL)
!= NULL) ||
- (iniparser_getstr(d, CONST_DISCARD(char *, "global:require_membership_of"))
+ (iniparser_getstring(d, discard_const_p(char, "global:require_membership_of"), NULL)
!= NULL)) {
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:try_first_pass"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:try_first_pass"), false)) {
ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
}
- if (iniparser_getint(d, CONST_DISCARD(char *, "global:warn_pwd_expire"), 0)) {
+ if (iniparser_getint(d, discard_const_p(char, "global:warn_pwd_expire"), 0)) {
ctrl |= WINBIND_WARN_PWD_EXPIRE;
}
- if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:mkhomedir"), false)) {
+ if (iniparser_getboolean(d, discard_const_p(char, "global:mkhomedir"), false)) {
ctrl |= WINBIND_MKHOMEDIR;
}
textdomain_init();
#endif
- r = TALLOC_ZERO_P(NULL, struct pwb_context);
+ r = talloc_zero(NULL, struct pwb_context);
if (!r) {
return PAM_BUF_ERR;
}
int retval;
struct pam_conv *conv;
- retval = _pam_get_item(pamh, PAM_CONV, &conv);
+ retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
if (retval == PAM_SUCCESS) {
retval = conv->conv(nargs,
(const struct pam_message **)message,
{
struct pam_message msg, *pmsg;
struct pam_response *resp = NULL;
- const char *prompt;
int ret;
bool retval = false;
- prompt = _("Do you want to change your password now?");
pmsg = &msg;
msg.msg_style = PAM_RADIO_TYPE;
- msg.msg = prompt;
+ msg.msg = _("Do you want to change your password now?");
ret = converse(ctx->pamh, 1, &pmsg, &resp);
if (resp == NULL) {
if (ret == PAM_SUCCESS) {
}
_pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp);
- if (strcasecmp(resp->resp, "yes") == 0) {
+ if ((resp->resp != NULL) && (strcasecmp(resp->resp, "yes") == 0)) {
retval = true;
}
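Review bot: The `_pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp)` call still passes `resp->resp` to `%s` before the NULL check this change adds to the `strcasecmp` condition, so a NULL reply reaches the formatter first. Guard the log argument the same way, e.g. `resp->resp != NULL ? resp->resp : "(null)"`, or move the log into the checked branch. LOG_CRIT also looks high for a routine yes/no answer, though the reason for that level may sit outside the hunk. The function's opening and its handling of `resp` after this point are not visible here.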
char *sid_list_buffer,
int sid_list_buffer_size)
{
- const char* sid_string = NULL;
- char *sid_str = NULL;
+ char sid_string[WBC_SID_STRING_BUFLEN];
/* lookup name? */
if (IS_SID_STRING(name)) {
- sid_string = name;
+ strlcpy(sid_string, name, sizeof(sid_string));
} else {
wbcErr wbc_status;
struct wbcDomainSid sid;
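Review bot: `strlcpy(sid_string, name, sizeof(sid_string))` truncates silently, so a `name` longer than the buffer that still passes `IS_SID_STRING` would be shortened to a different SID string and then appended to the SID list, which presumably feeds the membership restriction. Reject over-long input instead of copying a prefix: `if (strlcpy(sid_string, name, sizeof(sid_string)) >= sizeof(sid_string)) { return false; }`. `IS_SID_STRING` is defined outside the hunk, so whether it already bounds the length should be confirmed. The function body continues past this hunk.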
return false;
}
- wbc_status = wbcSidToString(&sid, &sid_str);
- if (!WBC_ERROR_IS_OK(wbc_status)) {
- return false;
- }
-
- sid_string = sid_str;
+ wbcSidToStringBuf(&sid, sid_string, sizeof(sid_string));
}
if (!safe_append_string(sid_list_buffer, sid_string,
sid_list_buffer_size)) {
- wbcFreeMemory(sid_str);
return false;
}
-
- wbcFreeMemory(sid_str);
return true;
}
static void _pam_setup_krb5_env(struct pwb_context *ctx,
struct wbcLogonUserInfo *info)
{
- char var[PATH_MAX];
+ char *var = NULL;
int ret;
uint32_t i;
const char *krb5ccname = NULL;
_pam_log_debug(ctx, LOG_DEBUG,
"request returned KRB5CCNAME: %s", krb5ccname);
- if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
+ if (asprintf(&var, "KRB5CCNAME=%s", krb5ccname) == -1) {
return;
}
"failed to set KRB5CCNAME to %s: %s",
var, pam_strerror(ctx->pamh, ret));
}
+ free(var);
}
/**
&logon.blobs,
"krb5_cc_type",
0,
- (uint8_t *)cctype,
+ discard_const_p(uint8_t, cctype),
strlen(cctype)+1);
if (!WBC_ERROR_IS_OK(wbc_status)) {
goto done;
}
done:
- if (logon.blobs) {
- wbcFreeMemory(logon.blobs);
- }
+ wbcFreeMemory(logon.blobs);
if (info && info->blobs && !p_info) {
wbcFreeMemory(info->blobs);
}
}
params.account_name = user;
- params.level = WBC_AUTH_USER_LEVEL_PLAIN;
+ params.level = WBC_CHANGE_PASSWORD_LEVEL_PLAIN;
params.old_password.plaintext = oldpass;
params.new_password.plaintext = newpass;
params.flags = flags;
switch (wbc_status) {
case WBC_ERR_UNKNOWN_USER:
+ /* match other insane libwbclient return codes */
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ case WBC_ERR_DOMAIN_NOT_FOUND:
return 1;
case WBC_ERR_SUCCESS:
return 0;
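Review bot: The added comment `/* match other insane libwbclient return codes */` does not say why `WBC_ERR_WINBIND_NOT_AVAILABLE` and `WBC_ERR_DOMAIN_NOT_FOUND` now share the `WBC_ERR_UNKNOWN_USER` result, and after this change a winbindd outage is indistinguishable from an unknown account to the caller. State the intent in the comment, for example `/* winbindd unreachable or domain unknown: treat as "not our user" (1), not as an error */`, if that is what the return value 1 means. Logging `wbc_status` at debug level before `return 1;` would keep such outages visible in the authentication log. The enclosing function and the contract of its return values are outside the hunk.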
if (on(WINBIND_TRY_FIRST_PASS_ARG, ctrl) ||
on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
- retval = _pam_get_item(ctx->pamh, authtok_flag, &item);
+ retval = pam_get_item(ctx->pamh,
+ authtok_flag,
+ (const void **) &item);
if (retval != PAM_SUCCESS) {
/* very strange. */
_pam_log(ctx, LOG_ALERT,
retval = pam_set_item(ctx->pamh, authtok_flag, token);
_pam_delete(token); /* clean it up */
if (retval != PAM_SUCCESS ||
- (retval = _pam_get_item(ctx->pamh, authtok_flag, &item)) != PAM_SUCCESS) {
+ (retval = pam_get_item(ctx->pamh, authtok_flag, (const void **) &item)) != PAM_SUCCESS) {
_pam_log(ctx, LOG_CRIT, "error manipulating password");
return retval;
goto out;
}
- parm_opt = iniparser_getstr(ctx->dict, key);
+ parm_opt = iniparser_getstring(ctx->dict, key, NULL);
TALLOC_FREE(key);
_pam_log_debug(ctx, LOG_INFO, "CONFIG file: %s '%s'\n",
return NULL;
}
- return talloc_asprintf(ctx, "%s\\%s", domain, name);
+ return talloc_asprintf(ctx, "%s%c%s", domain, sep, name);
}
static int _pam_delete_cred(pam_handle_t *pamh, int flags,
&logoff.blobs,
"ccfilename",
0,
- (uint8_t *)ccname,
+ discard_const_p(uint8_t, ccname),
strlen(ccname)+1);
if (!WBC_ERROR_IS_OK(wbc_status)) {
goto out;
_pam_free_data_info3(pamh);
}
- _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
-
- TALLOC_FREE(ctx);
+ if (ctx != NULL) {
+ _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
+ TALLOC_FREE(ctx);
+ }
return retval;
}
{
const char *username;
int ret = PAM_USER_UNKNOWN;
- void *tmp = NULL;
+ const char *tmp = NULL;
struct pwb_context *ctx = NULL;
ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
(const void **)&tmp);
if (tmp != NULL) {
- ret = atoi((const char *)tmp);
+ ret = atoi(tmp);
switch (ret) {
case PAM_AUTHTOK_EXPIRED:
/* fall through, since new token is required in this case */
char *new_authtok_reqd_during_auth = NULL;
struct passwd *pwd = NULL;
- _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
- &new_authtok_reqd_during_auth);
+ pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
+ (const void **) &new_authtok_reqd_during_auth);
pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
NULL, NULL);
/* <DO NOT free() THESE> */
const char *user;
- char *pass_old, *pass_new;
+ const char *pass_old;
+ const char *pass_new;
/* </DO NOT free() THESE> */
char *Announce;
* get the old token back.
*/
- ret = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
+ ret = pam_get_item(pamh, PAM_OLDAUTHTOK, (const void **) &pass_old);
if (ret != PAM_SUCCESS) {
_pam_log(ctx, LOG_NOTICE,
* By reaching here we have approved the passwords and must now
* rebuild the password database file.
*/
- _pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
- &pwdlastset_update);
+ pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
+ (const void **) &pwdlastset_update);
/*
* if cached creds were enabled, make sure to set the