external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

dtlogin: remove HP BLS B1 simple authentication support (BLS)

Browse source
This commit is contained in:
Jon Trulson 2022-08-06 15:57:35 -06:00
parent 37367d5e12
commit 6fddca178f
13 changed files with 2 additions and 1985 deletions
Download patch file Download diff file Expand all files Collapse all files

112
cde/programs/dtlogin/bls/bls.h
View file

@ -1,112 +0,0 @@
/*
* CDE - Common Desktop Environment
*
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
*
* These libraries and programs are free software; you can
* redistribute them and/or modify them under the terms of the GNU
* Lesser General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* These libraries and programs are distributed in the hope that
* they will be useful, but WITHOUT ANY WARRANTY; without even the
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with these libraries and programs; if not, write
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
* Floor, Boston, MA 02110-1301 USA
*/
/*
* xdm - display manager daemon
*
* $XConsortium: bls.h /main/4 1996/10/30 11:35:48 drk $
*
* Copyright 1988 Massachusetts Institute of Technology
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted, provided
* that the above copyright notice appear in all copies and that both that
* copyright notice and this permission notice appear in supporting
* documentation, and that the name of M.I.T. not be used in advertising or
* publicity pertaining to distribution of the software without specific,
* written prior permission. M.I.T. makes no representations about the
* suitability of this software for any purpose. It is provided "as is"
* without express or implied warranty.
*
* Author: Keith Packard, MIT X Consortium
*/
/*
* bls.h
*
* public interfaces for B1 greet/verify functionality
*/
#ifndef _BLS_H
#define _BLS_H
typedef unsigned char BOOL;
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#ifdef BLS
#include <sys/security.h>
#include <sys/audit.h> /* for passwd and pr_passwd */
#endif
#ifdef pegasus
#undef dirty /* Some bozo put a macro called dirty in sys/param.h */
#endif /* pegasus */
struct greet_info {
char *name; /* user name */
char *password; /* user password */
#ifdef BLS
char *b1security; /* user's b1 security */
#endif
char *string; /* random string */
};
struct verify_info {
int uid; /* user id */
#ifdef NGROUPS
int groups[NGROUPS];/* group list */
int ngroups; /* number of elements in groups */
#else
int gid; /* group id */
#endif
char **argv; /* arguments to session */
char **userEnviron; /* environment for session */
char **systemEnviron;/* environment for startup/reset */
#ifdef BLS
char *user_name;
struct mand_ir_t *sec_label_ir;
struct mand_ir_t *clearance_ir;
/* save these for logout time */
struct pr_passwd *prpwd;
struct passwd *pwd;
char terminal[16];
#endif
};
/***************************************************************************
*
* Global variables
*
***************************************************************************/
extern struct pr_passwd *b1_pwd;
extern struct verify_info *verify;
extern struct greet_info *greet;
#endif /* _BLS_H */

140
cde/programs/dtlogin/bls/debug.c
View file

@ -1,140 +0,0 @@
/*
* CDE - Common Desktop Environment
*
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
*
* These libraries and programs are free software; you can
* redistribute them and/or modify them under the terms of the GNU
* Lesser General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* These libraries and programs are distributed in the hope that
* they will be useful, but WITHOUT ANY WARRANTY; without even the
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with these libraries and programs; if not, write
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
* Floor, Boston, MA 02110-1301 USA
*/
/*
* xdm - display manager daemon
*
* $XConsortium: debug.c /main/3 1995/07/14 13:23:25 drk $
*
* Copyright 1988 Massachusetts Institute of Technology
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted, provided
* that the above copyright notice appear in all copies and that both that
* copyright notice and this permission notice appear in supporting
* documentation, and that the name of M.I.T. not be used in advertising or
* publicity pertaining to distribution of the software without specific,
* written prior permission. M.I.T. makes no representations about the
* suitability of this software for any purpose. It is provided "as is"
* without express or implied warranty.
*
* Author: Keith Packard, MIT X Consortium
*/
/***************
debug.c
****************/
#ifndef NDEBUG
/* don't compile anything in this file unless this is pre-release code */
#include <stdio.h>
#include <signal.h>
#include "../vg.h"
#include "bls.h"
# include <stdarg.h>
# define Va_start(a,b) va_start(a,b)
char *DisplayName=NULL;
/****************************************************************************
*
* Debug
*
* Write a debug message to stderr
*
****************************************************************************/
static int DoName=TRUE;
static int debugLevel=0;
int
BLS_ToggleDebug( int arg)
{
debugLevel = !debugLevel;
(void) signal(SIGHUP,BLS_ToggleDebug);
}
void
Debug( char *fmt, ...)
{
static int sentinel = 0;
static char *debugLog;
va_list args;
Va_start(args,fmt);
if ( !sentinel ) {
/*
* open up an error log for dtgreet
*/
if ((debugLog = getenv("VG_DEBUG")) == 0)
debugLog = "/usr/lib/X11/dt/Dtlogin/dtgreet.log";
if ( !freopen(debugLog,"a",stderr)) {
perror("Debug:");
}
DisplayName=dpyinfo.name;
sentinel = 1;
}
if (debugLevel > 0)
{
if ( strlen(DisplayName) > 0 && DoName)
fprintf(stderr, "(%s) ", DisplayName);
vfprintf (stderr,fmt, args);
fflush (stderr);
/*
* don't prepend the display name next time if this debug message
* does not contain a "new line" character...
*/
if ( strchr(fmt,'\n') == NULL )
DoName=FALSE;
else
DoName=TRUE;
}
va_end(args);
}
#else
/*
* Debug stub for product purposes
*/
void
Debug( )
{ }
#endif /* NDEBUG */

666
cde/programs/dtlogin/bls/get_level.c
View file

@ -1,666 +0,0 @@
/*
* CDE - Common Desktop Environment
*
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
*
* These libraries and programs are free software; you can
* redistribute them and/or modify them under the terms of the GNU
* Lesser General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* These libraries and programs are distributed in the hope that
* they will be useful, but WITHOUT ANY WARRANTY; without even the
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with these libraries and programs; if not, write
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
* Floor, Boston, MA 02110-1301 USA
*/
/* $XConsortium: get_level.c /main/4 1995/10/27 16:19:39 rswiston $ */
/*
* get_level.c
* last modified by:
* David Dolson June 7/92
* - rewrote most of B1 security routines. Much of it is based on
* parallel routines in login.
* Ron Voll July 7/92
* - rolled the xdm version of this file into dtlogin.
*/
#ifdef BLS /* Brackets entire file */
#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
#include <pwd.h>
#include <grp.h>
#include <stdio.h>
#include <termio.h>
#include <errno.h>
#ifdef SEC_NET_TTY
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
#include <protcmd.h>
#if defined(TAC3) && !defined(TPLOGIN)
#include <sys/secpolicy.h>
#include <mandatory.h>
#include <fcntl.h>
#endif
#include <stdlib.h>
#include <time.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <string.h>
#if 0
#include <strings.h>
#endif
#include <sys/wait.h>
#include <grp.h>
/*
* Local include file for bls specific definitions.
* Also defines some of the structures from dm.h for bls usage.
*/
#include "bls.h"
/* drop those privs from the base set which are not needed by xdm */
void
drop_privs(void)
{
priv_t privs[SEC_SPRIVVEC_SIZE];
getpriv(SEC_BASE_PRIV, privs);
RMBIT(privs, SEC_ALLOWNETACCESS);
RMBIT(privs, SEC_NETPRIVSESSION);
RMBIT(privs, SEC_NETNOAUTH);
RMBIT(privs, SEC_MULTILEVELDIR);
setpriv(SEC_BASE_PRIV, privs);
return;
}
/* stuff to do at the start */
void
init_security(void)
{
/* set default file creation mode to be restrictive */
umask(~SEC_DEFAULT_MODE);
drop_privs();
}
/* check that the requested security level is valid for this user,
* return 1 = success, return 0 is fail(fatal)
*/
int
verify_user_seclevel( struct verify_info verify, char *desired_label)
{
int uid;
mand_ir_t *dl_ir, *clearance_ir;
struct pr_passwd *prpwd;
struct passwd *pwd;
prpwd = verify->prpwd;
pwd = verify->pwd;
uid = verify->uid;
/* check that desired_label falls within user's range */
dl_ir = mand_er_to_ir(desired_label);
if (dl_ir ==NULL) {
audit_login(prpwd, pwd, verify->terminal,
"Unknown clearance level", ES_LOGIN_FAILED);
Debug("unable to translate clearance\n");
return 0;
}
/* get user clearance from prpwd database */
if (prpwd->uflg.fg_clearance)
clearance_ir = &prpwd->ufld.fd_clearance;
else if (prpwd->sflg.fg_clearance)
clearance_ir = &prpwd->sfld.fd_clearance;
else
clearance_ir = mand_syslo;
/* make sure clearance dominates or equals desired_label */
switch(mand_ir_relationship(/* subject */ dl_ir,
/* object */ clearance_ir)) {
case MAND_ODOM:
case MAND_EQUAL:
/* Within range */
break;
default:
audit_login(prpwd, pwd, verify->terminal,
"Security label out of range", ES_LOGIN_FAILED);
Debug("Invalid clearance for this user\n");
mand_free_ir(dl_ir);
return 0;
}
verify->clearance_ir = clearance_ir;
verify->sec_label_ir = dl_ir;
return 1;
}
/* check the proper structures to determine if the user has a password.
* If the nullpw field is set, the user does not need one, and this
* overrides the rest of the checking.
* return 1 means that a password exists (or is not needed)
*/
int
password_exists(struct verify_info *verify)
{
struct pr_passwd *prpwd;
BOOL nocheck;
Debug("password_exists()\n");
prpwd = verify->prpwd;
if (prpwd->uflg.fg_nullpw)
nocheck=prpwd->ufld.fd_nullpw;
else if (prpwd->sflg.fg_nullpw)
nocheck=prpwd->sfld.fd_nullpw;
else
nocheck=FALSE;
if (!nocheck) { /* user needs password */
Debug("password required for user\n");
if (!prpwd->uflg.fg_encrypt ||
prpwd->ufld.fd_encrypt[0] == '\0' ) {
return 0;
}
}
return 1;
}
/* check that the requested security level can be used on this X terminal,
* and that it is not locked.
* Currently there is no support for locking xterms like there is for
* /dev/tty* terminals.
*/
int
verify_sec_xterm(struct verify_info *verify, char *desired_label)
{
return 1;
}
/* set clearance and label for the user. Audit all failures.
* return 0=fail, 1=pass
*/
int
set_sec_label(struct verify_info *verify)
{
struct pr_passwd *prpwd;
struct passwd *pwd;
/* set clearance */
prpwd = verify->prpwd;
pwd = verify->pwd;
if (setclrnce(verify->sec_label_ir)==-1) {
switch(errno) {
case EPERM:
audit_login(prpwd, pwd, verify->terminal,
"Insufficient privs to set clearance", ES_LOGIN_FAILED);
Debug ("login failed: EPERM on setclrnce()\n");
break;
case EFAULT:
/* audit:login failed: xdm memory fault */
default:
audit_login(prpwd, pwd, verify->terminal,
"Unable to set clearance", ES_LOGIN_FAILED);
Debug ("setclrnce failed: error: %d\n", errno);
break;
}
return 0;
}
/* set label */
if (setslabel(verify->sec_label_ir)==-1) {
switch(errno) {
case EPERM:
audit_login(prpwd, pwd, verify->terminal,
"Insufficient privs to set sec label", ES_LOGIN_FAILED);
Debug ("login failed: insufficient priv. to setslabel()\n");
break;
case EFAULT:
/* audit:login failed: xdm memory fault */
default:
audit_login(prpwd, pwd, verify->terminal,
"Unable to set sec label", ES_LOGIN_FAILED);
Debug ("setslabel() failed: error: %d\n", errno);
break;
}
return 0;
}
return 1;
}
/* set the effective, base, and maximum priv vectors for the
* new process, based on values from the pr_passwd entry.
* Inability to find either user priv's or default priv's
* results in failure. One or the other must be there.
* Function returns 1 for success, 0 for failure.
* A failure of this function should be considered fatal.
*/
int
set_sec_privs(struct verify_info *verify)
{
priv_t *maxprivs, *bprivs;
priv_t curr_bprivs[SEC_SPRIVVEC_SIZE];
priv_t curr_sprivs[SEC_SPRIVVEC_SIZE];
struct pr_passwd *prpwd;
struct passwd *pwd;
int bit;
prpwd = verify->prpwd;
pwd = verify->pwd;
/* kernel authorizations */
if (prpwd->uflg.fg_sprivs) {
maxprivs = &prpwd->ufld.fd_sprivs[0];
}else if(prpwd->sflg.fg_sprivs) {
maxprivs = &prpwd->sfld.fd_sprivs[0];
Debug("Using default kernel priv's\n");
}else {
audit_login(prpwd, pwd, verify->terminal,
"Unable to find kernel priv set for user",
ES_LOGIN_FAILED);
Debug("Can't find max. priv set for user-quitting\n");
return 0;
}
/* base priv's and initial effective priv's */
if (verify->prpwd->uflg.fg_bprivs) {
bprivs = &verify->prpwd->ufld.fd_bprivs[0];
}else if (verify->prpwd->sflg.fg_bprivs) { /* use system defaults */
bprivs = &verify->prpwd->sfld.fd_bprivs[0];
Debug("Using default base priv's\n");
}else{
audit_login(prpwd, pwd, verify->terminal,
"Unable to find base priv set for user",
ES_LOGIN_FAILED);
Debug("Can't find base priv set for user-quitting\n");
return 0;
}
getpriv(SEC_MAXIMUM_PRIV, curr_sprivs);
getpriv(SEC_BASE_PRIV, curr_bprivs);
/* remove those privs which the current process does not have,
* to avoid any error in the following system calls
*/
for (bit=0; bit<=SEC_MAX_SPRIV; bit++) {
if (!ISBITSET(curr_sprivs, bit))
RMBIT(maxprivs, bit);
if (!ISBITSET(curr_bprivs, bit))
RMBIT(bprivs, bit);
}
/* login removes those bits from maxprivs which the current process
* does not have. - This program assumes the system config
* utilities will enforce the rules for setpriv(3). Any failure
* of setpriv will indicate a corrupt database.
*/
if (setpriv(SEC_MAXIMUM_PRIV, maxprivs)==-1) {
switch(errno) {
case EPERM:
Debug("setpriv (max) failed: EPERM\n");
break;
case EINVAL:
Debug("setpriv (max) failed: EINVAL\n");
break;
case EFAULT:
Debug("setpriv (max) failed: EFAULT\n");
break;
default:
Debug("setpriv (max) failed for unknown error: %d\n",errno);
break;
}
audit_login(prpwd, pwd, verify->terminal,
"Unable to set Kernel privs", ES_LOGIN_FAILED);
Debug("Unable to set Kernel privs (error %d): aborting\n",errno);
return 0;
}
if (setpriv(SEC_BASE_PRIV, bprivs)==-1) {
switch(errno) {
case EPERM:
Debug("setpriv (base) failed: EPERM\n");
break;
case EINVAL:
Debug("setpriv (base) failed: EINVAL\n");
break;
case EFAULT:
Debug("setpriv (base) failed: EFAULT\n");
break;
default:
Debug("setpriv (base) failed for unknown error: %d\n",errno);
break;
}
audit_login(prpwd, pwd, verify->terminal,
"Unable to set base privs", ES_LOGIN_FAILED);
return 0;
}
if (setpriv(SEC_EFFECTIVE_PRIV, bprivs)==-1) {
switch(errno) {
case EPERM:
Debug("setpriv (effective) failed: EPERM\n");
break;
case EINVAL:
Debug("setpriv (effective) failed: EINVAL\n");
break;
case EFAULT:
Debug("setpriv (effective) failed: EFAULT\n");
break;
default:
Debug("setpriv (effective) failed for unknown error: %d\n",
errno);
break;
}
audit_login(prpwd, pwd, verify->terminal,
"Unable to set effective privs", ES_LOGIN_FAILED);
Debug("Unable to set effective privs (error %d): aborting\n",errno);
return 0;
}
return 1;
}
/* change the current process over to be owned by the user verify->uid.
* Also properly set the privs, sec label, etc.
* Also audits failures.
* return=1 for success, 0 for fail. A failure should be considered fatal.
*/
int
change_to_user(struct verify_info *verify)
{
struct pr_passwd *prpwd;
struct passwd *pwd;
int new_nice;
prpwd = verify->prpwd;
pwd = verify->pwd;
Debug("change_to_user()\n");
/* 1. set the login user id - settable only once */
if (setluid(verify->uid)==-1) {
switch(errno) {
case EPERM:
Debug("Unable to set luid - EPERM\n");
audit_login(prpwd, pwd, verify->terminal,
"Unable to set luid - insufficient privs",
ES_LOGIN_FAILED);
break;
case EINVAL:
Debug("Unable to set luid - suspicious of pwd db.\n");
audit_login(prpwd, pwd, verify->terminal,
"Unable to set luid - out of range", ES_LOGIN_FAILED);
break;
default:
Debug("Can't set luid-Unknown error %d\n",errno);
audit_login(prpwd, pwd, verify->terminal,
"Unable to set luid-unknown error", ES_LOGIN_FAILED);
break;
}
return 0;
}
/*
* Set the 'nice' priority if necessary. Since the return value
* of nice(2) can normally be -1 from the documentation, and
* -1 is the error condition, we key off of errno, not the
* return value to find if the change were successful.
* Note we must do this before the setuid(2) below.
*/
errno = 0;
prpwd = verify->prpwd;
if (prpwd->uflg.fg_nice)
new_nice = prpwd->ufld.fd_nice;
else if (prpwd->sflg.fg_nice)
new_nice = prpwd->sfld.fd_nice;
if (prpwd->uflg.fg_nice || prpwd->sflg.fg_nice) {
(void) nice(new_nice);
if (errno != 0) {
audit_login(prpwd, verify->pwd, NULL,
"bad 'nice' setting", ES_LOGIN_FAILED);
Debug("Bad priority setting.\n");
return 0;
}
}
/* 2. set the group(s) id and
* 3. set the regular user id */
#ifdef NGROUPS
/* setgroups (verify->ngroups, verify->groups);
*/
if(setgid (verify->groups[0])) {
switch(errno) {
case EPERM:
Debug("setgid EPERM\n");
break;
case EINVAL:
Debug("setgid EINVAL\n");
break;
default:
Debug("setgid unknown error: %d\n",errno);
break;
}
return 0;
}
initgroups(verify->user_name, verify->groups[0]);
#else
if(setgid (verify->gid)) {
switch(errno) {
case EPERM: Debug("setgid EPERM\n");break;
case EINVAL: Debug("setgid EINVAL\n");break;
default: Debug("setgid unknown error\n");break;
}
return 0;
}
#endif
if(setuid (verify->uid)) {
switch(errno) {
case EPERM: Debug("setgid EPERM\n");break;
case EINVAL: Debug("setgid EINVAL\n");break;
default: Debug("setgid unknown error\n");break;
}
return 0;
}
/* 4. set security clearance and label for the new process */
if (!set_sec_label(verify))
return 0;
/* 5. set audit parameters */
audit_adjust_mask(prpwd);
/* 6. set privlege levels - maximum, base, and effective */
if (!set_sec_privs(verify))
return 0;
return 1;
}
/*
* Try to read back everything, and print it. If a fatal error occurs,
* return code is 0. 1=success.
*/
int
dump_sec_debug_info(struct verify_info *verify)
{
mand_ir_t *level_ir;
priv_t privs[SEC_SPRIVVEC_SIZE];
Debug ("luid: %d, real uid: %d, effective uid:%d,\n",
getluid(),getuid(),geteuid());
Debug ("real gid:%d, effective gid: %d\n", getgid(),getegid());
level_ir = mand_alloc_ir();
if (getclrnce(level_ir)==-1) {
switch(errno) {
case EFAULT: Debug("getclrnce EFAULT\n");break;
case EINVAL: Debug("getclrnce EINVAL\n");break;
default: Debug("getclrnce unknown error:%d\n",errno);break;
}
return 0;
}else Debug ("Clearance: %s\n", mand_ir_to_er(level_ir) );
if (getslabel(level_ir)==-1) {
switch(errno) {
case EFAULT: Debug("getslabel EFAULT\n");break;
case EINVAL: Debug("getslabel EINVAL\n");break;
default: Debug("getslabel unknown error:%d\n",errno);break;
}
return 0;
}else Debug ("Level: %s\n", mand_ir_to_er(level_ir));
mand_free_ir(level_ir);
if(getpriv(SEC_MAXIMUM_PRIV, privs)==-1) {
switch(errno) {
case EFAULT: Debug("getpriv max EFAULT\n");break;
case EINVAL: Debug("getpriv max EINVAL\n");break;
default: Debug("getpriv max unknown error:%d\n",errno);
break;
}
return 0;
}else Debug ("max priv: %x.%x\n", privs[0],privs[1]);
if(getpriv(SEC_EFFECTIVE_PRIV, privs)==-1) {
switch(errno) {
case EFAULT: Debug("getpriv eff EFAULT\n");break;
case EINVAL: Debug("getpriv eff EINVAL\n");break;
default: Debug("getpriv eff unknown error:%d\n",errno);
break;
}
return 0;
}else Debug ("eff priv: %x.%x\n", privs[0],privs[1]);
if(getpriv(SEC_BASE_PRIV, privs)==-1) {
switch(errno) {
case EFAULT: Debug("getpriv base EFAULT\n");break;
case EINVAL: Debug("getpriv base EINVAL\n");break;
default: Debug("getpriv base unknown error:%d\n",errno);
break;
}
return 0;
}else Debug ("base priv: %x.%x\n", privs[0],privs[1]);
return 1;
}
/*
* writeLoginInfo
* Input: file name string (ex. $HOME/.dtlogininfo)
* verify structure with password stuff
* Write login information to a file to be displayed later, after a
* successful login.
*
* Xsession will need to be modified something like this...
* DTHELLO="$DTDIR/bin/dthello -f /etc/copyright -f $HOME/.dtlogininfo"
*/
int
writeLoginInfo( char *filename, struct verify_info *verify)
{
char *s1="Last successful login: %s";
char *s2="Last unsuccessful login: %s";
char *s3;
char s[80];
char term[15];
char *label;
char *message="Sensitivity level for process: ";
int i;
int nl;
time_t slogin, ulogin;
char *slabel;
char *uterminal, *sterminal;
FILE *fp;
Debug("Writing login info\n");
if ((fp = fopen (filename, "w")) == 0 )
return 0;
if (verify->prpwd->uflg.fg_slogin)
slogin=verify->prpwd->ufld.fd_slogin;
else
slogin=(time_t)0;
if (verify->prpwd->uflg.fg_ulogin)
ulogin=verify->prpwd->ufld.fd_ulogin;
else
ulogin=(time_t)0;
if (verify->prpwd->uflg.fg_suctty)
sterminal=verify->prpwd->ufld.fd_suctty;
else
sterminal="UNKNOWN";
if (verify->prpwd->uflg.fg_unsuctty)
uterminal=verify->prpwd->ufld.fd_unsuctty;
else
uterminal="UNKNOWN";
slabel = mand_ir_to_er(verify->sec_label_ir);
fprintf(fp,"-----------------------------------\n");
fprintf(fp,"\nPrevious login information:\n\n");
/* tricky formatting */
if (slogin != 0) {
sprintf(s, s1, ctime(&slogin));
nl=strlen(s)-1;
s[nl]='\0'; /* remove new-line */
}else{
sprintf(s,s1,"NEVER");
}
strcat(s, " from ");
strncpy(term, sterminal, 14);
term[14]='\0';
strcat(s, term);
fprintf(fp,"%s\n",s);
if (ulogin != 0) {
sprintf(s, s2, ctime(&ulogin));
nl=strlen(s)-1;
s[nl]='\0'; /* remove new-line */
}else{
sprintf(s,s2,"NEVER");
}
strcat(s, " from ");
strncpy(term, uterminal, 14);
term[14]='\0';
strcat(s, term);
fprintf(fp,"%s\n",s);
label = (char*)malloc(strlen(message)+strlen(slabel)+1);
sprintf(label, "%s%s", message, slabel);
if (strlen (label) > 77) {
for(i=75; label[i]!=',' && i>0; i--);
if (i==0) for(i=75; label[i]!=' ' && i>0; i--);
if (i==0) i=75;
strncpy(s, label, i+1);
s[i+1]='\0';
fprintf(fp,"%s\n",s);
strncpy(s, &label[i+1], 75);
s[75]='\0';
fprintf(fp,"%s\n",s);
}else{
fprintf(fp,"%s\n",label);
}
fclose(fp);
return 1;
}
#endif /* BLS */

830
cde/programs/dtlogin/bls/validate.c
View file

@ -1,830 +0,0 @@
/*
* CDE - Common Desktop Environment
*
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
*
* These libraries and programs are free software; you can
* redistribute them and/or modify them under the terms of the GNU
* Lesser General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* These libraries and programs are distributed in the hope that
* they will be useful, but WITHOUT ANY WARRANTY; without even the
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with these libraries and programs; if not, write
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
* Floor, Boston, MA 02110-1301 USA
*/
/* $XConsortium: validate.c /main/4 1995/10/27 16:19:47 rswiston $ */
/************************************<+>*************************************
****************************************************************************
**
** File: validate.c
**
** Project: HP Visual User Environment (DT)
**
** Description: Dtgreet BLS user authentication routines
**
** These routines validate the user; checking name, password,
** number of users on the system, password aging, etc.
**
**
** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
**
**
** Conditional compiles:
**
** OSMAJORVERSION < 8
** HP-UX 7.0/7.03 restricted license counting algorithms
** are used. Otherwise HP-UX 8.0 and beyond is used
**
** BLS HP BLS B1 simple authentication.
**
**
****************************************************************************
************************************<+>*************************************/
#ifdef BLS
/***************************************************************************
*
* Includes & Defines
*
***************************************************************************/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <pwd.h>
#include "../vg.h"
/***************************************************************************
*
* HP-UX BLS authentication routines
*
***************************************************************************/
#include <sys/param.h> /* for MAXUID macro */
#include <sys/types.h>
#include <sys/utsname.h>
#include <string.h>
#include <utmp.h>
#include <time.h>
#include <grp.h>
/* BLS only headers */
# include <sys/security.h>
# include <prot.h>
# include "bls.h"
#define how_to_count ut_exit.e_exit
#ifdef __hp9000s300
static int num_users[] = { 2, 32767 };
# define MIN_VERSION 'A'
# define UNLIMITED 'B'
#else
static int num_users[] = { 2, 16, 32, 64 , 8 };
# define MIN_VERSION 'A'
# define UNLIMITED 'U'
#endif
/* Maximum number of users allowed with restricted license */
#if OSMAJORVERSION < 8
# define MAX_STRICT_USERS 2
#else
# define MAX_STRICT_USERS 8
#endif
#define NUM_VERSIONS (sizeof(num_users)/sizeof(num_users[0])) - 1
/***************************************************************************
*
* External declarations
*
***************************************************************************/
extern Widget focusWidget; /* login or password text field */
extern long groups[NGROUPS];
/***************************************************************************
*
* Procedure declarations
*
***************************************************************************/
static int CheckPassword( char *name, char *passwd );
static int CountUsers( int added_users) ;
static int CountUsersStrict( char *new_user) ;
static void WriteBtmp( char *name) ;
/***************************************************************************
*
* Global variables
*
***************************************************************************/
/* BLS only data */
struct pr_passwd *b1_pwd;
struct verify_info verify_data;
struct verify_info *verify = &verify_data;
struct greet_info greet_data;
struct greet_info *greet = &greet_data;
static int UserHasPassword = 1;
/***************************************************************************
*
* CountUsers
*
* see if new user has exceeded the maximum.
***************************************************************************/
#define NCOUNT 16
static int
CountUsers( int added_users )
{
int count[NCOUNT], nusers, i;
struct utmp *entry;
for (i=0; i<NCOUNT; i++)
count[i] = 0;
count[added_users]++;
while ( (entry = getutent()) != NULL) {
if (entry->ut_type == USER_PROCESS) {
i = entry->how_to_count;
if (i < 0 || i >= NCOUNT)
i = 1; /* if out of range, then count */
/* as ordinary user */
count[i]++;
}
}
endutent();
/*
* KEY:
* [0] does not count at all
* [1] counts as real user
* [2] logins via a pty which have not gone trough login. These
* collectively count as 1 user IF count[3] is 0, otherwise,
* they are not counted. Starting with HP-UX 8.0 they are
* no longer counted at all.
* [3] logins via a pty which have been logged through login (i.e.
* rlogin and telnet). these count as 1 "real" user per
* unique user name.
* [4-15] may be used for groups of users which collectively
* count as 1
*/
nusers = count[1];
#if OSMAJORVERSION < 8
for (i=2; i<NCOUNT; i++)
#else
for (i=3; i<NCOUNT; i++)
#endif
if (count[i] > 0)
nusers++;
return(nusers);
}
/***************************************************************************
*
* CountUsersStrict
*
* see if new user has exceeded the maximum.
***************************************************************************/
static int
CountUsersStrict( char *new_user )
{
char pty_users[MAX_STRICT_USERS][8];
int count[NCOUNT], nusers, i, cnt, pty_off = -1, uname_off;
struct utmp *entry;
/*
* Initialize count array...
*/
for (i = 0; i < NCOUNT; i++)
count[i] = 0;
/*
* Add in the new user (we know it's not a pty)...
*/
count[1]++;
while ( (entry = getutent()) != NULL ) {
if (entry->ut_type == USER_PROCESS) {
i = entry->how_to_count;
/* if out of range, then count as ordinary user logged in
via a tty */
if (i == 1 || (i < 0 || i >= NCOUNT))
count[1]++;
/* See if it is a pty login granted by login program */
else if (i == 3) {
count[3]++;
/* See if user is already logged in via login pty */
uname_off = -1;
for (cnt = 0; cnt <= pty_off; cnt++)
if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0)
uname_off = cnt;
if (uname_off == -1) { /* user is not logged in via pty yet */
if (pty_off >= MAX_STRICT_USERS) /* cannot add any
more users */
return(MAX_STRICT_USERS + 1);
/* add the user name to the array of pty users */
else
strncpy(pty_users[++pty_off], entry->ut_user, 8);
}
} /* end if (i == 3) */
else
count[i]++;
} /* end if entry->ut_type == USER_PROCESS */
} /* end while (entry = getutent()) */
endutent();
/*
* KEY:
* [0] does not count at all
* [1] counts as "real" user
* [2] logins via a pty which have not gone trough login. These
* collectively count as 1 user IF count[3] is 0, otherwise,
* they are not counted. Starting with HP-UX 8.0 they are
* no longer counted at all.
* [3] logins via a pty which have been logged through login (i.e.
* rlogin and telnet). these count as 1 "real" user per
* unique user name.
* [4-15] may be used for groups of users which collectively count
* as 1
*/
nusers = pty_off + 1 + count[1]; /* Current number of users is sum of
users logged in via tty + the
number of unique users logged in
via pty which have gone through
login */
#if OSMAJORVERSION < 8
if ((count[3] == 0) && (count[2] != 0))
nusers++; /* Add 1 user for all pty logins IF
none of pty logins have been
granted by the login program */
#else
/*
* Don't count any hpterm logins (exit status of 2). We already
* counted all pty logins granted by the login program.
*/
#endif
for (i = 4; i < NCOUNT; i++)
if (count[i] > 0)
nusers++;
return(nusers);
}
/***************************************************************************
*
* CheckPassword
*
* Check validity of user password.
*
***************************************************************************/
static int
CheckPassword( char *name, char *passwd )
{
char *crypt();
struct passwd *p;
char *reason;
/*
* HP BLS B1 password authentication...
*/
if ( ISSECURE ) {
b1_pwd = getprpwnam(name);
if ( b1_pwd == NULL || strlen(name) == 0 ) {
Debug("unknown user '%s'\n", name);
audit_login((struct pr_passwd *)0, (struct passwd *)0,
dpyinfo.name, "No entry in protected password db",
ES_LOGIN_FAILED);
return(FALSE);
}
/*
* look up user's regular account information...
*/
p = getpwnam(name);
if ( p == NULL || strlen(name) == 0 ) {
Debug("unknown user '%s'\n", name);
audit_login((struct pr_passwd *)0, (struct passwd *)0,
dpyinfo.name, "No entry in password file",
ES_LOGIN_FAILED);
return(FALSE);
}
/* verify_info has become a catchall for info needed later */
verify->user_name = name;
verify->prpwd = b1_pwd;
verify->pwd = p;
strncpy(verify->terminal, dpyinfo.name, 15);
verify->terminal[15]='\0';
}
Debug("Verify %s \n",name);
/* if the password doesn't exists, we can't check it, but
* the user will be forced to change it later */
if ( (UserHasPassword = password_exists(verify)) != 0 )
if ( strcmp(bigcrypt(passwd,b1_pwd->ufld.fd_encrypt),
b1_pwd->ufld.fd_encrypt) ) {
Debug("verify failed\n");
audit_login( b1_pwd, p ,dpyinfo.name,
"Password incorrect",
ES_LOGIN_FAILED);
return(FALSE);
} else {
Debug ("username/password verify succeeded\n");
return(TRUE);
}
/*
* all password checks failed...
*/
return (FALSE);
}
/***************************************************************************
*
* BLS_Verify
*
* verify the user
*
* return codes indicate authentication results.
***************************************************************************/
#define MAXATTEMPTS 3
static struct passwd nouser = {"", "nope"}; /* invalid user password struct */
int
BLS_Verify( char *name, char *passwd )
{
static int login_attempts = 0; /* # failed authentications */
struct passwd *p; /* password structure */
struct pr_passwd *prpwd;
struct utsname utsnam;
int n;
int uid;
/*
* Desparate maneuvre to give dtgreet the privledges it needs
*/
if ( login_attempts == 0 ) {
Debug("Setting luid for dtgreet\n");
if ( getluid() == -1 )
setluid(getuid());
}
/*
* validate password...
*/
if ( CheckPassword(name, passwd) == FALSE) {
p = verify->pwd;
if ( focusWidget == passwd_text ) {
WriteBtmp(name);
if ((++login_attempts % MAXATTEMPTS) == 0 ) {
if (p->pw_name == NULL )
p = &nouser;
audit_login( b1_pwd, p ,dpyinfo.name,
"Failed login(bailout)",
ES_LOGIN_FAILED);
}
} else if ( !UserHasPassword ) {
/*
* The user has not password -- this must be the initial login for this
* user. Treat it like an expired password. This should invoke the
* password program on behalf of the user.
*/
UserHasPassword = 1;
return VF_PASSWD_AGED;
}
return(VF_INVALID);
}
prpwd = verify->prpwd;
p = verify->pwd;
/* check that the uid of both passwd and pr_passwd struct's agree */
uid = p->pw_uid;
if (uid != prpwd->ufld.fd_uid) {
audit_login(prpwd, p, verify->terminal,
"User id's inconsistent across password database\n",
ES_LOGIN_FAILED);
Debug("login failed - uid's do not match\n");
return VF_BAD_UID;
}
verify->uid = uid;
/* check if user's account is locked
* This can be by dead password (lifetime exceeded),
* fd_lock is set, or fd_max_tries is exceeded.
* locked_out is from libsec, but is poorly documented.
*/
if (locked_out(prpwd)) {
Debug("Account locked\n");
audit_login(prpwd, p, verify->terminal,
"Account locked", ES_LOGIN_FAILED);
return VF_INVALID;
}
/* can user log in at this time?
* time_lock is in libsec, but poorly documented
*/
if (time_lock(prpwd)) {
Debug("Account time-locked\n");
audit_login(prpwd, p, verify->terminal,
"Account time-locked", ES_LOGIN_FAILED);
return VF_INVALID;
}
/****************************************************
xdm checks the security level here using
verify_sec_user
We do it later from the dtgreet callback rountine
VerifySensitivityLevel()
****************************************************/
#if 0
/*
* check restricted license...
*
* Note: This only applies to local displays. Foreign displays
* (i.e. X-terminals) apparently do not count.
*/
/* Get the version info via uname. If it doesn't look right,
* assume the smallest user configuration
*/
if (getenv(LOCATION) != NULL) {
if (uname(&utsnam) < 0)
utsnam.version[0] = MIN_VERSION;
/*
* Mappings:
* 834 -> 834
* 844 -> 844
* 836 -> 635
* 846 -> 645
* 843 -> 642
* 853 -> 652
*/
if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
(!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
(!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
(!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
(!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
(!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
/* strict_count = 1;*/
if (CountUsersStrict(name) > MAX_STRICT_USERS) {
audit_login( b1_pwd, p ,dpyinfo.name,
"Attempted to login - too many users on the system",
ES_LOGIN_FAILED);
return(VF_MAX_USERS);
}
}
else {
if (utsnam.version[0] != UNLIMITED) {
if ((utsnam.version[0]-'A' < 0) ||
(utsnam.version[0]-'A' > NUM_VERSIONS))
utsnam.version[0] = MIN_VERSION;
n = (int) utsnam.version[0] - 'A';
if (CountUsers(1) > num_users[n]) {
audit_login( b1_pwd, p ,dpyinfo.name,
"Attempted to login - too many users on the system",
ES_LOGIN_FAILED);
return(VF_MAX_USERS);
}
}
}
}
#endif /* 0 */
/*
* check password aging...
*/
if ( passwordExpired(verify)) {
audit_login( b1_pwd, p ,dpyinfo.name,
"Password expired",
ES_LOGIN_FAILED);
return(VF_PASSWD_AGED);
}
/*
* verify home directory exists...
*/
if(chdir(p->pw_dir) < 0) {
Debug("Attempted to login -- no home directory\n");
audit_login( b1_pwd, p ,dpyinfo.name,
" Attempted to login - no home directory",
ES_LOGIN_FAILED);
return(VF_HOME);
}
/*
* validate uid and gid...
*/
#ifdef NGROUPS
getGroups(greet->name, verify, p->pw_gid);
#else
verify->gid = pwd->pw_gid;
if ((p->pw_gid < 0) ||
(p->pw_gid > MAXUID) ||
(setgid(p->pw_gid) == -1)) {
Debug("Attempted to login -- bad group id");
audit_login( b1_pwd, p ,dpyinfo.name,
"Attempted to login - bad group id",
ES_LOGIN_FAILED);
return(VF_BAD_GID);
}
#endif /* NGROUPS */
if ((p->pw_uid < 0) ||
(p->pw_uid > MAXUID) ||
(setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
Debug("Attempted to login -- bad user id\n");
audit_login( b1_pwd, p ,dpyinfo.name,
"Attempted to login - bad user id",
ES_LOGIN_FAILED);
return(VF_BAD_UID);
}
/*
* verify ok...
*/
Debug ("Successful login\n");
audit_login( b1_pwd, p ,dpyinfo.name,
"Successful login",
ES_LOGIN_REMOTE);
return(VF_OK);
}
/***************************************************************************
*
* WriteBtmp
*
* log bad login attempts
*
***************************************************************************/
static void
WriteBtmp( char *name )
{
int fd;
struct utmp utmp, *u;
Boolean found=FALSE;
bzero(&utmp, sizeof(struct utmp));
utmp.ut_pid = getppid();
while ((u = getutent()) != NULL) {
if ( (u->ut_type == INIT_PROCESS ||
u->ut_type == LOGIN_PROCESS ||
u->ut_type == USER_PROCESS) &&
u->ut_pid == utmp.ut_pid ) {
found = TRUE;
break;
}
}
/*
* if no utmp entry, this may be an X-terminal. Construct a utmp
* entry for it...
*/
if ( ! found ) {
strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
utmp.ut_type = LOGIN_PROCESS;
strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
u = &utmp;
}
/*
* If btmp exists, then record the bad attempt
*/
if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
strncpy(u->ut_user, name, sizeof(u->ut_user));
(void) time(&u->ut_time);
write(fd, (char *)u, sizeof(utmp));
(void) close(fd);
}
endutent(); /* Close utmp file */
}
/***************************************************************************
*
* VerifySensitivityLevel
*
* verify B1 Sensitivity Level
**************************************************************************/
extern char *sensitivityLevel;
int
VerifySensitivityLevel( void)
{
int i;
greet->b1security = sensitivityLevel =
(char *) XmTextFieldGetString(passwd_text);
/* new functions: (side effects: auditing, change verify) */
if (verify_user_seclevel(verify, sensitivityLevel)
&& verify_sec_xterm(verify, sensitivityLevel)) {
Debug("verify_user_seclevel succeeded.\n");
return VF_OK;
}
Debug("verify_user_seclevel failed\n");
return (VF_BAD_SEN_LEVEL);
}
#ifdef NGROUPS
groupMember ( char *name, char **members )
{
while (*members) {
if (!strcmp (name, *members))
return 1;
++members;
}
return 0;
}
getGroups ( char *name, struct verify_info *verify, int gid)
{
int ngroups;
struct group *g;
int i;
ngroups = 0;
verify->groups[ngroups++] = gid;
setgrent ();
while (g = getgrent()) {
/*
* make the list unique
*/
for (i = 0; i < ngroups; i++)
if (verify->groups[i] == g->gr_gid)
break;
if (i != ngroups)
continue;
if (groupMember (name, g->gr_mem)) {
if (ngroups >= NGROUPS)
LogError ("%s belongs to more than %d groups, %s ignored\n",
name, NGROUPS, g->gr_name);
else
verify->groups[ngroups++] = g->gr_gid;
}
}
verify->ngroups = ngroups;
endgrent ();
}
#endif
/* check whether the password has expired or not.
* return 1 means that the password has expired.
*/
int
passwordExpired( struct verify_info *verify)
{
struct pr_passwd *pr;
time_t expiration;
time_t last_change;
time_t expiration_time;
time_t now;
int passwd_status;
struct pr_passwd save_data;
struct pr_default *df;
char *ttime;
char ptime[64];
pr = verify->prpwd;
/*
* If null password, do not check expiration.
*/
if (!pr->uflg.fg_encrypt || (pr->ufld.fd_encrypt[0] == '\0'))
return 0;
now = time((long *) 0);
if (pr->uflg.fg_schange)
last_change = pr->ufld.fd_schange;
else
last_change = (time_t) 0;
if (pr->uflg.fg_expire)
expiration = pr->ufld.fd_expire;
else if (pr->sflg.fg_expire)
expiration = pr->sfld.fd_expire;
else
expiration = (time_t) 0;
df = getprdfnam(AUTH_DEFAULT);
/*
* A 0 or missing expiration field means there is no
* expiration.
*/
expiration_time = expiration ? last_change + expiration : 0;
if (expiration_time && now > expiration_time ) {
/*
* The password has expired
*/
Debug("The password is expired\n");
return 1;
}
Debug("The password is not expired\n");
return 0;
}
/***************************************************************************
*
* end HP-UX authentication routines
*
***************************************************************************/
#endif /* BLS */

12
cde/programs/dtlogin/dm.h
View file

@ -404,9 +404,6 @@ struct protoDisplay {
struct greet_info {
char *name; /* user name */
char *password; /* user password */
#ifdef BLS
char *b1security; /* user's b1 security */
#endif
char *string; /* random string */
#ifdef __PASSWD_ETC
char *name_full; /* full SID */
@ -428,15 +425,6 @@ struct verify_info {
long audid; /* audit id */
int audflg; /* audit flag */
#endif
#ifdef BLS
char *user_name;
struct mand_ir_t *sec_label_ir;
struct mand_ir_t *clearance_ir;
/* save these for logout time */
struct pr_passwd *prpwd;
struct passwd *pwd;
char terminal[16];
#endif
};

6
cde/programs/dtlogin/resource.c
View file

@ -110,12 +110,6 @@ static char AppName[16] = DTLOGIN;
# define DM_BOOL 2
# define DM_ARGV 3
#ifdef BLS
# define DEF_XDM_CONFIG CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xconfig"
# define DEF_AUTH_DIR CDE_INSTALLATION_TOP "/lib/X11/Dtlogin"
# define DEF_KEY_FILE CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xkeys"
#endif
/*
* the following constants are supposed to be set in the makefile from

113
cde/programs/dtlogin/session.c
View file

@ -95,11 +95,6 @@
# include "solaris.h"
#endif
#ifdef BLS
# include <sys/security.h>
# include <prot.h>
#endif
#ifdef __KERBEROS
# include <krb.h>
#endif /* __KERBEROS */
@ -241,10 +236,6 @@ static char *defaultLanguage = NULL;
static sigjmp_buf abortSession;
#ifdef BLS
static char *sensitivityLevel;
#endif
#ifdef __KERBEROS
static char krb_ticket_string[MAXPATHLEN];
#endif /* __KERBEROS */
@ -1189,10 +1180,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
FILE *lastsession;
char lastsessfile[MAXPATHLEN];
#ifdef BLS
struct pr_passwd *b1_pwd;
#endif
#ifdef __AFS
#define NOPAG 0xffffffff
long pagval, j;
@ -1387,63 +1374,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
#ifndef sun
#ifdef BLS
/*
* HP BLS B1 session setup...
*
* 1. look up user's protected account information.
* 2. set the session sensitivity/clearance levels
* 3. set the logical UID (LUID)
*/
if ( ISSECURE ) {
Debug("BLS - Setting user's clearance, security level and luid.\n");
set_auth_parameters(1, verify->argv);
init_security();
verify->user_name = user;
strncpy(verify->terminal,d->name,15);
verify->terminal[15]='\0';
verify->pwd = getpwnam(user);
if ( verify->pwd == NULL || strlen(user) == 0 ) {
LogError(ReadCatalog(
MC_LOG_SET,MC_LOG_NO_BLSACCT,MC_DEF_LOG_NO_BLSACCT));
exit (1);
}
verify->prpwd= b1_pwd = getprpwnam(user);
verify->uid = b1_pwd->ufld.fd_uid;
if ( b1_pwd == NULL || strlen(user) == 0 ) {
LogError(ReadCatalog(
MC_LOG_SET,MC_LOG_NO_BLSPACCT,MC_DEF_LOG_NO_BLSPACCT));
exit (1);
}
/*
* This has already been done successfully by dtgreet
* but we need to get all the information again for the
* dtlogin process.
*/
if ( verify_user_seclevel(verify,sensitivityLevel) != 1 ) {
Debug("BLS - Could not verify sensitivity level.\n");
LogError(ReadCatalog(
MC_LOG_SET,MC_LOG_NO_VFYLVL,MC_DEF_LOG_NO_VFYLVL));
exit (1);
}
if ( change_to_user(verify) != 1 ) {
Debug("BLS - Could not change to user: %s.\n",verify->user_name);
LogError(ReadCatalog(
MC_LOG_SET,MC_LOG_NO_BLSUSR,MC_DEF_LOG_NO_BLSUSR),
verify->user_name);
exit (1);
}
Debug("BLS - Session setup complete.\n");
} else {
#endif /* BLS */
# ifdef __AFS
if ( IsVerifyName(VN_AFS) ) {
pagval = get_pag_from_groups(verify->groups[0], verify->groups[1]);
@ -1522,10 +1452,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
}
#endif
#ifdef BLS
} /* ends the else clause of if ( ISSECURE ) */
#endif /* BLS */
#endif /* ! sun */
/*
@ -1569,23 +1495,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
if (greet.password)
bzero(greet.password, strlen(greet.password));
#ifdef BLS
/*
* Write login information to a file
* The file name should really be settable by some kind of resource
* but time is short so we hard-wire it to ".dtlogininfo".
*/
if ( ! writeLoginInfo( ".dtlogininfo" , verify ) )
Debug("Unable to write \".dtlogininfo\"\n");
# ifndef NDEBUG
/* extra debugging */
if(!dump_sec_debug_info(verify)) {
Debug("Something wrong with environment\n");
exit(1);
}
# endif /* ! NDEBUG */
#endif /* BLS */
/*
* exec session...
*/
@ -2268,11 +2177,7 @@ RunGreeter( struct display *d, struct greet_info *greet,
*/
if (d->authorizations && d->authFile &&
waitVal(status) != NOTIFY_LANG_CHANGE
#ifdef BLS
&& waitVal(status) != NOTIFY_BAD_SECLEVEL
#endif
) {
waitVal(status) != NOTIFY_LANG_CHANGE) {
/***
Debug ("Done with authorization file %s, removing\n",
@ -2351,13 +2256,6 @@ RunGreeter( struct display *d, struct greet_info *greet,
}
#endif
#ifdef BLS
/*
* sensitivityLevel set in BLS_Verify()
*/
greet->b1security = sensitivityLevel;
#endif
Verify(d, greet, verify);
return;
@ -2405,14 +2303,10 @@ RunGreeter( struct display *d, struct greet_info *greet,
LANGUAGESIZE) = '\0';
return;
#ifdef BLS
case NOTIFY_BAD_SECLEVEL:
return;
#endif
case waitCompose (SIGTERM,0,0):
Debug ("Greeter exited on SIGTERM\n");
SessionExit(d, OPENFAILED_DISPLAY);
default:
Debug ("Greeter returned unknown status %d\n",
waitVal(status));
@ -2769,9 +2663,6 @@ ManageGreeter( struct display *d, struct greet_info *greet,
case VF_BAD_AID: SETMC(msg, BAD_AID); break;
case VF_BAD_AFLAG: SETMC(msg, BAD_AFLAG); break;
case VF_NO_LOGIN: SETMC(msg, NO_LOGIN); break;
#ifdef BLS
case VF_BAD_SEN_LEVEL: SETMC(msg, BAD_SEN_LEVEL); break;
#endif
case VF_MESSAGE: msg.id=0; msg.def=state->msg; break;
default: msg.id=0; msg.def=""; break;
}

2
cde/programs/dtlogin/sysauth.c
View file

@ -55,8 +55,6 @@
** self-auditing of login actions. Incompatible with
** #ifdef SecureWare
**
** BLS HP BLS B1 simple authentication.
**
** __AFS AFS 3 authentication mechanism
** __KERBEROS Kerberos authentication mechanism
** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism

4
cde/programs/dtlogin/sysauth.h
View file

@ -74,10 +74,6 @@
#define VF_CHALLENGE 12
#define VF_MESSAGE 13
#ifdef BLS
#define VF_BAD_SEN_LEVEL 14
#endif
/****************************************************************************
*
* External procedure declarations

4
cde/programs/dtlogin/vg.h
View file

@ -62,10 +62,6 @@ extern int errno;
#include <Xm/Xm.h>
#include "vgproto.h"
#ifdef BLS
# include <sys/security.h>
#endif
#ifdef USE_XINERAMA
# include <Dt/DtXinerama.h>
#endif

2
cde/programs/dtlogin/vgauth.c
View file

@ -55,8 +55,6 @@
** self-auditing of login actions. Incompatible with
** #ifdef SecureWare
**
** BLS HP BLS B1 simple authentication.
**
** __AFS AFS 3 authentication mechanism
** __KERBEROS Kerberos authentication mechanism
** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism

71
cde/programs/dtlogin/vgcallback.c
View file

@ -110,11 +110,6 @@ static void ProcessTraversal( Widget w, int direction) ;
static void _DtShowDialog(DialogType dtype, XmString msg);
static void TellRequester(char * buf, size_t nbytes);
# ifdef BLS
static void PromptSensitivityLevel(void); /* prompt for B1 Sen. Level */
int VerifySensitivityLevel(void); /* verify B1 Sensitivity Level */
# endif
static int session_selected = False;
static Widget default_dt = NULL;
@ -131,11 +126,6 @@ char *userName = "\0";
struct passwd *user_p;
#ifdef BLS
static int normalPasswordWidget = True;
char *sensitivityLevel = NULL;
#endif
#ifndef SVR4
long groups[NGROUPS];
#endif
@ -1877,67 +1867,6 @@ GetLoginTextPtr( Widget w )
}
#ifdef BLS
/***************************************************************************
*
* PromptSensitivityLevel
*
* Prompt for B1 Sensitivity Level. The password widget set is reused for
* this purpose rather than creating another complete widget set. It already
* has most of the proper size and alignment specifications needed. Using
* the password set also allows the B1 code changes to be more localized.
*
***************************************************************************/
static void
PromptSensitivityLevel( void)
{
Dimension width;
int i, width1, width2;
/*
* Use the password widget set to prompt for the B1 Sensitivity Level.
* Remember to put it back to normal if the user presses [Clear].
*/
normalPasswordWidget = False;
XtRemoveAllCallbacks(_text, XmNmodifyVerifyCallback);
XmTextFieldSetString(_text,"");
/*
* Change the label and resize the password form...
*/
i = 0;
XtSetArg(argt[i], XmNresizable, True ); i++;
XtSetArg(argt[i], XmNresizePolicy, XmRESIZE_ANY ); i++;
XtSetValues(_form, argt, i);
i = 0;
xmstr = ReadCatalogXms(MC_LABEL_SET, -1, "Sensitivity Level:");
XtSetArg(argt[i], XmNrecomputeSize, True ); i++;
XtSetArg(argt[i], XmNlabelString, xmstr ); i++;
XtSetValues(_label, argt, i);
XmStringFree(xmstr);
/*
* Center the form horizontally in the login_matte...
*
*/
CenterForm(matte1, _form);
ProcessTraversal(_text, XmTRAVERSE_CURRENT);
}
#endif /* BLS */
static void
TellRequester(char * buf, size_t nbytes)
{

25
cde/programs/dtlogin/vgmain.c
View file

@ -371,31 +371,6 @@ main( int argc, char **argv )
(void) signal(SIGTERM, Terminate);
#ifdef BLS
# ifndef NDEBUG
{
extern SIGVAL BLS_ToggleDebug( int arg );
/*
* Allow debug output to be turned on for dtgreet.
*/
(void) signal(SIGHUP, BLS_ToggleDebug);
}
# endif /* NDEBUG */
/*
* set up authorization parameters, see the identity(3) man page...
*/
if (ISSECURE) {
set_auth_parameters(1, argv);
init_security();
}
#endif /* BLS */
/*
* check some environment variables...
*/