From 6fddca178f836f11815ca94ac0a336dbb5ff19bb Mon Sep 17 00:00:00 2001
From: Jon Trulson
Date: Sat, 6 Aug 2022 15:57:35 -0600
Subject: [PATCH] dtlogin: remove HP BLS B1 simple authentication support (BLS)

---
 cde/programs/dtlogin/bls/bls.h | 112 ----
 cde/programs/dtlogin/bls/debug.c | 140 -----
 cde/programs/dtlogin/bls/get_level.c | 666 ---------------------
 cde/programs/dtlogin/bls/validate.c | 830 ---------------------------
 cde/programs/dtlogin/dm.h | 12 -
 cde/programs/dtlogin/resource.c | 6 -
 cde/programs/dtlogin/session.c | 113 +---
 cde/programs/dtlogin/sysauth.c | 2 -
 cde/programs/dtlogin/sysauth.h | 4 -
 cde/programs/dtlogin/vg.h | 4 -
 cde/programs/dtlogin/vgauth.c | 2 -
 cde/programs/dtlogin/vgcallback.c | 71 ---
 cde/programs/dtlogin/vgmain.c | 25 -
 13 files changed, 2 insertions(+), 1985 deletions(-)
 delete mode 100644 cde/programs/dtlogin/bls/bls.h
 delete mode 100644 cde/programs/dtlogin/bls/debug.c
 delete mode 100644 cde/programs/dtlogin/bls/get_level.c
 delete mode 100644 cde/programs/dtlogin/bls/validate.c
diff --git a/cde/programs/dtlogin/bls/bls.h b/cde/programs/dtlogin/bls/bls.h
deleted file mode 100644
index 74f8a4164..000000000
--- a/cde/programs/dtlogin/bls/bls.h
+++ /dev/null
@@ -1,112 +0,0 @@ -/* - * CDE - Common Desktop Environment - * - * Copyright (c) 1993-2012, The Open Group. All rights reserved. - * - * These libraries and programs are free software; you can - * redistribute them and/or modify them under the terms of the GNU - * Lesser General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * These libraries and programs are distributed in the hope that - * they will be useful, but WITHOUT ANY WARRANTY; without even the - * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU Lesser General Public License for more - * details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with these libraries and programs; if not, write - * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth - * Floor, Boston, MA 02110-1301 USA - */ -/* - * xdm - display manager daemon - * - * $XConsortium: bls.h /main/4 1996/10/30 11:35:48 drk $ - * - * Copyright 1988 Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software and its - * documentation for any purpose and without fee is hereby granted, provided - * that the above copyright notice appear in all copies and that both that - * copyright notice and this permission notice appear in supporting - * documentation, and that the name of M.I.T. not be used in advertising or - * publicity pertaining to distribution of the software without specific, - * written prior permission. M.I.T. makes no representations about the - * suitability of this software for any purpose. It is provided "as is" - * without express or implied warranty. 
- * - * Author: Keith Packard, MIT X Consortium - */ - -/* - * bls.h - * - * public interfaces for B1 greet/verify functionality - */ - - -#ifndef _BLS_H -#define _BLS_H - -typedef unsigned char BOOL; - -#ifndef FALSE -#define FALSE 0 -#endif - -#ifndef TRUE -#define TRUE 1 -#endif - -#ifdef BLS -#include -#include /* for passwd and pr_passwd */ -#endif - -#ifdef pegasus -#undef dirty /* Some bozo put a macro called dirty in sys/param.h */ -#endif /* pegasus */ - -struct greet_info { - char *name; /* user name */ - char *password; /* user password */ -#ifdef BLS - char *b1security; /* user's b1 security */ -#endif - char *string; /* random string */ -}; - -struct verify_info { - int uid; /* user id */ -#ifdef NGROUPS - int groups[NGROUPS];/* group list */ - int ngroups; /* number of elements in groups */ -#else - int gid; /* group id */ -#endif - char **argv; /* arguments to session */ - char **userEnviron; /* environment for session */ - char **systemEnviron;/* environment for startup/reset */ -#ifdef BLS - char *user_name; - struct mand_ir_t *sec_label_ir; - struct mand_ir_t *clearance_ir; - /* save these for logout time */ - struct pr_passwd *prpwd; - struct passwd *pwd; - char terminal[16]; -#endif -}; - -/*************************************************************************** - * - * Global variables - * - ***************************************************************************/ -extern struct pr_passwd *b1_pwd; -extern struct verify_info *verify; -extern struct greet_info *greet; - -#endif /* _BLS_H */ diff --git a/cde/programs/dtlogin/bls/debug.c b/cde/programs/dtlogin/bls/debug.c deleted file mode 100644 index dd38c8ac8..000000000 --- a/cde/programs/dtlogin/bls/debug.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * CDE - Common Desktop Environment - * - * Copyright (c) 1993-2012, The Open Group. All rights reserved. - * - * These libraries and programs are free software; you can - * redistribute them and/or modify them under the terms of the GNU - * Lesser General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * These libraries and programs are distributed in the hope that - * they will be useful, but WITHOUT ANY WARRANTY; without even the - * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU Lesser General Public License for more - * details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with these libraries and programs; if not, write - * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth - * Floor, Boston, MA 02110-1301 USA - */ -/* - * xdm - display manager daemon - * - * $XConsortium: debug.c /main/3 1995/07/14 13:23:25 drk $ - * - * Copyright 1988 Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software and its - * documentation for any purpose and without fee is hereby granted, provided - * that the above copyright notice appear in all copies and that both that - * copyright notice and this permission notice appear in supporting - * documentation, and that the name of M.I.T. not be used in advertising or - * publicity pertaining to distribution of the software without specific, - * written prior permission. M.I.T. makes no representations about the - * suitability of this software for any purpose. It is provided "as is" - * without express or implied warranty. 
- * - * Author: Keith Packard, MIT X Consortium - */ - - /*************** - debug.c - ****************/ - -#ifndef NDEBUG -/* don't compile anything in this file unless this is pre-release code */ -#include -#include -#include "../vg.h" -#include "bls.h" - -# include -# define Va_start(a,b) va_start(a,b) - -char *DisplayName=NULL; - - -/**************************************************************************** - * - * Debug - * - * Write a debug message to stderr - * - ****************************************************************************/ - -static int DoName=TRUE; -static int debugLevel=0; - - -int -BLS_ToggleDebug( int arg) -{ - debugLevel = !debugLevel; - (void) signal(SIGHUP,BLS_ToggleDebug); -} - - - -void -Debug( char *fmt, ...) -{ - static int sentinel = 0; - static char *debugLog; - - va_list args; - - Va_start(args,fmt); - - - - if ( !sentinel ) { - /* - * open up an error log for dtgreet - */ - if ((debugLog = getenv("VG_DEBUG")) == 0) - debugLog = "/usr/lib/X11/dt/Dtlogin/dtgreet.log"; - - if ( !freopen(debugLog,"a",stderr)) { - perror("Debug:"); - } - DisplayName=dpyinfo.name; - sentinel = 1; - } - - if (debugLevel > 0) - { - if ( strlen(DisplayName) > 0 && DoName) - fprintf(stderr, "(%s) ", DisplayName); - - vfprintf (stderr,fmt, args); - fflush (stderr); - - /* - * don't prepend the display name next time if this debug message - * does not contain a "new line" character... - */ - - if ( strchr(fmt,'\n') == NULL ) - DoName=FALSE; - else - DoName=TRUE; - - } - - va_end(args); -} - -#else - -/* - * Debug stub for product purposes - */ - -void -Debug( ) -{ } - -#endif /* NDEBUG */ diff --git a/cde/programs/dtlogin/bls/get_level.c b/cde/programs/dtlogin/bls/get_level.c deleted file mode 100644 index 8f06d59d4..000000000 --- a/cde/programs/dtlogin/bls/get_level.c +++ /dev/null 
@@ -1,666 +0,0 @@ -/* - * CDE - Common Desktop Environment - * - * Copyright (c) 1993-2012, The Open Group. All rights reserved. - * - * These libraries and programs are free software; you can - * redistribute them and/or modify them under the terms of the GNU - * Lesser General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * These libraries and programs are distributed in the hope that - * they will be useful, but WITHOUT ANY WARRANTY; without even the - * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU Lesser General Public License for more - * details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with these libraries and programs; if not, write - * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth - * Floor, Boston, MA 02110-1301 USA - */ -/* $XConsortium: get_level.c /main/4 1995/10/27 16:19:39 rswiston $ */ -/* - * get_level.c - * last modified by: - * David Dolson June 7/92 - * - rewrote most of B1 security routines. Much of it is based on - * parallel routines in login. - * Ron Voll July 7/92 - * - rolled the xdm version of this file into dtlogin. - */ - -#ifdef BLS /* Brackets entire file */ -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef SEC_NET_TTY -#include -#include -#include -#endif - -#include -#include -#include -#include -#if defined(TAC3) && !defined(TPLOGIN) -#include -#include -#include -#endif -#include -#include -#include -#include -#include -#if 0 -#include -#endif -#include -#include - -/* - * Local include file for bls specific definitions. - * Also defines some of the structures from dm.h for bls usage. 
- */ -#include "bls.h" - -/* drop those privs from the base set which are not needed by xdm */ -void -drop_privs(void) -{ - priv_t privs[SEC_SPRIVVEC_SIZE]; - - getpriv(SEC_BASE_PRIV, privs); - RMBIT(privs, SEC_ALLOWNETACCESS); - RMBIT(privs, SEC_NETPRIVSESSION); - RMBIT(privs, SEC_NETNOAUTH); - RMBIT(privs, SEC_MULTILEVELDIR); - setpriv(SEC_BASE_PRIV, privs); - return; -} - -/* stuff to do at the start */ -void -init_security(void) -{ - /* set default file creation mode to be restrictive */ - umask(~SEC_DEFAULT_MODE); - drop_privs(); -} - -/* check that the requested security level is valid for this user, - * return 1 = success, return 0 is fail(fatal) - */ -int -verify_user_seclevel( struct verify_info verify, char *desired_label) -{ - int uid; - mand_ir_t *dl_ir, *clearance_ir; - struct pr_passwd *prpwd; - struct passwd *pwd; - - prpwd = verify->prpwd; - pwd = verify->pwd; - uid = verify->uid; - - /* check that desired_label falls within user's range */ - dl_ir = mand_er_to_ir(desired_label); - if (dl_ir ==NULL) { - audit_login(prpwd, pwd, verify->terminal, - "Unknown clearance level", ES_LOGIN_FAILED); - Debug("unable to translate clearance\n"); - return 0; - } - /* get user clearance from prpwd database */ - if (prpwd->uflg.fg_clearance) - clearance_ir = &prpwd->ufld.fd_clearance; - else if (prpwd->sflg.fg_clearance) - clearance_ir = &prpwd->sfld.fd_clearance; - else - clearance_ir = mand_syslo; - - /* make sure clearance dominates or equals desired_label */ - switch(mand_ir_relationship(/* subject */ dl_ir, - /* object */ clearance_ir)) { - case MAND_ODOM: - case MAND_EQUAL: - /* Within range */ - break; - default: - audit_login(prpwd, pwd, verify->terminal, - "Security label out of range", ES_LOGIN_FAILED); - Debug("Invalid clearance for this user\n"); - mand_free_ir(dl_ir); - return 0; - } - verify->clearance_ir = clearance_ir; - verify->sec_label_ir = dl_ir; - - return 1; -} - -/* check the proper structures to determine if the user has a password. 
- * If the nullpw field is set, the user does not need one, and this - * overrides the rest of the checking. - * return 1 means that a password exists (or is not needed) - */ -int -password_exists(struct verify_info *verify) -{ - struct pr_passwd *prpwd; - BOOL nocheck; - - Debug("password_exists()\n"); - prpwd = verify->prpwd; - if (prpwd->uflg.fg_nullpw) - nocheck=prpwd->ufld.fd_nullpw; - else if (prpwd->sflg.fg_nullpw) - nocheck=prpwd->sfld.fd_nullpw; - else - nocheck=FALSE; - - if (!nocheck) { /* user needs password */ - Debug("password required for user\n"); - if (!prpwd->uflg.fg_encrypt || - prpwd->ufld.fd_encrypt[0] == '\0' ) { - return 0; - } - } - return 1; -} - - -/* check that the requested security level can be used on this X terminal, - * and that it is not locked. - * Currently there is no support for locking xterms like there is for - * /dev/tty* terminals. - */ -int -verify_sec_xterm(struct verify_info *verify, char *desired_label) -{ - return 1; -} - - -/* set clearance and label for the user. Audit all failures. - * return 0=fail, 1=pass - */ -int -set_sec_label(struct verify_info *verify) -{ - struct pr_passwd *prpwd; - struct passwd *pwd; - /* set clearance */ - prpwd = verify->prpwd; - pwd = verify->pwd; - - if (setclrnce(verify->sec_label_ir)==-1) { - switch(errno) { - case EPERM: - audit_login(prpwd, pwd, verify->terminal, - "Insufficient privs to set clearance", ES_LOGIN_FAILED); - Debug ("login failed: EPERM on setclrnce()\n"); - break; - case EFAULT: - /* audit:login failed: xdm memory fault */ - default: - audit_login(prpwd, pwd, verify->terminal, - "Unable to set clearance", ES_LOGIN_FAILED); - Debug ("setclrnce failed: error: %d\n", errno); - break; - } - return 0; - } - /* set label */ - if (setslabel(verify->sec_label_ir)==-1) { - switch(errno) { - case EPERM: - audit_login(prpwd, pwd, verify->terminal, - "Insufficient privs to set sec label", ES_LOGIN_FAILED); - Debug ("login failed: insufficient priv. 
to setslabel()\n"); - break; - case EFAULT: - /* audit:login failed: xdm memory fault */ - default: - audit_login(prpwd, pwd, verify->terminal, - "Unable to set sec label", ES_LOGIN_FAILED); - Debug ("setslabel() failed: error: %d\n", errno); - break; - } - return 0; - } - return 1; -} - -/* set the effective, base, and maximum priv vectors for the - * new process, based on values from the pr_passwd entry. - * Inability to find either user priv's or default priv's - * results in failure. One or the other must be there. - * Function returns 1 for success, 0 for failure. - * A failure of this function should be considered fatal. - */ -int -set_sec_privs(struct verify_info *verify) -{ - - priv_t *maxprivs, *bprivs; - priv_t curr_bprivs[SEC_SPRIVVEC_SIZE]; - priv_t curr_sprivs[SEC_SPRIVVEC_SIZE]; - - struct pr_passwd *prpwd; - struct passwd *pwd; - int bit; - - prpwd = verify->prpwd; - pwd = verify->pwd; - - /* kernel authorizations */ - if (prpwd->uflg.fg_sprivs) { - maxprivs = &prpwd->ufld.fd_sprivs[0]; - }else if(prpwd->sflg.fg_sprivs) { - maxprivs = &prpwd->sfld.fd_sprivs[0]; - Debug("Using default kernel priv's\n"); - }else { - audit_login(prpwd, pwd, verify->terminal, - "Unable to find kernel priv set for user", - ES_LOGIN_FAILED); - Debug("Can't find max. 
priv set for user-quitting\n"); - return 0; - } - - /* base priv's and initial effective priv's */ - if (verify->prpwd->uflg.fg_bprivs) { - bprivs = &verify->prpwd->ufld.fd_bprivs[0]; - }else if (verify->prpwd->sflg.fg_bprivs) { /* use system defaults */ - bprivs = &verify->prpwd->sfld.fd_bprivs[0]; - Debug("Using default base priv's\n"); - }else{ - audit_login(prpwd, pwd, verify->terminal, - "Unable to find base priv set for user", - ES_LOGIN_FAILED); - Debug("Can't find base priv set for user-quitting\n"); - return 0; - } - - getpriv(SEC_MAXIMUM_PRIV, curr_sprivs); - getpriv(SEC_BASE_PRIV, curr_bprivs); - - /* remove those privs which the current process does not have, - * to avoid any error in the following system calls - */ - for (bit=0; bit<=SEC_MAX_SPRIV; bit++) { - if (!ISBITSET(curr_sprivs, bit)) - RMBIT(maxprivs, bit); - if (!ISBITSET(curr_bprivs, bit)) - RMBIT(bprivs, bit); - } - - /* login removes those bits from maxprivs which the current process - * does not have. - This program assumes the system config - * utilities will enforce the rules for setpriv(3). Any failure - * of setpriv will indicate a corrupt database. 
- */ - - if (setpriv(SEC_MAXIMUM_PRIV, maxprivs)==-1) { - switch(errno) { - case EPERM: - Debug("setpriv (max) failed: EPERM\n"); - break; - case EINVAL: - Debug("setpriv (max) failed: EINVAL\n"); - break; - case EFAULT: - Debug("setpriv (max) failed: EFAULT\n"); - break; - default: - Debug("setpriv (max) failed for unknown error: %d\n",errno); - break; - } - audit_login(prpwd, pwd, verify->terminal, - "Unable to set Kernel privs", ES_LOGIN_FAILED); - Debug("Unable to set Kernel privs (error %d): aborting\n",errno); - return 0; - } - - if (setpriv(SEC_BASE_PRIV, bprivs)==-1) { - switch(errno) { - case EPERM: - Debug("setpriv (base) failed: EPERM\n"); - break; - case EINVAL: - Debug("setpriv (base) failed: EINVAL\n"); - break; - case EFAULT: - Debug("setpriv (base) failed: EFAULT\n"); - break; - default: - Debug("setpriv (base) failed for unknown error: %d\n",errno); - break; - } - audit_login(prpwd, pwd, verify->terminal, - "Unable to set base privs", ES_LOGIN_FAILED); - return 0; - } - - if (setpriv(SEC_EFFECTIVE_PRIV, bprivs)==-1) { - switch(errno) { - case EPERM: - Debug("setpriv (effective) failed: EPERM\n"); - break; - case EINVAL: - Debug("setpriv (effective) failed: EINVAL\n"); - break; - case EFAULT: - Debug("setpriv (effective) failed: EFAULT\n"); - break; - default: - Debug("setpriv (effective) failed for unknown error: %d\n", - errno); - break; - } - audit_login(prpwd, pwd, verify->terminal, - "Unable to set effective privs", ES_LOGIN_FAILED); - Debug("Unable to set effective privs (error %d): aborting\n",errno); - return 0; - } - return 1; - -} - - -/* change the current process over to be owned by the user verify->uid. - * Also properly set the privs, sec label, etc. - * Also audits failures. - * return=1 for success, 0 for fail. A failure should be considered fatal. 
- */ -int -change_to_user(struct verify_info *verify) -{ - struct pr_passwd *prpwd; - struct passwd *pwd; - int new_nice; - - prpwd = verify->prpwd; - pwd = verify->pwd; - - Debug("change_to_user()\n"); - /* 1. set the login user id - settable only once */ - if (setluid(verify->uid)==-1) { - switch(errno) { - case EPERM: - Debug("Unable to set luid - EPERM\n"); - audit_login(prpwd, pwd, verify->terminal, - "Unable to set luid - insufficient privs", - ES_LOGIN_FAILED); - break; - case EINVAL: - Debug("Unable to set luid - suspicious of pwd db.\n"); - audit_login(prpwd, pwd, verify->terminal, - "Unable to set luid - out of range", ES_LOGIN_FAILED); - break; - default: - Debug("Can't set luid-Unknown error %d\n",errno); - audit_login(prpwd, pwd, verify->terminal, - "Unable to set luid-unknown error", ES_LOGIN_FAILED); - break; - } - return 0; - } - - /* - * Set the 'nice' priority if necessary. Since the return value - * of nice(2) can normally be -1 from the documentation, and - * -1 is the error condition, we key off of errno, not the - * return value to find if the change were successful. - * Note we must do this before the setuid(2) below. - */ - errno = 0; - prpwd = verify->prpwd; - if (prpwd->uflg.fg_nice) - new_nice = prpwd->ufld.fd_nice; - else if (prpwd->sflg.fg_nice) - new_nice = prpwd->sfld.fd_nice; - - if (prpwd->uflg.fg_nice || prpwd->sflg.fg_nice) { - (void) nice(new_nice); - if (errno != 0) { - audit_login(prpwd, verify->pwd, NULL, - "bad 'nice' setting", ES_LOGIN_FAILED); - Debug("Bad priority setting.\n"); - return 0; - } - } - - - /* 2. set the group(s) id and - * 3. 
set the regular user id */ - -#ifdef NGROUPS - - /* setgroups (verify->ngroups, verify->groups); - */ - if(setgid (verify->groups[0])) { - switch(errno) { - case EPERM: - Debug("setgid EPERM\n"); - break; - case EINVAL: - Debug("setgid EINVAL\n"); - break; - default: - Debug("setgid unknown error: %d\n",errno); - break; - } - return 0; - } - initgroups(verify->user_name, verify->groups[0]); -#else - if(setgid (verify->gid)) { - switch(errno) { - case EPERM: Debug("setgid EPERM\n");break; - case EINVAL: Debug("setgid EINVAL\n");break; - default: Debug("setgid unknown error\n");break; - } - return 0; - } -#endif - - if(setuid (verify->uid)) { - switch(errno) { - case EPERM: Debug("setgid EPERM\n");break; - case EINVAL: Debug("setgid EINVAL\n");break; - default: Debug("setgid unknown error\n");break; - } - return 0; - } - - /* 4. set security clearance and label for the new process */ - if (!set_sec_label(verify)) - return 0; - - /* 5. set audit parameters */ - audit_adjust_mask(prpwd); - - /* 6. set privlege levels - maximum, base, and effective */ - if (!set_sec_privs(verify)) - return 0; - - return 1; -} - - -/* - * Try to read back everything, and print it. If a fatal error occurs, - * return code is 0. 1=success. 
- */ -int -dump_sec_debug_info(struct verify_info *verify) -{ - mand_ir_t *level_ir; - priv_t privs[SEC_SPRIVVEC_SIZE]; - - Debug ("luid: %d, real uid: %d, effective uid:%d,\n", - getluid(),getuid(),geteuid()); - Debug ("real gid:%d, effective gid: %d\n", getgid(),getegid()); - level_ir = mand_alloc_ir(); - if (getclrnce(level_ir)==-1) { - switch(errno) { - case EFAULT: Debug("getclrnce EFAULT\n");break; - case EINVAL: Debug("getclrnce EINVAL\n");break; - default: Debug("getclrnce unknown error:%d\n",errno);break; - } - return 0; - }else Debug ("Clearance: %s\n", mand_ir_to_er(level_ir) ); - if (getslabel(level_ir)==-1) { - switch(errno) { - case EFAULT: Debug("getslabel EFAULT\n");break; - case EINVAL: Debug("getslabel EINVAL\n");break; - default: Debug("getslabel unknown error:%d\n",errno);break; - } - return 0; - }else Debug ("Level: %s\n", mand_ir_to_er(level_ir)); - mand_free_ir(level_ir); - if(getpriv(SEC_MAXIMUM_PRIV, privs)==-1) { - switch(errno) { - case EFAULT: Debug("getpriv max EFAULT\n");break; - case EINVAL: Debug("getpriv max EINVAL\n");break; - default: Debug("getpriv max unknown error:%d\n",errno); - break; - } - return 0; - }else Debug ("max priv: %x.%x\n", privs[0],privs[1]); - if(getpriv(SEC_EFFECTIVE_PRIV, privs)==-1) { - switch(errno) { - case EFAULT: Debug("getpriv eff EFAULT\n");break; - case EINVAL: Debug("getpriv eff EINVAL\n");break; - default: Debug("getpriv eff unknown error:%d\n",errno); - break; - } - return 0; - }else Debug ("eff priv: %x.%x\n", privs[0],privs[1]); - if(getpriv(SEC_BASE_PRIV, privs)==-1) { - switch(errno) { - case EFAULT: Debug("getpriv base EFAULT\n");break; - case EINVAL: Debug("getpriv base EINVAL\n");break; - default: Debug("getpriv base unknown error:%d\n",errno); - break; - } - return 0; - }else Debug ("base priv: %x.%x\n", privs[0],privs[1]); - return 1; -} - -/* - * writeLoginInfo - * Input: file name string (ex. 
$HOME/.dtlogininfo) - * verify structure with password stuff - * Write login information to a file to be displayed later, after a - * successful login. - * - * Xsession will need to be modified something like this... - * DTHELLO="$DTDIR/bin/dthello -f /etc/copyright -f $HOME/.dtlogininfo" - */ - -int -writeLoginInfo( char *filename, struct verify_info *verify) -{ - char *s1="Last successful login: %s"; - char *s2="Last unsuccessful login: %s"; - char *s3; - char s[80]; - char term[15]; - char *label; - char *message="Sensitivity level for process: "; - int i; - int nl; - time_t slogin, ulogin; - char *slabel; - char *uterminal, *sterminal; - - FILE *fp; - - Debug("Writing login info\n"); - if ((fp = fopen (filename, "w")) == 0 ) - return 0; - - if (verify->prpwd->uflg.fg_slogin) - slogin=verify->prpwd->ufld.fd_slogin; - else - slogin=(time_t)0; - - if (verify->prpwd->uflg.fg_ulogin) - ulogin=verify->prpwd->ufld.fd_ulogin; - else - ulogin=(time_t)0; - - if (verify->prpwd->uflg.fg_suctty) - sterminal=verify->prpwd->ufld.fd_suctty; - else - sterminal="UNKNOWN"; - - if (verify->prpwd->uflg.fg_unsuctty) - uterminal=verify->prpwd->ufld.fd_unsuctty; - else - uterminal="UNKNOWN"; - - slabel = mand_ir_to_er(verify->sec_label_ir); - - fprintf(fp,"-----------------------------------\n"); - fprintf(fp,"\nPrevious login information:\n\n"); - - /* tricky formatting */ - if (slogin != 0) { - sprintf(s, s1, ctime(&slogin)); - nl=strlen(s)-1; - s[nl]='\0'; /* remove new-line */ - }else{ - sprintf(s,s1,"NEVER"); - } - strcat(s, " from "); - strncpy(term, sterminal, 14); - term[14]='\0'; - strcat(s, term); - fprintf(fp,"%s\n",s); - - if (ulogin != 0) { - sprintf(s, s2, ctime(&ulogin)); - nl=strlen(s)-1; - s[nl]='\0'; /* remove new-line */ - }else{ - sprintf(s,s2,"NEVER"); - } - strcat(s, " from "); - strncpy(term, uterminal, 14); - term[14]='\0'; - strcat(s, term); - fprintf(fp,"%s\n",s); - - label = (char*)malloc(strlen(message)+strlen(slabel)+1); - sprintf(label, "%s%s", message, 
slabel); - if (strlen (label) > 77) { - for(i=75; label[i]!=',' && i>0; i--); - if (i==0) for(i=75; label[i]!=' ' && i>0; i--); - if (i==0) i=75; - strncpy(s, label, i+1); - s[i+1]='\0'; - fprintf(fp,"%s\n",s); - strncpy(s, &label[i+1], 75); - s[75]='\0'; - fprintf(fp,"%s\n",s); - }else{ - fprintf(fp,"%s\n",label); - } - - fclose(fp); - return 1; -} - -#endif /* BLS */ diff --git a/cde/programs/dtlogin/bls/validate.c b/cde/programs/dtlogin/bls/validate.c deleted file mode 100644 index 26da467b8..000000000 --- a/cde/programs/dtlogin/bls/validate.c +++ /dev/null 
@@ -1,830 +0,0 @@ -/* - * CDE - Common Desktop Environment - * - * Copyright (c) 1993-2012, The Open Group. All rights reserved. - * - * These libraries and programs are free software; you can - * redistribute them and/or modify them under the terms of the GNU - * Lesser General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * These libraries and programs are distributed in the hope that - * they will be useful, but WITHOUT ANY WARRANTY; without even the - * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. See the GNU Lesser General Public License for more - * details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with these libraries and programs; if not, write - * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth - * Floor, Boston, MA 02110-1301 USA - */ -/* $XConsortium: validate.c /main/4 1995/10/27 16:19:47 rswiston $ */ -/************************************<+>************************************* - **************************************************************************** - ** - ** File: validate.c - ** - ** Project: HP Visual User Environment (DT) - ** - ** Description: Dtgreet BLS user authentication routines - ** - ** These routines validate the user; checking name, password, - ** number of users on the system, password aging, etc. - ** - ** - ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company - ** - ** - ** Conditional compiles: - ** - ** OSMAJORVERSION < 8 - ** HP-UX 7.0/7.03 restricted license counting algorithms - ** are used. Otherwise HP-UX 8.0 and beyond is used - ** - ** BLS HP BLS B1 simple authentication. 
- ** - ** - **************************************************************************** - ************************************<+>*************************************/ - -#ifdef BLS - -/*************************************************************************** - * - * Includes & Defines - * - ***************************************************************************/ - -#include -#include -#include -#include - -#include "../vg.h" - - - -/*************************************************************************** - * - * HP-UX BLS authentication routines - * - ***************************************************************************/ - -#include /* for MAXUID macro */ -#include -#include -#include -#include -#include -#include - - -/* BLS only headers */ -# include -# include -# include "bls.h" - - -#define how_to_count ut_exit.e_exit - -#ifdef __hp9000s300 -static int num_users[] = { 2, 32767 }; -# define MIN_VERSION 'A' -# define UNLIMITED 'B' -#else -static int num_users[] = { 2, 16, 32, 64 , 8 }; -# define MIN_VERSION 'A' -# define UNLIMITED 'U' -#endif - -/* Maximum number of users allowed with restricted license */ -#if OSMAJORVERSION < 8 -# define MAX_STRICT_USERS 2 -#else -# define MAX_STRICT_USERS 8 -#endif - -#define NUM_VERSIONS (sizeof(num_users)/sizeof(num_users[0])) - 1 - - - -/*************************************************************************** - * - * External declarations - * - ***************************************************************************/ - -extern Widget focusWidget; /* login or password text field */ - -extern long groups[NGROUPS]; - - -/*************************************************************************** - * - * Procedure declarations - * - ***************************************************************************/ - -static int CheckPassword( char *name, char *passwd ); -static int CountUsers( int added_users) ; -static int CountUsersStrict( char *new_user) ; -static void WriteBtmp( char *name) ; - - - - 
-/*************************************************************************** - * - * Global variables - * - ***************************************************************************/ - -/* BLS only data */ - struct pr_passwd *b1_pwd; - struct verify_info verify_data; - struct verify_info *verify = &verify_data; - struct greet_info greet_data; - struct greet_info *greet = &greet_data; - static int UserHasPassword = 1; - - -/*************************************************************************** - * - * CountUsers - * - * see if new user has exceeded the maximum. - ***************************************************************************/ - -#define NCOUNT 16 - -static int -CountUsers( int added_users ) -{ - int count[NCOUNT], nusers, i; - struct utmp *entry; - - for (i=0; iut_type == USER_PROCESS) { - i = entry->how_to_count; - if (i < 0 || i >= NCOUNT) - i = 1; /* if out of range, then count */ - /* as ordinary user */ - count[i]++; - } - } - endutent(); - - /* - * KEY: - * [0] does not count at all - * [1] counts as real user - * [2] logins via a pty which have not gone trough login. These - * collectively count as 1 user IF count[3] is 0, otherwise, - * they are not counted. Starting with HP-UX 8.0 they are - * no longer counted at all. - * [3] logins via a pty which have been logged through login (i.e. - * rlogin and telnet). these count as 1 "real" user per - * unique user name. - * [4-15] may be used for groups of users which collectively - * count as 1 - */ - nusers = count[1]; - -#if OSMAJORVERSION < 8 - for (i=2; i 0) - nusers++; - - return(nusers); -} - - - - -/*************************************************************************** - * - * CountUsersStrict - * - * see if new user has exceeded the maximum. 
- ***************************************************************************/ - -static int -CountUsersStrict( char *new_user ) -{ - char pty_users[MAX_STRICT_USERS][8]; - int count[NCOUNT], nusers, i, cnt, pty_off = -1, uname_off; - struct utmp *entry; - - /* - * Initialize count array... - */ - for (i = 0; i < NCOUNT; i++) - count[i] = 0; - - /* - * Add in the new user (we know it's not a pty)... - */ - count[1]++; - - while ( (entry = getutent()) != NULL ) { - if (entry->ut_type == USER_PROCESS) { - i = entry->how_to_count; - - /* if out of range, then count as ordinary user logged in - via a tty */ - if (i == 1 || (i < 0 || i >= NCOUNT)) - count[1]++; - /* See if it is a pty login granted by login program */ - else if (i == 3) { - count[3]++; - /* See if user is already logged in via login pty */ - uname_off = -1; - for (cnt = 0; cnt <= pty_off; cnt++) - if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0) - uname_off = cnt; - - if (uname_off == -1) { /* user is not logged in via pty yet */ - - if (pty_off >= MAX_STRICT_USERS) /* cannot add any - more users */ - return(MAX_STRICT_USERS + 1); - /* add the user name to the array of pty users */ - else - strncpy(pty_users[++pty_off], entry->ut_user, 8); - } - } /* end if (i == 3) */ - else - count[i]++; - } /* end if entry->ut_type == USER_PROCESS */ - } /* end while (entry = getutent()) */ - - endutent(); - /* - * KEY: - * [0] does not count at all - * [1] counts as "real" user - * [2] logins via a pty which have not gone trough login. These - * collectively count as 1 user IF count[3] is 0, otherwise, - * they are not counted. Starting with HP-UX 8.0 they are - * no longer counted at all. - * [3] logins via a pty which have been logged through login (i.e. - * rlogin and telnet). these count as 1 "real" user per - * unique user name. 
- * [4-15] may be used for groups of users which collectively count
- * as 1
- */
-
- nusers = pty_off + 1 + count[1]; /* Current number of users is sum of
- users logged in via tty + the
- number of unique users logged in
- via pty which have gone through
- login */
-
-#if OSMAJORVERSION < 8
- if ((count[3] == 0) && (count[2] != 0))
- nusers++; /* Add 1 user for all pty logins IF
- none of pty logins have been
- granted by the login program */
-#else
- /*
- * Don't count any hpterm logins (exit status of 2). We already
- * counted all pty logins granted by the login program.
- */
-#endif
-
- for (i = 4; i < NCOUNT; i++)
- if (count[i] > 0)
- nusers++;
- return(nusers);
-}
-
-
-
-/***************************************************************************
- *
- * CheckPassword
- *
- * Check validity of user password.
- *
- ***************************************************************************/
-
-static int
-CheckPassword( char *name, char *passwd )
-{
-
- char *crypt();
- struct passwd *p;
- char *reason;
-
- /*
- * HP BLS B1 password authentication...
- */
-
- if ( ISSECURE ) {
- b1_pwd = getprpwnam(name);
-
- if ( b1_pwd == NULL || strlen(name) == 0 ) {
- Debug("unknown user '%s'\n", name);
- audit_login((struct pr_passwd *)0, (struct passwd *)0,
- dpyinfo.name, "No entry in protected password db",
- ES_LOGIN_FAILED);
- return(FALSE);
- }
-
- /*
- * look up user's regular account information...
- */
-
- p = getpwnam(name);
-
- if ( p == NULL || strlen(name) == 0 ) {
- Debug("unknown user '%s'\n", name);
- audit_login((struct pr_passwd *)0, (struct passwd *)0,
- dpyinfo.name, "No entry in password file",
- ES_LOGIN_FAILED);
- return(FALSE);
- }
-
- /* verify_info has become a catchall for info needed later */
- verify->user_name = name;
- verify->prpwd = b1_pwd;
- verify->pwd = p;
- strncpy(verify->terminal, dpyinfo.name, 15);
- verify->terminal[15]='\0';
-
- }
-
- Debug("Verify %s \n",name);
-
- /* if the password doesn't exists, we can't check it, but
- * the user will be forced to change it later */
- if ( (UserHasPassword = password_exists(verify)) != 0 )
- if ( strcmp(bigcrypt(passwd,b1_pwd->ufld.fd_encrypt),
- b1_pwd->ufld.fd_encrypt) ) {
- Debug("verify failed\n");
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Password incorrect",
- ES_LOGIN_FAILED);
- return(FALSE);
- } else {
- Debug ("username/password verify succeeded\n");
- return(TRUE);
- }
- /*
- * all password checks failed...
- */
-
- return (FALSE);
-
-}
-
-
-
-
-/***************************************************************************
- *
- * BLS_Verify
- *
- * verify the user
- *
- * return codes indicate authentication results.
- ***************************************************************************/
-
-#define MAXATTEMPTS 3
-
-static struct passwd nouser = {"", "nope"}; /* invalid user password struct */
-
-int
-BLS_Verify( char *name, char *passwd )
-{
-
- static int login_attempts = 0; /* # failed authentications */
-
- struct passwd *p; /* password structure */
- struct pr_passwd *prpwd;
-
- struct utsname utsnam;
- int n;
- int uid;
-
- /*
- * Desparate maneuvre to give dtgreet the privledges it needs
- */
- if ( login_attempts == 0 ) {
- Debug("Setting luid for dtgreet\n");
- if ( getluid() == -1 )
- setluid(getuid());
- }
-
- /*
- * validate password...
- */
-
- if ( CheckPassword(name, passwd) == FALSE) {
- p = verify->pwd;
- if ( focusWidget == passwd_text ) {
-
- WriteBtmp(name);
-
- if ((++login_attempts % MAXATTEMPTS) == 0 ) {
-
- if (p->pw_name == NULL )
- p = &nouser;
-
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Failed login(bailout)",
- ES_LOGIN_FAILED);
- }
-
- } else if ( !UserHasPassword ) {
- /*
- * The user has not password -- this must be the initial login for this
- * user. Treat it like an expired password. This should invoke the
- * password program on behalf of the user.
- */
- UserHasPassword = 1;
- return VF_PASSWD_AGED;
- }
-
- return(VF_INVALID);
- }
- prpwd = verify->prpwd;
- p = verify->pwd;
-
- /* check that the uid of both passwd and pr_passwd struct's agree */
- uid = p->pw_uid;
- if (uid != prpwd->ufld.fd_uid) {
- audit_login(prpwd, p, verify->terminal,
- "User id's inconsistent across password database\n",
- ES_LOGIN_FAILED);
- Debug("login failed - uid's do not match\n");
- return VF_BAD_UID;
- }
- verify->uid = uid;
-
- /* check if user's account is locked
- * This can be by dead password (lifetime exceeded),
- * fd_lock is set, or fd_max_tries is exceeded.
- * locked_out is from libsec, but is poorly documented.
- */
- if (locked_out(prpwd)) {
- Debug("Account locked\n");
- audit_login(prpwd, p, verify->terminal,
- "Account locked", ES_LOGIN_FAILED);
- return VF_INVALID;
- }
- /* can user log in at this time?
- * time_lock is in libsec, but poorly documented
- */
- if (time_lock(prpwd)) {
- Debug("Account time-locked\n");
- audit_login(prpwd, p, verify->terminal,
- "Account time-locked", ES_LOGIN_FAILED);
- return VF_INVALID;
- }
-
- /****************************************************
- xdm checks the security level here using
- verify_sec_user
- We do it later from the dtgreet callback rountine
- VerifySensitivityLevel()
- ****************************************************/
-
-#if 0
- /*
- * check restricted license...
- *
- * Note: This only applies to local displays.
Foreign displays
- * (i.e. X-terminals) apparently do not count.
- */
-
- /* Get the version info via uname. If it doesn't look right,
- * assume the smallest user configuration
- */
-
- if (getenv(LOCATION) != NULL) {
- if (uname(&utsnam) < 0)
- utsnam.version[0] = MIN_VERSION;
-
- /*
- * Mappings:
- * 834 -> 834
- * 844 -> 844
- * 836 -> 635
- * 846 -> 645
- * 843 -> 642
- * 853 -> 652
- */
-
- if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
- (!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
- (!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
- (!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
- (!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
- (!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
-
-/* strict_count = 1;*/
- if (CountUsersStrict(name) > MAX_STRICT_USERS) {
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Attempted to login - too many users on the system",
- ES_LOGIN_FAILED);
- return(VF_MAX_USERS);
- }
- }
- else {
- if (utsnam.version[0] != UNLIMITED) {
- if ((utsnam.version[0]-'A' < 0) ||
- (utsnam.version[0]-'A' > NUM_VERSIONS))
- utsnam.version[0] = MIN_VERSION;
-
- n = (int) utsnam.version[0] - 'A';
- if (CountUsers(1) > num_users[n]) {
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Attempted to login - too many users on the system",
- ES_LOGIN_FAILED);
- return(VF_MAX_USERS);
- }
- }
- }
- }
-
-#endif /* 0 */
-
- /*
- * check password aging...
- */
-
- if ( passwordExpired(verify)) {
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Password expired",
- ES_LOGIN_FAILED);
- return(VF_PASSWD_AGED);
- }
-
-
- /*
- * verify home directory exists...
- */
-
- if(chdir(p->pw_dir) < 0) {
- Debug("Attempted to login -- no home directory\n");
- audit_login( b1_pwd, p ,dpyinfo.name,
- " Attempted to login - no home directory",
- ES_LOGIN_FAILED);
- return(VF_HOME);
- }
-
- /*
- * validate uid and gid...
- */
-#ifdef NGROUPS
- getGroups(greet->name, verify, p->pw_gid);
-#else
- verify->gid = pwd->pw_gid;
-
- if ((p->pw_gid < 0) ||
- (p->pw_gid > MAXUID) ||
- (setgid(p->pw_gid) == -1)) {
-
- Debug("Attempted to login -- bad group id");
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Attempted to login - bad group id",
- ES_LOGIN_FAILED);
- return(VF_BAD_GID);
- }
-#endif /* NGROUPS */
-
- if ((p->pw_uid < 0) ||
- (p->pw_uid > MAXUID) ||
- (setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
-
- Debug("Attempted to login -- bad user id\n");
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Attempted to login - bad user id",
- ES_LOGIN_FAILED);
- return(VF_BAD_UID);
- }
-
-
- /*
- * verify ok...
- */
-
- Debug ("Successful login\n");
- audit_login( b1_pwd, p ,dpyinfo.name,
- "Successful login",
- ES_LOGIN_REMOTE);
- return(VF_OK);
-}
-
-
-
-
-/***************************************************************************
- *
- * WriteBtmp
- *
- * log bad login attempts
- *
- ***************************************************************************/
-
-static void
-WriteBtmp( char *name )
-{
- int fd;
- struct utmp utmp, *u;
-
- Boolean found=FALSE;
-
- bzero(&utmp, sizeof(struct utmp));
-
- utmp.ut_pid = getppid();
- while ((u = getutent()) != NULL) {
- if ( (u->ut_type == INIT_PROCESS ||
- u->ut_type == LOGIN_PROCESS ||
- u->ut_type == USER_PROCESS) &&
- u->ut_pid == utmp.ut_pid ) {
-
- found = TRUE;
- break;
- }
- }
-
-
- /*
- * if no utmp entry, this may be an X-terminal. Construct a utmp
- * entry for it...
- */
-
- if ( !
found ) {
- strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
- strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
- utmp.ut_type = LOGIN_PROCESS;
- strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
- u = &utmp;
- }
-
-
- /*
- * If btmp exists, then record the bad attempt
- */
- if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
- strncpy(u->ut_user, name, sizeof(u->ut_user));
- (void) time(&u->ut_time);
- write(fd, (char *)u, sizeof(utmp));
- (void) close(fd);
- }
-
- endutent(); /* Close utmp file */
-}
-
-
-/***************************************************************************
- *
- * VerifySensitivityLevel
- *
- * verify B1 Sensitivity Level
- **************************************************************************/
-extern char *sensitivityLevel;
-
-int
-VerifySensitivityLevel( void)
-{
-
- int i;
-
- greet->b1security = sensitivityLevel =
- (char *) XmTextFieldGetString(passwd_text);
-
- /* new functions: (side effects: auditing, change verify) */
- if (verify_user_seclevel(verify, sensitivityLevel)
- && verify_sec_xterm(verify, sensitivityLevel)) {
-
- Debug("verify_user_seclevel succeeded.\n");
- return VF_OK;
- }
-
- Debug("verify_user_seclevel failed\n");
- return (VF_BAD_SEN_LEVEL);
-}
-
-
-#ifdef NGROUPS
-groupMember ( char *name, char **members )
-{
- while (*members) {
- if (!strcmp (name, *members))
- return 1;
- ++members;
- }
- return 0;
-}
-
-getGroups ( char *name, struct verify_info *verify, int gid)
-{
- int ngroups;
- struct group *g;
- int i;
-
- ngroups = 0;
- verify->groups[ngroups++] = gid;
- setgrent ();
- while (g = getgrent()) {
- /*
- * make the list unique
- */
- for (i = 0; i < ngroups; i++)
- if (verify->groups[i] == g->gr_gid)
- break;
- if (i != ngroups)
- continue;
- if (groupMember (name, g->gr_mem)) {
- if (ngroups >= NGROUPS)
- LogError ("%s belongs to more than %d groups, %s ignored\n",
- name, NGROUPS, g->gr_name);
- else
- verify->groups[ngroups++] = g->gr_gid;
- }
- }
- verify->ngroups = ngroups;
-
endgrent ();
-}
-#endif
-
-/* check whether the password has expired or not.
- * return 1 means that the password has expired.
- */
-int
-passwordExpired( struct verify_info *verify)
-{
- struct pr_passwd *pr;
- time_t expiration;
- time_t last_change;
- time_t expiration_time;
- time_t now;
- int passwd_status;
- struct pr_passwd save_data;
- struct pr_default *df;
- char *ttime;
- char ptime[64];
-
- pr = verify->prpwd;
-
- /*
- * If null password, do not check expiration.
- */
-
- if (!pr->uflg.fg_encrypt || (pr->ufld.fd_encrypt[0] == '\0'))
- return 0;
-
- now = time((long *) 0);
-
- if (pr->uflg.fg_schange)
- last_change = pr->ufld.fd_schange;
- else
- last_change = (time_t) 0;
-
- if (pr->uflg.fg_expire)
- expiration = pr->ufld.fd_expire;
- else if (pr->sflg.fg_expire)
- expiration = pr->sfld.fd_expire;
- else
- expiration = (time_t) 0;
-
- df = getprdfnam(AUTH_DEFAULT);
-
- /*
- * A 0 or missing expiration field means there is no
- * expiration.
- */
- expiration_time = expiration ? last_change + expiration : 0;
-
- if (expiration_time && now > expiration_time ) {
- /*
- * The password has expired
- */
- Debug("The password is expired\n");
- return 1;
- }
-
- Debug("The password is not expired\n");
- return 0;
-}
-
-
-/***************************************************************************
- *
- * end HP-UX authentication routines
- *
- ***************************************************************************/
-#endif /* BLS */
diff --git a/cde/programs/dtlogin/dm.h b/cde/programs/dtlogin/dm.h
index 3ae26e1e1..57cc1b5a5 100644
--- a/cde/programs/dtlogin/dm.h
+++ b/cde/programs/dtlogin/dm.h
@@ -404,9 +404,6 @@ struct protoDisplay {
 struct greet_info {
 char *name; /* user name */
 char *password; /* user password */
-#ifdef BLS
- char *b1security; /* user's b1 security */
-#endif
 char *string; /* random string */
 #ifdef __PASSWD_ETC
 char *name_full; /* full SID */
@@ -428,15 +425,6 @@ struct verify_info {
 long audid; /* audit id */
 int audflg; /* audit flag */
 #endif
-#ifdef BLS
- char *user_name;
- struct mand_ir_t *sec_label_ir;
- struct mand_ir_t *clearance_ir;
- /* save these for logout time */
- struct pr_passwd *prpwd;
- struct passwd *pwd;
- char terminal[16];
-#endif
 };
diff --git a/cde/programs/dtlogin/resource.c b/cde/programs/dtlogin/resource.c
index cfd70f19e..8a0d7f980 100644
--- a/cde/programs/dtlogin/resource.c
+++ b/cde/programs/dtlogin/resource.c
@@ -110,12 +110,6 @@ static char AppName[16] = DTLOGIN;
 # define DM_BOOL 2
 # define DM_ARGV 3
-#ifdef BLS
-# define DEF_XDM_CONFIG CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xconfig"
-# define DEF_AUTH_DIR CDE_INSTALLATION_TOP "/lib/X11/Dtlogin"
-# define DEF_KEY_FILE CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xkeys"
-#endif
-
 /*
 * the following constants are supposed to be set in the makefile from
diff --git a/cde/programs/dtlogin/session.c b/cde/programs/dtlogin/session.c
index 6311c7a30..4e624a97e 100644
--- a/cde/programs/dtlogin/session.c
+++ b/cde/programs/dtlogin/session.c
@@ -95,11 +95,6 @@
 # include "solaris.h"
 #endif
-#ifdef BLS
-# include
-# include
-#endif
-
 #ifdef __KERBEROS
 # include
 #endif /* __KERBEROS */
@@ -241,10 +236,6 @@ static char *defaultLanguage = NULL;
 static sigjmp_buf abortSession;
-#ifdef BLS
- static char *sensitivityLevel;
-#endif
-
 #ifdef __KERBEROS
 static char krb_ticket_string[MAXPATHLEN];
 #endif /* __KERBEROS */
@@ -1189,10 +1180,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
 FILE *lastsession;
 char lastsessfile[MAXPATHLEN];
-#ifdef BLS
- struct pr_passwd *b1_pwd;
-#endif
-
 #ifdef __AFS
 #define NOPAG 0xffffffff
 long pagval, j;
@@ -1387,63 +1374,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
 #ifndef sun
-#ifdef BLS
- /*
- * HP BLS B1 session setup...
- *
- * 1. look up user's protected account information.
- * 2. set the session sensitivity/clearance levels
- * 3. set the logical UID (LUID)
- */
-
- if ( ISSECURE ) {
- Debug("BLS - Setting user's clearance, security level and luid.\n");
- set_auth_parameters(1, verify->argv);
- init_security();
-
- verify->user_name = user;
- strncpy(verify->terminal,d->name,15);
- verify->terminal[15]='\0';
- verify->pwd = getpwnam(user);
-
- if ( verify->pwd == NULL || strlen(user) == 0 ) {
- LogError(ReadCatalog(
- MC_LOG_SET,MC_LOG_NO_BLSACCT,MC_DEF_LOG_NO_BLSACCT));
- exit (1);
- }
- verify->prpwd= b1_pwd = getprpwnam(user);
- verify->uid = b1_pwd->ufld.fd_uid;
-
- if ( b1_pwd == NULL || strlen(user) == 0 ) {
- LogError(ReadCatalog(
- MC_LOG_SET,MC_LOG_NO_BLSPACCT,MC_DEF_LOG_NO_BLSPACCT));
- exit (1);
- }
-
- /*
- * This has already been done successfully by dtgreet
- * but we need to get all the information again for the
- * dtlogin process.
- */
- if ( verify_user_seclevel(verify,sensitivityLevel) != 1 ) {
- Debug("BLS - Could not verify sensitivity level.\n");
- LogError(ReadCatalog(
- MC_LOG_SET,MC_LOG_NO_VFYLVL,MC_DEF_LOG_NO_VFYLVL));
- exit (1);
- }
-
- if ( change_to_user(verify) != 1 ) {
- Debug("BLS - Could not change to user: %s.\n",verify->user_name);
- LogError(ReadCatalog(
- MC_LOG_SET,MC_LOG_NO_BLSUSR,MC_DEF_LOG_NO_BLSUSR),
- verify->user_name);
- exit (1);
- }
-
- Debug("BLS - Session setup complete.\n");
- } else {
-#endif /* BLS */
-
 # ifdef __AFS
 if ( IsVerifyName(VN_AFS) ) {
 pagval = get_pag_from_groups(verify->groups[0], verify->groups[1]);
@@ -1522,10 +1452,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
 }
 #endif
-#ifdef BLS
- } /* ends the else clause of if ( ISSECURE ) */
-#endif /* BLS */
-
 #endif /* ! sun */
 /*
@@ -1569,23 +1495,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
 if (greet.password)
 bzero(greet.password, strlen(greet.password));
-#ifdef BLS
- /*
- * Write login information to a file
- * The file name should really be settable by some kind of resource
- * but time is short so we hard-wire it to ".dtlogininfo".
- */
- if ( ! writeLoginInfo( ".dtlogininfo" , verify ) )
- Debug("Unable to write \".dtlogininfo\"\n");
-# ifndef NDEBUG
- /* extra debugging */
- if(!dump_sec_debug_info(verify)) {
- Debug("Something wrong with environment\n");
- exit(1);
- }
-# endif /* ! NDEBUG */
-#endif /* BLS */
-
 /*
 * exec session...
 */
@@ -2268,11 +2177,7 @@ RunGreeter( struct display *d, struct greet_info *greet,
 */
 if (d->authorizations && d->authFile &&
- waitVal(status) != NOTIFY_LANG_CHANGE
-#ifdef BLS
- && waitVal(status) != NOTIFY_BAD_SECLEVEL
-#endif
- ) {
+ waitVal(status) != NOTIFY_LANG_CHANGE) {
 /***
 Debug ("Done with authorization file %s, removing\n",
@@ -2351,13 +2256,6 @@ RunGreeter( struct display *d, struct greet_info *greet,
 }
 #endif
-#ifdef BLS
- /*
- * sensitivityLevel set in BLS_Verify()
- */
- greet->b1security = sensitivityLevel;
-#endif
-
 Verify(d, greet, verify);
 return;
@@ -2405,14 +2303,10 @@ RunGreeter( struct display *d, struct greet_info *greet,
 LANGUAGESIZE) = '\0';
 return;
-#ifdef BLS
- case NOTIFY_BAD_SECLEVEL:
- return;
-#endif
 case waitCompose (SIGTERM,0,0):
 Debug ("Greeter exited on SIGTERM\n");
 SessionExit(d, OPENFAILED_DISPLAY);
-
+
 default:
 Debug ("Greeter returned unknown status %d\n",
 waitVal(status));
@@ -2769,9 +2663,6 @@ ManageGreeter( struct display *d, struct greet_info *greet,
 case VF_BAD_AID: SETMC(msg, BAD_AID); break;
 case VF_BAD_AFLAG: SETMC(msg, BAD_AFLAG); break;
 case VF_NO_LOGIN: SETMC(msg, NO_LOGIN); break;
-#ifdef BLS
- case VF_BAD_SEN_LEVEL: SETMC(msg, BAD_SEN_LEVEL); break;
-#endif
 case VF_MESSAGE: msg.id=0; msg.def=state->msg; break;
 default: msg.id=0; msg.def=""; break;
 }
diff --git a/cde/programs/dtlogin/sysauth.c b/cde/programs/dtlogin/sysauth.c
index 466aefda5..6d409fa5a 100644
--- a/cde/programs/dtlogin/sysauth.c
+++ b/cde/programs/dtlogin/sysauth.c
@@ -55,8 +55,6 @@
 ** self-auditing of login actions. Incompatible with
 ** #ifdef SecureWare
 **
- ** BLS HP BLS B1 simple authentication.
- **
 ** __AFS AFS 3 authentication mechanism
 ** __KERBEROS Kerberos authentication mechanism
 ** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
diff --git a/cde/programs/dtlogin/sysauth.h b/cde/programs/dtlogin/sysauth.h
index 2cbf8ff0a..5612a6ca3 100644
--- a/cde/programs/dtlogin/sysauth.h
+++ b/cde/programs/dtlogin/sysauth.h
@@ -74,10 +74,6 @@
 #define VF_CHALLENGE 12
 #define VF_MESSAGE 13
-#ifdef BLS
-#define VF_BAD_SEN_LEVEL 14
-#endif
-
 /****************************************************************************
 *
 * External procedure declarations
diff --git a/cde/programs/dtlogin/vg.h b/cde/programs/dtlogin/vg.h
index 7a34eaefd..39de37284 100644
--- a/cde/programs/dtlogin/vg.h
+++ b/cde/programs/dtlogin/vg.h
@@ -62,10 +62,6 @@ extern int errno;
 #include
 #include "vgproto.h"
-#ifdef BLS
-# include
-#endif
-
 #ifdef USE_XINERAMA
 # include
 #endif
diff --git a/cde/programs/dtlogin/vgauth.c b/cde/programs/dtlogin/vgauth.c
index 56521c9a4..5dbb0cf41 100644
--- a/cde/programs/dtlogin/vgauth.c
+++ b/cde/programs/dtlogin/vgauth.c
@@ -55,8 +55,6 @@
 ** self-auditing of login actions. Incompatible with
 ** #ifdef SecureWare
 **
- ** BLS HP BLS B1 simple authentication.
- **
 ** __AFS AFS 3 authentication mechanism
 ** __KERBEROS Kerberos authentication mechanism
 ** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
diff --git a/cde/programs/dtlogin/vgcallback.c b/cde/programs/dtlogin/vgcallback.c
index 9ff1a48bb..df8e35aba 100644
--- a/cde/programs/dtlogin/vgcallback.c
+++ b/cde/programs/dtlogin/vgcallback.c
@@ -110,11 +110,6 @@ static void ProcessTraversal( Widget w, int direction) ;
 static void _DtShowDialog(DialogType dtype, XmString msg);
 static void TellRequester(char * buf, size_t nbytes);
-# ifdef BLS
-static void PromptSensitivityLevel(void); /* prompt for B1 Sen. Level */
- int VerifySensitivityLevel(void); /* verify B1 Sensitivity Level */
-# endif
-
 static int session_selected = False;
 static Widget default_dt = NULL;
@@ -131,11 +126,6 @@ char *userName = "\0";
 struct passwd *user_p;
-#ifdef BLS
-static int normalPasswordWidget = True;
- char *sensitivityLevel = NULL;
-#endif
-
 #ifndef SVR4
 long groups[NGROUPS];
 #endif
@@ -1877,67 +1867,6 @@ GetLoginTextPtr( Widget w )
 }
-#ifdef BLS
-/***************************************************************************
- *
- * PromptSensitivityLevel
- *
- * Prompt for B1 Sensitivity Level. The password widget set is reused for
- * this purpose rather than creating another complete widget set. It already
- * has most of the proper size and alignment specifications needed. Using
- * the password set also allows the B1 code changes to be more localized.
- *
- ***************************************************************************/
-
-static void
-PromptSensitivityLevel( void)
-{
-
- Dimension width;
- int i, width1, width2;
-
- /*
- * Use the password widget set to prompt for the B1 Sensitivity Level.
- * Remember to put it back to normal if the user presses [Clear].
- */
-
- normalPasswordWidget = False;
-
- XtRemoveAllCallbacks(_text, XmNmodifyVerifyCallback);
- XmTextFieldSetString(_text,"");
-
-
- /*
- * Change the label and resize the password form...
- */
-
- i = 0;
- XtSetArg(argt[i], XmNresizable, True ); i++;
- XtSetArg(argt[i], XmNresizePolicy, XmRESIZE_ANY ); i++;
- XtSetValues(_form, argt, i);
-
- i = 0;
- xmstr = ReadCatalogXms(MC_LABEL_SET, -1, "Sensitivity Level:");
- XtSetArg(argt[i], XmNrecomputeSize, True ); i++;
- XtSetArg(argt[i], XmNlabelString, xmstr ); i++;
- XtSetValues(_label, argt, i);
-
- XmStringFree(xmstr);
-
- /*
- * Center the form horizontally in the login_matte...
- *
- */
-
- CenterForm(matte1, _form);
-
- ProcessTraversal(_text, XmTRAVERSE_CURRENT);
-
-}
-
-#endif /* BLS */
-
-
 static void
 TellRequester(char * buf, size_t nbytes)
 {
diff --git a/cde/programs/dtlogin/vgmain.c b/cde/programs/dtlogin/vgmain.c
index 33bb00fd0..53b26a017 100644
--- a/cde/programs/dtlogin/vgmain.c
+++ b/cde/programs/dtlogin/vgmain.c
@@ -371,31 +371,6 @@ main( int argc, char **argv )
 (void) signal(SIGTERM, Terminate);
-
-#ifdef BLS
-# ifndef NDEBUG
- {
- extern SIGVAL BLS_ToggleDebug( int arg );
-
- /*
- * Allow debug output to be turned on for dtgreet.
- */
-
- (void) signal(SIGHUP, BLS_ToggleDebug);
-
- }
-# endif /* NDEBUG */
- /*
- * set up authorization parameters, see the identity(3) man page...
- */
-
- if (ISSECURE) {
- set_auth_parameters(1, argv);
- init_security();
- }
-#endif /* BLS */
-
-
 /*
 * check some environment variables...
 */