mirror of
git://git.code.sf.net/p/cdesktopenv/code
synced 2025-03-09 15:50:02 +00:00
dtlogin: remove HP BLS B1 simple authentication support (BLS)
This commit is contained in:
parent
37367d5e12
commit
6fddca178f
13 changed files with 2 additions and 1985 deletions
|
@ -1,112 +0,0 @@
|
|||
/*
|
||||
* CDE - Common Desktop Environment
|
||||
*
|
||||
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
|
||||
*
|
||||
* These libraries and programs are free software; you can
|
||||
* redistribute them and/or modify them under the terms of the GNU
|
||||
* Lesser General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option)
|
||||
* any later version.
|
||||
*
|
||||
* These libraries and programs are distributed in the hope that
|
||||
* they will be useful, but WITHOUT ANY WARRANTY; without even the
|
||||
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
* PURPOSE. See the GNU Lesser General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with these libraries and programs; if not, write
|
||||
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
|
||||
* Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
/*
|
||||
* xdm - display manager daemon
|
||||
*
|
||||
* $XConsortium: bls.h /main/4 1996/10/30 11:35:48 drk $
|
||||
*
|
||||
* Copyright 1988 Massachusetts Institute of Technology
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software and its
|
||||
* documentation for any purpose and without fee is hereby granted, provided
|
||||
* that the above copyright notice appear in all copies and that both that
|
||||
* copyright notice and this permission notice appear in supporting
|
||||
* documentation, and that the name of M.I.T. not be used in advertising or
|
||||
* publicity pertaining to distribution of the software without specific,
|
||||
* written prior permission. M.I.T. makes no representations about the
|
||||
* suitability of this software for any purpose. It is provided "as is"
|
||||
* without express or implied warranty.
|
||||
*
|
||||
* Author: Keith Packard, MIT X Consortium
|
||||
*/
|
||||
|
||||
/*
|
||||
* bls.h
|
||||
*
|
||||
* public interfaces for B1 greet/verify functionality
|
||||
*/
|
||||
|
||||
|
||||
#ifndef _BLS_H
|
||||
#define _BLS_H
|
||||
|
||||
typedef unsigned char BOOL;
|
||||
|
||||
#ifndef FALSE
|
||||
#define FALSE 0
|
||||
#endif
|
||||
|
||||
#ifndef TRUE
|
||||
#define TRUE 1
|
||||
#endif
|
||||
|
||||
#ifdef BLS
|
||||
#include <sys/security.h>
|
||||
#include <sys/audit.h> /* for passwd and pr_passwd */
|
||||
#endif
|
||||
|
||||
#ifdef pegasus
|
||||
#undef dirty /* Some bozo put a macro called dirty in sys/param.h */
|
||||
#endif /* pegasus */
|
||||
|
||||
struct greet_info {
|
||||
char *name; /* user name */
|
||||
char *password; /* user password */
|
||||
#ifdef BLS
|
||||
char *b1security; /* user's b1 security */
|
||||
#endif
|
||||
char *string; /* random string */
|
||||
};
|
||||
|
||||
struct verify_info {
|
||||
int uid; /* user id */
|
||||
#ifdef NGROUPS
|
||||
int groups[NGROUPS];/* group list */
|
||||
int ngroups; /* number of elements in groups */
|
||||
#else
|
||||
int gid; /* group id */
|
||||
#endif
|
||||
char **argv; /* arguments to session */
|
||||
char **userEnviron; /* environment for session */
|
||||
char **systemEnviron;/* environment for startup/reset */
|
||||
#ifdef BLS
|
||||
char *user_name;
|
||||
struct mand_ir_t *sec_label_ir;
|
||||
struct mand_ir_t *clearance_ir;
|
||||
/* save these for logout time */
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
char terminal[16];
|
||||
#endif
|
||||
};
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* Global variables
|
||||
*
|
||||
***************************************************************************/
|
||||
extern struct pr_passwd *b1_pwd;
|
||||
extern struct verify_info *verify;
|
||||
extern struct greet_info *greet;
|
||||
|
||||
#endif /* _BLS_H */
|
|
@ -1,140 +0,0 @@
|
|||
/*
|
||||
* CDE - Common Desktop Environment
|
||||
*
|
||||
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
|
||||
*
|
||||
* These libraries and programs are free software; you can
|
||||
* redistribute them and/or modify them under the terms of the GNU
|
||||
* Lesser General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option)
|
||||
* any later version.
|
||||
*
|
||||
* These libraries and programs are distributed in the hope that
|
||||
* they will be useful, but WITHOUT ANY WARRANTY; without even the
|
||||
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
* PURPOSE. See the GNU Lesser General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with these libraries and programs; if not, write
|
||||
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
|
||||
* Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
/*
|
||||
* xdm - display manager daemon
|
||||
*
|
||||
* $XConsortium: debug.c /main/3 1995/07/14 13:23:25 drk $
|
||||
*
|
||||
* Copyright 1988 Massachusetts Institute of Technology
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software and its
|
||||
* documentation for any purpose and without fee is hereby granted, provided
|
||||
* that the above copyright notice appear in all copies and that both that
|
||||
* copyright notice and this permission notice appear in supporting
|
||||
* documentation, and that the name of M.I.T. not be used in advertising or
|
||||
* publicity pertaining to distribution of the software without specific,
|
||||
* written prior permission. M.I.T. makes no representations about the
|
||||
* suitability of this software for any purpose. It is provided "as is"
|
||||
* without express or implied warranty.
|
||||
*
|
||||
* Author: Keith Packard, MIT X Consortium
|
||||
*/
|
||||
|
||||
/***************
|
||||
debug.c
|
||||
****************/
|
||||
|
||||
#ifndef NDEBUG
|
||||
/* don't compile anything in this file unless this is pre-release code */
|
||||
#include <stdio.h>
|
||||
#include <signal.h>
|
||||
#include "../vg.h"
|
||||
#include "bls.h"
|
||||
|
||||
# include <stdarg.h>
|
||||
# define Va_start(a,b) va_start(a,b)
|
||||
|
||||
char *DisplayName=NULL;
|
||||
|
||||
|
||||
/****************************************************************************
|
||||
*
|
||||
* Debug
|
||||
*
|
||||
* Write a debug message to stderr
|
||||
*
|
||||
****************************************************************************/
|
||||
|
||||
static int DoName=TRUE;
|
||||
static int debugLevel=0;
|
||||
|
||||
|
||||
int
|
||||
BLS_ToggleDebug( int arg)
|
||||
{
|
||||
debugLevel = !debugLevel;
|
||||
(void) signal(SIGHUP,BLS_ToggleDebug);
|
||||
}
|
||||
|
||||
|
||||
|
||||
void
|
||||
Debug( char *fmt, ...)
|
||||
{
|
||||
static int sentinel = 0;
|
||||
static char *debugLog;
|
||||
|
||||
va_list args;
|
||||
|
||||
Va_start(args,fmt);
|
||||
|
||||
|
||||
|
||||
if ( !sentinel ) {
|
||||
/*
|
||||
* open up an error log for dtgreet
|
||||
*/
|
||||
if ((debugLog = getenv("VG_DEBUG")) == 0)
|
||||
debugLog = "/usr/lib/X11/dt/Dtlogin/dtgreet.log";
|
||||
|
||||
if ( !freopen(debugLog,"a",stderr)) {
|
||||
perror("Debug:");
|
||||
}
|
||||
DisplayName=dpyinfo.name;
|
||||
sentinel = 1;
|
||||
}
|
||||
|
||||
if (debugLevel > 0)
|
||||
{
|
||||
if ( strlen(DisplayName) > 0 && DoName)
|
||||
fprintf(stderr, "(%s) ", DisplayName);
|
||||
|
||||
vfprintf (stderr,fmt, args);
|
||||
fflush (stderr);
|
||||
|
||||
/*
|
||||
* don't prepend the display name next time if this debug message
|
||||
* does not contain a "new line" character...
|
||||
*/
|
||||
|
||||
if ( strchr(fmt,'\n') == NULL )
|
||||
DoName=FALSE;
|
||||
else
|
||||
DoName=TRUE;
|
||||
|
||||
}
|
||||
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
/*
|
||||
* Debug stub for product purposes
|
||||
*/
|
||||
|
||||
void
|
||||
Debug( )
|
||||
{ }
|
||||
|
||||
#endif /* NDEBUG */
|
|
@ -1,666 +0,0 @@
|
|||
/*
|
||||
* CDE - Common Desktop Environment
|
||||
*
|
||||
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
|
||||
*
|
||||
* These libraries and programs are free software; you can
|
||||
* redistribute them and/or modify them under the terms of the GNU
|
||||
* Lesser General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option)
|
||||
* any later version.
|
||||
*
|
||||
* These libraries and programs are distributed in the hope that
|
||||
* they will be useful, but WITHOUT ANY WARRANTY; without even the
|
||||
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
* PURPOSE. See the GNU Lesser General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with these libraries and programs; if not, write
|
||||
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
|
||||
* Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
/* $XConsortium: get_level.c /main/4 1995/10/27 16:19:39 rswiston $ */
|
||||
/*
|
||||
* get_level.c
|
||||
* last modified by:
|
||||
* David Dolson June 7/92
|
||||
* - rewrote most of B1 security routines. Much of it is based on
|
||||
* parallel routines in login.
|
||||
* Ron Voll July 7/92
|
||||
* - rolled the xdm version of this file into dtlogin.
|
||||
*/
|
||||
|
||||
#ifdef BLS /* Brackets entire file */
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <signal.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <stdio.h>
|
||||
#include <termio.h>
|
||||
#include <errno.h>
|
||||
#ifdef SEC_NET_TTY
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netdb.h>
|
||||
#endif
|
||||
|
||||
#include <sys/security.h>
|
||||
#include <sys/audit.h>
|
||||
#include <prot.h>
|
||||
#include <protcmd.h>
|
||||
#if defined(TAC3) && !defined(TPLOGIN)
|
||||
#include <sys/secpolicy.h>
|
||||
#include <mandatory.h>
|
||||
#include <fcntl.h>
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#if 0
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/wait.h>
|
||||
#include <grp.h>
|
||||
|
||||
/*
|
||||
* Local include file for bls specific definitions.
|
||||
* Also defines some of the structures from dm.h for bls usage.
|
||||
*/
|
||||
#include "bls.h"
|
||||
|
||||
/* drop those privs from the base set which are not needed by xdm */
|
||||
void
|
||||
drop_privs(void)
|
||||
{
|
||||
priv_t privs[SEC_SPRIVVEC_SIZE];
|
||||
|
||||
getpriv(SEC_BASE_PRIV, privs);
|
||||
RMBIT(privs, SEC_ALLOWNETACCESS);
|
||||
RMBIT(privs, SEC_NETPRIVSESSION);
|
||||
RMBIT(privs, SEC_NETNOAUTH);
|
||||
RMBIT(privs, SEC_MULTILEVELDIR);
|
||||
setpriv(SEC_BASE_PRIV, privs);
|
||||
return;
|
||||
}
|
||||
|
||||
/* stuff to do at the start */
|
||||
void
|
||||
init_security(void)
|
||||
{
|
||||
/* set default file creation mode to be restrictive */
|
||||
umask(~SEC_DEFAULT_MODE);
|
||||
drop_privs();
|
||||
}
|
||||
|
||||
/* check that the requested security level is valid for this user,
|
||||
* return 1 = success, return 0 is fail(fatal)
|
||||
*/
|
||||
int
|
||||
verify_user_seclevel( struct verify_info verify, char *desired_label)
|
||||
{
|
||||
int uid;
|
||||
mand_ir_t *dl_ir, *clearance_ir;
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
|
||||
prpwd = verify->prpwd;
|
||||
pwd = verify->pwd;
|
||||
uid = verify->uid;
|
||||
|
||||
/* check that desired_label falls within user's range */
|
||||
dl_ir = mand_er_to_ir(desired_label);
|
||||
if (dl_ir ==NULL) {
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unknown clearance level", ES_LOGIN_FAILED);
|
||||
Debug("unable to translate clearance\n");
|
||||
return 0;
|
||||
}
|
||||
/* get user clearance from prpwd database */
|
||||
if (prpwd->uflg.fg_clearance)
|
||||
clearance_ir = &prpwd->ufld.fd_clearance;
|
||||
else if (prpwd->sflg.fg_clearance)
|
||||
clearance_ir = &prpwd->sfld.fd_clearance;
|
||||
else
|
||||
clearance_ir = mand_syslo;
|
||||
|
||||
/* make sure clearance dominates or equals desired_label */
|
||||
switch(mand_ir_relationship(/* subject */ dl_ir,
|
||||
/* object */ clearance_ir)) {
|
||||
case MAND_ODOM:
|
||||
case MAND_EQUAL:
|
||||
/* Within range */
|
||||
break;
|
||||
default:
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Security label out of range", ES_LOGIN_FAILED);
|
||||
Debug("Invalid clearance for this user\n");
|
||||
mand_free_ir(dl_ir);
|
||||
return 0;
|
||||
}
|
||||
verify->clearance_ir = clearance_ir;
|
||||
verify->sec_label_ir = dl_ir;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* check the proper structures to determine if the user has a password.
|
||||
* If the nullpw field is set, the user does not need one, and this
|
||||
* overrides the rest of the checking.
|
||||
* return 1 means that a password exists (or is not needed)
|
||||
*/
|
||||
int
|
||||
password_exists(struct verify_info *verify)
|
||||
{
|
||||
struct pr_passwd *prpwd;
|
||||
BOOL nocheck;
|
||||
|
||||
Debug("password_exists()\n");
|
||||
prpwd = verify->prpwd;
|
||||
if (prpwd->uflg.fg_nullpw)
|
||||
nocheck=prpwd->ufld.fd_nullpw;
|
||||
else if (prpwd->sflg.fg_nullpw)
|
||||
nocheck=prpwd->sfld.fd_nullpw;
|
||||
else
|
||||
nocheck=FALSE;
|
||||
|
||||
if (!nocheck) { /* user needs password */
|
||||
Debug("password required for user\n");
|
||||
if (!prpwd->uflg.fg_encrypt ||
|
||||
prpwd->ufld.fd_encrypt[0] == '\0' ) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
/* check that the requested security level can be used on this X terminal,
|
||||
* and that it is not locked.
|
||||
* Currently there is no support for locking xterms like there is for
|
||||
* /dev/tty* terminals.
|
||||
*/
|
||||
int
|
||||
verify_sec_xterm(struct verify_info *verify, char *desired_label)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
/* set clearance and label for the user. Audit all failures.
|
||||
* return 0=fail, 1=pass
|
||||
*/
|
||||
int
|
||||
set_sec_label(struct verify_info *verify)
|
||||
{
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
/* set clearance */
|
||||
prpwd = verify->prpwd;
|
||||
pwd = verify->pwd;
|
||||
|
||||
if (setclrnce(verify->sec_label_ir)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Insufficient privs to set clearance", ES_LOGIN_FAILED);
|
||||
Debug ("login failed: EPERM on setclrnce()\n");
|
||||
break;
|
||||
case EFAULT:
|
||||
/* audit:login failed: xdm memory fault */
|
||||
default:
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set clearance", ES_LOGIN_FAILED);
|
||||
Debug ("setclrnce failed: error: %d\n", errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
/* set label */
|
||||
if (setslabel(verify->sec_label_ir)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Insufficient privs to set sec label", ES_LOGIN_FAILED);
|
||||
Debug ("login failed: insufficient priv. to setslabel()\n");
|
||||
break;
|
||||
case EFAULT:
|
||||
/* audit:login failed: xdm memory fault */
|
||||
default:
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set sec label", ES_LOGIN_FAILED);
|
||||
Debug ("setslabel() failed: error: %d\n", errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* set the effective, base, and maximum priv vectors for the
|
||||
* new process, based on values from the pr_passwd entry.
|
||||
* Inability to find either user priv's or default priv's
|
||||
* results in failure. One or the other must be there.
|
||||
* Function returns 1 for success, 0 for failure.
|
||||
* A failure of this function should be considered fatal.
|
||||
*/
|
||||
int
|
||||
set_sec_privs(struct verify_info *verify)
|
||||
{
|
||||
|
||||
priv_t *maxprivs, *bprivs;
|
||||
priv_t curr_bprivs[SEC_SPRIVVEC_SIZE];
|
||||
priv_t curr_sprivs[SEC_SPRIVVEC_SIZE];
|
||||
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
int bit;
|
||||
|
||||
prpwd = verify->prpwd;
|
||||
pwd = verify->pwd;
|
||||
|
||||
/* kernel authorizations */
|
||||
if (prpwd->uflg.fg_sprivs) {
|
||||
maxprivs = &prpwd->ufld.fd_sprivs[0];
|
||||
}else if(prpwd->sflg.fg_sprivs) {
|
||||
maxprivs = &prpwd->sfld.fd_sprivs[0];
|
||||
Debug("Using default kernel priv's\n");
|
||||
}else {
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to find kernel priv set for user",
|
||||
ES_LOGIN_FAILED);
|
||||
Debug("Can't find max. priv set for user-quitting\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* base priv's and initial effective priv's */
|
||||
if (verify->prpwd->uflg.fg_bprivs) {
|
||||
bprivs = &verify->prpwd->ufld.fd_bprivs[0];
|
||||
}else if (verify->prpwd->sflg.fg_bprivs) { /* use system defaults */
|
||||
bprivs = &verify->prpwd->sfld.fd_bprivs[0];
|
||||
Debug("Using default base priv's\n");
|
||||
}else{
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to find base priv set for user",
|
||||
ES_LOGIN_FAILED);
|
||||
Debug("Can't find base priv set for user-quitting\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
getpriv(SEC_MAXIMUM_PRIV, curr_sprivs);
|
||||
getpriv(SEC_BASE_PRIV, curr_bprivs);
|
||||
|
||||
/* remove those privs which the current process does not have,
|
||||
* to avoid any error in the following system calls
|
||||
*/
|
||||
for (bit=0; bit<=SEC_MAX_SPRIV; bit++) {
|
||||
if (!ISBITSET(curr_sprivs, bit))
|
||||
RMBIT(maxprivs, bit);
|
||||
if (!ISBITSET(curr_bprivs, bit))
|
||||
RMBIT(bprivs, bit);
|
||||
}
|
||||
|
||||
/* login removes those bits from maxprivs which the current process
|
||||
* does not have. - This program assumes the system config
|
||||
* utilities will enforce the rules for setpriv(3). Any failure
|
||||
* of setpriv will indicate a corrupt database.
|
||||
*/
|
||||
|
||||
if (setpriv(SEC_MAXIMUM_PRIV, maxprivs)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
Debug("setpriv (max) failed: EPERM\n");
|
||||
break;
|
||||
case EINVAL:
|
||||
Debug("setpriv (max) failed: EINVAL\n");
|
||||
break;
|
||||
case EFAULT:
|
||||
Debug("setpriv (max) failed: EFAULT\n");
|
||||
break;
|
||||
default:
|
||||
Debug("setpriv (max) failed for unknown error: %d\n",errno);
|
||||
break;
|
||||
}
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set Kernel privs", ES_LOGIN_FAILED);
|
||||
Debug("Unable to set Kernel privs (error %d): aborting\n",errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (setpriv(SEC_BASE_PRIV, bprivs)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
Debug("setpriv (base) failed: EPERM\n");
|
||||
break;
|
||||
case EINVAL:
|
||||
Debug("setpriv (base) failed: EINVAL\n");
|
||||
break;
|
||||
case EFAULT:
|
||||
Debug("setpriv (base) failed: EFAULT\n");
|
||||
break;
|
||||
default:
|
||||
Debug("setpriv (base) failed for unknown error: %d\n",errno);
|
||||
break;
|
||||
}
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set base privs", ES_LOGIN_FAILED);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (setpriv(SEC_EFFECTIVE_PRIV, bprivs)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
Debug("setpriv (effective) failed: EPERM\n");
|
||||
break;
|
||||
case EINVAL:
|
||||
Debug("setpriv (effective) failed: EINVAL\n");
|
||||
break;
|
||||
case EFAULT:
|
||||
Debug("setpriv (effective) failed: EFAULT\n");
|
||||
break;
|
||||
default:
|
||||
Debug("setpriv (effective) failed for unknown error: %d\n",
|
||||
errno);
|
||||
break;
|
||||
}
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set effective privs", ES_LOGIN_FAILED);
|
||||
Debug("Unable to set effective privs (error %d): aborting\n",errno);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
||||
}
|
||||
|
||||
|
||||
/* change the current process over to be owned by the user verify->uid.
|
||||
* Also properly set the privs, sec label, etc.
|
||||
* Also audits failures.
|
||||
* return=1 for success, 0 for fail. A failure should be considered fatal.
|
||||
*/
|
||||
int
|
||||
change_to_user(struct verify_info *verify)
|
||||
{
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
int new_nice;
|
||||
|
||||
prpwd = verify->prpwd;
|
||||
pwd = verify->pwd;
|
||||
|
||||
Debug("change_to_user()\n");
|
||||
/* 1. set the login user id - settable only once */
|
||||
if (setluid(verify->uid)==-1) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
Debug("Unable to set luid - EPERM\n");
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set luid - insufficient privs",
|
||||
ES_LOGIN_FAILED);
|
||||
break;
|
||||
case EINVAL:
|
||||
Debug("Unable to set luid - suspicious of pwd db.\n");
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set luid - out of range", ES_LOGIN_FAILED);
|
||||
break;
|
||||
default:
|
||||
Debug("Can't set luid-Unknown error %d\n",errno);
|
||||
audit_login(prpwd, pwd, verify->terminal,
|
||||
"Unable to set luid-unknown error", ES_LOGIN_FAILED);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set the 'nice' priority if necessary. Since the return value
|
||||
* of nice(2) can normally be -1 from the documentation, and
|
||||
* -1 is the error condition, we key off of errno, not the
|
||||
* return value to find if the change were successful.
|
||||
* Note we must do this before the setuid(2) below.
|
||||
*/
|
||||
errno = 0;
|
||||
prpwd = verify->prpwd;
|
||||
if (prpwd->uflg.fg_nice)
|
||||
new_nice = prpwd->ufld.fd_nice;
|
||||
else if (prpwd->sflg.fg_nice)
|
||||
new_nice = prpwd->sfld.fd_nice;
|
||||
|
||||
if (prpwd->uflg.fg_nice || prpwd->sflg.fg_nice) {
|
||||
(void) nice(new_nice);
|
||||
if (errno != 0) {
|
||||
audit_login(prpwd, verify->pwd, NULL,
|
||||
"bad 'nice' setting", ES_LOGIN_FAILED);
|
||||
Debug("Bad priority setting.\n");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* 2. set the group(s) id and
|
||||
* 3. set the regular user id */
|
||||
|
||||
#ifdef NGROUPS
|
||||
|
||||
/* setgroups (verify->ngroups, verify->groups);
|
||||
*/
|
||||
if(setgid (verify->groups[0])) {
|
||||
switch(errno) {
|
||||
case EPERM:
|
||||
Debug("setgid EPERM\n");
|
||||
break;
|
||||
case EINVAL:
|
||||
Debug("setgid EINVAL\n");
|
||||
break;
|
||||
default:
|
||||
Debug("setgid unknown error: %d\n",errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
initgroups(verify->user_name, verify->groups[0]);
|
||||
#else
|
||||
if(setgid (verify->gid)) {
|
||||
switch(errno) {
|
||||
case EPERM: Debug("setgid EPERM\n");break;
|
||||
case EINVAL: Debug("setgid EINVAL\n");break;
|
||||
default: Debug("setgid unknown error\n");break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
if(setuid (verify->uid)) {
|
||||
switch(errno) {
|
||||
case EPERM: Debug("setgid EPERM\n");break;
|
||||
case EINVAL: Debug("setgid EINVAL\n");break;
|
||||
default: Debug("setgid unknown error\n");break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* 4. set security clearance and label for the new process */
|
||||
if (!set_sec_label(verify))
|
||||
return 0;
|
||||
|
||||
/* 5. set audit parameters */
|
||||
audit_adjust_mask(prpwd);
|
||||
|
||||
/* 6. set privlege levels - maximum, base, and effective */
|
||||
if (!set_sec_privs(verify))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Try to read back everything, and print it. If a fatal error occurs,
|
||||
* return code is 0. 1=success.
|
||||
*/
|
||||
int
|
||||
dump_sec_debug_info(struct verify_info *verify)
|
||||
{
|
||||
mand_ir_t *level_ir;
|
||||
priv_t privs[SEC_SPRIVVEC_SIZE];
|
||||
|
||||
Debug ("luid: %d, real uid: %d, effective uid:%d,\n",
|
||||
getluid(),getuid(),geteuid());
|
||||
Debug ("real gid:%d, effective gid: %d\n", getgid(),getegid());
|
||||
level_ir = mand_alloc_ir();
|
||||
if (getclrnce(level_ir)==-1) {
|
||||
switch(errno) {
|
||||
case EFAULT: Debug("getclrnce EFAULT\n");break;
|
||||
case EINVAL: Debug("getclrnce EINVAL\n");break;
|
||||
default: Debug("getclrnce unknown error:%d\n",errno);break;
|
||||
}
|
||||
return 0;
|
||||
}else Debug ("Clearance: %s\n", mand_ir_to_er(level_ir) );
|
||||
if (getslabel(level_ir)==-1) {
|
||||
switch(errno) {
|
||||
case EFAULT: Debug("getslabel EFAULT\n");break;
|
||||
case EINVAL: Debug("getslabel EINVAL\n");break;
|
||||
default: Debug("getslabel unknown error:%d\n",errno);break;
|
||||
}
|
||||
return 0;
|
||||
}else Debug ("Level: %s\n", mand_ir_to_er(level_ir));
|
||||
mand_free_ir(level_ir);
|
||||
if(getpriv(SEC_MAXIMUM_PRIV, privs)==-1) {
|
||||
switch(errno) {
|
||||
case EFAULT: Debug("getpriv max EFAULT\n");break;
|
||||
case EINVAL: Debug("getpriv max EINVAL\n");break;
|
||||
default: Debug("getpriv max unknown error:%d\n",errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}else Debug ("max priv: %x.%x\n", privs[0],privs[1]);
|
||||
if(getpriv(SEC_EFFECTIVE_PRIV, privs)==-1) {
|
||||
switch(errno) {
|
||||
case EFAULT: Debug("getpriv eff EFAULT\n");break;
|
||||
case EINVAL: Debug("getpriv eff EINVAL\n");break;
|
||||
default: Debug("getpriv eff unknown error:%d\n",errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}else Debug ("eff priv: %x.%x\n", privs[0],privs[1]);
|
||||
if(getpriv(SEC_BASE_PRIV, privs)==-1) {
|
||||
switch(errno) {
|
||||
case EFAULT: Debug("getpriv base EFAULT\n");break;
|
||||
case EINVAL: Debug("getpriv base EINVAL\n");break;
|
||||
default: Debug("getpriv base unknown error:%d\n",errno);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}else Debug ("base priv: %x.%x\n", privs[0],privs[1]);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* writeLoginInfo
|
||||
* Input: file name string (ex. $HOME/.dtlogininfo)
|
||||
* verify structure with password stuff
|
||||
* Write login information to a file to be displayed later, after a
|
||||
* successful login.
|
||||
*
|
||||
* Xsession will need to be modified something like this...
|
||||
* DTHELLO="$DTDIR/bin/dthello -f /etc/copyright -f $HOME/.dtlogininfo"
|
||||
*/
|
||||
|
||||
int
|
||||
writeLoginInfo( char *filename, struct verify_info *verify)
|
||||
{
|
||||
char *s1="Last successful login: %s";
|
||||
char *s2="Last unsuccessful login: %s";
|
||||
char *s3;
|
||||
char s[80];
|
||||
char term[15];
|
||||
char *label;
|
||||
char *message="Sensitivity level for process: ";
|
||||
int i;
|
||||
int nl;
|
||||
time_t slogin, ulogin;
|
||||
char *slabel;
|
||||
char *uterminal, *sterminal;
|
||||
|
||||
FILE *fp;
|
||||
|
||||
Debug("Writing login info\n");
|
||||
if ((fp = fopen (filename, "w")) == 0 )
|
||||
return 0;
|
||||
|
||||
if (verify->prpwd->uflg.fg_slogin)
|
||||
slogin=verify->prpwd->ufld.fd_slogin;
|
||||
else
|
||||
slogin=(time_t)0;
|
||||
|
||||
if (verify->prpwd->uflg.fg_ulogin)
|
||||
ulogin=verify->prpwd->ufld.fd_ulogin;
|
||||
else
|
||||
ulogin=(time_t)0;
|
||||
|
||||
if (verify->prpwd->uflg.fg_suctty)
|
||||
sterminal=verify->prpwd->ufld.fd_suctty;
|
||||
else
|
||||
sterminal="UNKNOWN";
|
||||
|
||||
if (verify->prpwd->uflg.fg_unsuctty)
|
||||
uterminal=verify->prpwd->ufld.fd_unsuctty;
|
||||
else
|
||||
uterminal="UNKNOWN";
|
||||
|
||||
slabel = mand_ir_to_er(verify->sec_label_ir);
|
||||
|
||||
fprintf(fp,"-----------------------------------\n");
|
||||
fprintf(fp,"\nPrevious login information:\n\n");
|
||||
|
||||
/* tricky formatting */
|
||||
if (slogin != 0) {
|
||||
sprintf(s, s1, ctime(&slogin));
|
||||
nl=strlen(s)-1;
|
||||
s[nl]='\0'; /* remove new-line */
|
||||
}else{
|
||||
sprintf(s,s1,"NEVER");
|
||||
}
|
||||
strcat(s, " from ");
|
||||
strncpy(term, sterminal, 14);
|
||||
term[14]='\0';
|
||||
strcat(s, term);
|
||||
fprintf(fp,"%s\n",s);
|
||||
|
||||
if (ulogin != 0) {
|
||||
sprintf(s, s2, ctime(&ulogin));
|
||||
nl=strlen(s)-1;
|
||||
s[nl]='\0'; /* remove new-line */
|
||||
}else{
|
||||
sprintf(s,s2,"NEVER");
|
||||
}
|
||||
strcat(s, " from ");
|
||||
strncpy(term, uterminal, 14);
|
||||
term[14]='\0';
|
||||
strcat(s, term);
|
||||
fprintf(fp,"%s\n",s);
|
||||
|
||||
label = (char*)malloc(strlen(message)+strlen(slabel)+1);
|
||||
sprintf(label, "%s%s", message, slabel);
|
||||
if (strlen (label) > 77) {
|
||||
for(i=75; label[i]!=',' && i>0; i--);
|
||||
if (i==0) for(i=75; label[i]!=' ' && i>0; i--);
|
||||
if (i==0) i=75;
|
||||
strncpy(s, label, i+1);
|
||||
s[i+1]='\0';
|
||||
fprintf(fp,"%s\n",s);
|
||||
strncpy(s, &label[i+1], 75);
|
||||
s[75]='\0';
|
||||
fprintf(fp,"%s\n",s);
|
||||
}else{
|
||||
fprintf(fp,"%s\n",label);
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
return 1;
|
||||
}
|
||||
|
||||
#endif /* BLS */
|
|
@ -1,830 +0,0 @@
|
|||
/*
|
||||
* CDE - Common Desktop Environment
|
||||
*
|
||||
* Copyright (c) 1993-2012, The Open Group. All rights reserved.
|
||||
*
|
||||
* These libraries and programs are free software; you can
|
||||
* redistribute them and/or modify them under the terms of the GNU
|
||||
* Lesser General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option)
|
||||
* any later version.
|
||||
*
|
||||
* These libraries and programs are distributed in the hope that
|
||||
* they will be useful, but WITHOUT ANY WARRANTY; without even the
|
||||
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
* PURPOSE. See the GNU Lesser General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with these libraries and programs; if not, write
|
||||
* to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
|
||||
* Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
/* $XConsortium: validate.c /main/4 1995/10/27 16:19:47 rswiston $ */
|
||||
/************************************<+>*************************************
|
||||
****************************************************************************
|
||||
**
|
||||
** File: validate.c
|
||||
**
|
||||
** Project: HP Visual User Environment (DT)
|
||||
**
|
||||
** Description: Dtgreet BLS user authentication routines
|
||||
**
|
||||
** These routines validate the user; checking name, password,
|
||||
** number of users on the system, password aging, etc.
|
||||
**
|
||||
**
|
||||
** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
|
||||
**
|
||||
**
|
||||
** Conditional compiles:
|
||||
**
|
||||
** OSMAJORVERSION < 8
|
||||
** HP-UX 7.0/7.03 restricted license counting algorithms
|
||||
** are used. Otherwise HP-UX 8.0 and beyond is used
|
||||
**
|
||||
** BLS HP BLS B1 simple authentication.
|
||||
**
|
||||
**
|
||||
****************************************************************************
|
||||
************************************<+>*************************************/
|
||||
|
||||
#ifdef BLS
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* Includes & Defines
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdlib.h>
|
||||
#include <pwd.h>
|
||||
|
||||
#include "../vg.h"
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* HP-UX BLS authentication routines
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
#include <sys/param.h> /* for MAXUID macro */
|
||||
#include <sys/types.h>
|
||||
#include <sys/utsname.h>
|
||||
#include <string.h>
|
||||
#include <utmp.h>
|
||||
#include <time.h>
|
||||
#include <grp.h>
|
||||
|
||||
|
||||
/* BLS only headers */
|
||||
# include <sys/security.h>
|
||||
# include <prot.h>
|
||||
# include "bls.h"
|
||||
|
||||
|
||||
#define how_to_count ut_exit.e_exit
|
||||
|
||||
#ifdef __hp9000s300
|
||||
static int num_users[] = { 2, 32767 };
|
||||
# define MIN_VERSION 'A'
|
||||
# define UNLIMITED 'B'
|
||||
#else
|
||||
static int num_users[] = { 2, 16, 32, 64 , 8 };
|
||||
# define MIN_VERSION 'A'
|
||||
# define UNLIMITED 'U'
|
||||
#endif
|
||||
|
||||
/* Maximum number of users allowed with restricted license */
|
||||
#if OSMAJORVERSION < 8
|
||||
# define MAX_STRICT_USERS 2
|
||||
#else
|
||||
# define MAX_STRICT_USERS 8
|
||||
#endif
|
||||
|
||||
#define NUM_VERSIONS (sizeof(num_users)/sizeof(num_users[0])) - 1
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* External declarations
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
extern Widget focusWidget; /* login or password text field */
|
||||
|
||||
extern long groups[NGROUPS];
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* Procedure declarations
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
static int CheckPassword( char *name, char *passwd );
|
||||
static int CountUsers( int added_users) ;
|
||||
static int CountUsersStrict( char *new_user) ;
|
||||
static void WriteBtmp( char *name) ;
|
||||
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* Global variables
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
/* BLS only data */
|
||||
struct pr_passwd *b1_pwd;
|
||||
struct verify_info verify_data;
|
||||
struct verify_info *verify = &verify_data;
|
||||
struct greet_info greet_data;
|
||||
struct greet_info *greet = &greet_data;
|
||||
static int UserHasPassword = 1;
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* CountUsers
|
||||
*
|
||||
* see if new user has exceeded the maximum.
|
||||
***************************************************************************/
|
||||
|
||||
#define NCOUNT 16
|
||||
|
||||
static int
|
||||
CountUsers( int added_users )
|
||||
{
|
||||
int count[NCOUNT], nusers, i;
|
||||
struct utmp *entry;
|
||||
|
||||
for (i=0; i<NCOUNT; i++)
|
||||
count[i] = 0;
|
||||
|
||||
count[added_users]++;
|
||||
|
||||
while ( (entry = getutent()) != NULL) {
|
||||
if (entry->ut_type == USER_PROCESS) {
|
||||
i = entry->how_to_count;
|
||||
if (i < 0 || i >= NCOUNT)
|
||||
i = 1; /* if out of range, then count */
|
||||
/* as ordinary user */
|
||||
count[i]++;
|
||||
}
|
||||
}
|
||||
endutent();
|
||||
|
||||
/*
|
||||
* KEY:
|
||||
* [0] does not count at all
|
||||
* [1] counts as real user
|
||||
* [2] logins via a pty which have not gone trough login. These
|
||||
* collectively count as 1 user IF count[3] is 0, otherwise,
|
||||
* they are not counted. Starting with HP-UX 8.0 they are
|
||||
* no longer counted at all.
|
||||
* [3] logins via a pty which have been logged through login (i.e.
|
||||
* rlogin and telnet). these count as 1 "real" user per
|
||||
* unique user name.
|
||||
* [4-15] may be used for groups of users which collectively
|
||||
* count as 1
|
||||
*/
|
||||
nusers = count[1];
|
||||
|
||||
#if OSMAJORVERSION < 8
|
||||
for (i=2; i<NCOUNT; i++)
|
||||
#else
|
||||
for (i=3; i<NCOUNT; i++)
|
||||
#endif
|
||||
if (count[i] > 0)
|
||||
nusers++;
|
||||
|
||||
return(nusers);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* CountUsersStrict
|
||||
*
|
||||
* see if new user has exceeded the maximum.
|
||||
***************************************************************************/
|
||||
|
||||
static int
|
||||
CountUsersStrict( char *new_user )
|
||||
{
|
||||
char pty_users[MAX_STRICT_USERS][8];
|
||||
int count[NCOUNT], nusers, i, cnt, pty_off = -1, uname_off;
|
||||
struct utmp *entry;
|
||||
|
||||
/*
|
||||
* Initialize count array...
|
||||
*/
|
||||
for (i = 0; i < NCOUNT; i++)
|
||||
count[i] = 0;
|
||||
|
||||
/*
|
||||
* Add in the new user (we know it's not a pty)...
|
||||
*/
|
||||
count[1]++;
|
||||
|
||||
while ( (entry = getutent()) != NULL ) {
|
||||
if (entry->ut_type == USER_PROCESS) {
|
||||
i = entry->how_to_count;
|
||||
|
||||
/* if out of range, then count as ordinary user logged in
|
||||
via a tty */
|
||||
if (i == 1 || (i < 0 || i >= NCOUNT))
|
||||
count[1]++;
|
||||
/* See if it is a pty login granted by login program */
|
||||
else if (i == 3) {
|
||||
count[3]++;
|
||||
/* See if user is already logged in via login pty */
|
||||
uname_off = -1;
|
||||
for (cnt = 0; cnt <= pty_off; cnt++)
|
||||
if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0)
|
||||
uname_off = cnt;
|
||||
|
||||
if (uname_off == -1) { /* user is not logged in via pty yet */
|
||||
|
||||
if (pty_off >= MAX_STRICT_USERS) /* cannot add any
|
||||
more users */
|
||||
return(MAX_STRICT_USERS + 1);
|
||||
/* add the user name to the array of pty users */
|
||||
else
|
||||
strncpy(pty_users[++pty_off], entry->ut_user, 8);
|
||||
}
|
||||
} /* end if (i == 3) */
|
||||
else
|
||||
count[i]++;
|
||||
} /* end if entry->ut_type == USER_PROCESS */
|
||||
} /* end while (entry = getutent()) */
|
||||
|
||||
endutent();
|
||||
/*
|
||||
* KEY:
|
||||
* [0] does not count at all
|
||||
* [1] counts as "real" user
|
||||
* [2] logins via a pty which have not gone trough login. These
|
||||
* collectively count as 1 user IF count[3] is 0, otherwise,
|
||||
* they are not counted. Starting with HP-UX 8.0 they are
|
||||
* no longer counted at all.
|
||||
* [3] logins via a pty which have been logged through login (i.e.
|
||||
* rlogin and telnet). these count as 1 "real" user per
|
||||
* unique user name.
|
||||
* [4-15] may be used for groups of users which collectively count
|
||||
* as 1
|
||||
*/
|
||||
|
||||
nusers = pty_off + 1 + count[1]; /* Current number of users is sum of
|
||||
users logged in via tty + the
|
||||
number of unique users logged in
|
||||
via pty which have gone through
|
||||
login */
|
||||
|
||||
#if OSMAJORVERSION < 8
|
||||
if ((count[3] == 0) && (count[2] != 0))
|
||||
nusers++; /* Add 1 user for all pty logins IF
|
||||
none of pty logins have been
|
||||
granted by the login program */
|
||||
#else
|
||||
/*
|
||||
* Don't count any hpterm logins (exit status of 2). We already
|
||||
* counted all pty logins granted by the login program.
|
||||
*/
|
||||
#endif
|
||||
|
||||
for (i = 4; i < NCOUNT; i++)
|
||||
if (count[i] > 0)
|
||||
nusers++;
|
||||
return(nusers);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* CheckPassword
|
||||
*
|
||||
* Check validity of user password.
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
static int
|
||||
CheckPassword( char *name, char *passwd )
|
||||
{
|
||||
|
||||
char *crypt();
|
||||
struct passwd *p;
|
||||
char *reason;
|
||||
|
||||
/*
|
||||
* HP BLS B1 password authentication...
|
||||
*/
|
||||
|
||||
if ( ISSECURE ) {
|
||||
b1_pwd = getprpwnam(name);
|
||||
|
||||
if ( b1_pwd == NULL || strlen(name) == 0 ) {
|
||||
Debug("unknown user '%s'\n", name);
|
||||
audit_login((struct pr_passwd *)0, (struct passwd *)0,
|
||||
dpyinfo.name, "No entry in protected password db",
|
||||
ES_LOGIN_FAILED);
|
||||
return(FALSE);
|
||||
}
|
||||
|
||||
/*
|
||||
* look up user's regular account information...
|
||||
*/
|
||||
|
||||
p = getpwnam(name);
|
||||
|
||||
if ( p == NULL || strlen(name) == 0 ) {
|
||||
Debug("unknown user '%s'\n", name);
|
||||
audit_login((struct pr_passwd *)0, (struct passwd *)0,
|
||||
dpyinfo.name, "No entry in password file",
|
||||
ES_LOGIN_FAILED);
|
||||
return(FALSE);
|
||||
}
|
||||
|
||||
/* verify_info has become a catchall for info needed later */
|
||||
verify->user_name = name;
|
||||
verify->prpwd = b1_pwd;
|
||||
verify->pwd = p;
|
||||
strncpy(verify->terminal, dpyinfo.name, 15);
|
||||
verify->terminal[15]='\0';
|
||||
|
||||
}
|
||||
|
||||
Debug("Verify %s \n",name);
|
||||
|
||||
/* if the password doesn't exists, we can't check it, but
|
||||
* the user will be forced to change it later */
|
||||
if ( (UserHasPassword = password_exists(verify)) != 0 )
|
||||
if ( strcmp(bigcrypt(passwd,b1_pwd->ufld.fd_encrypt),
|
||||
b1_pwd->ufld.fd_encrypt) ) {
|
||||
Debug("verify failed\n");
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Password incorrect",
|
||||
ES_LOGIN_FAILED);
|
||||
return(FALSE);
|
||||
} else {
|
||||
Debug ("username/password verify succeeded\n");
|
||||
return(TRUE);
|
||||
}
|
||||
/*
|
||||
* all password checks failed...
|
||||
*/
|
||||
|
||||
return (FALSE);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* BLS_Verify
|
||||
*
|
||||
* verify the user
|
||||
*
|
||||
* return codes indicate authentication results.
|
||||
***************************************************************************/
|
||||
|
||||
#define MAXATTEMPTS 3
|
||||
|
||||
static struct passwd nouser = {"", "nope"}; /* invalid user password struct */
|
||||
|
||||
int
|
||||
BLS_Verify( char *name, char *passwd )
|
||||
{
|
||||
|
||||
static int login_attempts = 0; /* # failed authentications */
|
||||
|
||||
struct passwd *p; /* password structure */
|
||||
struct pr_passwd *prpwd;
|
||||
|
||||
struct utsname utsnam;
|
||||
int n;
|
||||
int uid;
|
||||
|
||||
/*
|
||||
* Desparate maneuvre to give dtgreet the privledges it needs
|
||||
*/
|
||||
if ( login_attempts == 0 ) {
|
||||
Debug("Setting luid for dtgreet\n");
|
||||
if ( getluid() == -1 )
|
||||
setluid(getuid());
|
||||
}
|
||||
|
||||
/*
|
||||
* validate password...
|
||||
*/
|
||||
|
||||
if ( CheckPassword(name, passwd) == FALSE) {
|
||||
p = verify->pwd;
|
||||
if ( focusWidget == passwd_text ) {
|
||||
|
||||
WriteBtmp(name);
|
||||
|
||||
if ((++login_attempts % MAXATTEMPTS) == 0 ) {
|
||||
|
||||
if (p->pw_name == NULL )
|
||||
p = &nouser;
|
||||
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Failed login(bailout)",
|
||||
ES_LOGIN_FAILED);
|
||||
}
|
||||
|
||||
} else if ( !UserHasPassword ) {
|
||||
/*
|
||||
* The user has not password -- this must be the initial login for this
|
||||
* user. Treat it like an expired password. This should invoke the
|
||||
* password program on behalf of the user.
|
||||
*/
|
||||
UserHasPassword = 1;
|
||||
return VF_PASSWD_AGED;
|
||||
}
|
||||
|
||||
return(VF_INVALID);
|
||||
}
|
||||
prpwd = verify->prpwd;
|
||||
p = verify->pwd;
|
||||
|
||||
/* check that the uid of both passwd and pr_passwd struct's agree */
|
||||
uid = p->pw_uid;
|
||||
if (uid != prpwd->ufld.fd_uid) {
|
||||
audit_login(prpwd, p, verify->terminal,
|
||||
"User id's inconsistent across password database\n",
|
||||
ES_LOGIN_FAILED);
|
||||
Debug("login failed - uid's do not match\n");
|
||||
return VF_BAD_UID;
|
||||
}
|
||||
verify->uid = uid;
|
||||
|
||||
/* check if user's account is locked
|
||||
* This can be by dead password (lifetime exceeded),
|
||||
* fd_lock is set, or fd_max_tries is exceeded.
|
||||
* locked_out is from libsec, but is poorly documented.
|
||||
*/
|
||||
if (locked_out(prpwd)) {
|
||||
Debug("Account locked\n");
|
||||
audit_login(prpwd, p, verify->terminal,
|
||||
"Account locked", ES_LOGIN_FAILED);
|
||||
return VF_INVALID;
|
||||
}
|
||||
/* can user log in at this time?
|
||||
* time_lock is in libsec, but poorly documented
|
||||
*/
|
||||
if (time_lock(prpwd)) {
|
||||
Debug("Account time-locked\n");
|
||||
audit_login(prpwd, p, verify->terminal,
|
||||
"Account time-locked", ES_LOGIN_FAILED);
|
||||
return VF_INVALID;
|
||||
}
|
||||
|
||||
/****************************************************
|
||||
xdm checks the security level here using
|
||||
verify_sec_user
|
||||
We do it later from the dtgreet callback rountine
|
||||
VerifySensitivityLevel()
|
||||
****************************************************/
|
||||
|
||||
#if 0
|
||||
/*
|
||||
* check restricted license...
|
||||
*
|
||||
* Note: This only applies to local displays. Foreign displays
|
||||
* (i.e. X-terminals) apparently do not count.
|
||||
*/
|
||||
|
||||
/* Get the version info via uname. If it doesn't look right,
|
||||
* assume the smallest user configuration
|
||||
*/
|
||||
|
||||
if (getenv(LOCATION) != NULL) {
|
||||
if (uname(&utsnam) < 0)
|
||||
utsnam.version[0] = MIN_VERSION;
|
||||
|
||||
/*
|
||||
* Mappings:
|
||||
* 834 -> 834
|
||||
* 844 -> 844
|
||||
* 836 -> 635
|
||||
* 846 -> 645
|
||||
* 843 -> 642
|
||||
* 853 -> 652
|
||||
*/
|
||||
|
||||
if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
|
||||
(!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
|
||||
(!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
|
||||
(!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
|
||||
(!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
|
||||
(!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
|
||||
|
||||
/* strict_count = 1;*/
|
||||
if (CountUsersStrict(name) > MAX_STRICT_USERS) {
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Attempted to login - too many users on the system",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_MAX_USERS);
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (utsnam.version[0] != UNLIMITED) {
|
||||
if ((utsnam.version[0]-'A' < 0) ||
|
||||
(utsnam.version[0]-'A' > NUM_VERSIONS))
|
||||
utsnam.version[0] = MIN_VERSION;
|
||||
|
||||
n = (int) utsnam.version[0] - 'A';
|
||||
if (CountUsers(1) > num_users[n]) {
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Attempted to login - too many users on the system",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_MAX_USERS);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* 0 */
|
||||
|
||||
/*
|
||||
* check password aging...
|
||||
*/
|
||||
|
||||
if ( passwordExpired(verify)) {
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Password expired",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_PASSWD_AGED);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* verify home directory exists...
|
||||
*/
|
||||
|
||||
if(chdir(p->pw_dir) < 0) {
|
||||
Debug("Attempted to login -- no home directory\n");
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
" Attempted to login - no home directory",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_HOME);
|
||||
}
|
||||
|
||||
/*
|
||||
* validate uid and gid...
|
||||
*/
|
||||
#ifdef NGROUPS
|
||||
getGroups(greet->name, verify, p->pw_gid);
|
||||
#else
|
||||
verify->gid = pwd->pw_gid;
|
||||
|
||||
if ((p->pw_gid < 0) ||
|
||||
(p->pw_gid > MAXUID) ||
|
||||
(setgid(p->pw_gid) == -1)) {
|
||||
|
||||
Debug("Attempted to login -- bad group id");
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Attempted to login - bad group id",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_BAD_GID);
|
||||
}
|
||||
#endif /* NGROUPS */
|
||||
|
||||
if ((p->pw_uid < 0) ||
|
||||
(p->pw_uid > MAXUID) ||
|
||||
(setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
|
||||
|
||||
Debug("Attempted to login -- bad user id\n");
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Attempted to login - bad user id",
|
||||
ES_LOGIN_FAILED);
|
||||
return(VF_BAD_UID);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* verify ok...
|
||||
*/
|
||||
|
||||
Debug ("Successful login\n");
|
||||
audit_login( b1_pwd, p ,dpyinfo.name,
|
||||
"Successful login",
|
||||
ES_LOGIN_REMOTE);
|
||||
return(VF_OK);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* WriteBtmp
|
||||
*
|
||||
* log bad login attempts
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
static void
|
||||
WriteBtmp( char *name )
|
||||
{
|
||||
int fd;
|
||||
struct utmp utmp, *u;
|
||||
|
||||
Boolean found=FALSE;
|
||||
|
||||
bzero(&utmp, sizeof(struct utmp));
|
||||
|
||||
utmp.ut_pid = getppid();
|
||||
while ((u = getutent()) != NULL) {
|
||||
if ( (u->ut_type == INIT_PROCESS ||
|
||||
u->ut_type == LOGIN_PROCESS ||
|
||||
u->ut_type == USER_PROCESS) &&
|
||||
u->ut_pid == utmp.ut_pid ) {
|
||||
|
||||
found = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* if no utmp entry, this may be an X-terminal. Construct a utmp
|
||||
* entry for it...
|
||||
*/
|
||||
|
||||
if ( ! found ) {
|
||||
strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
|
||||
strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
|
||||
utmp.ut_type = LOGIN_PROCESS;
|
||||
strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
|
||||
u = &utmp;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* If btmp exists, then record the bad attempt
|
||||
*/
|
||||
if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
|
||||
strncpy(u->ut_user, name, sizeof(u->ut_user));
|
||||
(void) time(&u->ut_time);
|
||||
write(fd, (char *)u, sizeof(utmp));
|
||||
(void) close(fd);
|
||||
}
|
||||
|
||||
endutent(); /* Close utmp file */
|
||||
}
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* VerifySensitivityLevel
|
||||
*
|
||||
* verify B1 Sensitivity Level
|
||||
**************************************************************************/
|
||||
extern char *sensitivityLevel;
|
||||
|
||||
int
|
||||
VerifySensitivityLevel( void)
|
||||
{
|
||||
|
||||
int i;
|
||||
|
||||
greet->b1security = sensitivityLevel =
|
||||
(char *) XmTextFieldGetString(passwd_text);
|
||||
|
||||
/* new functions: (side effects: auditing, change verify) */
|
||||
if (verify_user_seclevel(verify, sensitivityLevel)
|
||||
&& verify_sec_xterm(verify, sensitivityLevel)) {
|
||||
|
||||
Debug("verify_user_seclevel succeeded.\n");
|
||||
return VF_OK;
|
||||
}
|
||||
|
||||
Debug("verify_user_seclevel failed\n");
|
||||
return (VF_BAD_SEN_LEVEL);
|
||||
}
|
||||
|
||||
|
||||
#ifdef NGROUPS
|
||||
groupMember ( char *name, char **members )
|
||||
{
|
||||
while (*members) {
|
||||
if (!strcmp (name, *members))
|
||||
return 1;
|
||||
++members;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
getGroups ( char *name, struct verify_info *verify, int gid)
|
||||
{
|
||||
int ngroups;
|
||||
struct group *g;
|
||||
int i;
|
||||
|
||||
ngroups = 0;
|
||||
verify->groups[ngroups++] = gid;
|
||||
setgrent ();
|
||||
while (g = getgrent()) {
|
||||
/*
|
||||
* make the list unique
|
||||
*/
|
||||
for (i = 0; i < ngroups; i++)
|
||||
if (verify->groups[i] == g->gr_gid)
|
||||
break;
|
||||
if (i != ngroups)
|
||||
continue;
|
||||
if (groupMember (name, g->gr_mem)) {
|
||||
if (ngroups >= NGROUPS)
|
||||
LogError ("%s belongs to more than %d groups, %s ignored\n",
|
||||
name, NGROUPS, g->gr_name);
|
||||
else
|
||||
verify->groups[ngroups++] = g->gr_gid;
|
||||
}
|
||||
}
|
||||
verify->ngroups = ngroups;
|
||||
endgrent ();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* check whether the password has expired or not.
|
||||
* return 1 means that the password has expired.
|
||||
*/
|
||||
int
|
||||
passwordExpired( struct verify_info *verify)
|
||||
{
|
||||
struct pr_passwd *pr;
|
||||
time_t expiration;
|
||||
time_t last_change;
|
||||
time_t expiration_time;
|
||||
time_t now;
|
||||
int passwd_status;
|
||||
struct pr_passwd save_data;
|
||||
struct pr_default *df;
|
||||
char *ttime;
|
||||
char ptime[64];
|
||||
|
||||
pr = verify->prpwd;
|
||||
|
||||
/*
|
||||
* If null password, do not check expiration.
|
||||
*/
|
||||
|
||||
if (!pr->uflg.fg_encrypt || (pr->ufld.fd_encrypt[0] == '\0'))
|
||||
return 0;
|
||||
|
||||
now = time((long *) 0);
|
||||
|
||||
if (pr->uflg.fg_schange)
|
||||
last_change = pr->ufld.fd_schange;
|
||||
else
|
||||
last_change = (time_t) 0;
|
||||
|
||||
if (pr->uflg.fg_expire)
|
||||
expiration = pr->ufld.fd_expire;
|
||||
else if (pr->sflg.fg_expire)
|
||||
expiration = pr->sfld.fd_expire;
|
||||
else
|
||||
expiration = (time_t) 0;
|
||||
|
||||
df = getprdfnam(AUTH_DEFAULT);
|
||||
|
||||
/*
|
||||
* A 0 or missing expiration field means there is no
|
||||
* expiration.
|
||||
*/
|
||||
expiration_time = expiration ? last_change + expiration : 0;
|
||||
|
||||
if (expiration_time && now > expiration_time ) {
|
||||
/*
|
||||
* The password has expired
|
||||
*/
|
||||
Debug("The password is expired\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
Debug("The password is not expired\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/***************************************************************************
|
||||
*
|
||||
* end HP-UX authentication routines
|
||||
*
|
||||
***************************************************************************/
|
||||
#endif /* BLS */
|
|
@ -404,9 +404,6 @@ struct protoDisplay {
|
|||
struct greet_info {
|
||||
char *name; /* user name */
|
||||
char *password; /* user password */
|
||||
#ifdef BLS
|
||||
char *b1security; /* user's b1 security */
|
||||
#endif
|
||||
char *string; /* random string */
|
||||
#ifdef __PASSWD_ETC
|
||||
char *name_full; /* full SID */
|
||||
|
@ -428,15 +425,6 @@ struct verify_info {
|
|||
long audid; /* audit id */
|
||||
int audflg; /* audit flag */
|
||||
#endif
|
||||
#ifdef BLS
|
||||
char *user_name;
|
||||
struct mand_ir_t *sec_label_ir;
|
||||
struct mand_ir_t *clearance_ir;
|
||||
/* save these for logout time */
|
||||
struct pr_passwd *prpwd;
|
||||
struct passwd *pwd;
|
||||
char terminal[16];
|
||||
#endif
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -110,12 +110,6 @@ static char AppName[16] = DTLOGIN;
|
|||
# define DM_BOOL 2
|
||||
# define DM_ARGV 3
|
||||
|
||||
#ifdef BLS
|
||||
# define DEF_XDM_CONFIG CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xconfig"
|
||||
# define DEF_AUTH_DIR CDE_INSTALLATION_TOP "/lib/X11/Dtlogin"
|
||||
# define DEF_KEY_FILE CDE_INSTALLATION_TOP "/lib/X11/Dtlogin/Xkeys"
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* the following constants are supposed to be set in the makefile from
|
||||
|
|
|
@ -95,11 +95,6 @@
|
|||
# include "solaris.h"
|
||||
#endif
|
||||
|
||||
#ifdef BLS
|
||||
# include <sys/security.h>
|
||||
# include <prot.h>
|
||||
#endif
|
||||
|
||||
#ifdef __KERBEROS
|
||||
# include <krb.h>
|
||||
#endif /* __KERBEROS */
|
||||
|
@ -241,10 +236,6 @@ static char *defaultLanguage = NULL;
|
|||
|
||||
static sigjmp_buf abortSession;
|
||||
|
||||
#ifdef BLS
|
||||
static char *sensitivityLevel;
|
||||
#endif
|
||||
|
||||
#ifdef __KERBEROS
|
||||
static char krb_ticket_string[MAXPATHLEN];
|
||||
#endif /* __KERBEROS */
|
||||
|
@ -1189,10 +1180,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
|
|||
FILE *lastsession;
|
||||
char lastsessfile[MAXPATHLEN];
|
||||
|
||||
#ifdef BLS
|
||||
struct pr_passwd *b1_pwd;
|
||||
#endif
|
||||
|
||||
#ifdef __AFS
|
||||
#define NOPAG 0xffffffff
|
||||
long pagval, j;
|
||||
|
@ -1387,63 +1374,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
|
|||
|
||||
#ifndef sun
|
||||
|
||||
#ifdef BLS
|
||||
/*
|
||||
* HP BLS B1 session setup...
|
||||
*
|
||||
* 1. look up user's protected account information.
|
||||
* 2. set the session sensitivity/clearance levels
|
||||
* 3. set the logical UID (LUID)
|
||||
*/
|
||||
|
||||
if ( ISSECURE ) {
|
||||
Debug("BLS - Setting user's clearance, security level and luid.\n");
|
||||
set_auth_parameters(1, verify->argv);
|
||||
init_security();
|
||||
|
||||
verify->user_name = user;
|
||||
strncpy(verify->terminal,d->name,15);
|
||||
verify->terminal[15]='\0';
|
||||
verify->pwd = getpwnam(user);
|
||||
|
||||
if ( verify->pwd == NULL || strlen(user) == 0 ) {
|
||||
LogError(ReadCatalog(
|
||||
MC_LOG_SET,MC_LOG_NO_BLSACCT,MC_DEF_LOG_NO_BLSACCT));
|
||||
exit (1);
|
||||
}
|
||||
verify->prpwd= b1_pwd = getprpwnam(user);
|
||||
verify->uid = b1_pwd->ufld.fd_uid;
|
||||
|
||||
if ( b1_pwd == NULL || strlen(user) == 0 ) {
|
||||
LogError(ReadCatalog(
|
||||
MC_LOG_SET,MC_LOG_NO_BLSPACCT,MC_DEF_LOG_NO_BLSPACCT));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/*
|
||||
* This has already been done successfully by dtgreet
|
||||
* but we need to get all the information again for the
|
||||
* dtlogin process.
|
||||
*/
|
||||
if ( verify_user_seclevel(verify,sensitivityLevel) != 1 ) {
|
||||
Debug("BLS - Could not verify sensitivity level.\n");
|
||||
LogError(ReadCatalog(
|
||||
MC_LOG_SET,MC_LOG_NO_VFYLVL,MC_DEF_LOG_NO_VFYLVL));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
if ( change_to_user(verify) != 1 ) {
|
||||
Debug("BLS - Could not change to user: %s.\n",verify->user_name);
|
||||
LogError(ReadCatalog(
|
||||
MC_LOG_SET,MC_LOG_NO_BLSUSR,MC_DEF_LOG_NO_BLSUSR),
|
||||
verify->user_name);
|
||||
exit (1);
|
||||
}
|
||||
|
||||
Debug("BLS - Session setup complete.\n");
|
||||
} else {
|
||||
#endif /* BLS */
|
||||
|
||||
# ifdef __AFS
|
||||
if ( IsVerifyName(VN_AFS) ) {
|
||||
pagval = get_pag_from_groups(verify->groups[0], verify->groups[1]);
|
||||
|
@ -1522,10 +1452,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef BLS
|
||||
} /* ends the else clause of if ( ISSECURE ) */
|
||||
#endif /* BLS */
|
||||
|
||||
#endif /* ! sun */
|
||||
|
||||
/*
|
||||
|
@ -1569,23 +1495,6 @@ StartClient( struct verify_info *verify, struct display *d, int *pidp )
|
|||
if (greet.password)
|
||||
bzero(greet.password, strlen(greet.password));
|
||||
|
||||
#ifdef BLS
|
||||
/*
|
||||
* Write login information to a file
|
||||
* The file name should really be settable by some kind of resource
|
||||
* but time is short so we hard-wire it to ".dtlogininfo".
|
||||
*/
|
||||
if ( ! writeLoginInfo( ".dtlogininfo" , verify ) )
|
||||
Debug("Unable to write \".dtlogininfo\"\n");
|
||||
# ifndef NDEBUG
|
||||
/* extra debugging */
|
||||
if(!dump_sec_debug_info(verify)) {
|
||||
Debug("Something wrong with environment\n");
|
||||
exit(1);
|
||||
}
|
||||
# endif /* ! NDEBUG */
|
||||
#endif /* BLS */
|
||||
|
||||
/*
|
||||
* exec session...
|
||||
*/
|
||||
|
@ -2268,11 +2177,7 @@ RunGreeter( struct display *d, struct greet_info *greet,
|
|||
*/
|
||||
|
||||
if (d->authorizations && d->authFile &&
|
||||
waitVal(status) != NOTIFY_LANG_CHANGE
|
||||
#ifdef BLS
|
||||
&& waitVal(status) != NOTIFY_BAD_SECLEVEL
|
||||
#endif
|
||||
) {
|
||||
waitVal(status) != NOTIFY_LANG_CHANGE) {
|
||||
|
||||
/***
|
||||
Debug ("Done with authorization file %s, removing\n",
|
||||
|
@ -2351,13 +2256,6 @@ RunGreeter( struct display *d, struct greet_info *greet,
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef BLS
|
||||
/*
|
||||
* sensitivityLevel set in BLS_Verify()
|
||||
*/
|
||||
greet->b1security = sensitivityLevel;
|
||||
#endif
|
||||
|
||||
Verify(d, greet, verify);
|
||||
return;
|
||||
|
||||
|
@ -2405,10 +2303,6 @@ RunGreeter( struct display *d, struct greet_info *greet,
|
|||
LANGUAGESIZE) = '\0';
|
||||
|
||||
return;
|
||||
#ifdef BLS
|
||||
case NOTIFY_BAD_SECLEVEL:
|
||||
return;
|
||||
#endif
|
||||
case waitCompose (SIGTERM,0,0):
|
||||
Debug ("Greeter exited on SIGTERM\n");
|
||||
SessionExit(d, OPENFAILED_DISPLAY);
|
||||
|
@ -2769,9 +2663,6 @@ ManageGreeter( struct display *d, struct greet_info *greet,
|
|||
case VF_BAD_AID: SETMC(msg, BAD_AID); break;
|
||||
case VF_BAD_AFLAG: SETMC(msg, BAD_AFLAG); break;
|
||||
case VF_NO_LOGIN: SETMC(msg, NO_LOGIN); break;
|
||||
#ifdef BLS
|
||||
case VF_BAD_SEN_LEVEL: SETMC(msg, BAD_SEN_LEVEL); break;
|
||||
#endif
|
||||
case VF_MESSAGE: msg.id=0; msg.def=state->msg; break;
|
||||
default: msg.id=0; msg.def=""; break;
|
||||
}
|
||||
|
|
|
@ -55,8 +55,6 @@
|
|||
** self-auditing of login actions. Incompatible with
|
||||
** #ifdef SecureWare
|
||||
**
|
||||
** BLS HP BLS B1 simple authentication.
|
||||
**
|
||||
** __AFS AFS 3 authentication mechanism
|
||||
** __KERBEROS Kerberos authentication mechanism
|
||||
** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
|
||||
|
|
|
@ -74,10 +74,6 @@
|
|||
#define VF_CHALLENGE 12
|
||||
#define VF_MESSAGE 13
|
||||
|
||||
#ifdef BLS
|
||||
#define VF_BAD_SEN_LEVEL 14
|
||||
#endif
|
||||
|
||||
/****************************************************************************
|
||||
*
|
||||
* External procedure declarations
|
||||
|
|
|
@ -62,10 +62,6 @@ extern int errno;
|
|||
#include <Xm/Xm.h>
|
||||
#include "vgproto.h"
|
||||
|
||||
#ifdef BLS
|
||||
# include <sys/security.h>
|
||||
#endif
|
||||
|
||||
#ifdef USE_XINERAMA
|
||||
# include <Dt/DtXinerama.h>
|
||||
#endif
|
||||
|
|
|
@ -55,8 +55,6 @@
|
|||
** self-auditing of login actions. Incompatible with
|
||||
** #ifdef SecureWare
|
||||
**
|
||||
** BLS HP BLS B1 simple authentication.
|
||||
**
|
||||
** __AFS AFS 3 authentication mechanism
|
||||
** __KERBEROS Kerberos authentication mechanism
|
||||
** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
|
||||
|
|
|
@ -110,11 +110,6 @@ static void ProcessTraversal( Widget w, int direction) ;
|
|||
static void _DtShowDialog(DialogType dtype, XmString msg);
|
||||
static void TellRequester(char * buf, size_t nbytes);
|
||||
|
||||
# ifdef BLS
|
||||
static void PromptSensitivityLevel(void); /* prompt for B1 Sen. Level */
|
||||
int VerifySensitivityLevel(void); /* verify B1 Sensitivity Level */
|
||||
# endif
|
||||
|
||||
static int session_selected = False;
|
||||
static Widget default_dt = NULL;
|
||||
|
||||
|
@ -131,11 +126,6 @@ char *userName = "\0";
|
|||
struct passwd *user_p;
|
||||
|
||||
|
||||
#ifdef BLS
|
||||
static int normalPasswordWidget = True;
|
||||
char *sensitivityLevel = NULL;
|
||||
#endif
|
||||
|
||||
#ifndef SVR4
|
||||
long groups[NGROUPS];
|
||||
#endif
|
||||
|
@ -1877,67 +1867,6 @@ GetLoginTextPtr( Widget w )
|
|||
}
|
||||
|
||||
|
||||
#ifdef BLS
|
||||
/***************************************************************************
|
||||
*
|
||||
* PromptSensitivityLevel
|
||||
*
|
||||
* Prompt for B1 Sensitivity Level. The password widget set is reused for
|
||||
* this purpose rather than creating another complete widget set. It already
|
||||
* has most of the proper size and alignment specifications needed. Using
|
||||
* the password set also allows the B1 code changes to be more localized.
|
||||
*
|
||||
***************************************************************************/
|
||||
|
||||
static void
|
||||
PromptSensitivityLevel( void)
|
||||
{
|
||||
|
||||
Dimension width;
|
||||
int i, width1, width2;
|
||||
|
||||
/*
|
||||
* Use the password widget set to prompt for the B1 Sensitivity Level.
|
||||
* Remember to put it back to normal if the user presses [Clear].
|
||||
*/
|
||||
|
||||
normalPasswordWidget = False;
|
||||
|
||||
XtRemoveAllCallbacks(_text, XmNmodifyVerifyCallback);
|
||||
XmTextFieldSetString(_text,"");
|
||||
|
||||
|
||||
/*
|
||||
* Change the label and resize the password form...
|
||||
*/
|
||||
|
||||
i = 0;
|
||||
XtSetArg(argt[i], XmNresizable, True ); i++;
|
||||
XtSetArg(argt[i], XmNresizePolicy, XmRESIZE_ANY ); i++;
|
||||
XtSetValues(_form, argt, i);
|
||||
|
||||
i = 0;
|
||||
xmstr = ReadCatalogXms(MC_LABEL_SET, -1, "Sensitivity Level:");
|
||||
XtSetArg(argt[i], XmNrecomputeSize, True ); i++;
|
||||
XtSetArg(argt[i], XmNlabelString, xmstr ); i++;
|
||||
XtSetValues(_label, argt, i);
|
||||
|
||||
XmStringFree(xmstr);
|
||||
|
||||
/*
|
||||
* Center the form horizontally in the login_matte...
|
||||
*
|
||||
*/
|
||||
|
||||
CenterForm(matte1, _form);
|
||||
|
||||
ProcessTraversal(_text, XmTRAVERSE_CURRENT);
|
||||
|
||||
}
|
||||
|
||||
#endif /* BLS */
|
||||
|
||||
|
||||
static void
|
||||
TellRequester(char * buf, size_t nbytes)
|
||||
{
|
||||
|
|
|
@ -371,31 +371,6 @@ main( int argc, char **argv )
|
|||
|
||||
(void) signal(SIGTERM, Terminate);
|
||||
|
||||
|
||||
#ifdef BLS
|
||||
# ifndef NDEBUG
|
||||
{
|
||||
extern SIGVAL BLS_ToggleDebug( int arg );
|
||||
|
||||
/*
|
||||
* Allow debug output to be turned on for dtgreet.
|
||||
*/
|
||||
|
||||
(void) signal(SIGHUP, BLS_ToggleDebug);
|
||||
|
||||
}
|
||||
# endif /* NDEBUG */
|
||||
/*
|
||||
* set up authorization parameters, see the identity(3) man page...
|
||||
*/
|
||||
|
||||
if (ISSECURE) {
|
||||
set_auth_parameters(1, argv);
|
||||
init_security();
|
||||
}
|
||||
#endif /* BLS */
|
||||
|
||||
|
||||
/*
|
||||
* check some environment variables...
|
||||
*/
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue