Mercurial > crates > nonstick

view src/module.rs @ 65:8e507c7af9cf default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Added tag v0.0.5 for changeset bbe84835d6db
author Paul Fisher <paul@pfish.zone>
date Thu, 22 May 2025 02:08:10 -0400
parents bbe84835d6db
children
line wrap: on
line source

//! Functions and types useful for implementing a PAM module.

use crate::constants::{ErrorCode, Flags, Result};
use crate::handle::PamHandle;
use std::ffi::CStr;

/// A trait for a PAM module to implement.
///
/// The default implementations of all these hooks tell PAM to ignore them
/// (i.e., behave as if this module does not exist) by returning [`ErrorCode::Ignore`].
/// Override any functions you wish to handle in your module.
/// After implementing this trait, use the [`pam_hooks!`](crate::pam_hooks!) macro
/// to make the functions available to PAM.
///
/// For more information, see [`pam(3)`’s root manual page][manpage]
/// and the [PAM Module Writer’s Guide][mwg].
///
/// [manpage]: https://www.man7.org/linux/man-pages/man3/pam.3.html
/// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/Linux-PAM_MWG.html
#[allow(unused_variables)]
pub trait PamModule {
    // Functions for auth modules.

    /// Authenticate the user.
    ///
    /// This is probably the first thing you want to implement.
    /// In most cases, you will want to get the user and password,
    /// using [`PamHandle::get_user`] and [`PamHandle::get_authtok`],
    /// and verify them against something.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_authenticate`][mwg]
    /// for more information.
    ///
    /// # Valid flags
    ///
    /// This function may be called with the following flags set:
    ///
    /// - [`Flags::SILENT`]
    /// - [`Flags::DISALLOW_NULL_AUTHTOK`]
    ///
    /// # Returns
    ///
    /// If the password check was successful, return `Ok(())`.
    ///
    /// Sensible error codes to return include:
    ///
    /// - [`ErrorCode::AuthenticationError`]: Generic authentication error
    ///   (like an incorrect password).
    /// - [`ErrorCode::CredentialsInsufficient`]: The application does not have
    ///   sufficient credentials to authenticate the user.
    /// - [`ErrorCode::AuthInfoUnavailable`]: The module was not able to access
    ///   the authentication information, for instance due to a network failure.
    /// - [`ErrorCode::UserUnknown`]: The supplied username is not known by this service.
    /// - [`ErrorCode::MaxTries`]: The user has tried authenticating too many times.
    ///   They should not try again.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-auth.html#mwg-pam_sm_authenticate
    fn authenticate(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }

    /// Perform "account management".
    ///
    /// When PAM calls this function, the user has already been authenticated
    /// by an authentication module (either this one or some other module).
    /// This hook can check for other things, for instance:
    ///
    /// - Date/time (keep your kids off the computer at night)
    /// - Remote host (only let employees log in from the office)
    ///
    /// You can also check things like, e.g., password expiration,
    /// and alert that the user change it before continuing,
    /// or really do whatever you want.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_acct_mgmt`][mwg]
    /// for more information.
    ///
    ///
    /// # Valid flags
    ///
    /// This function may be called with the following flags set:
    ///
    /// - [`Flags::SILENT`]
    /// - [`Flags::DISALLOW_NULL_AUTHTOK`]
    ///
    /// # Returns
    ///
    /// If the user should be allowed to log in, return `Ok(())`.
    ///
    /// Sensible error codes to return include:
    ///
    /// - [`ErrorCode::AccountExpired`]: The user's account has expired.
    /// - [`ErrorCode::AuthenticationError`]: Generic authentication error.
    /// - [`ErrorCode::NewAuthTokRequired`]: The user's authentication token has expired.
    ///   PAM will ask the user to set a new authentication token, which may be handled by
    ///   this module in [`Self::change_authtok`].
    /// - [`ErrorCode::PermissionDenied`]: This one is pretty self-explanatory.
    /// - [`ErrorCode::UserUnknown`]: The supplied username is not known by this service.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-acct.html#mwg-pam_sm_acct_mgmt
    fn account_management(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }

    /// Set credentials on this session.
    ///
    /// If an authentication module knows more about the user than just
    /// their authentication token, then it uses this function to provide
    /// that information to the application. It should only be called after
    /// authentication but before a session is established.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_setcred`][mwg]
    /// for more information.
    ///
    /// # Valid flags
    ///
    /// This function may be called with the following flags set:
    ///
    /// - [`Flags::SILENT`]
    /// - [`Flags::ESTABLISH_CREDENTIALS`]: Initialize credentials for the user.
    /// - [`Flags::DELETE_CREDENTIALS`]: Delete the credentials associated with this module.
    /// - [`Flags::REINITIALIZE_CREDENTIALS`]: Re-initialize credentials for this user.
    /// - [`Flags::REFRESH_CREDENTIALS`]: Extend the lifetime of the user's credentials.
    ///
    /// # Returns
    ///
    /// If credentials were set successfully, return `Ok(())`.
    ///
    /// Sensible error codes to return include:
    ///
    /// - [`ErrorCode::CredentialsUnavailable`]: The credentials cannot be retrieved.
    /// - [`ErrorCode::CredentialsExpired`]: The credentials have expired.
    /// - [`ErrorCode::CredentialsError`]: Some other error occurred when setting credentials.
    /// - [`ErrorCode::UserUnknown`]: The supplied username is not known by this service.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-auth.html#mwg-pam_sm_setcred
    fn set_credentials(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }

    // Function for chauthtok modules.

    /// Called to set or reset the user's authentication token.
    ///
    /// PAM calls this function twice in succession.
    ///  1. The first time, [`Flags::PRELIMINARY_CHECK`] will be set.
    ///     If the new token is acceptable, return success;
    ///     if not, return [`ErrorCode::TryAgain`] to re-prompt the user.
    ///  2. After the preliminary check succeeds, [`Flags::UPDATE_AUTHTOK`]
    ///     will be set. On this call, actually update the stored auth token.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_chauthtok`][mwg]
    /// for more information.
    ///
    /// # Valid flags
    ///
    /// This function may be called with the following flags set:
    ///
    /// - [`Flags::SILENT`]
    /// - [`Flags::CHANGE_EXPIRED_AUTHTOK`]: This module should only change
    ///   any expired passwords, and leave non-expired passwords alone.
    ///   If present, it _must_ be combined with one of the following.
    /// - [`Flags::PRELIMINARY_CHECK`]: Don't actually change the password,
    ///   just check if the new one is valid.
    /// - [`Flags::UPDATE_AUTHTOK`]: Do actually change the password.
    ///
    /// # Returns
    ///
    /// If the authentication token was changed successfully
    /// (or the check passed), return `Ok(())`.
    ///
    /// Sensible error codes to return include:
    ///
    /// - [`ErrorCode::AuthTokError`]: The service could not get the authentication token.
    /// - [`ErrorCode::AuthTokRecoveryError`]: The service could not get the old token.
    /// - [`ErrorCode::AuthTokLockBusy`]: The password cannot be changed because
    ///   the authentication token is currently locked.
    /// - [`ErrorCode::AuthTokDisableAging`]: Aging (expiration) is disabled.
    /// - [`ErrorCode::PermissionDenied`]: What it says on the tin.
    /// - [`ErrorCode::TryAgain`]: When the preliminary check is unsuccessful,
    ///   ask the user for a new authentication token.
    /// - [`ErrorCode::UserUnknown`]: The supplied username is not known by this service.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-chauthtok.html#mwg-pam_sm_chauthtok
    fn change_authtok(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }

    // Functions for session modules.

    /// Called when a session is opened.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_open_session`][mwg]
    /// for more information.
    ///
    /// # Valid flags
    ///
    /// The only valid flag is [`Flags::SILENT`].
    ///
    /// # Returns
    ///
    /// If the session was opened successfully, return `Ok(())`.
    ///
    /// A sensible error code to return is:
    ///
    /// - [`ErrorCode::SessionError`]: Cannot make an entry for this session.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-session.html#mwg-pam_sm_open_session
    fn open_session(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }

    /// Called when a session is being terminated.
    ///
    /// See [the Module Writer's Guide entry for `pam_sm_close_session`][mwg]
    /// for more information.
    ///
    /// # Valid flags
    ///
    /// The only valid flag is [`Flags::SILENT`].
    ///
    /// # Returns
    ///
    /// If the session was closed successfully, return `Ok(())`.
    ///
    /// A sensible error code to return is:
    ///
    /// - [`ErrorCode::SessionError`]: Cannot remove an entry for this session.
    ///
    /// [mwg]: https://www.chiark.greenend.org.uk/doc/libpam-doc/html/mwg-expected-of-module-session.html#mwg-pam_sm_close_session
    fn close_session(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> Result<()> {
        Err(ErrorCode::Ignore)
    }
}

/// Generates the dynamic library entry points for a [PamModule] implementation.
///
/// Calling `pam_hooks!(SomeType)` on a type that implements [PamModule] will
/// generate the exported `extern "C"` functions that PAM uses to call into
/// your module.
///
/// ## Examples:
///
/// Here is full example of a PAM module that would authenticate and authorize everybody:
///
/// ```no_run
/// use nonstick::{Flags, PamHandle, PamModule, Result as PamResult, pam_hooks};
/// use std::ffi::CStr;
/// # fn main() {}
///
/// struct MyPamModule;
/// pam_hooks!(MyPamModule);
///
/// impl PamModule for MyPamModule {
///     fn authenticate(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> PamResult<()> {
///         let password = handle.get_authtok(Some("what's your password?"))?;
///         eprintln!("If you say your password is {:?}, who am I to disagree!", password.unsecure());
///         Ok(())
///     }
///
///     fn account_management(handle: &mut PamHandle, args: Vec<&CStr>, flags: Flags) -> PamResult<()> {
///         let username = handle.get_user(None)?;
///         // You should use a Conversation to communicate with the user
///         // instead of writing to the console, but this is just an example.
///         eprintln!("Hello {username}! I trust you unconditionally!");
///         Ok(())
///     }
/// }
/// ```
#[macro_export]
macro_rules! pam_hooks {
    ($ident:ident) => {
        mod _pam_hooks_scope {
            use std::ffi::{c_char, c_int, CStr};
            use $crate::{ErrorCode, Flags, PamModule};

            #[no_mangle]
            extern "C" fn pam_sm_acct_mgmt(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::account_management(
                    &mut pamh.into(),
                    args,
                    flags,
                ))
            }

            #[no_mangle]
            extern "C" fn pam_sm_authenticate(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::authenticate(&mut pamh.into(), args, flags))
            }

            #[no_mangle]
            extern "C" fn pam_sm_chauthtok(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::change_authtok(&mut pamh.into(), args, flags))
            }

            #[no_mangle]
            extern "C" fn pam_sm_close_session(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::close_session(&mut pamh.into(), args, flags))
            }

            #[no_mangle]
            extern "C" fn pam_sm_open_session(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::open_session(&mut pamh.into(), args, flags))
            }

            #[no_mangle]
            extern "C" fn pam_sm_setcred(
                pamh: *mut libc::c_void,
                flags: Flags,
                argc: c_int,
                argv: *const *const c_char,
            ) -> c_int {
                let args = extract_argv(argc, argv);
                ErrorCode::result_to_c(super::$ident::set_credentials(
                    &mut pamh.into(),
                    args,
                    flags,
                ))
            }

            /// Turns `argc`/`argv` into a [Vec] of [CStr]s.
            ///
            /// # Safety
            ///
            /// We use this only with arguments we get from `libpam`, which we kind of have to trust.
            fn extract_argv<'a>(argc: c_int, argv: *const *const c_char) -> Vec<&'a CStr> {
                (0..argc)
                    .map(|o| unsafe { CStr::from_ptr(*argv.offset(o as isize) as *const c_char) })
                    .collect()
            }
        }
    };
}

#[cfg(test)]
pub mod test {
    use crate::module::PamModule;

    struct Foo;
    impl PamModule for Foo {}

    pam_hooks!(Foo);
}