  1. /*
  2. * CDE - Common Desktop Environment
  3. *
  4. * Copyright (c) 1993-2012, The Open Group. All rights reserved.
  5. *
  6. * These libraries and programs are free software; you can
  7. * redistribute them and/or modify them under the terms of the GNU
  8. * Lesser General Public License as published by the Free Software
  9. * Foundation; either version 2 of the License, or (at your option)
  10. * any later version.
  11. *
  12. * These libraries and programs are distributed in the hope that
  13. * they will be useful, but WITHOUT ANY WARRANTY; without even the
  14. * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
  15. * PURPOSE. See the GNU Lesser General Public License for more
  16. * details.
  17. *
  18. * You should have received a copy of the GNU Lesser General Public
  19. * License along with these libraries and programs; if not, write
  20. * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
  21. * Floor, Boston, MA 02110-1301 USA
  22. */
  23. /* $XConsortium: vgauth.c /main/4 1996/10/04 16:56:33 drk $ */
  24. /* *
  25. * (c) Copyright 1993, 1994 Hewlett-Packard Company *
  26. * (c) Copyright 1993, 1994 International Business Machines Corp. *
  27. * (c) Copyright 1993, 1994 Sun Microsystems, Inc. *
  28. * (c) Copyright 1993, 1994 Novell, Inc. *
  29. */
  30. /************************************<+>*************************************
  31. ****************************************************************************
  32. **
  33. ** File: vgauth.c
  34. **
  35. ** Project: HP Visual User Environment (DT)
  36. **
  37. ** Description: Dtgreet user authentication routines
  38. **
  39. ** These routines validate the user; checking name, password,
  40. ** number of users on the system, password aging, etc.
  41. **
  42. **
  43. ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
  44. **
  45. **
  46. ** Conditional compiles for HPUX:
  47. **
  48. ** AUDIT HP C2 security enhancements; checks for existence of
  49. ** SECUREPASSWD file and authenticates user against
  50. ** password contained in that file. Also performs
  51. ** self-auditing of login actions. Incompatible with
  52. ** #ifdef SecureWare
  53. **
  54. ** __AFS AFS 3 authentication mechanism
  55. ** __KERBEROS Kerberos authentication mechanism
  56. ** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
  57. **
  58. ** Platform identification:
  59. **
  60. ** sun SUN OS only
  61. ** SVR4 SUN OS et al.
  62. ** _AIX AIX only
  63. **
  64. ****************************************************************************
  65. ************************************<+>*************************************/
  66. /***************************************************************************
  67. *
  68. * Includes & Defines
  69. *
  70. ***************************************************************************/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <pwd.h>
/* necessary for bzero */
#ifdef SVR4
#include <X11/Xfuncs.h>
#ifdef sun
#include <shadow.h>
#endif
#endif
#include "vg.h"
#include "vgmsg.h"
  84. /*
  85. * Define as generic those without platform specific code.
  86. */
  87. #if !(defined(_AIX) || defined(sun))
  88. #define generic
  89. #endif
  90. #ifdef sun
  91. /***************************************************************************
  92. *
  93. * Start authentication routines (SUN)
  94. *
  95. ***************************************************************************/
  96. /***************************************************************************
  97. *
  98. * External declarations (SUN)
  99. *
  100. ***************************************************************************/
  101. /***************************************************************************
  102. *
  103. * Procedure declarations (SUN)
  104. *
  105. ***************************************************************************/
  106. static void Audit( struct passwd *p, char *msg, int errnum) ;
  107. static int PasswordAged( struct passwd *pw) ;
  108. static void WriteBtmp( char *name) ;
  109. /***************************************************************************
  110. *
  111. * Global variables (SUN)
  112. *
  113. ***************************************************************************/
/***************************************************************************
 *
 * Audit (SUN)
 *
 * Audit hook called by Verify() after every decisive authentication
 * outcome. No audit record is written on this port; the only thing the
 * routine does is put the program back to super-user, because Verify()
 * may already have switched the effective uid to the user's.
 *
 * NOTE(review): the seteuid() result is not checked, so a failure here
 * would leave the greeter running with the user's effective uid.
 *
 ***************************************************************************/
static void
Audit( struct passwd *p, char *msg, int errnum )
{
    /* accepted only so every port shares the same Audit() signature */
    (void) p;
    (void) msg;
    (void) errnum;

    (void) seteuid((uid_t) 0);
}
/***************************************************************************
 *
 * WriteBtmp (SUN)
 *
 * Record a failed login attempt for "name". No bad-login log (btmp) is
 * kept on this port, so the name is accepted and ignored; the routine
 * exists so Verify() can call it uniformly across ports.
 *
 ***************************************************************************/
static void
WriteBtmp( char *name )
{
    (void) name;
}
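/***************************************************************************
 *
 * PasswordAged (SUN)
 *
 * Decide from the SVR4 pw_age field whether the user must choose a new
 * password. pw_age is a base-64 string (a64l): the low six bits hold the
 * maximum number of weeks the password stays valid, the next six bits
 * the minimum number of weeks before it may be changed, and the rest
 * the week (since 1/1/70) in which it was last changed.
 *
 * Returns 1 when a new password must be requested, 0 otherwise. A NULL
 * entry, a NULL pw_age or an empty pw_age means "no aging" and yields 0
 * (the original code dereferenced pw_age without checking and compared
 * the first character against NULL instead of '\0').
 *
 ***************************************************************************/
#define SECONDS_IN_WEEK 604800L

static int
PasswordAged( struct passwd *pw )
{
    long age;           /* decoded pw_age value */
    long change_week;   /* week password was changed (1/1/70 = Week 0) */
    long last_week;     /* max weeks the password may be kept */
    long first_week;    /* min weeks before the password can change */
    long this_week;     /* this week derived from time() */

    /* no aging information: nothing to enforce */
    if (pw == NULL || pw->pw_age == NULL || pw->pw_age[0] == '\0')
        return(0);

    age = (long) a64l(pw->pw_age);
    last_week = age & 0x3f;             /* first six bits */
    first_week = (age >> 6) & 0x3f;     /* next six bits */
    change_week = age >> 12;            /* everything else */
    this_week = (long) time((time_t *) 0) / SECONDS_IN_WEEK;

    /*
     * Password aging conditions:
     *  * if the last week is less than the first week (e.g., the aging
     *    field looks like "./"), only the superuser can change the
     *    password. We don't request a new password.
     *  * if the week the password was last changed is after this week,
     *    we have a problem, and request a new password.
     *  * if this week is after the specified aging time, we request
     *    a new password.
     */
    if (last_week < first_week)
        return(0);

    if (change_week <= this_week && this_week <= (change_week + last_week))
        return(0);

    return(1);
}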
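/***************************************************************************
 *
 * Verify (SUN)
 *
 * Authenticate "name" with the cleartext "passwd" against the shadow
 * password database, then run the post-authentication checks: password
 * aging, existence of the home directory, and that the entry's gid and
 * uid can actually be assumed.
 *
 * Returns VF_OK on success; VF_INVALID for a NULL/empty name, NULL
 * password, unknown user, missing shadow entry or wrong password; and
 * VF_PASSWD_AGED / VF_HOME / VF_BAD_GID / VF_BAD_UID when the
 * corresponding later check fails.
 *
 * Side effects on the way to VF_OK: the process cwd becomes pw_dir and
 * setgid()/seteuid() are called with the user's ids; Audit() puts the
 * effective uid back to 0 before Verify() returns (the gid is not put
 * back). Failed attempts are counted in one static counter shared by
 * every user; it only triggers an audit record every MAXATTEMPTS
 * failures and neither locks the account nor slows further attempts.
 *
 ***************************************************************************/
#define MAXATTEMPTS 3

extern Widget focusWidget;              /* login or password text field */
struct passwd nouser = {"", "nope"};    /* placeholder for unknown users; its
                                           password field is only ever used
                                           as a crypt() salt, never matched */
int
Verify( char *name, char *passwd )
{
    static int login_attempts = 0;      /* # failed authentications */
    struct passwd *p;                   /* password structure */
    struct spwd *sp;                    /* shadow info */
    char *hash = NULL;                  /* stored hash, NULL if none usable */
    char *crypted;                      /* crypt() result, may be NULL */
    char *crypt();

    /* nothing to authenticate */
    if (name == NULL || passwd == NULL)
        return(VF_INVALID);

    p = getpwnam(name);
    sp = (p != NULL) ? getspnam(name) : NULL;

    /*
     * Only trust a hash that actually exists: getspnam() returns NULL for
     * a user without a shadow entry (previously dereferenced unchecked),
     * and the shadow password field itself may be NULL.
     */
    if (p != NULL && sp != NULL && sp->sp_pwdp != NULL && name[0] != '\0')
        hash = sp->sp_pwdp;

    /*
     * Run crypt() even for an unknown user, against the placeholder salt,
     * so the reject path costs about the same whether the name or the
     * password was wrong; otherwise a caller can tell valid account names
     * apart by timing. crypt() returns NULL for an unsupported or
     * malformed hash; that is a mismatch, not something to hand to
     * strcmp().
     */
    crypted = crypt(passwd, hash != NULL ? hash : nouser.pw_passwd);

    if (hash == NULL || crypted == NULL || strcmp(crypted, hash) != 0) {
        /* only count attempts made from the password field */
        if ( focusWidget == passwd_text ) {
            WriteBtmp(name);
            if ((++login_attempts % MAXATTEMPTS) == 0 ) {
                /* unknown user: audit the placeholder, not a NULL entry */
                Audit(p != NULL ? p : &nouser, " Failed login (bailout)", 1);
            }
        }
        return(VF_INVALID);
    }

    /*
     * check password aging...
     */
    if ( PasswordAged(p) ) return(VF_PASSWD_AGED);

    /*
     * verify home directory exists. This runs before the ids are
     * switched, so it proves the directory exists, not that the user can
     * enter it, and it leaves the process cwd in pw_dir.
     */
    if(chdir(p->pw_dir) < 0) {
        Audit(p, " attempted to login - no home directory", 1);
        return(VF_HOME);
    }

    /*
     * validate uid and gid by actually switching to them. The "< 0" tests
     * only have an effect where gid_t/uid_t are signed. Supplementary
     * groups are not initialised here (no initgroups()); presumably the
     * caller does that — confirm.
     */
    if ((p->pw_gid < 0) ||
        (setgid(p->pw_gid) == -1)) {
        Audit(p, " attempted to login - bad group id", 1);
        return(VF_BAD_GID);
    }

    if ((p->pw_uid < 0) ||
        (seteuid(p->pw_uid) == -1)) {
        Audit(p, " attempted to login - bad user id", 1);
        return(VF_BAD_UID);
    }

    /*
     * verify ok... Audit() restores the effective uid to 0.
     */
    Audit(p, " Successful login", 0);
    return(VF_OK);
}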
  242. /***************************************************************************
  243. *
  244. * End authentication routines (SUN)
  245. *
  246. ***************************************************************************/
  247. #endif /* sun */
  248. /***************************************************************************
  249. ***************************************************************************
  250. ***************************************************************************
  251. ***************************************************************************
  252. ***************************************************************************
  253. ***************************************************************************
  254. ***************************************************************************
  255. ***************************************************************************/
  256. #ifdef _AIX
  257. /***************************************************************************
  258. *
  259. * Start authentication routines (AIX)
  260. *
  261. ***************************************************************************/
  262. #include <time.h>
  263. #include <sys/types.h>
  264. #include <usersec.h>
  265. #include <userpw.h>
  266. #include <userconf.h>
  267. /***************************************************************************
  268. *
  269. * External declarations (AIX)
  270. *
  271. ***************************************************************************/
  272. /***************************************************************************
  273. *
  274. * Procedure declarations (AIX)
  275. *
  276. ***************************************************************************/
  277. static void Audit( struct passwd *p, char *msg, int errnum) ;
  278. static int PasswordAged(char *name, struct passwd *pw) ;
  279. static void WriteBtmp( char *name) ;
  280. /***************************************************************************
  281. *
  282. * Global variables (AIX)
  283. *
  284. ***************************************************************************/
/***************************************************************************
 *
 * Audit (AIX)
 *
 * Audit hook called by Verify() after every decisive authentication
 * outcome. Nothing is recorded on this port; the routine only resets the
 * effective uid to 0. Verify() on this port never changes the effective
 * uid, so the call is kept for parity with the other ports.
 *
 * NOTE(review): the seteuid() result is not checked.
 *
 ***************************************************************************/
static void
Audit( struct passwd *p, char *msg, int errnum )
{
    /* accepted only so every port shares the same Audit() signature */
    (void) p;
    (void) msg;
    (void) errnum;

    (void) seteuid((uid_t) 0);
}
/***************************************************************************
 *
 * WriteBtmp (AIX)
 *
 * Record a failed login attempt for "name". No bad-login log is kept on
 * this port; the name is accepted and ignored so Verify() can call the
 * routine uniformly across ports.
 *
 ***************************************************************************/
static void
WriteBtmp( char *name )
{
    (void) name;
}
/***************************************************************************
 *
 * PasswordAged (AIX)
 *
 * Decide whether the password of "name" has passed the system-wide
 * maximum age. The last-change time and flags come from the user
 * database (getuserpw()); the maximum age in weeks comes from
 * getconfattr(SC_SYS_PASSWD, SC_MAXAGE).
 *
 * Returns TRUE when the password has expired and FALSE when it has not,
 * when the account carries PW_NOCHECK, when no maximum age is configured
 * (or it cannot be read), or when it is zero. A user with no getuserpw()
 * record is treated as last changed at time 0, so with a maximum age
 * configured the result for such a user is TRUE.
 *
 * The passwd entry "pw" is not consulted.
 *
 ***************************************************************************/
#define SECONDS_IN_WEEK 604800L

static int
PasswordAged(char *name, struct passwd *pw )
{
    struct userpw *entry;       /* record returned by getuserpw(), if any */
    ulong lastupdate = 0;       /* time of the last password change */
    ulong flags = 0;            /* PW_* flags of the account */
    ulong maxage_weeks;         /* system-wide maximum age, in weeks */
    ulong deadline;             /* lastupdate + maximum age, in seconds */

    (void) pw;

    /* only the 'lastupdate' and 'flags' fields are needed from the record */
    setpwdb(S_READ);
    entry = getuserpw(name);
    if (entry != NULL) {
        lastupdate = entry->upw_lastupdate;
        flags = entry->upw_flags;
    }
    endpwdb();

    /* nocheck accounts never expire */
    if (flags & PW_NOCHECK)
        return(FALSE);

    /* no usable system-wide limit: treat the password as current */
    if (getconfattr(SC_SYS_PASSWD, SC_MAXAGE, (void *)&maxage_weeks, SEC_INT) != 0
        || maxage_weeks == 0)
        return(FALSE);

    deadline = lastupdate + maxage_weeks * SECONDS_IN_WEEK;
    if (deadline >= (ulong) time((long *) 0))
        return(FALSE);

    return(TRUE);
}
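/***************************************************************************
 *
 * Verify (AIX)
 *
 * Authenticate "name" with the cleartext "passwd" against the password
 * field of the getpwnam() entry, then run the post-authentication
 * checks: password aging, existence of the home directory, and that the
 * entry's gid can be assumed (the uid is range-checked only; this port
 * does not seteuid()).
 *
 * Returns VF_OK on success; VF_INVALID for a NULL/empty name, NULL
 * password, unknown user or wrong password; and VF_PASSWD_AGED / VF_HOME
 * / VF_BAD_GID / VF_BAD_UID when the corresponding later check fails.
 *
 * Side effects on the way to VF_OK: the process cwd becomes pw_dir and
 * setgid() is called with the user's gid (it is not put back). Failed
 * attempts are counted in one static counter shared by every user; it
 * only triggers an audit record every MAXATTEMPTS failures and neither
 * locks the account nor slows further attempts.
 *
 ***************************************************************************/
#define MAXATTEMPTS 3

extern Widget focusWidget;              /* login or password text field */
struct passwd nouser = {"", "nope"};    /* placeholder for unknown users; its
                                           password field is only ever used
                                           as a crypt() salt, never matched */
int
Verify( char *name, char *passwd )
{
    static int login_attempts = 0;      /* # failed authentications */
    struct passwd *p;                   /* password structure */
    char *hash = NULL;                  /* stored hash, NULL if none usable */
    char *crypted;                      /* crypt() result, may be NULL */
    char *crypt();

    /* nothing to authenticate */
    if (name == NULL || passwd == NULL)
        return(VF_INVALID);

    p = getpwnam(name);

    /* only trust a hash that actually exists */
    if (p != NULL && p->pw_passwd != NULL && name[0] != '\0')
        hash = p->pw_passwd;

    /*
     * Run crypt() even for an unknown user, against the placeholder salt,
     * so the reject path costs about the same whether the name or the
     * password was wrong; otherwise a caller can tell valid account names
     * apart by timing. crypt() returns NULL for an unsupported or
     * malformed hash; that is a mismatch, not something to hand to
     * strcmp().
     */
    crypted = crypt(passwd, hash != NULL ? hash : nouser.pw_passwd);

    if (hash == NULL || crypted == NULL || strcmp(crypted, hash) != 0) {
        /* only count attempts made from the password field */
        if ( focusWidget == passwd_text ) {
            WriteBtmp(name);
            if ((++login_attempts % MAXATTEMPTS) == 0 ) {
                /* unknown user: audit the placeholder, not a NULL entry */
                Audit(p != NULL ? p : &nouser, " Failed login (bailout)", 1);
            }
        }
        return(VF_INVALID);
    }

    /*
     * check password aging...
     */
    if ( PasswordAged(name,p) ) return(VF_PASSWD_AGED);

    /*
     * verify home directory exists. This runs with the greeter's own
     * ids, so it proves the directory exists, not that the user can
     * enter it, and it leaves the process cwd in pw_dir.
     */
    if(chdir(p->pw_dir) < 0) {
        Audit(p, " attempted to login - no home directory", 1);
        return(VF_HOME);
    }

    /*
     * validate gid by actually switching to it, and range-check the uid.
     * The "< 0" tests only have an effect where gid_t/uid_t are signed.
     * Supplementary groups are not initialised here (no initgroups());
     * presumably the caller does that — confirm.
     */
    if ((p->pw_gid < 0) ||
        (setgid(p->pw_gid) == -1)) {
        Audit(p, " attempted to login - bad group id", 1);
        return(VF_BAD_GID);
    }

    if ((p->pw_uid < 0)) {
        Audit(p, " attempted to login - bad user id", 1);
        return(VF_BAD_UID);
    }

    /*
     * verify ok...
     */
    Audit(p, " Successful login", 0);
    return(VF_OK);
}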
  438. /***************************************************************************
  439. *
  440. * End authentication routines (AIX)
  441. *
  442. ***************************************************************************/
  443. #endif /* _AIX */
  444. /***************************************************************************
  445. ***************************************************************************
  446. ***************************************************************************
  447. ***************************************************************************
  448. ***************************************************************************
  449. ***************************************************************************
  450. ***************************************************************************
  451. ***************************************************************************/
  452. #ifdef generic
  453. /***************************************************************************
  454. *
  455. * Start authentication routines (generic)
  456. *
  457. ***************************************************************************/
  458. /***************************************************************************
  459. *
  460. * These are a set of routine to do simple password, home dir, uid, and gid
  461. * validation. They can be used as a first pass validation for future
  462. * porting efforts.
  463. *
  464. * When platform specific validation is developed, those routines should be
  465. * included in their own section and the use of these routines discontinued.
  466. *
  467. ***************************************************************************/
  468. /***************************************************************************
  469. *
  470. * External declarations (generic)
  471. *
  472. ***************************************************************************/
  473. /***************************************************************************
  474. *
  475. * Procedure declarations (generic)
  476. *
  477. ***************************************************************************/
  478. static void Audit( struct passwd *p, char *msg, int errnum) ;
  479. static int PasswordAged( struct passwd *pw) ;
  480. static void WriteBtmp( char *name) ;
  481. /***************************************************************************
  482. *
  483. * Global variables (generic)
  484. *
  485. ***************************************************************************/
/***************************************************************************
 *
 * Audit (generic)
 *
 * Audit hook called by Verify() after every decisive authentication
 * outcome. No audit record is written by the generic port; the only
 * thing the routine does is put the program back to super-user, because
 * Verify() may already have switched the effective uid to the user's.
 *
 * NOTE(review): the seteuid() result is not checked, so a failure here
 * would leave the greeter running with the user's effective uid.
 *
 ***************************************************************************/
static void
Audit( struct passwd *p, char *msg, int errnum )
{
    /* accepted only so every port shares the same Audit() signature */
    (void) p;
    (void) msg;
    (void) errnum;

    (void) seteuid((uid_t) 0);
}
/***************************************************************************
 *
 * WriteBtmp (generic)
 *
 * Record a failed login attempt for "name". The generic port keeps no
 * bad-login log; the name is accepted and ignored so Verify() can call
 * the routine uniformly across ports.
 *
 ***************************************************************************/
static void
WriteBtmp( char *name )
{
    (void) name;
}
/***************************************************************************
 *
 * PasswordAged (Generic)
 *
 * Password aging is not implemented by the generic port: every password
 * is reported as current, whatever "pw" contains. SECONDS_IN_WEEK is
 * defined for parity with the platform ports but is not used here.
 *
 ***************************************************************************/
#define SECONDS_IN_WEEK 604800L

static int
PasswordAged( struct passwd *pw )
{
    (void) pw;
    return(FALSE);
}
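/***************************************************************************
 *
 * Verify (generic)
 *
 * Authenticate "name" with the cleartext "passwd" against the password
 * field of the getpwnam() entry, then run the post-authentication
 * checks: password aging, existence of the home directory, and that the
 * entry's gid and uid can actually be assumed.
 *
 * NOTE(review): only pw_passwd is consulted. On a system that keeps the
 * hashes in a separate shadow database that field is a placeholder and
 * this comparison cannot succeed; the sun port above reads the shadow
 * entry instead. Confirm which applies before using this port.
 *
 * Returns VF_OK on success; VF_INVALID for a NULL/empty name, NULL
 * password, unknown user or wrong password; and VF_PASSWD_AGED / VF_HOME
 * / VF_BAD_GID / VF_BAD_UID when the corresponding later check fails.
 *
 * Side effects on the way to VF_OK: the process cwd becomes pw_dir and
 * setgid()/seteuid() are called with the user's ids; Audit() puts the
 * effective uid back to 0 before Verify() returns (the gid is not put
 * back). Failed attempts are counted in one static counter shared by
 * every user; it only triggers an audit record every MAXATTEMPTS
 * failures and neither locks the account nor slows further attempts.
 *
 ***************************************************************************/
#define MAXATTEMPTS 3

extern Widget focusWidget;              /* login or password text field */
struct passwd nouser = {"", "nope"};    /* placeholder for unknown users; its
                                           password field is only ever used
                                           as a crypt() salt, never matched */
int
Verify( char *name, char *passwd )
{
    static int login_attempts = 0;      /* # failed authentications */
    struct passwd *p;                   /* password structure */
    char *hash = NULL;                  /* stored hash, NULL if none usable */
    char *crypted;                      /* crypt() result, may be NULL */
    char *crypt();

    /* nothing to authenticate */
    if (name == NULL || passwd == NULL)
        return(VF_INVALID);

    p = getpwnam(name);

    /* only trust a hash that actually exists */
    if (p != NULL && p->pw_passwd != NULL && name[0] != '\0')
        hash = p->pw_passwd;

    /*
     * Run crypt() even for an unknown user, against the placeholder salt,
     * so the reject path costs about the same whether the name or the
     * password was wrong; otherwise a caller can tell valid account names
     * apart by timing. crypt() returns NULL for an unsupported or
     * malformed hash; that is a mismatch, not something to hand to
     * strcmp().
     */
    crypted = crypt(passwd, hash != NULL ? hash : nouser.pw_passwd);

    if (hash == NULL || crypted == NULL || strcmp(crypted, hash) != 0) {
        /* only count attempts made from the password field */
        if ( focusWidget == passwd_text ) {
            WriteBtmp(name);
            if ((++login_attempts % MAXATTEMPTS) == 0 ) {
                /* unknown user: audit the placeholder, not a NULL entry */
                Audit(p != NULL ? p : &nouser, " Failed login (bailout)", 1);
            }
        }
        return(VF_INVALID);
    }

    /*
     * check password aging...
     */
    if ( PasswordAged(p) ) return(VF_PASSWD_AGED);

    /*
     * verify home directory exists. This runs before the ids are
     * switched, so it proves the directory exists, not that the user can
     * enter it, and it leaves the process cwd in pw_dir.
     */
    if(chdir(p->pw_dir) < 0) {
        Audit(p, " attempted to login - no home directory", 1);
        return(VF_HOME);
    }

    /*
     * validate uid and gid by actually switching to them. The "< 0" tests
     * only have an effect where gid_t/uid_t are signed. Supplementary
     * groups are not initialised here (no initgroups()); presumably the
     * caller does that — confirm.
     */
    if ((p->pw_gid < 0) ||
        (setgid(p->pw_gid) == -1)) {
        Audit(p, " attempted to login - bad group id", 1);
        return(VF_BAD_GID);
    }

    if ((p->pw_uid < 0) ||
        (seteuid(p->pw_uid) == -1)) {
        Audit(p, " attempted to login - bad user id", 1);
        return(VF_BAD_UID);
    }

    /*
     * verify ok... Audit() restores the effective uid to 0.
     */
    Audit(p, " Successful login", 0);
    return(VF_OK);
}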
  585. /***************************************************************************
  586. *
  587. * End authentication routines (generic)
  588. *
  589. ***************************************************************************/
  590. #endif /* generic */
  591. /***************************************************************************
  592. ***************************************************************************
  593. ***************************************************************************
  594. ***************************************************************************
  595. ***************************************************************************
  596. ***************************************************************************
  597. ***************************************************************************
  598. ***************************************************************************/