author | George Lebl <jirka@5z.com> | 2001-12-07 05:34:10 +0000 |
---|---|---|
committer | George Lebl <jirka@src.gnome.org> | 2001-12-07 05:34:10 +0000 |
commit | e130bfa971bb223d1ebc43fe28e0edd3600eaaf2 (patch) | |
tree | 9b50458f46cbc9f2591688cc0b5026bb14e65b59 | |
parent | 94044199cddd23d7f8ddba64e2dd1bdb625f20f5 (diff) | |
download | gdm-e130bfa971bb223d1ebc43fe28e0edd3600eaaf2.tar.gz |
Fix TimedLogin I broke on last commit
Thu Dec 06 22:09:11 2001 George Lebl <jirka@5z.com>
* daemon/slave.c: Fix TimedLogin I broke on last commit
* daemon/verify-pam.c: For autologin, still call authenticate,
but use the service gdm-autologin. Also a bit of cleanup.
* config/gdm-autologin, config/Makefile.am: A promiscuous
service. This will let anyone in, gdm uses this for autologin
or timed login when we want to let a user in without a password,
this way we can follow all the proper pam doodaah with
pam_authenticate and all that so we can safely call setcred
-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | config/Makefile.am | 6 | ||||
-rw-r--r-- | config/gdm-autologin | 8 | ||||
-rw-r--r-- | daemon/slave.c | 4 | ||||
-rw-r--r-- | daemon/verify-pam.c | 183 |
5 files changed, 109 insertions, 105 deletions
@@ -1,3 +1,16 @@
+Thu Dec 06 22:09:11 2001 George Lebl <jirka@5z.com>
+
+ * daemon/slave.c: Fix TimedLogin I broke on last commit
+
+ * daemon/verify-pam.c: For autologin, still call authenticate,
+ but use the service gdm-autologin. Also a bit of cleanup.
+
+ * config/gdm-autologin, config/Makefile.am: A promiscuous
+ service. This will let anyone in, gdm uses this for autologin
+ or timed login when we want to let a user in without a password,
+ this way we can follow all the proper pam doodaah with
+ pam_authenticate and all that so we can safely call setcred
+
 Tue Dec 04 20:46:57 2001 George Lebl <jirka@5z.com>
 * daemon/gdm.c, daemon/misc.[ch], daemon/display.c: On events where
diff --git a/config/Makefile.am b/config/Makefile.am
index c3ccb1fc..f401bbf3 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -17,6 +17,7 @@ EXTRA_DIST = \
 gnomerc.in \
 Xsession \
 gdm \
+ gdm-autologin \
 locale.alias \
 Default \
 PostSession \
@@ -119,7 +120,10 @@ install-data-hook: gdm.conf gnomerc Gnome
 if test $$system = Linux && test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm; then \
 $(INSTALL_DATA) gdm $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm; \
 fi; \
+ if test $$system = Linux && test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-autologin; then \
+ $(INSTALL_DATA) gdm-autologin $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-autologin; \
+ fi; \
 if test $$system = SunOS; then \
- echo "Please add PAM authentication for gdm in $(PAM_PREFIX)/pam.conf!"; \
+ echo "Please add PAM authentication for gdm and gdm-autologin in $(PAM_PREFIX)/pam.conf!"; \
 fi; \
 fi
diff --git a/config/gdm-autologin b/config/gdm-autologin
new file mode 100644
index 00000000..750db477
--- /dev/null
+++ b/config/gdm-autologin
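Review bot: The SunOS branch of install-data-hook in config/Makefile.am only tells the administrator to add a gdm-autologin entry to pam.conf, without saying that this service is meant to succeed with no password. Someone who copies the existing gdm entry will end up with a different policy from the one shipped in config/gdm-autologin, so the message should say so, for example `echo "Please add PAM authentication for gdm and gdm-autologin (passwordless, see config/gdm-autologin) in $(PAM_PREFIX)/pam.conf!"; \`. On Linux the `test '!' -f` guard keeps an existing pam.d/gdm-autologin, which also preserves a locally hardened copy across upgrades; a one-line comment above the new `if` stating that this is intentional would help.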
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_env.so
+auth required /lib/security/pam_nologin.so
+auth required /lib/security/pam_permit.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so
diff --git a/daemon/slave.c b/daemon/slave.c
index 04d34de8..98093387 100644
--- a/daemon/slave.c
+++ b/daemon/slave.c
@@ -471,7 +471,7 @@ gdm_slave_run (GdmDisplay *display)
 gdm_slave_send_string (GDM_SOP_LOGIN, ParsedAutomaticLogin);
 if (setup_automatic_session (d, ParsedAutomaticLogin)) {
- gdm_slave_session_start();
+ gdm_slave_session_start ();
 }
 gdm_slave_send_num (GDM_SOP_LOGGED_IN, FALSE);
@@ -491,7 +491,7 @@ gdm_slave_run (GdmDisplay *display)
 if (do_timed_login) {
 /* timed out into a timed login */
 do_timed_login = FALSE;
- if ( ! setup_automatic_session (d, ParsedTimedLogin)) {
+ if (setup_automatic_session (d, ParsedTimedLogin)) {
 gdm_slave_send_string (GDM_SOP_LOGIN, ParsedTimedLogin);
 gdm_slave_session_start ();
diff --git a/daemon/verify-pam.c b/daemon/verify-pam.c
index a666c54b..e0dce026 100644
--- a/daemon/verify-pam.c
+++ b/daemon/verify-pam.c
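Review bot: config/gdm-autologin carries no comment saying that it is passwordless on purpose, and `auth required /lib/security/pam_permit.so` makes authentication succeed for whatever user name the caller passes, so the file should open with a warning. A line such as `# Passwordless by design: used only by gdm for AutomaticLogin and TimedLogin. Do not point any other program at this service.` directly after `#%PAM-1.0` would do. Keeping `pam_nologin.so` ahead of `pam_permit.so` is right, because /etc/nologin is then still honoured. Nothing in this stack looks at the remote host, so for displays admitted through GdmAllowRemoteAutoLogin the gdm configuration is the only gate as far as this file goes; the comment could say that an administrator who wants a second gate has to add a host-based module here.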
@@ -202,6 +202,62 @@ static struct pam_conv standalone_pamc = {
 NULL
 };
+/* Creates a pam handle for the auto login */
+static gboolean
+create_pamh (GdmDisplay *d,
+ const char *service,
+ const char *login,
+ struct pam_conv *conv,
+ const char *display,
+ int *pamerr)
+{
+ if (login == NULL ||
+ display == NULL) {
+ gdm_error (_("Cannot setup pam handle with null login "
+ "and/or display"));
+ return FALSE;
+ }
+
+ if (pamh != NULL) {
+ gdm_error ("create_pamh: Stale pamh around, cleaning up");
+ pam_end (pamh, PAM_SUCCESS);
+ }
+ pamh = NULL;
+
+ /* Initialize a PAM session for the user */
+ if ((*pamerr = pam_start (service, login, conv, &pamh)) != PAM_SUCCESS) {
+ if (gdm_slave_should_complain ())
+ gdm_error (_("Can't find /etc/pam.d/%s!"), service);
+ return FALSE;
+ }
+
+ /* Inform PAM of the user's tty */
+ if ((*pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) {
+ if (gdm_slave_should_complain ())
+ gdm_error (_("Can't set PAM_TTY=%s"), display);
+ return FALSE;
+ }
+
+ /* gdm is requesting the login */
+ if ((*pamerr = pam_set_item (pamh, PAM_RUSER, GdmUser)) != PAM_SUCCESS) {
+ if (gdm_slave_should_complain ())
+ gdm_error (_("Can't set PAM_RUSER=%s"), GdmUser);
+ return FALSE;
+ }
+
+ /* From the host of the display */
+ if ((*pamerr = pam_set_item (pamh, PAM_RHOST,
+ d->console ? "localhost" : d->hostname)) != PAM_SUCCESS) {
+ if (gdm_slave_should_complain ())
+ gdm_error (_("Can't set PAM_RHOST=%s"),
+ d->console ? "localhost" : d->hostname);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+
 /**
 * gdm_verify_user:
 * @username: Name of user or NULL if we should ask
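Review bot: The NULL guard at the top of create_pamh returns FALSE without writing `*pamerr`, while every other failure path stores the PAM return code first. Both callers in this commit jump to an error label (`pamerr`, `setup_pamerr`) after a FALSE return; the bodies of those labels are outside the hunks, but if they read the code and the caller's variable is not initialised, they read an indeterminate value. Setting `*pamerr = PAM_SYSTEM_ERR;` before that `return FALSE;` closes the gap. The header comment still says "for the auto login" although gdm_verify_user now calls the helper with service "gdm"; it would be more useful as a short block stating that the function ends any stale global `pamh`, that `service` selects the PAM policy and should only ever be a fixed string, and that after a failed `pam_set_item` the handle is left open, so the caller has to end it.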
@@ -227,15 +283,9 @@ gdm_verify_user (GdmDisplay *d,
 gboolean started_timer = FALSE;
 gchar *auth_errmsg;
- if (pamh != NULL) {
- gdm_error ("gdm_verify_user: Stale pamh around, cleaning up");
- pam_end (pamh, PAM_SUCCESS);
- }
- pamh = NULL;
-
 /* start the timer for timed logins */
- if (local ||
- (!ve_string_empty(GdmTimedLogin) && GdmAllowRemoteAutoLogin)) {
+ if ( ! ve_string_empty (GdmTimedLogin) &&
+ (local || GdmAllowRemoteAutoLogin)) {
 gdm_slave_greeter_ctl_no_ret (GDM_STARTTIMER, "");
 started_timer = TRUE;
 }
@@ -256,45 +306,14 @@ gdm_verify_user (GdmDisplay *d,
 }
 cur_gdm_disp = d;
-
- /* Initialize a PAM session for the user */
- if ((pamerr = pam_start ("gdm", login, &pamc, &pamh)) != PAM_SUCCESS) {
- if (started_timer)
- gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't find /etc/pam.d/gdm!"));
- goto pamerr;
- }
-
- /* Inform PAM of the user's tty */
- if ((pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) {
- if (started_timer)
- gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_TTY=%s"), display);
- goto pamerr;
- }
- /* gdm is requesting the login */
- if ((pamerr = pam_set_item (pamh, PAM_RUSER, GdmUser)) != PAM_SUCCESS) {
- if (started_timer)
- gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_RUSER=%s"), GdmUser);
- goto pamerr;
- }
-
- /* From the host of the display */
- if ((pamerr = pam_set_item (pamh, PAM_RHOST,
- d->console ? "localhost" : d->hostname)) != PAM_SUCCESS) {
+ /* Initialize a PAM session for the user */
+ if ( ! create_pamh (d, "gdm", login, &pamc, display, &pamerr)) {
 if (started_timer)
 gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_RHOST=%s"),
- d->console ? "localhost" : d->hostname);
 goto pamerr;
 }
-
+
 #ifdef PAM_FAIL_DELAY
 pam_fail_delay (pamh, GdmRetryDelay * 1000);
 #endif /* PAM_FAIL_DELAY */
@@ -438,59 +457,6 @@ gdm_verify_user (GdmDisplay *d,
 return NULL;
 }
-/* Ensures a pamh existance */
-static gboolean
-ensure_pamh (GdmDisplay *d,
- const char *login,
- const char *display,
- int *pamerr)
-{
- if (login == NULL ||
- display == NULL) {
- gdm_error (_("Cannot setup pam handle with null login "
- "and/or display"));
- return FALSE;
- }
-
- if (pamh != NULL) {
- gdm_error ("gdm_verify_user: Stale pamh around, cleaning up");
- pam_end (pamh, PAM_SUCCESS);
- }
- pamh = NULL;
-
- /* Initialize a PAM session for the user */
- if ((*pamerr = pam_start ("gdm", login, &standalone_pamc, &pamh)) != PAM_SUCCESS) {
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't find /etc/pam.d/gdm!"));
- return FALSE;
- }
-
- /* Inform PAM of the user's tty */
- if ((*pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) {
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_TTY=%s"), display);
- return FALSE;
- }
-
- /* gdm is requesting the login */
- if ((*pamerr = pam_set_item (pamh, PAM_RUSER, GdmUser)) != PAM_SUCCESS) {
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_RUSER=%s"), GdmUser);
- return FALSE;
- }
-
- /* From the host of the display */
- if ((*pamerr = pam_set_item (pamh, PAM_RHOST,
- d->console ? "localhost" : d->hostname)) != PAM_SUCCESS) {
- if (gdm_slave_should_complain ())
- gdm_error (_("Can't set PAM_RHOST=%s"),
- d->console ? "localhost" : d->hostname);
- return FALSE;
- }
-
- return TRUE;
-}
-
 /**
 * gdm_verify_setup_user:
 * @login: The name of the user
@@ -512,7 +478,19 @@ gdm_verify_setup_user (GdmDisplay *d, const gchar *login, const gchar *display)
 cur_gdm_disp = d;
 /* Initialize a PAM session for the user */
- if ( ! ensure_pamh (d, login, display, &pamerr)) {
+ if ( ! create_pamh (d, "gdm-autologin", login, &standalone_pamc,
+ display, &pamerr)) {
+ goto setup_pamerr;
+ }
+
+ /* Start authentication session */
+ if ((pamerr = pam_authenticate (pamh, 0)) != PAM_SUCCESS) {
+ if (gdm_slave_should_complain ()) {
+ gdm_error (_("Couldn't authenticate user"));
+ gdm_error_box (cur_gdm_disp,
+ GNOME_MESSAGE_BOX_ERROR,
+ _("Authentication failed"));
+ }
 goto setup_pamerr;
 }
@@ -541,13 +519,13 @@ gdm_verify_setup_user (GdmDisplay *d, const gchar *login, const gchar *display)
 gdm_error (_("User %s no longer permitted to access the system"), login);
 gdm_error_box (cur_gdm_disp,
 GNOME_MESSAGE_BOX_ERROR,
- _("\nThe system administrator has disabled your account."));
+ _("\nThe system administrator has disabled your account."));
 goto setup_pamerr;
 case PAM_PERM_DENIED :
 gdm_error (_("User %s not permitted to gain access at this time"), login);
 gdm_error_box (cur_gdm_disp,
 GNOME_MESSAGE_BOX_ERROR,
- _("\nThe system administrator has your disabled access to the system temporary."));
+ _("\nThe system administrator has your disabled access to the system temporary."));
 goto setup_pamerr;
 default :
 if (gdm_slave_should_complain ())
@@ -559,10 +537,11 @@ gdm_verify_setup_user (GdmDisplay *d, const gchar *login, const gchar *display)
 if (/* paranoia */ pwent == NULL ||
 ! gdm_setup_gids (login, pwent->pw_gid)) {
 gdm_error (_("Cannot set user group for %s"), login);
- gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
- _("\nCannot set your user group, "
- "you will not be able to log in, "
- "please contact your system administrator."));
+ gdm_error_box (cur_gdm_disp,
+ GNOME_MESSAGE_BOX_ERROR,
+ _("\nCannot set your user group, "
+ "you will not be able to log in, "
+ "please contact your system administrator."));
 goto setup_pamerr;
 } |
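Review bot: Because the gdm-autologin stack added in this commit accepts any user name, the `login` argument is the only thing that decides which account gets a session in the first hunk of gdm_verify_setup_user, and nothing there checks it or documents what callers must guarantee. If the rejection of root and of names other than the configured AutomaticLogin/TimedLogin user lives in the callers (not visible here), say so in a comment above the create_pamh call, e.g. `/* gdm-autologin authenticates without a password; callers must pass only the configured autologin user, never root */`. The failure branch would also be easier to audit if the log line named the account and the PAM reason: `gdm_error (_("Couldn't authenticate user %s: %s"), login, pam_strerror (pamh, pamerr));`. gdm_verify_setup_user starts and ends outside this hunk.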