From efd293947f940180eedd8d0915b124f4aedccc08 Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan"
Date: Mon, 12 Jul 2021 21:09:10 -0700
Subject: Support running pam_cap.so as a simple binary.
This prints module information and supports the sole optional argument --help.
Signed-off-by: Andrew G. Morgan
---
 pam_cap/Makefile | 20 +++++++++++++++----
 pam_cap/capability.conf | 2 +-
 pam_cap/execable.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 5 deletions(-)
 create mode 100644 pam_cap/execable.c
diff --git a/pam_cap/Makefile b/pam_cap/Makefile
index ce63f16..a4c4891 100644
--- a/pam_cap/Makefile
+++ b/pam_cap/Makefile
@@ -15,21 +15,33 @@ install: all
 # does, *verify that it does*, and if you observe that it fails as
 # written (and you know why it fails), email me and explain why. Thanks!
-pam_cap.so: pam_cap.o
- $(LD) -o pam_cap.so $< $(LIBCAPLIB) $(LDFLAGS)
+../libcap/loader.txt:
+ $(MAKE) -C ../libcap loader.txt
+
+execable.o: execable.c ../libcap/execable.h ../libcap/loader.txt
+ $(CC) $(CFLAGS) $(IPATH) -DLIBCAP_VERSION=\"libcap-$(VERSION).$(MINOR)\" -DSHARED_LOADER=\"$(shell cat ../libcap/loader.txt)\" -c execable.c -o $@
+
+pam_cap.so: pam_cap.o execable.o
+ $(LD) -o pam_cap.so $+ $(LIBCAPLIB) $(LDFLAGS) --entry=__so_start
 pam_cap.o: pam_cap.c
 $(CC) $(CFLAGS) $(IPATH) -c $< -o $@
-test_pam_cap: test_pam_cap.c pam_cap.c
+../libcap/libcap.a:
+ $(MAKE) -C ../libcap libcap.a
+
+test_pam_cap: test_pam_cap.c pam_cap.c ../libcap/libcap.a
 $(CC) $(CFLAGS) $(IPATH) -o $@ test_pam_cap.c $(LIBCAPLIB) $(LDFLAGS) --static
 testlink: test.c pam_cap.o
 $(CC) $(CFLAGS) -o $@ $+ -lpam -ldl $(LIBCAPLIB) $(LDFLAGS)
-test: pam_cap.so test_pam_cap
+test: testlink test_pam_cap pam_cap.so
 $(MAKE) testlink
 ./test_pam_cap
+ LD_LIBRARY_PATH=../libcap ./pam_cap.so
+ LD_LIBRARY_PATH=../libcap ./pam_cap.so --help
+ @echo "module can be run as an executable!"
 sudotest: test test_pam_cap
 sudo ./test_pam_cap root 0x0 0x0 0x0 config=./capability.conf
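Review bot: The `execable.o` recipe splices `$(shell cat ../libcap/loader.txt)` into the compiler command line without checking the result, so if loader.txt is empty or unreadable the object is still built, with `SHARED_LOADER` defined as an empty string and no build error. What `SHARED_LOADER` is used for is defined in ../libcap/execable.h, which is not on this page; it presumably names the dynamic loader for the runnable module, so a silently empty value would only surface when the module is executed. A first recipe line such as `test -s ../libcap/loader.txt` would fail the build early instead. Separately, the new `../libcap/loader.txt:` and `../libcap/libcap.a:` rules have no prerequisites, so once those files exist they are never refreshed from this directory and `test_pam_cap` can be linked against a stale libcap.a; a comment stating that this is intended would help.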
diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf
index fb93ed9..08c01e1 100644
--- a/pam_cap/capability.conf
+++ b/pam_cap/capability.conf
@@ -25,7 +25,7 @@
 # config= - override the default config for the module with file
 # keepcaps - workaround for applications that setuid without this
 # autoauth - if you want pam_cap.so to always succeed for the auth phase
-# default - provide a failback IAB value if there is no '*' rule
+# default= - provide a fallback IAB value if there is no '*' rule
 ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
 #cap_setfcap morgan
diff --git a/pam_cap/execable.c b/pam_cap/execable.c
new file mode 100644
index 0000000..60cf667
--- /dev/null
+++ b/pam_cap/execable.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2021 Andrew G. Morgan
+ *
+ * The purpose of this file is to provide an executable mode for the
+ * pam_cap.so binary. If you run it directly, all it does is print
+ * version information.
+ *
+ * It accepts the optional --help argument which causes the executable
+ * to display a summary of all the supported, pam stacked, module
+ * arguments.
+ */
+
+#include
+#include
+#include
+
+#include "../libcap/execable.h"
+
+SO_MAIN(int argc, char **argv)
+{
+ const char *cmd = "";
+ if (argv != NULL) {
+ cmd = argv[0];
+ }
+
+ printf(
+ "%s (version " LIBCAP_VERSION ") is a PAM module to specify\n"
+ "inheritable (IAB) capabilities via the libpam authentication\n"
+ "abstraction. See the libcap License file for licensing information.\n"
+ "\n"
+ "Release notes and feature documentation for libcap and pam_cap.so\n"
+ "can be found at:\n"
+ "\n"
+ " https://sites.google.com/site/fullycapable/\n", cmd);
+ if (argc == 1) {
+ return;
+ }
+
+ if (argc > 2 || strcmp(argv[1], "--help")) {
+ printf("\n%s only supports the optional argument --help\n", cmd);
+ exit(1);
+ }
+
+ printf("\n"
+ "%s supports the following module arguments:\n"
+ "\n"
+ "debug - verbose logging (ignored for now)\n"
+ "config= - override the default config with file\n"
+ "keepcaps - workaround for apps that setuid without this\n"
+ "autoauth - pam_cap.so to always succeed for the 'auth' phase\n"
+ "default= - fallback IAB value if there is no '*' rule\n",
+ cmd);
+}
--
cgit v1.2.1
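Review bot: `SO_MAIN` does not handle an empty argument vector: with argc == 0 and argv[0] == NULL, `cmd` becomes NULL and is passed to the first `printf` for `%s`. Because `argc == 1` and `argc > 2` are then both false, the code goes on to call `strcmp(argv[1], "--help")`, which reads past the terminating NULL entry. How `SO_MAIN` obtains argc and argv is defined in ../libcap/execable.h, which is not on this page, so this assumes they arrive unmodified from process start-up. Suggested guards: `if (argv != NULL && argc > 0 && argv[0] != NULL) { cmd = argv[0]; }` and `if (argc <= 1) { return; }`.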