From 22c5ffde30008c8f9127db60a99812cd311860ab Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Tue, 25 Sep 2012 20:23:01 +0200
Subject: a simple pam user mapper module

---
 mysql-test/suite/plugins/r/pam.result | 2 +-
 mysql-test/suite/plugins/t/pam.test | 2 +-
 plugin/auth_pam/mapper/pam_user_map.c | 93 +++++++++++++++++++++++++++++++
 plugin/auth_pam/testing/pam_mariadb_mtr.c | 20 ++-----
 4 files changed, 100 insertions(+), 17 deletions(-)
 create mode 100644 plugin/auth_pam/mapper/pam_user_map.c

diff --git a/mysql-test/suite/plugins/r/pam.result b/mysql-test/suite/plugins/r/pam.result
index 1c9036c317e..d1b2d291941 100644
--- a/mysql-test/suite/plugins/r/pam.result
+++ b/mysql-test/suite/plugins/r/pam.result
@@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so';
 create user test_pam identified via pam using 'mariadb_mtr';
 #
 # athentication is successful, challenge/pin are ok
-# note that current_user() differts from user()
+# note that current_user() differs from user()
 #
 Challenge input first.
 Enter: not very secret challenge
diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test
index 3f4c563d8dc..1968d7fdaa6 100644
--- a/mysql-test/suite/plugins/t/pam.test
+++ b/mysql-test/suite/plugins/t/pam.test
@@ -29,7 +29,7 @@ EOF
 --echo #
 --echo # athentication is successful, challenge/pin are ok
---echo # note that current_user() differts from user()
+--echo # note that current_user() differs from user()
 --echo #
 --exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
diff --git a/plugin/auth_pam/mapper/pam_user_map.c b/plugin/auth_pam/mapper/pam_user_map.c
new file mode 100644
index 00000000000..e73ab6de544
--- /dev/null
+++ b/plugin/auth_pam/mapper/pam_user_map.c
@@ -0,0 +1,93 @@
+/*
+ Pam module to change user names arbitrarily in the pam stack.
+
+ Compile as
+
+ gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
+
+ Install as appropriate (for example, in /lib/security/).
+ Add to your /etc/pam.d/mysql (preferrably, at the end) this line:
+=========================================================
+auth required pam_user_map.so
+=========================================================
+
+ And create /etc/security/user_map.conf with the desired mapping
+ in the format: orig_user_name: mapped_user_name
+=========================================================
+#comments and emty lines are ignored
+john: jack
+bob: admin
+top: accounting
+=========================================================
+
+*/
+
+#include
+#include
+#include
+
+#define FILENAME "/etc/security/user_map.conf"
+#define skip(what) while (*s && (what)) s++
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+ int pam_err, line= 0;
+ const char *username;
+ char buf[256];
+ FILE *f;
+
+ f= fopen(FILENAME, "r");
+ if (f == NULL)
+ {
+ pam_syslog(pamh, LOG_ERR, "Cannot open '%s'\n", FILENAME);
+ return PAM_SYSTEM_ERR;
+ }
+
+ pam_err = pam_get_item(pamh, PAM_USER, (const void**)&username);
+ if (pam_err != PAM_SUCCESS)
+ goto ret;
+
+ while (fgets(buf, sizeof(buf), f) != NULL)
+ {
+ char *s= buf, *from, *to, *end_from, *end_to;
+ line++;
+
+ skip(isspace(*s));
+ if (*s == '#' || *s == 0) continue;
+ from= s;
+ skip(isalnum(*s) || (*s == '_'));
+ end_from= s;
+ skip(isspace(*s));
+ if (end_from == from || *s++ != ':') goto syntax_error;
+ skip(isspace(*s));
+ to= s;
+ skip(isalnum(*s) || (*s == '_'));
+ end_to= s;
+ if (end_to == to) goto syntax_error;
+
+ *end_from= *end_to= 0;
+ if (strcmp(username, from) == 0)
+ {
+ pam_err= pam_set_item(pamh, PAM_USER, to);
+ goto ret;
+ }
+ }
+ pam_err= PAM_SUCCESS;
+ goto ret;
+
+syntax_error:
+ pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
+ pam_err= PAM_SYSTEM_ERR;
+ret:
+ fclose(f);
+ return pam_err;
+}
+
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+
+ return PAM_SUCCESS;
+}
+
diff --git a/plugin/auth_pam/testing/pam_mariadb_mtr.c b/plugin/auth_pam/testing/pam_mariadb_mtr.c
index 73defe30112..1078b88cf26 100644
--- a/plugin/auth_pam/testing/pam_mariadb_mtr.c
+++ b/plugin/auth_pam/testing/pam_mariadb_mtr.c
@@ -10,7 +10,7 @@ Create /etc/pam.d/mariadb_mtr with
 =========================================================
 auth required pam_mariadb_mtr.so pam_test
-account required pam_mariadb_mtr.so
+account required pam_permit.so
 =========================================================
 */
@@ -21,9 +21,8 @@ account required pam_mariadb_mtr.so
 #define N 3
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
 {
 struct pam_conv *conv;
 struct pam_response *resp = 0;
@@ -69,17 +68,8 @@ ret:
 return retval;
 }
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
-{
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
 {
 return PAM_SUCCESS;
--
cgit v1.2.1
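Review bot: `strcmp(username, from)` inside the fgets loop of pam_sm_authenticate is reached without checking that `username` is non-NULL; pam_get_item(PAM_USER) can return PAM_SUCCESS with a NULL item when no user has been set on the handle, so an unset user crashes the module instead of failing it. Add `if (username == NULL) { pam_err= PAM_USER_UNKNOWN; goto ret; }` right after the pam_get_item return check (or use pam_get_user, which prompts when the item is unset). The `isspace`/`isalnum` calls expanded by the skip() macro pass a plain `char`, which is undefined for bytes above 0x7F on platforms where char is signed; cast to `(unsigned char)` before the ctype calls. Nothing after `end_to` is validated, so a line such as `john: jack extra` is silently accepted, and the map file's ownership and mode are never inspected before it is trusted to rewrite PAM_USER — an fstat() on `f` refusing a non-root-owned or group/world-writable file is the usual guard for a file with this much authority. The three `#include` lines lost their header names in this rendering, so whether <ctype.h> and <string.h> are among them cannot be confirmed from the page.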
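Review bot: An installed /etc/pam.d/mariadb_mtr that still lists `account required pam_mariadb_mtr.so` will presumably fail at the account stage after this change, because the last hunk (`@@ -69,17 +68,8 @@ ret:`) removes pam_sm_acct_mgmt and the module no longer exports that symbol, while only the comment at the top of the file was updated to name pam_permit.so. pam.test itself changes nothing but a typo, so the test now depends on every host's stack file being edited by hand. Either keep a one-line `int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { return PAM_SUCCESS; }` so existing configurations keep working, or add a sentence to the header comment saying existing installs must switch the account line to pam_permit.so. pam_sm_authenticate and the new pam_sm_setcred in this file both continue outside the hunks shown.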