sbuild
1.7.1
|
Authentication handler. More...
#include <auth.h>
Public Types | |
enum | status { STATUS_NONE, STATUS_USER, STATUS_FAIL } |
Authentication status. More... | |
enum | error_code { HOSTNAME, USER, GROUP, AUTHENTICATION, AUTHORISATION, PAM_DOUBLE_INIT, PAM, PAM_END } |
Error codes. More... | |
typedef custom_error< error_code > | error |
Exception type. | |
typedef std::shared_ptr< auth > | ptr |
A shared_ptr to a auth object. | |
Public Member Functions | |
virtual | ~auth () |
The destructor. | |
std::string const & | get_service () const |
Get the PAM service name. More... | |
uid_t | get_uid () const |
Get the uid of the user. More... | |
gid_t | get_gid () const |
Get the gid of the user. More... | |
std::string const & | get_user () const |
Get the name of the user. More... | |
void | set_user (uid_t uid) |
Set the name of the user. More... | |
void | set_user (const std::string &user) |
Set the name of the user. More... | |
string_list const & | get_command () const |
Get the command to run in the session. More... | |
void | set_command (const string_list &command) |
Set the command to run in the session. More... | |
std::string const & | get_home () const |
Get the home directory. More... | |
std::string const & | get_wd () const |
Get the working directory. More... | |
void | set_wd (const std::string &wd) |
Set the working directory. More... | |
std::string const & | get_shell () const |
Get the name of the shell. More... | |
environment const & | get_user_environment () const |
Get the user environment to use in the session. More... | |
void | set_user_environment (char **environment) |
Set the user environment to use in the session. More... | |
void | set_user_environment (const environment &environment) |
Set the user environment to use in the session. More... | |
environment | get_minimal_environment () const |
Get the minimal environment. More... | |
environment | get_complete_environment () const |
Get the complete environment. More... | |
virtual environment | get_auth_environment () const =0 |
Get the PAM environment. More... | |
uid_t | get_ruid () const |
Get the "remote uid" of the user. More... | |
gid_t | get_rgid () const |
Get the "remote gid" of the user. More... | |
std::string const & | get_ruser () const |
Get the "remote" name of the user. More... | |
void | set_ruser (uid_t ruid) |
Set the "remote" name of the user. More... | |
void | set_ruser (const std::string &ruser) |
Set the "remote" name of the user. More... | |
std::string const & | get_rgroup () const |
Get the "remote" name of the group. More... | |
virtual void | start () |
Start the PAM system. More... | |
virtual void | stop () |
Stop the PAM system. More... | |
virtual void | authenticate (status auth_status) |
Perform PAM authentication. More... | |
virtual void | setupenv () |
Import the user environment into PAM. More... | |
virtual void | account () |
Do PAM account management (authorisation). More... | |
virtual void | cred_establish () |
Use PAM to establish credentials. More... | |
virtual void | cred_delete () |
Use PAM to delete credentials. More... | |
virtual void | open_session () |
Open a PAM session. More... | |
virtual void | close_session () |
Close a PAM session. More... | |
virtual bool | is_initialised () const =0 |
Check if PAM is initialised (i.e. More... | |
Static Public Member Functions | |
static status | change_auth (status oldauth, status newauth) |
Set new authentication status. More... | |
Protected Member Functions | |
auth (const std::string &service_name) | |
The constructor. More... | |
void | set_user (const passwd &pwent) |
Set the name of the user. More... | |
void | set_ruser (const passwd &rpwent) |
Set the "remote" name of the user. More... | |
Protected Attributes | |
const std::string | service |
The PAM service name. | |
uid_t | uid |
The uid to run as. | |
gid_t | gid |
The gid to run as. | |
std::string | user |
The user name to run as. | |
string_list | command |
The command to run. | |
std::string | home |
The home directory. | |
std::string | wd |
The directory to run in. | |
std::string | shell |
The user shell to run. | |
environment | user_environment |
The user environment to set. | |
uid_t | ruid |
The uid requesting authentication. | |
gid_t | rgid |
The gid requesting authentication. | |
std::string | ruser |
The user name requesting authentication. | |
std::string | rgroup |
The group name requesting authentication. | |
Authentication handler.
auth handles user authentication, authorisation and session management using the Pluggable Authentication Modules (PAM) library. It is essentially an object-oriented wrapper around PAM.
In order to use PAM correctly, it is important to call several of the methods in the correct order. For example, it is not possible to authorise a user before authenticating a user, and a session may not be started before either of these have occurred.
A conversation handler must be specified using set_conv before calling any of the functions below.
The correct order is
After the session has finished, or if an error occurred, the corresponding cleanup methods should be called
|
protected |
The constructor.
service_name | the PAM service name. This should be a hard-coded constant string literal for safety and security. This is passed to pam_start() when initialising PAM, and is used to load the correct configuration file from /etc/pam.d. |
References ruid, ruser, set_ruser(), and set_user().
|
virtual |
Do PAM account management (authorisation).
An error will be thrown on failure.
Reimplemented in sbuild::auth::pam.
|
virtual |
Perform PAM authentication.
If auth_status is set to AUTH_USER, the user will be prompted to authenticate themselves. If auth_status is AUTH_NONE, no authentication is required, and if AUTH_FAIL, authentication will fail.
An error will be thrown on failure.
auth_status | initial authentication status. |
Reimplemented in sbuild::auth::pam, and sbuild::auth::deny.
Set new authentication status.
If newauth > oldauth, newauth is returned, otherwise oldauth is returned. This is to ensure the authentication status can never be decreased (relaxed).
oldauth | the current authentication status. |
newauth | the new authentication status. |
Referenced by sbuild::session::get_auth_status(), and sbuild::session::get_chroot_auth_status().
|
virtual |
|
virtual |
Use PAM to delete credentials.
An error will be thrown on failure.
Reimplemented in sbuild::auth::pam.
|
virtual |
Use PAM to establish credentials.
An error will be thrown on failure.
Reimplemented in sbuild::auth::pam.
|
pure virtual |
Get the PAM environment.
This is the environment as set by PAM modules.
Implemented in sbuild::auth::deny, and sbuild::auth::pam.
Referenced by get_complete_environment().
string_list const & sbuild::auth::auth::get_command | ( | ) | const |
Get the command to run in the session.
References command.
environment sbuild::auth::auth::get_complete_environment | ( | ) | const |
Get the complete environment.
This is the user environment plus essential environment variables which are set if not already present.
References get_auth_environment(), get_minimal_environment(), get_user_environment(), sbuild::environment::remove(), uid, and user.
gid_t sbuild::auth::auth::get_gid | ( | ) | const |
Get the gid of the user.
This is the gid to run as in the session.
References gid.
std::string const & sbuild::auth::auth::get_home | ( | ) | const |
Get the home directory.
This is the $HOME to set in the session, if the user environment is not being preserved.
References home.
environment sbuild::auth::auth::get_minimal_environment | ( | ) | const |
Get the minimal environment.
This is essential environment variables which are set if not already present.
References sbuild::environment::add(), home, shell, uid, and user.
Referenced by sbuild::auth::deny::get_auth_environment(), get_complete_environment(), and sbuild::auth::pam::setupenv().
gid_t sbuild::auth::auth::get_rgid | ( | ) | const |
Get the "remote gid" of the user.
This is the gid which is requesting authentication.
References rgid.
std::string const & sbuild::auth::auth::get_rgroup | ( | ) | const |
Get the "remote" name of the group.
This is the group which is requesting authentication.
References rgroup.
uid_t sbuild::auth::auth::get_ruid | ( | ) | const |
Get the "remote uid" of the user.
This is the uid which is requesting authentication.
References ruid.
std::string const & sbuild::auth::auth::get_ruser | ( | ) | const |
Get the "remote" name of the user.
This is the user which is requesting authentication.
References ruser.
std::string const & sbuild::auth::auth::get_service | ( | ) | const |
std::string const & sbuild::auth::auth::get_shell | ( | ) | const |
Get the name of the shell.
This is the shell to run in the session.
References shell.
uid_t sbuild::auth::auth::get_uid | ( | ) | const |
Get the uid of the user.
This is the uid to run as in the * session.
References uid.
std::string const & sbuild::auth::auth::get_user | ( | ) | const |
Get the name of the user.
This is the user to run as in the session.
References user.
environment const & sbuild::auth::auth::get_user_environment | ( | ) | const |
Get the user environment to use in the session.
References user_environment.
Referenced by get_complete_environment().
std::string const & sbuild::auth::auth::get_wd | ( | ) | const |
Get the working directory.
This is the working directory to set in the session.
References wd.
|
pure virtual |
Check if PAM is initialised (i.e.
start has been called).
Implemented in sbuild::auth::pam, and sbuild::auth::deny.
|
virtual |
void sbuild::auth::auth::set_command | ( | const string_list & | command) |
Set the command to run in the session.
command | the command to run. This is a string list, each item being a separate argument. |
References command.
void sbuild::auth::auth::set_ruser | ( | uid_t | ruid) |
Set the "remote" name of the user.
This is the user which is requesting authentication.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
ruid | remote user to set as a uid. |
References USER.
Referenced by auth(), and set_ruser().
void sbuild::auth::auth::set_ruser | ( | const std::string & | ruser) |
Set the "remote" name of the user.
This is the user which is requesting authentication.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
ruser | the remote user name to set. |
References set_ruser(), and USER.
|
protected |
Set the "remote" name of the user.
This is the user which is requesting authentication.
As a side effect, the ruid, rgid, ruser and rgroup member variables will also be set, so calling the corresponding get methods will now return meaningful values.
rpwent | remote user to set as a passwd entry. |
References sbuild::DEBUG_INFO, GROUP, sbuild::log_debug(), rgid, rgroup, ruid, and ruser.
void sbuild::auth::auth::set_user | ( | uid_t | uid) |
Set the name of the user.
This is the user to run as in the session.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
uid | user to set as a uid. |
References USER.
Referenced by auth(), and set_user().
void sbuild::auth::auth::set_user | ( | const std::string & | user) |
Set the name of the user.
This is the user to run as in the session.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
user | the name to set. |
References set_user(), and USER.
|
protected |
Set the name of the user.
This is the user to run as in the session.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
pwent | user to set as a passwd entry. |
References sbuild::DEBUG_INFO, gid, home, sbuild::log_debug(), shell, uid, and user.
void sbuild::auth::auth::set_user_environment | ( | char ** | environment) |
Set the user environment to use in the session.
environment | an environ- or envp-like string vector containing key=value pairs. |
void sbuild::auth::auth::set_user_environment | ( | const environment & | environment) |
Set the user environment to use in the session.
environment | an environment list. |
References user_environment.
void sbuild::auth::auth::set_wd | ( | const std::string & | wd) |
Set the working directory.
This is the working directory to set in the session.
wd | the current working directory. |
References wd.
|
virtual |
Import the user environment into PAM.
If no environment was specified with set_environment, a minimal environment will be created containing HOME, LOGNAME, PATH, TERM and LOGNAME.
An error will be thrown on failure.
Note that the environment is not sanitised in any way. This is the responsibility of the user.
Reimplemented in sbuild::auth::pam.
|
virtual |
Start the PAM system.
No other PAM functions may be called before calling this function.
An error will be thrown on failure.
Reimplemented in sbuild::auth::pam, and sbuild::auth::deny.
|
virtual |
Stop the PAM system.
No other PAM functions may be used after calling this function.
An error will be thrown on failure.
Reimplemented in sbuild::auth::pam, and sbuild::auth::deny.
Referenced by ~auth().