From 804affb662da866b504c2b35d771aa3a14d43716 Mon Sep 17 00:00:00 2001
From: Ted Gould
Date: Mon, 20 Aug 2012 14:23:03 -0500
Subject: Switch to pushing the creditials via stdin

---
 src/pam-freerdp.c | 38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index bf533c4..d8c6703 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -1,4 +1,5 @@
 #include
+#include
 #include
 #include
 #include
@@ -95,27 +96,29 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	GET_ITEM(rdomain, PAM_TYPE_DOMAIN);
 	GET_ITEM(password, PAM_AUTHTOK);
 
+	int stdinpipe[2];
+	if (pipe(stdinpipe) != 0) {
+		retval = PAM_SYSTEM_ERR;
+		goto done;
+	}
+
 	/* At this point we should have the values, let's check the auth */
 	pid_t pid;
 	switch (pid = fork()) {
 	case 0: { /* child */
-		char * args[13];
+		dup2(stdinpipe[0], 0);
+
+		char * args[8];
+
 		args[0] = XFREERDP;
 		args[1] = "--plugin";
 		args[2] = "rdpsnd.so";
 		args[3] = "--no-nla";
 		args[4] = "-f";
 		args[5] = "--ignore-certificate"; /* TODO: Change when we set the home directory properly */
+		args[6] = "--from-stdin";
 
-		/* TODO: Use stdin */
-		args[6] = "-u";
-		args[7] = ruser;
-		args[8] = "-p";
-		args[9] = password;
-		args[10] = "-d";
-		args[11] = rdomain;
-
-		args[12] = NULL;
+		args[7] = NULL;
 
 		/* TODO: Drop privs */
 		/* TODO: Home directory environment to user's home */
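Review bot: After `dup2(stdinpipe[0], 0)` the child keeps both pipe descriptors open across `execvp`, so xfreerdp inherits its own write end and never sees EOF on stdin even after the parent closes its copy; replace the unchecked dup2 with `if (dup2(stdinpipe[0], 0) < 0) _exit(EXIT_FAILURE);` followed by `if (stdinpipe[0] != 0) close(stdinpipe[0]);` and `close(stdinpipe[1]);`. The parent arm (the -129 hunk below) likewise never closes `stdinpipe[0]`, and nothing closes either end when `fork()` fails (that arm is presumably outside this hunk), so the read end leaks into the PAM host process for its lifetime. Moving the credentials off argv is the right direction, since argv is readable by every local user; a one-line comment above `int stdinpipe[2];` saying so would keep the next maintainer from reverting it. pam_sm_authenticate begins and ends outside this hunk.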
@@ -129,7 +132,20 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	}
 	default: {
 		int forkret = 0;
-		if (waitpid(pid, &forkret, 0) < 0) {
+		int bytesout = 0;
+
+		bytesout += write(stdinpipe[1], ruser, strlen(ruser));
+		bytesout += write(stdinpipe[1], " ", 1);
+		bytesout += write(stdinpipe[1], password, strlen(password));
+		bytesout += write(stdinpipe[1], " ", 1);
+		bytesout += write(stdinpipe[1], rdomain, strlen(rdomain));
+		bytesout += write(stdinpipe[1], " ", 1);
+		bytesout += write(stdinpipe[1], rhost, strlen(rhost));
+		bytesout += write(stdinpipe[1], " ", 1);
+
+		close(stdinpipe[1]);
+
+		if (waitpid(pid, &forkret, 0) < 0 || bytesout == 0) {
 			retval = PAM_SYSTEM_ERR;
 		} else if (forkret == 0) {
 			retval = PAM_SUCCESS;
-- 
cgit v1.2.3

From 06a9bad53744e3a7cfe5984087d3330046c35d64 Mon Sep 17 00:00:00 2001
From: Ted Gould
Date: Mon, 20 Aug 2012 14:39:57 -0500
Subject: Setting the home directory to the user's directory

---
 src/pam-freerdp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index d8c6703..7bd2657 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -3,6 +3,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
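Review bot: The `bytesout` accumulation cannot detect a failed write: `write()` returns -1 on error, which is summed into the count, and a short write is indistinguishable from success, so `bytesout == 0` only fires when every call returns 0. Because the parent writes before it waits, a child that dies early (for example when `execvp` fails) closes the read end and the next `write` raises SIGPIPE in the PAM host process, terminating the caller instead of returning PAM_SYSTEM_ERR, so at least EPIPE should be handled and blocking SIGPIPE around the writes considered. The space-separated framing also means a password or domain containing a space will be split by whatever parses `--from-stdin` on the other side, which deserves a comment next to the writes. A checked write helper along the lines below makes the error path explicit; a full version would also retry on EINTR. pam_sm_authenticate begins and ends outside this hunk.
```c
/* At file scope, above pam_sm_authenticate: write exactly len bytes or fail.
   write() may return short or -1; a full version would also retry on EINTR. */
static int
write_all (int fd, const char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);
		if (n <= 0) {
			return -1;
		}
		buf += n;
		len -= (size_t)n;
	}
	return 0;
}

		/* … unchanged: default: arm through int forkret = 0; … */
		int writeok = 1;
		/* Fields are space-separated; a value containing a space is not escaped. */
		writeok = writeok && write_all(stdinpipe[1], ruser, strlen(ruser)) == 0;
		writeok = writeok && write_all(stdinpipe[1], " ", 1) == 0;
		writeok = writeok && write_all(stdinpipe[1], password, strlen(password)) == 0;
		writeok = writeok && write_all(stdinpipe[1], " ", 1) == 0;
		writeok = writeok && write_all(stdinpipe[1], rdomain, strlen(rdomain)) == 0;
		writeok = writeok && write_all(stdinpipe[1], " ", 1) == 0;
		writeok = writeok && write_all(stdinpipe[1], rhost, strlen(rhost)) == 0;
		writeok = writeok && write_all(stdinpipe[1], " ", 1) == 0;

		close(stdinpipe[1]);
		close(stdinpipe[0]);

		if (waitpid(pid, &forkret, 0) < 0 || !writeok) {
		/* … unchanged: retval assignments and the rest of the default: arm … */
```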
@@ -108,20 +110,24 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	case 0: { /* child */
 		dup2(stdinpipe[0], 0);
 
-		char * args[8];
+		char * args[7];
 
 		args[0] = XFREERDP;
 		args[1] = "--plugin";
 		args[2] = "rdpsnd.so";
 		args[3] = "--no-nla";
 		args[4] = "-f";
-		args[5] = "--ignore-certificate"; /* TODO: Change when we set the home directory properly */
-		args[6] = "--from-stdin";
-
-		args[7] = NULL;
+		args[5] = "--from-stdin";
+		args[6] = NULL;
+
+		struct passwd * pwdent = getpwnam(username);
+		if (pwdent == NULL) {
+			_exit(-1);
+		}
+
+		setenv("HOME", pwdent->pw_dir, 1);
 
 		/* TODO: Drop privs */
-		/* TODO: Home directory environment to user's home */
 		execvp(args[0], args);
 		_exit(EXIT_FAILURE);
 		break;
-- 
cgit v1.2.3

From 6caebbec178693c28431c9c99c2f5d51cfc5a090 Mon Sep 17 00:00:00 2001
From: Ted Gould
Date: Mon, 20 Aug 2012 14:44:42 -0500
Subject: Make sure we're running as the guest user before we execute the freerdp utility

---
 src/pam-freerdp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 7bd2657..189c82f 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -122,12 +122,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 		struct passwd * pwdent = getpwnam(username);
 		if (pwdent == NULL) {
-			_exit(-1);
+			_exit(EXIT_FAILURE);
+		}
+
+		if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
+		    setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
+			_exit(EXIT_FAILURE);
 		}
 
 		setenv("HOME", pwdent->pw_dir, 1);
 
-		/* TODO: Drop privs */
 		execvp(args[0], args);
 		_exit(EXIT_FAILURE);
 		break;
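Review bot: `getpwnam(username)` runs in the forked child, and `getpwnam` is not async-signal-safe; if the PAM host process has other threads (graphical greeters usually do), the NSS lookup can block forever on a lock held by a thread that did not survive the fork. Do the lookup in the parent before `fork()` (with `getpwnam_r` into a local buffer) and carry only `pw_uid`, `pw_gid` and `pw_dir` into the child. The `setenv("HOME", ...)` result is unchecked and the child otherwise inherits the host's full environment; `if (setenv("HOME", pwdent->pw_dir, 1) != 0) _exit(EXIT_FAILURE);` is the minimal fix, and a comment noting which variables xfreerdp is expected to pick up would help. `username` is obtained outside this hunk, and pam_sm_authenticate begins and ends outside it.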
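Review bot: The privilege drop at `setgid`/`setuid` leaves the supplementary group list inherited from the PAM host process, so xfreerdp still holds every group the caller had; add `initgroups(pwdent->pw_name, pwdent->pw_gid) < 0 ||` as the first term of the condition (it needs `<grp.h>`) so the whole drop is checked together and in the right order. The `setegid`/`seteuid` calls after a successful `setuid` to a non-root uid are redundant, since a privileged `setuid` already sets the real, effective and saved ids, and keeping them reads as if a real/effective split were intended. The drop only succeeds when the host process is root; otherwise `setgid` fails and the child exits, which is presumably intended but worth a one-line comment above the `if`. pam_sm_authenticate begins and ends outside this hunk.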