From adfd9011243c2c8fa133dbfdff95cbe16b652b1d Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 4 Dec 2018 14:52:47 +0100
Subject: [pam-slx-plug] Add get_username script to lookup caps

Changing the capitalization of usernames in the PAM stack is a bad idea
and messes everything up. Add a helper script that can loop up a user
name and return the proper capitalization. This script should be called
in the lightdm greeter. exec_auth now refuses login if the username
returned by LDAP has a different capitalization.

Fixes #3503
---
 .../data/opt/openslx/pam/auth-source.d/99-slx-ldap |  7 ++--
 .../pam-slx-plug/data/opt/openslx/pam/exec_account | 16 +++++---
 .../pam-slx-plug/data/opt/openslx/pam/exec_auth    | 18 +++++---
 .../pam-slx-plug/data/opt/openslx/pam/get_username | 48 ++++++++++++++++++++++
 4 files changed, 75 insertions(+), 14 deletions(-)
 create mode 100755 core/modules/pam-slx-plug/data/opt/openslx/pam/get_username

(limited to 'core/modules/pam-slx-plug')

diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index cab6c0a6..ee2155a5 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -48,7 +48,7 @@ extract_field() {
 }
 
 run_auth() {
-	local BINDDN SEARCH_ANON SEARCH_USER PW RET
+	local BINDDN SEARCH_ANON SEARCH_USER PW RET uid
 	if [ -n "$LDAP_CACERT" ]; then
 		export LDAPTLS_CACERT="$LDAP_CACERT"
 	else
@@ -86,9 +86,10 @@ run_auth() {
 	# Get proper capitalization
 	RET=$(extract_field "uid" "$SEARCH_ANON")
 	[ -n "$RET" ] && USER_NAME="$RET"
+	uid=$(extract_field "uidNumber" "$SEARCH_ANON")
 	if [ "$PAM_TYPE" = "account" ]; then
 		# 'account' checks just if the user is allowed to log in, bail out
-		USER_UID=$(extract_field "uidNumber" "$SEARCH_ANON")
+		USER_UID=$uid
 		USER_GID=$(extract_field "gidNumber" "$SEARCH_ANON")
 		USER_HOME=$(extract_field "homeDirectory" "$SEARCH_ANON")
 		return 0
@@ -98,7 +99,7 @@ run_auth() {
 	if [ -z "$SCRIPT_USER" ] || [ "$SCRIPT_USER" = "root" ]; then
 		PW="/run/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
 	else
-		PW="/run/user/${USER_UID}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+		PW="/run/user/${uid}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
 	fi
 	for retries in 0 1 1 0; do
 		if ! mkfifo -m 0600 "${PW}"; then
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
index f481d302..a94ac428 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
@@ -3,7 +3,7 @@
 [ "$PAM_TYPE" = "account" ] || exit 1
 
 USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
 
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
 
@@ -14,11 +14,13 @@ if echo "$PAM_USER" | grep -Fq ':'; then
 fi
 
 # check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
 
 # passwd but no shadow hints at a user we added - allow
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
-grep -q "^${PAM_USER}:" "/etc/passwd" && exit 0
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+[ "x$SCRIPT_USER" = "xroot" ] && grep -q "^${grepname}:" "/etc/shadow" && exit 1
+grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" && exit 0
 
 # Have neither, run hooks
 for auth_file in /opt/openslx/pam/auth-source.d/*; do
@@ -29,7 +31,7 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
 	[ -n "$USER_UID" ] || continue
 	break
 done
-readonly USER_UID USER_GID
+readonly USER_UID USER_GID USER_NAME
 
 [ -n "$USER_UID" ] || exit 1
 # Got ok from hook - cache in passwd if we got a USER_GID
@@ -44,7 +46,9 @@ if [ -n "$USER_GID" ] && ! echo "$USER_GID" | grep -Exq '[0-9]+'; then
 	exit 0
 fi
 
-. /opt/openslx/pam/common/homedir-passwd
+if [ "x$SCRIPT_USER" = "xroot" ]; then
+	. /opt/openslx/pam/common/homedir-passwd
+fi
 
 exit 0
 
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 99d5afa8..6bbe8bdc 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -24,12 +24,14 @@ SCRIPT_USER=$(whoami)
 readonly SCRIPT_USER
 [ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
 
-if [ "$PAM_USER" = "root" ]; then
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+if [ "$SCRIPT_USER" = "root" ]; then
 	# See if we have a shadow entry - skip user in that case
-	grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+	grep -q -i "^${grepname}:" "/etc/shadow" && exit 1
 else
 	# Running in user context - user must be known from before
-	grep -q "^${PAM_USER}:x:.*:.*:${PAM_USER}@SLX:" "/etc/passwd" || exit 1
+	grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" || exit 1
 fi
 
 # ppam -- pluggable pluggable authentication module
@@ -60,7 +62,13 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
 	break
 done
 [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="$PAM_USER"
-readonly USER_UID REAL_ACCOUNT
+readonly USER_UID REAL_ACCOUNT USER_NAME
+
+# Confirm caps matches!
+if [ "$USER_NAME" != "$PAM_USER" ]; then
+	echo "Capitalization mismatch: '$PAM_USER' vs. '$USER_NAME'" >&2
+	exit 1
+fi
 
 # No success - access denied
 [ -z "$USER_UID" ] && exit 1
@@ -108,7 +116,7 @@ if [ -n "$GROUPENT" ]; then
 		echo "$GROUPENT" >> '/etc/group'
 	fi
 fi
-readonly USER_GID USER_GROUP USER_NAME
+readonly USER_GID USER_GROUP
 
 . /opt/openslx/pam/common/homedir-passwd
 
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
new file mode 100755
index 00000000..477a2f1b
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
@@ -0,0 +1,48 @@
+#!/bin/ash
+
+PAM_USER="$1"
+
+if [ -z "$PAM_USER" ]; then
+	echo "Usage: $0 <username>" >&2
+	exit 1
+fi
+
+PAM_TYPE="account"
+USER_NAME=
+readonly PAM_USER PAM_TYPE
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# check for invalid char ':'
+if echo "$PAM_USER" | grep -Fq ':'; then
+	echo "Username '$PAM_USER' contains disallowed character ':'" >&2
+	exit 1
+fi
+
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+existing=$( grep -i -m1 "^${grepname}:" "/etc/passwd" | awk -F: '{print $1}' )
+if [ -n "$existing" ]; then
+	echo "$existing"
+	exit 0
+fi
+
+# Have neither, run hooks
+for auth_file in /opt/openslx/pam/auth-source.d/*; do
+	USER_UID=
+	USER_GID=
+	[ -f "$auth_file" ] || continue
+	. "$auth_file"
+	[ -n "$USER_UID" ] || continue
+	break
+done
+readonly USER_UID USER_GID USER_NAME
+
+if [ -z "$USER_UID" ] || [ -z "$USER_NAME" ]; then
+	echo "User not found" >&2
+	exit 1
+fi
+
+echo "$USER_NAME"
+exit 0
+
-- 
cgit v1.2.3-55-g7522