1*4882a593SmuzhiyunFrom 3f90452cb9d5dbb38906dd161b4dd639be4e45c9 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Philipp Zabel <philipp.zabel@gmail.com>
3*4882a593SmuzhiyunDate: Sat, 19 Nov 2022 09:52:01 +0100
4*4882a593SmuzhiyunSubject: [PATCH 88/92] libweston: Add user authentication support via PAM
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunAdd user authentication support for remote backends via PAM.
7*4882a593SmuzhiyunThis requires a PAM service configuration file, /etc/pam.d/weston-remote-access (installed from pam/weston-remote-access), matching the service name passed to pam_start().
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunSigned-off-by: Philipp Zabel <philipp.zabel@gmail.com>
10*4882a593Smuzhiyun(cherry picked from commit 0733c8f5715a06c1109d380093d4f2e040284140)
11*4882a593SmuzhiyunSigned-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
12*4882a593Smuzhiyun---
13*4882a593Smuzhiyun libweston/auth.c               | 116 +++++++++++++++++++++++++++++++++
14*4882a593Smuzhiyun libweston/libweston-internal.h |   5 ++
15*4882a593Smuzhiyun libweston/meson.build          |  13 ++++
16*4882a593Smuzhiyun meson.build                    |   2 +
17*4882a593Smuzhiyun pam/meson.build                |   8 +++
18*4882a593Smuzhiyun pam/weston-remote-access       |   3 +
19*4882a593Smuzhiyun 6 files changed, 147 insertions(+)
20*4882a593Smuzhiyun create mode 100644 libweston/auth.c
21*4882a593Smuzhiyun create mode 100644 pam/meson.build
22*4882a593Smuzhiyun create mode 100644 pam/weston-remote-access
23*4882a593Smuzhiyun
24*4882a593Smuzhiyundiff --git a/libweston/auth.c b/libweston/auth.c
25*4882a593Smuzhiyunnew file mode 100644
26*4882a593Smuzhiyunindex 0000000..2133abb
27*4882a593Smuzhiyun--- /dev/null
28*4882a593Smuzhiyun+++ b/libweston/auth.c
29*4882a593Smuzhiyun@@ -0,0 +1,116 @@
30*4882a593Smuzhiyun+/*
31*4882a593Smuzhiyun+ * Copyright © 2022 Philipp Zabel
32*4882a593Smuzhiyun+ *
33*4882a593Smuzhiyun+ * Permission is hereby granted, free of charge, to any person obtaining
34*4882a593Smuzhiyun+ * a copy of this software and associated documentation files (the
35*4882a593Smuzhiyun+ * "Software"), to deal in the Software without restriction, including
36*4882a593Smuzhiyun+ * without limitation the rights to use, copy, modify, merge, publish,
37*4882a593Smuzhiyun+ * distribute, sublicense, and/or sell copies of the Software, and to
38*4882a593Smuzhiyun+ * permit persons to whom the Software is furnished to do so, subject to
39*4882a593Smuzhiyun+ * the following conditions:
40*4882a593Smuzhiyun+ *
41*4882a593Smuzhiyun+ * The above copyright notice and this permission notice (including the
42*4882a593Smuzhiyun+ * next paragraph) shall be included in all copies or substantial
43*4882a593Smuzhiyun+ * portions of the Software.
44*4882a593Smuzhiyun+ *
45*4882a593Smuzhiyun+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
46*4882a593Smuzhiyun+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
47*4882a593Smuzhiyun+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
48*4882a593Smuzhiyun+ * NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
49*4882a593Smuzhiyun+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
50*4882a593Smuzhiyun+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
51*4882a593Smuzhiyun+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
52*4882a593Smuzhiyun+ * SOFTWARE.
53*4882a593Smuzhiyun+ */
54*4882a593Smuzhiyun+
55*4882a593Smuzhiyun+#include "config.h"
56*4882a593Smuzhiyun+
57*4882a593Smuzhiyun+#include <shared/xalloc.h>
58*4882a593Smuzhiyun+#include <stdbool.h>
59*4882a593Smuzhiyun+#include "libweston-internal.h"
60*4882a593Smuzhiyun+
61*4882a593Smuzhiyun+#ifdef HAVE_PAM
62*4882a593Smuzhiyun+
63*4882a593Smuzhiyun+#include <security/pam_appl.h>
64*4882a593Smuzhiyun+#include <security/pam_misc.h>
65*4882a593Smuzhiyun+
66*4882a593Smuzhiyun+static int
67*4882a593Smuzhiyun+weston_pam_conv(int num_msg, const struct pam_message **msg,
68*4882a593Smuzhiyun+		struct pam_response **resp, void *appdata_ptr)
69*4882a593Smuzhiyun+{
70*4882a593Smuzhiyun+	const char *password = appdata_ptr;
71*4882a593Smuzhiyun+	struct pam_response *rsp;
72*4882a593Smuzhiyun+	int i;
73*4882a593Smuzhiyun+
74*4882a593Smuzhiyun+	if (!num_msg)
75*4882a593Smuzhiyun+		return PAM_CONV_ERR;
76*4882a593Smuzhiyun+
77*4882a593Smuzhiyun+	rsp = calloc(num_msg, sizeof(*rsp));
78*4882a593Smuzhiyun+	if (!rsp)
79*4882a593Smuzhiyun+		return PAM_CONV_ERR;
80*4882a593Smuzhiyun+
81*4882a593Smuzhiyun+	for (i = 0; i < num_msg; i++) {
82*4882a593Smuzhiyun+		switch (msg[i]->msg_style) {
83*4882a593Smuzhiyun+		case PAM_PROMPT_ECHO_OFF:
84*4882a593Smuzhiyun+			rsp[i].resp = strdup(password);
85*4882a593Smuzhiyun+			break;
86*4882a593Smuzhiyun+		case PAM_PROMPT_ECHO_ON:
87*4882a593Smuzhiyun+			break;
88*4882a593Smuzhiyun+		case PAM_ERROR_MSG:
89*4882a593Smuzhiyun+			weston_log("PAM error message: %s\n", msg[i]->msg);
90*4882a593Smuzhiyun+			break;
91*4882a593Smuzhiyun+		case PAM_TEXT_INFO:
92*4882a593Smuzhiyun+			weston_log("PAM info text: %s\n", msg[i]->msg);
93*4882a593Smuzhiyun+			break;
94*4882a593Smuzhiyun+		default:
95*4882a593Smuzhiyun+			free(rsp);
96*4882a593Smuzhiyun+			return PAM_CONV_ERR;
97*4882a593Smuzhiyun+		}
98*4882a593Smuzhiyun+	}
99*4882a593Smuzhiyun+
100*4882a593Smuzhiyun+	*resp = rsp;
101*4882a593Smuzhiyun+	return PAM_SUCCESS;
102*4882a593Smuzhiyun+}
103*4882a593Smuzhiyun+
104*4882a593Smuzhiyun+#endif
105*4882a593Smuzhiyun+
106*4882a593Smuzhiyun+WL_EXPORT bool
107*4882a593Smuzhiyun+weston_authenticate_user(const char *username, const char *password)
108*4882a593Smuzhiyun+{
109*4882a593Smuzhiyun+	bool authenticated = false;
110*4882a593Smuzhiyun+#ifdef HAVE_PAM
111*4882a593Smuzhiyun+	struct pam_conv conv = {
112*4882a593Smuzhiyun+		.conv = weston_pam_conv,
113*4882a593Smuzhiyun+		.appdata_ptr = strdup(password),
114*4882a593Smuzhiyun+	};
115*4882a593Smuzhiyun+	struct pam_handle *pam;
116*4882a593Smuzhiyun+	int ret;
117*4882a593Smuzhiyun+
118*4882a593Smuzhiyun+	conv.appdata_ptr = strdup(password);
119*4882a593Smuzhiyun+
120*4882a593Smuzhiyun+	ret = pam_start("weston-remote-access", username, &conv, &pam);
121*4882a593Smuzhiyun+	if (ret != PAM_SUCCESS) {
122*4882a593Smuzhiyun+		weston_log("PAM: start failed\n");
123*4882a593Smuzhiyun+		goto out;
124*4882a593Smuzhiyun+	}
125*4882a593Smuzhiyun+
126*4882a593Smuzhiyun+	ret = pam_authenticate(pam, 0);
127*4882a593Smuzhiyun+	if (ret != PAM_SUCCESS) {
128*4882a593Smuzhiyun+		weston_log("PAM: authentication failed\n");
129*4882a593Smuzhiyun+		goto out;
130*4882a593Smuzhiyun+	}
131*4882a593Smuzhiyun+
132*4882a593Smuzhiyun+	ret = pam_acct_mgmt(pam, 0);
133*4882a593Smuzhiyun+	if (ret != PAM_SUCCESS) {
134*4882a593Smuzhiyun+		weston_log("PAM: account check failed\n");
135*4882a593Smuzhiyun+		goto out;
136*4882a593Smuzhiyun+	}
137*4882a593Smuzhiyun+
138*4882a593Smuzhiyun+	authenticated = true;
139*4882a593Smuzhiyun+out:
140*4882a593Smuzhiyun+	ret = pam_end(pam, ret);
141*4882a593Smuzhiyun+	assert(ret == PAM_SUCCESS);
142*4882a593Smuzhiyun+	free(conv.appdata_ptr);
143*4882a593Smuzhiyun+#endif
144*4882a593Smuzhiyun+	return authenticated;
145*4882a593Smuzhiyun+}
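Review bot: When pam_start() fails, the `goto out` lands on `pam_end(pam, ret)` with `pam` never initialized, and on every path the password is duplicated twice — the `.appdata_ptr = strdup(password)` in the designated initializer is overwritten by the second strdup a few lines later, so the first copy leaks. Initialize `pam` to NULL, keep a single strdup (and check its result, since weston_pam_conv would otherwise strdup(NULL)), and give the pam_start failure its own label that skips pam_end. Because `conv.appdata_ptr` and the per-prompt copies hold a credential, it is worth wiping the buffer before free() where the platform offers `explicit_bzero` or equivalent, as a plain memset before free may be optimized away. The conversation also never sets PAM_RHOST or PAM_TTY via pam_set_item(), so modules that log or lock out per remote host have nothing to key on; the remote backend that knows the peer address is presumably the right place to supply that.
```c
	bool authenticated = false;
#ifdef HAVE_PAM
	struct pam_conv conv = { .conv = weston_pam_conv };
	struct pam_handle *pam = NULL;
	int ret;

	conv.appdata_ptr = strdup(password);
	if (!conv.appdata_ptr)
		return false;

	ret = pam_start("weston-remote-access", username, &conv, &pam);
	if (ret != PAM_SUCCESS) {
		weston_log("PAM: start failed\n");
		goto out_free;
	}

	/* … unchanged: pam_authenticate() and pam_acct_mgmt() checks, each `goto out` on failure … */

	authenticated = true;
out:
	ret = pam_end(pam, ret);
	assert(ret == PAM_SUCCESS);
out_free:
	/* credential copy: wipe before releasing where explicit_bzero() is available */
	free(conv.appdata_ptr);
#endif
```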
146*4882a593Smuzhiyundiff --git a/libweston/libweston-internal.h b/libweston/libweston-internal.h
147*4882a593Smuzhiyunindex bcfb153..ea5c478 100644
148*4882a593Smuzhiyun--- a/libweston/libweston-internal.h
149*4882a593Smuzhiyun+++ b/libweston/libweston-internal.h
150*4882a593Smuzhiyun@@ -502,4 +502,9 @@ wl_data_device_manager_init(struct wl_display *display);
151*4882a593Smuzhiyun bool
152*4882a593Smuzhiyun weston_output_set_color_outcome(struct weston_output *output);
153*4882a593Smuzhiyun
154*4882a593Smuzhiyun+/* User authentication for remote backends */
155*4882a593Smuzhiyun+
156*4882a593Smuzhiyun+bool
157*4882a593Smuzhiyun+weston_authenticate_user(const char *username, const char *password);
158*4882a593Smuzhiyun+
159*4882a593Smuzhiyun #endif
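Review bot: The new prototype carries no contract, and the property a backend author most needs to know is not obvious from the name: auth.c compiles to a stub that always returns false when HAVE_PAM is undefined, so a build without PAM rejects every remote login rather than accepting it. I would replace the bare `/* User authentication for remote backends */` with a short comment such as `/* Returns true only if PAM authenticated username/password and pam_acct_mgmt() succeeded; always false when built without PAM. */` so callers do not mistake false for a transient error.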
160*4882a593Smuzhiyundiff --git a/libweston/meson.build b/libweston/meson.build
161*4882a593Smuzhiyunindex 6906244..6f0b624 100644
162*4882a593Smuzhiyun--- a/libweston/meson.build
163*4882a593Smuzhiyun+++ b/libweston/meson.build
164*4882a593Smuzhiyun@@ -10,6 +10,7 @@ deps_libweston = [
165*4882a593Smuzhiyun srcs_libweston = [
166*4882a593Smuzhiyun 	git_version_h,
167*4882a593Smuzhiyun 	'animation.c',
168*4882a593Smuzhiyun+	'auth.c',
169*4882a593Smuzhiyun 	'bindings.c',
170*4882a593Smuzhiyun 	'clipboard.c',
171*4882a593Smuzhiyun 	'color.c',
172*4882a593Smuzhiyun@@ -79,6 +80,18 @@ if dep_egl.found() and dep_gbm.found()
173*4882a593Smuzhiyun 	deps_libweston += [ dep_egl, dep_gbm ]
174*4882a593Smuzhiyun endif
175*4882a593Smuzhiyun
176*4882a593Smuzhiyun+if get_option('backend-vnc')
177*4882a593Smuzhiyun+	dep_pam = dependency('pam', required: false)
178*4882a593Smuzhiyun+	if not dep_pam.found()
179*4882a593Smuzhiyun+		dep_pam = cc.find_library('pam')
180*4882a593Smuzhiyun+	endif
181*4882a593Smuzhiyun+	if not dep_pam.found()
182*4882a593Smuzhiyun+		error('VNC backend requires libpam which was not found. Or, you can use \'-Dbackend-vnc=false\'.')
183*4882a593Smuzhiyun+	endif
184*4882a593Smuzhiyun+	config_h.set('HAVE_PAM', '1')
185*4882a593Smuzhiyun+	deps_libweston += dep_pam
186*4882a593Smuzhiyun+endif
187*4882a593Smuzhiyun+
188*4882a593Smuzhiyun lib_weston = shared_library(
189*4882a593Smuzhiyun 	'weston-@0@'.format(libweston_major),
190*4882a593Smuzhiyun 	srcs_libweston,
191*4882a593Smuzhiyundiff --git a/meson.build b/meson.build
192*4882a593Smuzhiyunindex e03d085..cc510f1 100644
193*4882a593Smuzhiyun--- a/meson.build
194*4882a593Smuzhiyun+++ b/meson.build
195*4882a593Smuzhiyun@@ -44,6 +44,7 @@ dir_data_pc = join_paths(dir_data, 'pkgconfig')
196*4882a593Smuzhiyun dir_lib_pc = join_paths(dir_lib, 'pkgconfig')
197*4882a593Smuzhiyun dir_man = join_paths(dir_prefix, get_option('mandir'))
198*4882a593Smuzhiyun dir_protocol_libweston = join_paths('libweston-@0@'.format(libweston_major), 'protocols')
199*4882a593Smuzhiyun+dir_sysconf = join_paths(dir_prefix, get_option('sysconfdir'))
200*4882a593Smuzhiyun
201*4882a593Smuzhiyun public_inc = include_directories('include')
202*4882a593Smuzhiyun common_inc = [ include_directories('.'), public_inc ]
203*4882a593Smuzhiyun@@ -191,6 +192,7 @@ subdir('wcap')
204*4882a593Smuzhiyun subdir('tests')
205*4882a593Smuzhiyun subdir('data')
206*4882a593Smuzhiyun subdir('man')
207*4882a593Smuzhiyun+subdir('pam')
208*4882a593Smuzhiyun
209*4882a593Smuzhiyun configure_file(output: 'config.h', configuration: config_h)
210*4882a593Smuzhiyun
211*4882a593Smuzhiyundiff --git a/pam/meson.build b/pam/meson.build
212*4882a593Smuzhiyunnew file mode 100644
213*4882a593Smuzhiyunindex 0000000..7b7eff8
214*4882a593Smuzhiyun--- /dev/null
215*4882a593Smuzhiyun+++ b/pam/meson.build
216*4882a593Smuzhiyun@@ -0,0 +1,8 @@
217*4882a593Smuzhiyun+if not get_option('backend-vnc')
218*4882a593Smuzhiyun+	subdir_done()
219*4882a593Smuzhiyun+endif
220*4882a593Smuzhiyun+
221*4882a593Smuzhiyun+install_data(
222*4882a593Smuzhiyun+	'weston-remote-access',
223*4882a593Smuzhiyun+	install_dir: join_paths(dir_sysconf, 'pam.d')
224*4882a593Smuzhiyun+)
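Review bot: The install path is derived from `dir_sysconf`, which the top-level meson.build builds from the prefix plus sysconfdir, so with a prefix other than /usr (Meson's default is /usr/local) the service file appears to land in `<prefix>/etc/pam.d`, a directory Linux-PAM does not consult. pam_start() would then find no `weston-remote-access` service and fall back to the `other` stack, whose outcome is distro-dependent. Consider a dedicated install option for the PAM directory, or at least a build-time warning/documentation stating that the file must end up in /etc/pam.d for authentication to work.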
225*4882a593Smuzhiyundiff --git a/pam/weston-remote-access b/pam/weston-remote-access
226*4882a593Smuzhiyunnew file mode 100644
227*4882a593Smuzhiyunindex 0000000..d3014dd
228*4882a593Smuzhiyun--- /dev/null
229*4882a593Smuzhiyun+++ b/pam/weston-remote-access
230*4882a593Smuzhiyun@@ -0,0 +1,3 @@
231*4882a593Smuzhiyun+#%PAM-1.0
232*4882a593Smuzhiyun+auth    include login
233*4882a593Smuzhiyun+account include login
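Review bot: `auth include login` and `account include login` pull in whatever the distribution configured for interactive console login, which on several systems includes modules such as pam_securetty or pam_nologin that inspect PAM_TTY or assume a local terminal; auth.c in this patch never sets PAM_TTY or PAM_RHOST, so the behaviour of that stack for a remote VNC session is hard to predict and may differ between distros. A stack built on the distro's common/system auth and account files (the ones sshd-style services include) is usually the safer base for a network service; I would also add a comment in this file saying that no session or password stack is defined because libweston only calls pam_authenticate() and pam_acct_mgmt().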
234*4882a593Smuzhiyun--
235*4882a593Smuzhiyun2.20.1
236*4882a593Smuzhiyun