#include <sbuild-auth.h>
Inheritance diagram for sbuild::auth:
Public Types | |
enum | status { STATUS_NONE, STATUS_USER, STATUS_FAIL } |
Authentication status. More... | |
enum | verbosity { VERBOSITY_QUIET, VERBOSITY_NORMAL, VERBOSITY_VERBOSE } |
Message verbosity. More... | |
enum | error_code { HOSTNAME, USER, AUTHENTICATION, AUTHORISATION, PAM_DOUBLE_INIT, PAM } |
Error codes. More... | |
typedef custom_error< error_code > | error |
Exception type. | |
typedef std::tr1::shared_ptr< auth_conv > | conv_ptr |
A shared_ptr to an auth_conv object. | |
Public Member Functions | |
auth (std::string const &service_name) | |
The constructor. | |
virtual | ~auth () |
The destructor. | |
std::string const & | get_service () const |
Get the PAM service name. | |
uid_t | get_uid () const |
Get the uid of the user. | |
gid_t | get_gid () const |
Get the gid of the user. | |
std::string const & | get_user () const |
Get the name of the user. | |
void | set_user (std::string const &user) |
Set the name of the user. | |
string_list const & | get_command () const |
Get the command to run in the session. | |
void | set_command (string_list const &command) |
Set the command to run in the session. | |
std::string const & | get_home () const |
Get the home directory. | |
std::string const & | get_wd () const |
Get the working directory. | |
void | set_wd (std::string const &wd) |
Set the working directory. | |
std::string const & | get_shell () const |
Get the name of the shell. | |
environment const & | get_environment () const |
Get the environment to use in the session. | |
void | set_environment (char **environment) |
Set the environment to use in the session. | |
void | set_environment (environment const &environment) |
Set the environment to use in the session. | |
environment | get_pam_environment () const |
Get the PAM environment. | |
uid_t | get_ruid () const |
Get the "remote uid" of the user. | |
std::string const & | get_ruser () const |
Get the "remote" name of the user. | |
verbosity | get_verbosity () const |
Get the message verbosity. | |
void | set_verbosity (verbosity verbosity) |
Set the message verbosity. | |
conv_ptr & | get_conv () |
Get the conversation handler. | |
void | set_conv (conv_ptr &conv) |
Set the conversation handler. | |
void | run () |
Run a session. | |
void | start () |
Start the PAM system. | |
void | stop () |
Stop the PAM system. | |
void | authenticate () |
Perform PAM authentication. | |
void | setupenv () |
Import the user environment into PAM. | |
void | account () |
Do PAM account management (authorisation). | |
void | cred_establish () |
Use PAM to establish credentials. | |
void | cred_delete () |
Use PAM to delete credentials. | |
void | open_session () |
Open a PAM session. | |
void | close_session () |
Close a PAM session. | |
status | change_auth (status oldauth, status newauth) const |
Set new authentication status. | |
Protected Member Functions | |
virtual status | get_auth_status () const |
Check if authentication is required. | |
virtual void | run_impl ()=0 |
Run session. | |
const char * | pam_strerror (int pam_error) |
Get a description of a PAM error. | |
Protected Attributes | |
pam_handle_t * | pam |
The PAM handle. | |
Private Attributes | |
const std::string | service |
The PAM service name. | |
uid_t | uid |
The uid to run as. | |
gid_t | gid |
The gid to run as. | |
std::string | user |
The user name to run as. | |
string_list | command |
The command to run. | |
std::string | home |
The home directory. | |
std::string | wd |
The directory to run in. | |
std::string | shell |
The user shell to run. | |
environment | user_environment |
The user environment to set. | |
uid_t | ruid |
The uid requesting authentication. | |
std::string | ruser |
The user name requesting authentication. | |
conv_ptr | conv |
The PAM conversation handler. | |
verbosity | message_verbosity |
The message verbosity. |
auth handles user authentication, authorisation and session management using the Pluggable Authentication Modules (PAM) library. It is essentially an object-oriented wrapper around PAM.
In order to use PAM correctly, it is important to call several of the methods in the correct order. For example, it is not possible to authorise a user before authenticating a user, and a session may not be started before either of these have occurred.
The correct order is
After the session has finished, or if an error occurred, the corresponding cleanup methods should be called
The run method will handle all this. The run_impl virtual function should be used to provide a session handler to open and close the session for the user. open_session and close_session must still be called.
Definition at line 73 of file sbuild-auth.h.
typedef custom_error<error_code> sbuild::auth::error |
typedef std::tr1::shared_ptr<auth_conv> sbuild::auth::conv_ptr |
enum sbuild::auth::status |
Authentication status.
STATUS_NONE | Authentication is not required. |
STATUS_USER | Authentication is required by the user. |
STATUS_FAIL | Authentication has failed. |
Definition at line 77 of file sbuild-auth.h.
Message verbosity.
VERBOSITY_QUIET | Only print essential messages. |
VERBOSITY_NORMAL | Print messages (the default). |
VERBOSITY_VERBOSE | Print all messages. |
Definition at line 85 of file sbuild-auth.h.
Error codes.
HOSTNAME | Failed to get hostname. |
USER | User not found. |
AUTHENTICATION | Authentication failed. |
AUTHORISATION | Authorisation failed. |
PAM_DOUBLE_INIT | PAM was already initialised. |
PAM | PAM error. |
Reimplemented in sbuild::session.
Definition at line 93 of file sbuild-auth.h.
auth::auth | ( | std::string const & | service_name | ) |
The constructor.
service_name | the PAM service name. This should be a hard-coded constant string literal for safety and security. This is passed to pam_start() when initialising PAM, and is used to load the correct configuration file from /etc/pam.d. |
Definition at line 136 of file sbuild-auth.cc.
References ruid, ruser, set_user(), and USER.
Here is the call graph for this function:
auth::~auth | ( | ) | [virtual] |
The destructor.
Definition at line 167 of file sbuild-auth.cc.
References sbuild::log_exception_error(), and stop().
Here is the call graph for this function:
std::string const & auth::get_service | ( | ) | const |
Get the PAM service name.
Definition at line 181 of file sbuild-auth.cc.
References service.
uid_t auth::get_uid | ( | ) | const |
Get the uid of the user.
This is the uid to run as in the * session.
Definition at line 187 of file sbuild-auth.cc.
References uid.
Referenced by sbuild::session::get_chroot_auth_status(), dchroot_dsa::session::get_chroot_auth_status(), sbuild::session::get_login_command(), sbuild::session::get_user_command(), dchroot::session::get_user_command(), dchroot_dsa::session::get_user_command(), sbuild::session::run_child(), and dchroot::session_base::run_impl().
Here is the caller graph for this function:
gid_t auth::get_gid | ( | ) | const |
Get the gid of the user.
This is the gid to run as in the session.
Definition at line 193 of file sbuild-auth.cc.
References gid.
Referenced by sbuild::session::run_child().
Here is the caller graph for this function:
std::string const & auth::get_user | ( | ) | const |
Get the name of the user.
This is the user to run as in the session.
Definition at line 199 of file sbuild-auth.cc.
References user.
Referenced by sbuild::session::get_login_command(), sbuild::session::get_user_command(), dchroot::session::get_user_command(), dchroot_dsa::session::get_user_command(), sbuild::session::run_child(), dchroot::session_base::run_impl(), and sbuild::session::setup_chroot().
Here is the caller graph for this function:
void auth::set_user | ( | std::string const & | user | ) |
Set the name of the user.
This is the user to run as in the session.
As a side effect, the uid, gid, home and shell member variables will also be set, so calling the corresponding get methods will now return meaningful values.
user | the name to set. |
Definition at line 205 of file sbuild-auth.cc.
References sbuild::DEBUG_INFO, gid, home, sbuild::log_debug(), shell, uid, and USER.
Referenced by auth().
Here is the call graph for this function:
Here is the caller graph for this function:
string_list const & auth::get_command | ( | ) | const |
Get the command to run in the session.
Definition at line 232 of file sbuild-auth.cc.
References command.
Referenced by sbuild::session::restore_termios(), sbuild::session::run_child(), and sbuild::session::save_termios().
Here is the caller graph for this function:
void auth::set_command | ( | string_list const & | command | ) |
Set the command to run in the session.
command | the command to run. This is a string list, each item being a separate argument. |
Definition at line 238 of file sbuild-auth.cc.
std::string const & auth::get_home | ( | ) | const |
Get the home directory.
This is the $HOME to set in the session, if the user environment is not being preserved.
Definition at line 244 of file sbuild-auth.cc.
References home.
Referenced by sbuild::session::get_login_directories(), dchroot::session::get_login_directories(), and dchroot_dsa::session::get_login_directories().
Here is the caller graph for this function:
std::string const & auth::get_wd | ( | ) | const |
Get the working directory.
This is the working directory to set in the session.
Definition at line 250 of file sbuild-auth.cc.
References wd.
Referenced by sbuild::session::get_command_directories(), sbuild::session::get_login_directories(), dchroot::session::get_login_directories(), and dchroot_dsa::session::get_login_directories().
Here is the caller graph for this function:
void auth::set_wd | ( | std::string const & | wd | ) |
Set the working directory.
This is the working directory to set in the session.
cvs | the current working directory. |
Definition at line 256 of file sbuild-auth.cc.
std::string const & auth::get_shell | ( | ) | const |
Get the name of the shell.
This is the shell to run in the session.
Reimplemented in sbuild::session.
Definition at line 262 of file sbuild-auth.cc.
References shell.
Referenced by sbuild::session::get_shell().
Here is the caller graph for this function:
environment const & auth::get_environment | ( | ) | const |
Get the environment to use in the session.
Definition at line 268 of file sbuild-auth.cc.
References user_environment.
Referenced by sbuild::session::get_login_command(), and dchroot::session::get_login_directories().
Here is the caller graph for this function:
void auth::set_environment | ( | char ** | environment | ) |
Set the environment to use in the session.
environment | an environ- or envp-like string vector containing key=value pairs. |
Definition at line 274 of file sbuild-auth.cc.
void auth::set_environment | ( | environment const & | environment | ) |
Set the environment to use in the session.
environment | an environment list. |
Definition at line 280 of file sbuild-auth.cc.
References user_environment.
environment auth::get_pam_environment | ( | ) | const |
Get the PAM environment.
This is the environment as set by PAM modules.
Definition at line 286 of file sbuild-auth.cc.
Referenced by sbuild::session::get_login_directories(), sbuild::session::get_user_command(), and sbuild::session::run_child().
Here is the caller graph for this function:
uid_t auth::get_ruid | ( | ) | const |
Get the "remote uid" of the user.
This is the uid which is requesting authentication.
Definition at line 292 of file sbuild-auth.cc.
References ruid.
Referenced by sbuild::session::get_login_command(), sbuild::session::get_user_command(), dchroot::session::get_user_command(), dchroot_dsa::session::get_user_command(), and dchroot::session_base::run_impl().
Here is the caller graph for this function:
std::string const & auth::get_ruser | ( | ) | const |
Get the "remote" name of the user.
This is the user which is requesting authentication.
Definition at line 298 of file sbuild-auth.cc.
References ruser.
Referenced by sbuild::session::get_chroot_auth_status(), sbuild::session::get_login_command(), sbuild::session::get_user_command(), dchroot::session::get_user_command(), dchroot_dsa::session::get_user_command(), and dchroot::session_base::run_impl().
Here is the caller graph for this function:
auth::verbosity auth::get_verbosity | ( | ) | const |
Get the message verbosity.
Returns the verbosity level.
Definition at line 304 of file sbuild-auth.cc.
References message_verbosity.
Referenced by sbuild::session::get_login_command(), sbuild::session::get_user_command(), dchroot::session::get_user_command(), dchroot_dsa::session::get_user_command(), and sbuild::session::setup_chroot().
Here is the caller graph for this function:
void auth::set_verbosity | ( | verbosity | verbosity | ) |
Set the message verbosity.
verbosity | the verbosity level. |
Definition at line 310 of file sbuild-auth.cc.
References message_verbosity.
auth::conv_ptr & auth::get_conv | ( | ) |
Get the conversation handler.
Definition at line 316 of file sbuild-auth.cc.
References conv.
void auth::set_conv | ( | conv_ptr & | conv | ) |
Set the conversation handler.
conv | a shared_ptr to the handler. |
Definition at line 322 of file sbuild-auth.cc.
void auth::run | ( | ) |
Run a session.
The user will be asked for authentication if required, and then the run_impl virtual method will be called.
An error will be thrown on failure.
Definition at line 328 of file sbuild-auth.cc.
References account(), authenticate(), cred_delete(), cred_establish(), sbuild::DEBUG_INFO, sbuild::log_debug(), run_impl(), setupenv(), start(), and stop().
Here is the call graph for this function:
void auth::start | ( | ) |
Start the PAM system.
No other PAM functions may be called before calling this function.
An error will be thrown on failure.
Definition at line 390 of file sbuild-auth.cc.
References auth_conv_hook(), conv, sbuild::DEBUG_CRITICAL, sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, pam, PAM_DOUBLE_INIT, pam_strerror(), and user.
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::stop | ( | ) |
Stop the PAM system.
No other PAM functions may be used after calling this function.
An error will be thrown on failure.
Definition at line 421 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), pam, PAM, and pam_strerror().
Referenced by run(), and ~auth().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::authenticate | ( | ) |
Perform PAM authentication.
If required, the user will be prompted to authenticate themselves.
An error will be thrown on failure.
Definition at line 440 of file sbuild-auth.cc.
References _, AUTHENTICATION, AUTHORISATION, sbuild::DEBUG_CRITICAL, sbuild::DEBUG_INFO, sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, get_auth_status(), HOSTNAME, sbuild::log_debug(), PAM, pam_strerror(), service, STATUS_FAIL, STATUS_NONE, STATUS_USER, and user.
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::setupenv | ( | ) |
Import the user environment into PAM.
If no environment was specified with set_environment, a minimal environment will be created containing HOME, LOGNAME, PATH, TERM and LOGNAME.
An error will be thrown on failure.
Definition at line 537 of file sbuild-auth.cc.
References sbuild::environment::add(), sbuild::DEBUG_INFO, sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, pam_strerror(), and sbuild::environment::remove().
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::account | ( | ) |
Do PAM account management (authorisation).
An error will be thrown on failure.
Definition at line 627 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, and pam_strerror().
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::cred_establish | ( | ) |
Use PAM to establish credentials.
An error will be thrown on failure.
Definition at line 646 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, and pam_strerror().
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::cred_delete | ( | ) |
Use PAM to delete credentials.
An error will be thrown on failure.
Definition at line 663 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, and pam_strerror().
Referenced by run().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::open_session | ( | ) |
Open a PAM session.
An error will be thrown on failure.
Definition at line 680 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, and pam_strerror().
Referenced by sbuild::session::run_impl().
Here is the call graph for this function:
Here is the caller graph for this function:
void auth::close_session | ( | ) |
Close a PAM session.
An error will be thrown on failure.
Definition at line 697 of file sbuild-auth.cc.
References sbuild::DEBUG_NOTICE, sbuild::DEBUG_WARNING, sbuild::log_debug(), PAM, and pam_strerror().
Referenced by sbuild::session::run_impl().
Here is the call graph for this function:
Here is the caller graph for this function:
auth::status auth::get_auth_status | ( | ) | const [protected, virtual] |
Check if authentication is required.
This default implementation always requires authentication.
Reimplemented in sbuild::session.
Definition at line 714 of file sbuild-auth.cc.
References change_auth(), STATUS_NONE, and STATUS_USER.
Referenced by authenticate().
Here is the call graph for this function:
Here is the caller graph for this function:
virtual void sbuild::auth::run_impl | ( | ) | [protected, pure virtual] |
Run session.
The code to run when authentication and authorisation have been completed.
Implemented in sbuild::session, and dchroot::session_base.
Referenced by run().
Here is the caller graph for this function:
Set new authentication status.
If newauth > oldauth, newauth is returned, otherwise oldauth is returned. This is to ensure the authentication status can never be decreased (relaxed).
oldauth | the current authentication status. | |
newauth | the new authentication status. |
Definition at line 435 of file sbuild-auth.h.
Referenced by sbuild::session::get_auth_status(), get_auth_status(), sbuild::session::get_chroot_auth_status(), dchroot::session::get_chroot_auth_status(), and dchroot_dsa::session::get_chroot_auth_status().
Here is the caller graph for this function:
const char * auth::pam_strerror | ( | int | pam_error | ) | [protected] |
Get a description of a PAM error.
pam_error | the PAM error number. |
Definition at line 724 of file sbuild-auth.cc.
Referenced by account(), authenticate(), close_session(), cred_delete(), cred_establish(), open_session(), setupenv(), start(), and stop().
Here is the caller graph for this function:
pam_handle_t* sbuild::auth::pam [protected] |
The PAM handle.
Definition at line 447 of file sbuild-auth.h.
Referenced by sbuild::session::run_child(), start(), and stop().
const std::string sbuild::auth::service [private] |
The PAM service name.
Definition at line 460 of file sbuild-auth.h.
Referenced by authenticate(), and get_service().
uid_t sbuild::auth::uid [private] |
The uid to run as.
Definition at line 462 of file sbuild-auth.h.
Referenced by get_uid(), and set_user().
gid_t sbuild::auth::gid [private] |
The gid to run as.
Definition at line 464 of file sbuild-auth.h.
Referenced by get_gid(), and set_user().
std::string sbuild::auth::user [private] |
The user name to run as.
Definition at line 466 of file sbuild-auth.h.
Referenced by authenticate(), get_user(), and start().
string_list sbuild::auth::command [private] |
The command to run.
Definition at line 468 of file sbuild-auth.h.
Referenced by get_command(), sbuild::session::restore_termios(), sbuild::session::run_child(), and sbuild::session::save_termios().
std::string sbuild::auth::home [private] |
The home directory.
Definition at line 470 of file sbuild-auth.h.
Referenced by get_home(), sbuild::session::get_login_directories(), and set_user().
std::string sbuild::auth::wd [private] |
The directory to run in.
Definition at line 472 of file sbuild-auth.h.
Referenced by sbuild::session::get_command_directories(), sbuild::session::get_login_directories(), dchroot::session::get_login_directories(), dchroot_dsa::session::get_login_directories(), and get_wd().
std::string sbuild::auth::shell [private] |
The user shell to run.
Definition at line 474 of file sbuild-auth.h.
Referenced by sbuild::session::get_login_command(), sbuild::session::get_shell(), get_shell(), and set_user().
environment sbuild::auth::user_environment [private] |
The user environment to set.
Definition at line 476 of file sbuild-auth.h.
Referenced by get_environment(), and set_environment().
uid_t sbuild::auth::ruid [private] |
The uid requesting authentication.
Definition at line 478 of file sbuild-auth.h.
Referenced by auth(), and get_ruid().
std::string sbuild::auth::ruser [private] |
The user name requesting authentication.
Definition at line 480 of file sbuild-auth.h.
Referenced by auth(), and get_ruser().
conv_ptr sbuild::auth::conv [private] |
The PAM conversation handler.
Definition at line 482 of file sbuild-auth.h.
Referenced by get_conv(), and start().
verbosity sbuild::auth::message_verbosity [private] |
The message verbosity.
Definition at line 484 of file sbuild-auth.h.
Referenced by get_verbosity(), and set_verbosity().