Just to show that PAM can do almost anything from the ridiculous to the

obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.

Sponsored by:	DARPA, NAI Labs.

lib/libpam/modules/modules.inc

@@ -2,6 +2,8 @@
 
 MODULES		 =
 MODULES		+= pam_deny
+MODULES		+= pam_echo
+MODULES		+= pam_exec
 MODULES		+= pam_ftp
 MODULES		+= pam_ftpusers
 .if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)

lib/libpam/modules/pam_echo/Makefile

@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+LIB=		pam_echo
+SRCS=		pam_echo.c
+MAN=		pam_echo.8
+
+.include <bsd.lib.mk>

lib/libpam/modules/pam_echo/pam_echo.8

@@ -0,0 +1,64 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\" Copyright (c) 2001 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" Portions of this software were developed for the FreeBSD Project by
+.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
+.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd May 24, 2002
+.Dt PAM_ECHO 8
+.Os
+.Sh NAME
+.Nm pam_echo
+.Nd Echo PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_echo
+.Op Ar arguments
+.Sh DESCRIPTION
+The echo service module for PAM displays its arguments to the user,
+separated by spaces, using the current conversation function.
+.Sh SEE ALSO
+.Xr pam.conf 5 ,
+.Xr pam 8
+.Sh AUTHORS
+The
+.Nm
+module and this manual page were developed for the
+.Fx
+Project by
+ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.

lib/libpam/modules/pam_echo/pam_echo.c

@@ -0,0 +1,126 @@
+/*-
+ * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/openpam.h>
+
+static int
+_pam_echo(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+	struct pam_message msg;
+	const struct pam_message *msgp;
+	const struct pam_conv *pamc;
+	struct pam_response *resp;
+	size_t len;
+	int i, pam_err;
+
+	if (flags & PAM_SILENT)
+		return (PAM_SUCCESS);
+	pam_err = pam_get_item(pamh, PAM_CONV, (const void **)&pamc);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+	for (i = 0, len = 0; i < argc; ++i)
+		len += strlen(argv[i]) + 1;
+	if ((msg.msg = malloc(len)) == NULL)
+		return (PAM_BUF_ERR);
+	for (i = 0, len = 0; i < argc; ++i)
+		len += sprintf(msg.msg + len, "%s%s", i ? " " : "", argv[i]);
+	msg.msg[len] = '\0';
+	msg.msg_style = PAM_TEXT_INFO;
+	msgp = &msg;
+	resp = NULL;
+	pam_err = (pamc->conv)(1, &msgp, &resp, pamc->appdata_ptr);
+	free(resp);
+	free(msg.msg);
+	return (pam_err);
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_echo(pamh, flags, argc, argv));
+}
+
+PAM_MODULE_ENTRY("pam_echo");

lib/libpam/modules/pam_exec/Makefile

@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+LIB=		pam_exec
+SRCS=		pam_exec.c
+MAN=		pam_exec.8
+
+.include <bsd.lib.mk>

lib/libpam/modules/pam_exec/pam_exec.8

@@ -0,0 +1,65 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\" Copyright (c) 2001 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" Portions of this software were developed for the FreeBSD Project by
+.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
+.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd May 24, 2002
+.Dt PAM_EXEC 8
+.Os
+.Sh NAME
+.Nm pam_exec
+.Nd Exec PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_exec
+.Op Ar arguments
+.Sh DESCRIPTION
+The exec service module for PAM executes the program designated by its
+first argument, with its remaining arguments as command-line
+arguments.
+.Sh SEE ALSO
+.Xr pam.conf 5 ,
+.Xr pam 8
+.Sh AUTHORS
+The
+.Nm
+module and this manual page were developed for the
+.Fx
+Project by
+ThinkSec AS and NAI Labs, the Security Research Division of Network
+Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.

lib/libpam/modules/pam_exec/pam_exec.c

@@ -0,0 +1,147 @@
+/*-
+ * Copyright (c) 2001 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/openpam.h>
+
+static int
+_pam_exec(pam_handle_t *pamh __unused, int flags __unused,
+    int argc, const char *argv[])
+{
+	int childerr, status;
+	pid_t pid;
+
+	if (argc < 1)
+		return (PAM_SERVICE_ERR);
+
+	/*
+	 * XXX For additional credit, divert child's stdin/stdout/stderr
+	 * to the conversation function.
+	 */
+	childerr = 0;
+	if ((pid = vfork()) == 0) {
+		execv(argv[0], argv);
+		childerr = errno;
+		_exit(1);
+	} else if (pid == -1) {
+		openpam_log(PAM_LOG_ERROR, "vfork(): %m");
+		return (PAM_SYSTEM_ERR);
+	}
+	if (waitpid(pid, &status, 0) == -1) {
+		openpam_log(PAM_LOG_ERROR, "waitpid(): %m");
+		return (PAM_SYSTEM_ERR);
+	}
+	if (childerr != 0) {
+		openpam_log(PAM_LOG_ERROR, "execv(): %m");
+		return (PAM_SYSTEM_ERR);
+	}
+	if (WIFSIGNALED(status)) {
+		openpam_log(PAM_LOG_ERROR, "%s caught signal %d%s",
+		    argv[0], WTERMSIG(status),
+		    WCOREDUMP(status) ? " (core dumped)" : "");
+		return (PAM_SYSTEM_ERR);
+	}
+	if (!WIFEXITED(status)) {
+		openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status);
+		return (PAM_SYSTEM_ERR);
+	}
+	if (WEXITSTATUS(status) != 0) {
+		openpam_log(PAM_LOG_ERROR, "%s returned code %d",
+		    argv[0], WEXITSTATUS(status));
+		return (PAM_SYSTEM_ERR);
+	}
+	return (PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+
+	return (_pam_exec(pamh, flags, argc, argv));
+}
+
+PAM_MODULE_ENTRY("pam_exec");