You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Jiahao Niu (JIRA)" <ji...@apache.org> on 2016/10/31 02:23:58 UTC

[jira] [Commented] (RANGER-1187) In pamCredValidator.c, pam_end() is not called if authentication fails.

    [ https://issues.apache.org/jira/browse/RANGER-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15620995#comment-15620995 ] 

Jiahao Niu commented on RANGER-1187:
------------------------------------

The lifecycle of a typical PAM transaction is described below. Note that if any of these steps fails, the server should report a suitable error message to the client and abort the transaction.

    If necessary, the server obtains arbitrator credentials through a mechanism independent of PAM—most commonly by virtue of having been started by root, or of being setuid root.

    The server calls pam_start(3) to initialize the PAM library and specify its service name and the target account, and register a suitable conversation function.

    The server obtains various information relating to the transaction (such as the applicant's user name and the name of the host the client runs on) and submits it to PAM using pam_set_item(3).

    The server calls pam_authenticate(3) to authenticate the applicant.

    The server calls pam_acct_mgmt(3) to verify that the requested account is available and valid. If the password is correct but has expired, pam_acct_mgmt(3) will return PAM_NEW_AUTHTOK_REQD instead of PAM_SUCCESS.

    If the previous step returned PAM_NEW_AUTHTOK_REQD, the server now calls pam_chauthtok(3) to force the client to change the authentication token for the requested account.

    Now that the applicant has been properly authenticated, the server calls pam_setcred(3) to establish the credentials of the requested account. It is able to do this because it acts on behalf of the arbitrator, and holds the arbitrator's credentials.

    Once the correct credentials have been established, the server calls pam_open_session(3) to set up the session.

    The server now performs whatever service the client requested—for instance, provide the applicant with a shell.

    Once the server is done serving the client, it calls pam_close_session(3) to tear down the session.

    Finally, the server calls pam_end to notify the PAM library that it is done and that it can release whatever resources it has allocated in the course of the transaction.

   When an exception occurs, the pam_end() needs to be called to stop the pam transaction.





> In pamCredValidator.c, pam_end() is not called if authentication fails.
> -----------------------------------------------------------------------
>
>                 Key: RANGER-1187
>                 URL: https://issues.apache.org/jira/browse/RANGER-1187
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: zhangqiang
>            Assignee: Qiang Zhang
>            Priority: Minor
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In main method of C file "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
> when authentication fails, pam_end() is not called before exit(1),
> which result in PAM transaction is not closed.
> The pam_end() function terminates a PAM transaction and destroys the
> corresponding PAM context, releasing all resources allocated to it.
> int main(int ac, char **av, char **ev)
> {
> 	char username[64] ;
> 	char password[64] ;
> 	char line[512] ;
> 	int retval;
> 	pam_handle_t *pamh = NULL;
> 	fgets(line,512,stdin) ;
> 	sscanf(line, "LOGIN:%s %s",username,password) ;
> 	conv.appdata_ptr = (char *) password;
> 	retval = pam_start("ranger-remote", username, &conv, &pamh);
> 	if (retval != PAM_SUCCESS) {
> 		/* why expose this? */
> 		fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
> 		exit(1);
> 	}
> 	retval = pam_authenticate(pamh, 0);
> 	if (retval != PAM_SUCCESS) {
> 		fprintf(stdout, "FAILED: Password did not match.\n") ;
> 		exit(1);
> 	}
> 	/* authorize */
> 	retval = pam_acct_mgmt(pamh, 0);
> 	if (retval != PAM_SUCCESS) {
> 		fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
> 		exit(1);
> 	}
> 	/* establish the requested credentials */
> 	if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
> 			fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
>     		exit(1);
> 	}
> 	/* not opening a session, as logout has not been implemented as a remote service */
> 	fprintf(stdout, "OK:\n") ;
> 	if (pamh) {
> 		pam_end(pamh, retval);
> 	}
> 	exit(0) ;
> }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)