You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Dirk.vanGulik" <Di...@jrc.it> on 1996/06/19 19:39:19 UTC

nis control

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 10

Hi Henri,

Find attached the hacked NIS module, for mod_auth_nis, 
it did what we wanted it to do; feel free to hack it
but assume that it is broken and dead and unsecure.

See you in montreal,

Dirk.

----------
X-Sun-Data-Type: c-file
X-Sun-Data-Description: c-file
X-Sun-Data-Name: mod_auth_nis.c
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 203


/* ====================================================================
 * Copyright (c) 1995 The Apache Group.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * 4. The names "Apache Server" and "Apache Group" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission.
 *
 * 5. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
 * IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Group and was originally based
 * on public domain software written at the National Center for
 * Supercomputing Applications, University of Illinois, Urbana-Champaign.
 * For more information on the Apache Group and the Apache HTTP server
 * project, please see <http://www.apache.org/>.
 *
 */


/*
 * http_auth: authentication
 * 
 * Dirk.vanGulik@jrc.it
 *
 * Very quick and dirty hack to get NIS working; can be
 * improved a lot as we do all the reading/opening every
 * time, rather than caching it decently !
 *
 * SHADOW assumes old/new style passwords, see getpwnam() and getspnam()
 */

#include <pwd.h>
#define SHADOW 1
#define MULTITREADING 0

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"

typedef struct auth_nis_config_struct {
    int auth_nis;	/* contains true/false */
} auth_config_rec;

void *create_nis_auth_dir_config (pool *p, char *d)
{
    return pcalloc (p, sizeof(auth_config_rec));
}

char *
nis_set_flag_slot (cmd_parms * cmd, char *struct_ptr, int arg)
{
  (int) *(char **) (struct_ptr + ((int) cmd->info)) = arg;
  return NULL;
}
command_rec auth_nis_cmds[] = {
{ "AuthUserNis", nis_set_flag_slot,
    (void*)XtOffsetOf(auth_config_rec,auth_nis), OR_AUTHCFG, FLAG, 
	" NIS/YP checking on/off"
 },
{ NULL }
};

module auth_nis_module;
char *get_nis_pw(request_rec *r, char *user)
{
#ifdef MULTITREADING
    struct passwd *result;
    struct passwd tmp;
    char buff[MAX_STRING_LEN];

#ifdef SHADOW
    result=getspnam_r(user,tmp,buff,MAX_STRING_LEN);
#else
    result=getpwnam_r(user,tmp,buff,MAX_STRING_LEN);
#endif

#else
    struct passwd *result;

#ifdef SHADOW
    result=getspnam(user);
#else
    result=getpwnam(user);
#endif
#endif
    /* success ? */

    if (!result) {
	if (errno) 
           log_reason ("Problem with NIS: %s", strerror(errno), r);

	return NULL;
	};
    if (!result->pw_passwd) {
#ifndef SHADOW
	log_reason ("No NIS password for %s (Are you using shadow)", user, r);
#endif
	return NULL;
	};
    

    return pstrdup (r->pool, result->pw_passwd);
}


/* These functions return 0 if client is OK, and proper error status
 * if not... either AUTH_REQUIRED, if we made a check, and it failed, or
 * SERVER_ERROR, if things are so totally confused that we couldn't
 * figure out how to tell if the client is authorized or not.
 *
 * If they return DECLINED, and all other modules also decline, that's
 * treated by the server core as a configuration error, logged and
 * reported as such.
 */

/* Determine user ID, and check if it really is that user, for HTTP
 * basic authentication...
 */

int authenticate_nis_basic_user (request_rec *r)
{
    auth_config_rec *sec =
      (auth_config_rec *)get_module_config (r->per_dir_config, &auth_nis_module);
    conn_rec *c = r->connection;
    char *sent_pw, *real_pw;
    char errstr[MAX_STRING_LEN];
    int res;
    
    if ((res = get_basic_auth_pw (r, &sent_pw))) return res;
    
    if(!sec->auth_nis) 
        return DECLINED;
	
    if (!(real_pw = get_nis_pw(r, c->user))) {
        sprintf(errstr,"user %s not found",c->user);
	log_reason (errstr, r->uri, r);
	note_basic_auth_failure (r);
	return AUTH_REQUIRED;
    }
    /* anyone know where the prototype for crypt is? */
    if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
        sprintf(errstr,"user %s: password mismatch",c->user);
	log_reason (errstr, r->uri, r);
	note_basic_auth_failure (r);
	return AUTH_REQUIRED;
    }
    return OK;
}

module auth_nis_module = {
   STANDARD_MODULE_STUFF,
   NULL,			/* initializer */
   create_nis_auth_dir_config,	/* dir config creater */
   NULL,			/* dir merger --- default is to override */
   NULL,			/* server config */
   NULL,			/* merge server config */
   auth_nis_cmds,		/* command table */
   NULL,			/* handlers */
   NULL,			/* filename translation */
   authenticate_nis_basic_user,	/* check_user_id */
   NULL,			/* check auth */
   NULL,			/* check access */
   NULL,			/* type_checker */
   NULL,			/* fixups */
   NULL				/* logger */
};