接前一篇文章:PAM从入门到精通(二十)
本文参考:
《The Linux-PAM Application Developers' Guide》
先再来重温一下PAM系统架构:
更加形象的形式:
前边的文章讲解了各PAM-API函数以及总体流程,但是也只是从接口层面介绍的,并没有深入到代码层面。从本篇文章开始,将对于各个接口函数从源码级进行讲解,以使大家不但知其然,还要知其所以然。
1. pam_start函数
上回讲到_pam_start_internal函数的第一部分,本文继续往下进行讲解。为了便于理解,再次贴出_pam_start_internal函数源码。在libpam/pam_start.c中,如下所示:
- static int _pam_start_internal (
- const char *service_name,
- const char *user,
- const struct pam_conv *pam_conversation,
- const char *confdir,
- pam_handle_t **pamh)
- {
- D(("called pam_start: [%s] [%s] [%p] [%p]"
- ,service_name, user, pam_conversation, pamh));
-
- if (pamh == NULL) {
- pam_syslog(NULL, LOG_CRIT,
- "pam_start: invalid argument: pamh == NULL");
- return (PAM_SYSTEM_ERR);
- }
-
- if (service_name == NULL) {
- pam_syslog(NULL, LOG_CRIT,
- "pam_start: invalid argument: service == NULL");
- return (PAM_SYSTEM_ERR);
- }
-
- if (pam_conversation == NULL) {
- pam_syslog(NULL, LOG_CRIT,
- "pam_start: invalid argument: conv == NULL");
- return (PAM_SYSTEM_ERR);
- }
-
- if ((*pamh = calloc(1, sizeof(**pamh))) == NULL) {
- pam_syslog(NULL, LOG_CRIT, "pam_start: calloc failed for *pamh");
- return (PAM_BUF_ERR);
- }
-
- /* All service names should be files below /etc/pam.d and nothing
- else. Forbid paths. */
- if (strrchr(service_name, '/') != NULL)
- service_name = strrchr(service_name, '/') + 1;
-
- /* Mark the caller as the application - permission to do certain
- things is limited to a module or an application */
-
- __PAM_TO_APP(*pamh);
-
- if (((*pamh)->service_name = _pam_strdup(service_name)) == NULL) {
- pam_syslog(*pamh, LOG_CRIT,
- "pam_start: _pam_strdup failed for service name");
- _pam_drop(*pamh);
- return (PAM_BUF_ERR);
- } else {
- char *tmp;
-
- for (tmp=(*pamh)->service_name; *tmp; ++tmp)
- *tmp = tolower(*tmp); /* require lower case */
- }
-
- if (user) {
- if (((*pamh)->user = _pam_strdup(user)) == NULL) {
- pam_syslog(*pamh, LOG_CRIT,
- "pam_start: _pam_strdup failed for user");
- _pam_drop((*pamh)->service_name);
- _pam_drop(*pamh);
- return (PAM_BUF_ERR);
- }
- } else
- (*pamh)->user = NULL;
-
- if (confdir) {
- if (((*pamh)->confdir = _pam_strdup(confdir)) == NULL) {
- pam_syslog(*pamh, LOG_CRIT,
- "pam_start: _pam_strdup failed for confdir");
- _pam_drop((*pamh)->service_name);
- _pam_drop((*pamh)->user);
- _pam_drop(*pamh);
- return (PAM_BUF_ERR);
- }
- } else
- (*pamh)->confdir = NULL;
-
- (*pamh)->tty = NULL;
- (*pamh)->prompt = NULL; /* prompt for pam_get_user() */
- (*pamh)->ruser = NULL;
- (*pamh)->rhost = NULL;
- (*pamh)->authtok = NULL;
- (*pamh)->oldauthtok = NULL;
- (*pamh)->fail_delay.delay_fn_ptr = NULL;
- (*pamh)->former.choice = PAM_NOT_STACKED;
- (*pamh)->former.substates = NULL;
- #ifdef HAVE_LIBAUDIT
- (*pamh)->audit_state = 0;
- #endif
- (*pamh)->xdisplay = NULL;
- (*pamh)->authtok_type = NULL;
- (*pamh)->authtok_verified = 0;
- memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
-
- if (((*pamh)->pam_conversation = (struct pam_conv *)
- malloc(sizeof(struct pam_conv))) == NULL) {
- pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv");
- _pam_drop((*pamh)->service_name);
- _pam_drop((*pamh)->user);
- _pam_drop((*pamh)->confdir);
- _pam_drop(*pamh);
- return (PAM_BUF_ERR);
- } else {
- memcpy((*pamh)->pam_conversation, pam_conversation,
- sizeof(struct pam_conv));
- }
-
- (*pamh)->data = NULL;
- if ( _pam_make_env(*pamh) != PAM_SUCCESS ) {
- pam_syslog(*pamh,LOG_ERR,"pam_start: failed to initialize environment");
- _pam_drop((*pamh)->pam_conversation);
- _pam_drop((*pamh)->service_name);
- _pam_drop((*pamh)->user);
- _pam_drop((*pamh)->confdir);
- _pam_drop(*pamh);
- return PAM_ABORT;
- }
-
- _pam_reset_timer(*pamh); /* initialize timer support */
-
- _pam_start_handlers(*pamh); /* cannot fail */
-
- /* According to the SunOS man pages, loading modules and resolving
- * symbols happens on the first call from the application. */
-
- if ( _pam_init_handlers(*pamh) != PAM_SUCCESS ) {
- pam_syslog(*pamh, LOG_ERR, "pam_start: failed to initialize handlers");
- _pam_drop_env(*pamh); /* purge the environment */
- _pam_drop((*pamh)->pam_conversation);
- _pam_drop((*pamh)->service_name);
- _pam_drop((*pamh)->user);
- _pam_drop((*pamh)->confdir);
- _pam_drop(*pamh);
- return PAM_ABORT;
- }
-
- D(("exiting pam_start successfully"));
-
- return PAM_SUCCESS;
- }
做完第一步参数检查的工作后,接下来正式开始进行实际功能实现。
先是进行核心结构体的实例分配,代码片段如下:
- if ((*pamh = calloc(1, sizeof(**pamh))) == NULL) {
- pam_syslog(NULL, LOG_CRIT, "pam_start: calloc failed for *pamh");
- return (PAM_BUF_ERR);
- }
一般调用pam_start函数的时候,传入的参数都是这样:
- pam_handle_t *pamh = NULL;
-
- /* 初始化,并提供一个回调函数 */
- if ((pam_start("login", user_name, &conv, &pamh)) != PAM_SUCCESS)
- exit(1);
传入的是pam_handle_t即struct pam_handle的指针的地址,也就是指针的指针。之所以传入指针的地址,就是为了在这里使该指针指向calloc动态分配的空间。再来重温一下struct pam_handle的定义,在libpam/pam_private.h中,如下:
- struct pam_handle {
- char *authtok;
- unsigned caller_is;
- struct pam_conv *pam_conversation;
- char *oldauthtok;
- char *prompt; /* for use by pam_get_user() */
- char *service_name;
- char *user;
- char *rhost;
- char *ruser;
- char *tty;
- char *xdisplay;
- char *authtok_type; /* PAM_AUTHTOK_TYPE */
- struct pam_data *data;
- struct pam_environ *env; /* structure to maintain environment list */
- struct _pam_fail_delay fail_delay; /* helper function for easy delays */
- struct pam_xauth_data xauth; /* auth info for X display */
- struct service handlers;
- struct _pam_former_state former; /* library state - support for
- event driven applications */
- const char *mod_name; /* Name of the module currently executed */
- int mod_argc; /* Number of module arguments */
- char **mod_argv; /* module arguments */
- int choice; /* Which function we call from the module */
-
- #ifdef HAVE_LIBAUDIT
- int audit_state; /* keep track of reported audit messages */
- #endif
- int authtok_verified;
- char *confdir;
- };
分配了pam_handle_t类型的内存后,_pam_start_internal函数接下来对参数service_name作进一步处理,代码片段如下:
- /* All service names should be files below /etc/pam.d and nothing
- else. Forbid paths. */
- if (strrchr(service_name, '/') != NULL)
- service_name = strrchr(service_name, '/') + 1;
如果传入的service_name字符串中包含'/',则只取'/'之后的名称。
接下来来到以下代码片段:
- /* Mark the caller as the application - permission to do certain
- things is limited to a module or an application */
-
- __PAM_TO_APP(*pamh);
__PAM_TO_APP是一个宏,在libpam/pam_private.h中定义,代码如下:
- #define __PAM_TO_APP(pamh) \
- do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
这句代码很好理解,就是将上边分配的pamh对象的caller_is(unsigned caller_is)成员赋值为_PAM_CALLED_FROM_APP。_PAM_CALLED_FROM_APP在同文件中定义,代码如下:
- /* used to work out where control currently resides (in an application
- or in a module) */
-
- #define _PAM_CALLED_FROM_MODULE 1
- #define _PAM_CALLED_FROM_APP 2
综上,这段代码的意思就是将调用者(控制权)标记为应用(Application)侧。
_pam_start_internal函数的其余部分将在后续文章中继续讲解。