From: Oliver Kurth Date: Tue, 5 Jun 2018 22:45:04 +0000 (-0700) Subject: [Lifecycle][ESX] Allow ALL 'admin' users to access Personality Manager APIs X-Git-Tag: stable-11.0.0~581 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41dc7d851d9d20b345f0063e700775fc8e8b594a;p=thirdparty%2Fopen-vm-tools.git [Lifecycle][ESX] Allow ALL 'admin' users to access Personality Manager APIs 1. During the uninstall workflow, NSX-T does not have access to 'root' users and uses an admin user created by them to call Personality Manager APIs 2. Added a new PAM module for "settingsd" service and removed "root" hardcoding. 2.1 Kept it same as "sshd" module except I removed sending VOB during authentication. 3. For this, updated the auth lib to add a new method Auth_AuthenticateUserPAM,i which takes the PAM "service-name" to use while authenticating. 4. Modified the existing method Auth_AuthenticateUser to call this API when USE_PAM is true. 5. This would be available only on !_WIN32 --- diff --git a/open-vm-tools/lib/auth/authPosix.c b/open-vm-tools/lib/auth/authPosix.c index 2a19a2390..908ac3ff1 100644 --- a/open-vm-tools/lib/auth/authPosix.c +++ b/open-vm-tools/lib/auth/authPosix.c @@ -366,9 +366,9 @@ Auth_AuthenticateSelf(void) // IN /* *---------------------------------------------------------------------- * - * Auth_AuthenticateUser -- + * Auth_AuthenticateUserPAM -- * - * Accept username/password And verfiy it + * Accept username/password, and service and verfiy it with PAM * * Side effects: * None. 
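Review bot: The renamed header comment for Auth_AuthenticateUserPAM does not describe the new `service` argument or the NULL return of the `#ifndef USE_PAM` stub added in the next hunk, and it carries the `verfiy` typo forward. Since the service name is what selects the PAM policy applied to the credentials, this comment is where a caller learns that it must be a fixed, deployment-controlled name rather than anything derived from the request. Suggest replacing the one-line description with `Accept a username/password pair and a PAM service name, and verify the credentials through that PAM service's policy.` and adding under Results: `NULL if authentication fails, or unconditionally when built without USE_PAM.`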
@@ -382,17 +382,21 @@ Auth_AuthenticateSelf(void) // IN */ AuthToken -Auth_AuthenticateUser(const char *user, // IN: - const char *pass) // IN: +Auth_AuthenticateUserPAM(const char *user, // IN: + const char *pass, // IN: + const char *service) // IN: { -#ifdef USE_PAM +#ifndef USE_PAM + return NULL; +#else pam_handle_t *pamh; int pam_error; -#endif Bool success = FALSE; AuthTokenInternal *ati = NULL; + ASSERT(service); + if (!CodeSet_Validate(user, strlen(user), "UTF-8")) { Log("User not in UTF-8\n"); goto exit; @@ -402,7 +406,6 @@ Auth_AuthenticateUser(const char *user, // IN: goto exit; } -#ifdef USE_PAM if (!AuthLoadPAM()) { goto exit; } @@ -422,13 +425,10 @@ Auth_AuthenticateUser(const char *user, // IN: PAM_username = user; PAM_password = pass; -#if defined(VMX86_TOOLS) - pam_error = dlpam_start("vmtoolsd", PAM_username, &PAM_conversation, - &pamh); -#else - pam_error = dlpam_start("vmware-authd", PAM_username, &PAM_conversation, + + pam_error = dlpam_start(service, PAM_username, &PAM_conversation, &pamh); -#endif + if (pam_error != PAM_SUCCESS) { Log("Failed to start PAM (error = %d).\n", pam_error); goto exit; 
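Review bot: `ASSERT(service)` is the only check on the new `service` argument; if ASSERT compiles out in release builds (as such macros usually do), a NULL service reaches `dlpam_start(service, PAM_username, &PAM_conversation, &pamh)` in the @@ -422 hunk below and whatever PAM does with a NULL service name decides the outcome. Because this string selects which PAM policy is enforced, I would fail closed explicitly: `if (service == NULL) { Log("No PAM service name given\n"); goto exit; }` in place of the ASSERT (the `exit:` label and its cleanup are in the @@ -442 hunk, so the early goto takes the same path as the UTF-8 failures, with `ati` still NULL). The `#ifndef USE_PAM` stub also returns NULL with no log line, so a build without PAM is indistinguishable from a wrong password to callers of the new settingsd path; `Log("PAM support not compiled in\n");` before the return, plus `(void)user; (void)pass; (void)service;` to silence unused-parameter warnings, would make that diagnosable. The function body continues into the following hunks.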
@@ -442,9 +442,67 @@ Auth_AuthenticateUser(const char *user, // IN: PAM_BAIL; dlpam_end(pamh, PAM_SUCCESS); +#undef PAM_BAIL + /* If this point is reached, the user has been authenticated. */ ati = (AuthTokenInternal *) Auth_GetPwnam(user); + success = TRUE; + +exit: + if (success) { + return (AuthToken) ati; + } else { + Auth_CloseToken((AuthToken) ati); + return NULL; + } + +#endif // USE_PAM +} + + +/* + *---------------------------------------------------------------------- + * + * Auth_AuthenticateUser -- + * + * Accept username/password And verfiy it + * + * Side effects: + * None. + * + * Results: + * + * The vmauthToken for the authenticated user, or NULL if + * authentication failed. + * + *---------------------------------------------------------------------- + */ + +AuthToken +Auth_AuthenticateUser(const char *user, // IN: + const char *pass) // IN: +{ + +#ifdef USE_PAM + +#if defined(VMX86_TOOLS) + return Auth_AuthenticateUserPAM(user, pass, "vmtoolsd"); +#else + return Auth_AuthenticateUserPAM(user, pass, "vmware-authd"); +#endif + #else /* !USE_PAM */ + Bool success = FALSE; + AuthTokenInternal *ati = NULL; + + if (!CodeSet_Validate(user, strlen(user), "UTF-8")) { + Log("User not in UTF-8\n"); + goto exit; + } + if (!CodeSet_Validate(pass, strlen(pass), "UTF-8")) { + Log("Password not in UTF-8\n"); + goto exit; + } /* All of the following issues are dealt with in the PAM configuration file, so put all authentication/priviledge checks before the @@ -480,17 +538,17 @@ Auth_AuthenticateUser(const char *user, // IN: // Clear out crypt()'s internal state, too. crypt("glurp", pw); } -#endif /* !USE_PAM */ success = TRUE; - exit: +exit: if (success) { return (AuthToken) ati; } else { Auth_CloseToken((AuthToken) ati); return NULL; } +#endif /* !USE_PAM */ } diff --git a/open-vm-tools/lib/include/auth.h b/open-vm-tools/lib/include/auth.h index ce3680b8b..328aa7962 100644 --- a/open-vm-tools/lib/include/auth.h +++ b/open-vm-tools/lib/include/auth.h 
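Review bot: The new Auth_AuthenticateUser body repeats the two CodeSet_Validate checks and their log strings that Auth_AuthenticateUserPAM performs in the @@ -382 hunk, so the `!USE_PAM` branch and the PAM path can now drift apart (for example if one later gains a length limit and the other does not). A small file-static helper, placed above Auth_AuthenticateUserPAM so both functions can call it, keeps the credential validation in one place; sketch below. The copied header comment ("Accept username/password And verfiy it") also no longer explains how this function differs from the PAM variant; suggest `Authenticate username/password. With USE_PAM this delegates to Auth_AuthenticateUserPAM with the build's fixed service name ("vmtoolsd" under VMX86_TOOLS, otherwise "vmware-authd"); without USE_PAM it runs the local password check that follows.` The `!USE_PAM` branch of Auth_AuthenticateUser continues past this hunk into the @@ -480 hunk, which only relocates the `#endif` and the `exit:` label.
```c
/* Shared by Auth_AuthenticateUser and Auth_AuthenticateUserPAM: reject
 * credentials that are not valid UTF-8 before they reach PAM or crypt(). */
static Bool
AuthValidateCredentials(const char *user,   // IN:
                        const char *pass)   // IN:
{
   if (!CodeSet_Validate(user, strlen(user), "UTF-8")) {
      Log("User not in UTF-8\n");
      return FALSE;
   }
   if (!CodeSet_Validate(pass, strlen(pass), "UTF-8")) {
      Log("Password not in UTF-8\n");
      return FALSE;
   }
   return TRUE;
}

/* … unchanged: Auth_AuthenticateUser header comment and USE_PAM branch … */
   Bool success = FALSE;
   AuthTokenInternal *ati = NULL;

   if (!AuthValidateCredentials(user, pass)) {
      goto exit;
   }
/* … unchanged: local password check and exit: cleanup … */
```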
@@ -67,6 +67,8 @@ uint32 Auth_RetrieveAccountInformationForVM(const char *filename, uint32 *attrib
 AuthToken Auth_GetPwnam(const char *user);
 AuthToken Auth_AuthenticateSelf(void);
+AuthToken Auth_AuthenticateUserPAM(const char *user, const char *pass,
+ const char *service);
 #endif
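Review bot: The new prototype is exported with no comment saying what `service` is, and this header is the only thing a caller in the new settingsd code reads. Since the string names the PAM service whose policy will be enforced — the mechanism the commit message describes as replacing the hard-coded 'root' check — the declaration should state that it must be a fixed service name and what NULL means: `/* Authenticate user/pass via the PAM service 'service'. Returns NULL on failure, and always when built without USE_PAM. */` above the declaration. The surrounding `#if` block (presumably the non-_WIN32 section the commit message refers to) opens outside this hunk.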