selftest: setup pam_matrix in the simpleserver env
authorStefan Metzmacher <metze@samba.org>
Fri, 12 Jul 2024 18:23:52 +0000 (20:23 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 17 Jul 2024 10:12:36 +0000 (10:12 +0000)
This allows testing a plaintext password authentication
on a standalone server using the PAM stack to verify it.

There are still production systems out in the wild using this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
selftest/selftest.pl
selftest/target/Samba.pm
selftest/target/Samba3.pm
selftest/wscript

index 3dbaa4f0c1804951d9050e1da400b08a2dcf748e..26b1663b5b689e70d56dcc03c2af7321fed24339 100755 (executable)
@@ -62,6 +62,8 @@ my $opt_libnss_wrapper_so_path = "";
 my $opt_libresolv_wrapper_so_path = "";
 my $opt_libsocket_wrapper_so_path = "";
 my $opt_libuid_wrapper_so_path = "";
+my $opt_libpam_wrapper_so_path = "";
+my $opt_libpam_matrix_so_path = "";
 my $opt_libasan_so_path = "";
 my $opt_libcrypt_so_path = "";
 my $opt_use_dns_faking = 0;
@@ -255,6 +257,8 @@ my $result = GetOptions (
                'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path,
                'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path,
                'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path,
+               'pam_wrapper_so_path=s' => \$opt_libpam_wrapper_so_path,
+               'pam_matrix_so_path=s' => \$opt_libpam_matrix_so_path,
                'asan_so_path=s' => \$opt_libasan_so_path,
                'crypt_so_path=s' => \$opt_libcrypt_so_path,
                'use-dns-faking' => \$opt_use_dns_faking
@@ -402,6 +406,14 @@ if ($opt_libuid_wrapper_so_path) {
        }
 }
 
+if ($opt_libpam_wrapper_so_path) {
+       if ($ld_preload) {
+               $ld_preload = "$ld_preload:$opt_libpam_wrapper_so_path";
+       } else {
+               $ld_preload = "$opt_libpam_wrapper_so_path";
+       }
+}
+
 if (defined($ENV{USE_NAMESPACES})) {
        print "Using linux containerization for selftest testenv(s)...\n";
 
@@ -469,6 +481,7 @@ if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {
 $target = new Samba($bindir, $srcdir, $server_maxtime,
                    $opt_socket_wrapper_pcap,
                    $opt_socket_wrapper_keep_pcap,
+                   $opt_libpam_matrix_so_path,
                    $opt_default_ldb_backend);
 unless ($opt_list) {
        if ($opt_target eq "samba") {
index 516684ee900ae1bf074bb208c9ff07c4bd9a051f..15d7692b5d64772affab789aee5ab15ad0f9c130 100644 (file)
@@ -16,11 +16,13 @@ use IO::Poll qw(POLLIN);
 sub new($$$$$) {
        my ($classname, $bindir, $srcdir, $server_maxtime,
            $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap,
+           $opt_libpam_matrix_so_path,
            $default_ldb_backend) = @_;
 
        my $self = {
            opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap,
            opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
+           opt_libpam_matrix_so_path => $opt_libpam_matrix_so_path,
        };
        $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime);
        $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend);
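Review bot: The new `$opt_libpam_matrix_so_path` argument is inserted positionally before `$default_ldb_backend`, so a caller of `Samba->new` that still passes the old seven-argument list would silently hand the LDB backend name to the PAM path slot. The `($$$$$)` prototype on `sub new` will not catch that, because it already lists fewer arguments than the sub unpacks and prototypes are not applied to method calls. The only caller visible on this page (selftest.pl) is updated; confirm there are no others. Consider dropping the prototype or adding a comment above the unpacking such as `# positional: keep in sync with the call in selftest.pl`.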
@@ -178,6 +180,14 @@ sub nss_wrapper_winbind_so_path($) {
        return $ret;
 }
 
+sub pam_matrix_so_path($) {
+       my ($self) = @_;
+       my $SambaCtx = $self;
+       $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});
+
+       return $SambaCtx->{opt_libpam_matrix_so_path};
+}
+
 sub copy_file_content($$)
 {
        my ($in, $out) = @_;
@@ -795,6 +805,20 @@ sub get_env_for_process
        if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
                $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
        }
+
+       if (defined($env_vars->{PAM_WRAPPER})) {
+               $proc_envs->{PAM_WRAPPER} = $env_vars->{PAM_WRAPPER};
+       }
+       if (defined($env_vars->{PAM_WRAPPER_KEEP_DIR})) {
+               $proc_envs->{PAM_WRAPPER_KEEP_DIR} = $env_vars->{PAM_WRAPPER_KEEP_DIR};
+       }
+       if (defined($env_vars->{PAM_WRAPPER_SERVICE_DIR})) {
+               $proc_envs->{PAM_WRAPPER_SERVICE_DIR} = $env_vars->{PAM_WRAPPER_SERVICE_DIR};
+       }
+       if (defined($env_vars->{PAM_WRAPPER_DEBUGLEVEL})) {
+               $proc_envs->{PAM_WRAPPER_DEBUGLEVEL} = $env_vars->{PAM_WRAPPER_DEBUGLEVEL};
+       }
+
        return $proc_envs;
 }
 
index a47678b9da23901d9b360afb38165d6b0103db24..c7cdbefc72d820783fcbdcdadd868bc3115b4aa1 100755 (executable)
@@ -1790,6 +1790,29 @@ sub setup_simpleserver
 
        $vars or return undef;
 
+       my $pam_service_dir = "$prefix_abs/pam_services";
+       remove_tree($pam_service_dir);
+       mkdir($pam_service_dir, 0777);
+       my $pam_service_file = "$pam_service_dir/samba";
+       my $pam_matrix_passdb = "$pam_service_dir/samba_pam_matrix_passdb";
+       my $pam_matrix_so_path = Samba::pam_matrix_so_path($self);
+
+       open(FILE, "> $pam_service_file");
+       print FILE "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
+       print FILE "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
+       close(FILE);
+
+       my $tmpusername = $vars->{USERNAME};
+       my $tmppassword = $vars->{PASSWORD};
+       open(FILE, "> $pam_matrix_passdb");
+       print FILE "$tmpusername:$tmppassword:samba";
+       close(FILE);
+
+       $vars->{PAM_WRAPPER} = "1";
+       $vars->{PAM_WRAPPER_KEEP_DIR} = "1";
+       $vars->{PAM_WRAPPER_SERVICE_DIR} = $pam_service_dir;
+       $vars->{PAM_WRAPPER_DEBUGLEVEL} = "3";
+
        if (not $self->check_or_start(
                env_vars => $vars,
                nmbd => "yes",
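Review bot: Both `open(FILE, "> $path")` calls in the added block are unchecked two-argument opens on a bareword handle. If either file cannot be created, setup_simpleserver carries on and the server starts with a missing or empty PAM service file, which surfaces later as an unexplained authentication failure. `mkdir($pam_service_dir, 0777)` is unchecked as well, and since the passdb file in that directory holds the test account's plaintext password, mode 0700 would be enough unless other selftest code needs it wider (not visible here). `Samba::pam_matrix_so_path($self)` returns an empty string when `--pam_matrix_so_path` was not given, which would write `auth required  passdb=...` with no module path, so the PAM setup should be skipped or fail loudly in that case. The function starts and ends outside this hunk.

```perl
	my $pam_service_dir = "$prefix_abs/pam_services";
	remove_tree($pam_service_dir);
	unless (mkdir($pam_service_dir, 0700)) {
		warn("Unable to create $pam_service_dir: $!");
		return undef;
	}
	# … unchanged: $pam_service_file, $pam_matrix_passdb, $pam_matrix_so_path …

	my $service_fh;
	unless (open($service_fh, '>', $pam_service_file)) {
		warn("Unable to open $pam_service_file: $!");
		return undef;
	}
	print $service_fh "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
	print $service_fh "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
	close($service_fh);

	# … unchanged: $tmpusername, $tmppassword …
	my $passdb_fh;
	unless (open($passdb_fh, '>', $pam_matrix_passdb)) {
		warn("Unable to open $pam_matrix_passdb: $!");
		return undef;
	}
	print $passdb_fh "$tmpusername:$tmppassword:samba";
	close($passdb_fh);
	# … unchanged: PAM_WRAPPER* entries in $vars …
```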
index b8faf6dbc84f2d1a2ef42be7ed658220c5ede15c..2d7e192c14fa168c9dd1a90af5016e17d153572f 100644 (file)
@@ -253,6 +253,8 @@ def cmd_testonly(opt):
     env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH')
     env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH')
     env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH')
+    env.OPTIONS += " --pam_wrapper_so_path=" + CONFIG_GET(opt, 'LIBPAM_WRAPPER_SO_PATH')
+    env.OPTIONS += " --pam_matrix_so_path=" + CONFIG_GET(opt, 'PAM_MATRIX_SO_PATH')
 
     # selftest can optionally use kernel namespaces instead of socket-wrapper
     if os.environ.get('USE_NAMESPACES') is None:
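Review bot: The two added lines concatenate the result of `CONFIG_GET(opt, 'LIBPAM_WRAPPER_SO_PATH')` and `CONFIG_GET(opt, 'PAM_MATRIX_SO_PATH')` directly onto a string, so they depend on configure always defining both keys as strings. The configure side is not part of this page; if a build without pam_wrapper leaves either key unset, this line would raise instead of passing an empty path. Confirm both keys are always set (to `""` when the library is unavailable), as the neighbouring wrapper options presumably are. cmd_testonly starts and ends outside this hunk.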