From: Stefan Metzmacher Date: Fri, 12 Jul 2024 18:23:52 +0000 (+0200) Subject: selftest: setup pam_matrix in the simpleserver env X-Git-Tag: tdb-1.4.11~106 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=66e9d3fe01f80f19264aaf8250d92c82a707162a;p=thirdparty%2Fsamba.git selftest: setup pam_matrix in the simpleserver env This allows testing a plaintext password authentication on a standalone server using the PAM stack to verify it. There are still production systems out in the wild using this... BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 3dbaa4f0c18..26b1663b5b6 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -62,6 +62,8 @@ my $opt_libnss_wrapper_so_path = ""; my $opt_libresolv_wrapper_so_path = ""; my $opt_libsocket_wrapper_so_path = ""; my $opt_libuid_wrapper_so_path = ""; +my $opt_libpam_wrapper_so_path = ""; +my $opt_libpam_matrix_so_path = ""; my $opt_libasan_so_path = ""; my $opt_libcrypt_so_path = ""; my $opt_use_dns_faking = 0; @@ -255,6 +257,8 @@ my $result = GetOptions ( 'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path, 'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path, 'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path, + 'pam_wrapper_so_path=s' => \$opt_libpam_wrapper_so_path, + 'pam_matrix_so_path=s' => \$opt_libpam_matrix_so_path, 'asan_so_path=s' => \$opt_libasan_so_path, 'crypt_so_path=s' => \$opt_libcrypt_so_path, 'use-dns-faking' => \$opt_use_dns_faking @@ -402,6 +406,14 @@ if ($opt_libuid_wrapper_so_path) { } } +if ($opt_libpam_wrapper_so_path) { + if ($ld_preload) { + $ld_preload = "$ld_preload:$opt_libpam_wrapper_so_path"; + } else { + $ld_preload = "$opt_libpam_wrapper_so_path"; + } +} + if (defined($ENV{USE_NAMESPACES})) { print "Using linux containerization for selftest testenv(s)...\n"; 
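Review bot: The new `if ($opt_libpam_wrapper_so_path)` block in the `@@ -402` hunk of selftest.pl appends pam_wrapper to `$ld_preload` without a comment on scope, and nothing in the hunk restricts it to the simpleserver environment. Judging by the rest of this commit, the wrapper is switched on through `PAM_WRAPPER=1`, which only `setup_simpleserver` sets and `get_env_for_process` forwards, so the preload is presumably inert elsewhere. A one-line comment would record that assumption for the next reader, e.g. `# pam_wrapper is preloaded with the other wrappers; it is expected to act only where PAM_WRAPPER=1 is exported (simpleserver)`. The quoting in `$ld_preload = "$opt_libpam_wrapper_so_path";` is redundant and could be the bare variable.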
@@ -469,6 +481,7 @@ if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") { $target = new Samba($bindir, $srcdir, $server_maxtime, $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap, + $opt_libpam_matrix_so_path, $opt_default_ldb_backend); unless ($opt_list) { if ($opt_target eq "samba") { diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 516684ee900..15d7692b5d6 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -16,11 +16,13 @@ use IO::Poll qw(POLLIN); sub new($$$$$) { my ($classname, $bindir, $srcdir, $server_maxtime, $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap, + $opt_libpam_matrix_so_path, $default_ldb_backend) = @_; my $self = { opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap, opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap, + opt_libpam_matrix_so_path => $opt_libpam_matrix_so_path, }; $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime); $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend); @@ -178,6 +180,14 @@ sub nss_wrapper_winbind_so_path($) { return $ret; } +sub pam_matrix_so_path($) { + my ($self) = @_; + my $SambaCtx = $self; + $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx}); + + return $SambaCtx->{opt_libpam_matrix_so_path}; +} + sub copy_file_content($$) { my ($in, $out) = @_; 
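Review bot: `$opt_libpam_matrix_so_path` is inserted in the middle of the positional list of `Samba::new` (the `@@ -16` hunk in Samba.pm) rather than appended, so a caller still passing the old argument list would have its ldb backend stored as `opt_libpam_matrix_so_path` and `$default_ldb_backend` left undefined, with no error raised. The `($$$$$)` prototype does not catch this, because it lists fewer slots than the arguments unpacked and Perl does not apply prototypes to method-style calls such as `new Samba(...)`. Only the selftest.pl call site in the `@@ -469` hunk is visible here, and it is updated consistently. I would add a comment above `sub new` stating the expected order, `# args: bindir, srcdir, server_maxtime, socket_wrapper_pcap, socket_wrapper_keep_pcap, libpam_matrix_so_path, default_ldb_backend`, or pass the new value as the last argument instead. The body of `new` continues past the end of the hunk.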
@@ -795,6 +805,20 @@ sub get_env_for_process if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) { $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE}; } + + if (defined($env_vars->{PAM_WRAPPER})) { + $proc_envs->{PAM_WRAPPER} = $env_vars->{PAM_WRAPPER}; + } + if (defined($env_vars->{PAM_WRAPPER_KEEP_DIR})) { + $proc_envs->{PAM_WRAPPER_KEEP_DIR} = $env_vars->{PAM_WRAPPER_KEEP_DIR}; + } + if (defined($env_vars->{PAM_WRAPPER_SERVICE_DIR})) { + $proc_envs->{PAM_WRAPPER_SERVICE_DIR} = $env_vars->{PAM_WRAPPER_SERVICE_DIR}; + } + if (defined($env_vars->{PAM_WRAPPER_DEBUGLEVEL})) { + $proc_envs->{PAM_WRAPPER_DEBUGLEVEL} = $env_vars->{PAM_WRAPPER_DEBUGLEVEL}; + } + return $proc_envs; } diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a47678b9da2..c7cdbefc72d 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1790,6 +1790,29 @@ sub setup_simpleserver $vars or return undef; + my $pam_service_dir = "$prefix_abs/pam_services"; + remove_tree($pam_service_dir); + mkdir($pam_service_dir, 0777); + my $pam_service_file = "$pam_service_dir/samba"; + my $pam_matrix_passdb = "$pam_service_dir/samba_pam_matrix_passdb"; + my $pam_matrix_so_path = Samba::pam_matrix_so_path($self); + + open(FILE, "> $pam_service_file"); + print FILE "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n"; + print FILE "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n"; + close(FILE); + + my $tmpusername = $vars->{USERNAME}; + my $tmppassword = $vars->{PASSWORD}; + open(FILE, "> $pam_matrix_passdb"); + print FILE "$tmpusername:$tmppassword:samba"; + close(FILE); + + $vars->{PAM_WRAPPER} = "1"; + $vars->{PAM_WRAPPER_KEEP_DIR} = "1"; + $vars->{PAM_WRAPPER_SERVICE_DIR} = $pam_service_dir; + $vars->{PAM_WRAPPER_DEBUGLEVEL} = "3"; + if (not $self->check_or_start( env_vars => $vars, nmbd => "yes", diff --git a/selftest/wscript b/selftest/wscript index b8faf6dbc84..2d7e192c14f 100644 
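Review bot: In the `setup_simpleserver` hunk of Samba3.pm the `mkdir` and both `open(FILE, "> ...")` calls are unchecked, so a failure leaves `PAM_WRAPPER_SERVICE_DIR` pointing at a missing or empty service file and the environment starts anyway, with the cause hidden behind later authentication failures. The same applies to an empty `$pam_matrix_so_path`, which is the default in selftest.pl when `--pam_matrix_so_path` is not given and would write an `auth required  passdb=...` line that names no module. The directory that holds the cleartext `user:password:samba` entry is also requested with mode 0777; 0700 looks sufficient unless another account has to read it, which this diff does not show. I would switch to three-argument `open` with lexical handles and return undef on failure, as the `$vars or return undef;` line just above does; the start and end of the function are outside the hunk.

```perl
	# … unchanged: $pam_service_dir, remove_tree() …
	unless (mkdir($pam_service_dir, 0700)) {
		warn("Unable to create $pam_service_dir: $!");
		return undef;
	}
	# … unchanged: $pam_service_file, $pam_matrix_passdb, $pam_matrix_so_path …
	unless ($pam_matrix_so_path) {
		warn("pam_matrix_so_path is not set, cannot write $pam_service_file");
		return undef;
	}

	my $service_fh;
	unless (open($service_fh, '>', $pam_service_file)) {
		warn("Unable to open $pam_service_file: $!");
		return undef;
	}
	print $service_fh "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
	print $service_fh "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
	close($service_fh);

	# … unchanged: $tmpusername, $tmppassword …
	my $passdb_fh;
	unless (open($passdb_fh, '>', $pam_matrix_passdb)) {
		warn("Unable to open $pam_matrix_passdb: $!");
		return undef;
	}
	print $passdb_fh "$tmpusername:$tmppassword:samba";
	close($passdb_fh);
	# … unchanged: PAM_WRAPPER* assignments in $vars …
```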
--- a/selftest/wscript +++ b/selftest/wscript @@ -253,6 +253,8 @@ def cmd_testonly(opt): env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH') env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH') env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH') + env.OPTIONS += " --pam_wrapper_so_path=" + CONFIG_GET(opt, 'LIBPAM_WRAPPER_SO_PATH') + env.OPTIONS += " --pam_matrix_so_path=" + CONFIG_GET(opt, 'PAM_MATRIX_SO_PATH') # selftest can optionally use kernel namespaces instead of socket-wrapper if os.environ.get('USE_NAMESPACES') is None: