From dan@dan.emsphone.com  Wed Jan 12 18:15:22 2005
Return-Path: <dan@dan.emsphone.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C440A16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Jan 2005 18:15:22 +0000 (GMT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3334C43D3F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Jan 2005 18:15:22 +0000 (GMT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.13.1/8.13.1) id j0CIFLdk048734;
	Wed, 12 Jan 2005 12:15:21 -0600 (CST)
	(envelope-from dan)
Message-Id: <200501121815.j0CIFLdk048734@dan.emsphone.com>
Date: Wed, 12 Jan 2005 12:15:21 -0600 (CST)
From: Dan Nelson <dnelson@allantgroup.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] Add PAM support to cvs pserver
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76169
>Category:       gnu
>Synopsis:       [patch] Add PAM support to cvs pserver
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 12 18:20:21 GMT 2005
>Closed-Date:    Sat Sep 15 23:37:41 UTC 2012
>Last-Modified:  Sat Sep 15 23:37:41 UTC 2012
>Originator:     Dan Nelson
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dan.emsphone.com 5.3-STABLE FreeBSD 5.3-STABLE #386: Tue Jan 11 12:01:34 CST 2005 zsh@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386


	
>Description:

Most of the base services have been PAM-ified, but cvs is a notable
exception.  CVS 1.12 will have PAM support, but I don't know when 1.12
will be declared stable. The following patch is based on Steve
McIntyre's 1.11 patch at
http://ccvs.cvshome.org/issues/show_bug.cgi?id=44 .

	
>How-To-Repeat:
	
>Fix:

Index: contrib/cvs/src/server.c
===================================================================
RCS file: /home/ncvs/src/contrib/cvs/src/server.c,v
retrieving revision 1.24
diff -u -p -r1.24 server.c
--- contrib/cvs/src/server.c	10 Jun 2004 19:12:50 -0000	1.24
+++ contrib/cvs/src/server.c	5 Jan 2005 18:25:50 -0000
@@ -20,6 +20,13 @@
 #include "getline.h"
 #include "buffer.h"
 
+#define HAVE_PAM
+
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+#endif
+
 #if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
 # ifdef HAVE_GSSAPI
 /* This stuff isn't included solely with SERVER_SUPPORT since some of these
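
Review bot: the unconditional "#define HAVE_PAM" directly above "#ifdef HAVE_PAM" makes every HAVE_PAM guard in this file always true, so cvs can no longer be built without PAM and the #else branch added further down is dead code. Drop the define from server.c and pass -DHAVE_PAM through CFLAGS in gnu/usr.bin/cvs/cvs/Makefile, next to the -lpam addition, so the option can be switched off in one place.
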
@@ -5593,7 +5600,66 @@ check_repository_password (username, pas
     return retval;
 }
 
+#ifdef HAVE_PAM
+
+static struct pam_conv conv = {
+    openpam_nullconv,
+    NULL
+};
+
+/* Modelled very closely on the example code in "The Linux-PAM
+   Application Developers' Guide" by Andrew G. Morgan. */
+static int
+check_pam_password (username, password, repository, host_user_ptr)
+     char *username, *password, *repository, **host_user_ptr;
+{
+    pam_handle_t *pamh=NULL;
+    int retval;
+    int rc = 0;
+
+    retval = pam_start("cvs", username, &conv, &pamh);
+
+    if (retval == PAM_SUCCESS)
+	retval = pam_set_item(pamh, PAM_AUTHTOK, password);
+
+    if (retval == PAM_SUCCESS)
+	retval = pam_authenticate(pamh, 0);    /* is user really user? */
+
+    if (retval == PAM_SUCCESS)
+	retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
+
+    /* This is where we have been authorized or not. */
+
+    switch(retval)
+    {
+	case PAM_SUCCESS:
+	    *host_user_ptr = xstrdup(username);
+	    rc = 1;
+	    break;
+	case PAM_AUTH_ERR:
+	    syslog (LOG_DAEMON | LOG_ERR,
+		    "some pam function failed: %s ",
+		    pam_strerror(pamh, retval));
+	    *host_user_ptr = NULL;
+	    rc = 2;
+	    break;
+	default:
+	    syslog (LOG_DAEMON | LOG_ERR,
+		    "some pam function failed: %s ",
+		    pam_strerror(pamh, retval));
+	    *host_user_ptr = NULL;
+	    rc = 0;
+	    break;
+    }
+    
+    if (pam_end(pamh, retval) != PAM_SUCCESS) {     /* close PAM */
+	pamh = NULL;
+	fprintf(stderr, "failed to release authenticator\n");
+    }
 
+    return rc;       /* indicate success */
+}
+#endif /* HAVE_PAM */
 
 /* Return a hosting username if password matches, else NULL. */
 static char *
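
Review bot: if pam_start() fails in check_pam_password(), pamh is still NULL when the default case calls pam_strerror(pamh, retval) and when pam_end(pamh, retval) runs afterwards; guard the pam_end() call with a pamh != NULL test and log the pam_start() failure separately. Smaller points in the same function: the two syslog() calls carry the identical text "some pam function failed" and omit the username, so an authentication failure cannot be told apart from a PAM configuration error in the log; the pam_end() failure is reported with fprintf(stderr, ...) while everything else here uses syslog(); the repository argument is never used; and the "/* indicate success */" comment on "return rc;" is misleading because rc is 0, 1 or 2, which deserves a comment or named constants.
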
@@ -5639,6 +5705,26 @@ check_password (username, password, repo
 	error_exit ();
     }
 
+
+#ifdef HAVE_PAM
+	rc = check_pam_password (username, password, repository,
+				 &host_user);
+	if (rc == 2)
+	{
+		syslog (LOG_NOTICE,
+			"pam auth failed for %s", username);
+		return NULL;
+	}
+
+	/* else */
+	
+	if (rc == 1)
+	{
+	    /* host_user already set by reference, so just return. */
+	    goto handle_return;
+	}
+#else /* HAVE_PAM */
+
     /* No cvs password found, so try /etc/passwd. */
 
 #ifdef HAVE_GETSPNAM
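
Review bot: rc == 0 from check_pam_password() has no branch after the "if (rc == 1)" block, so with the "#else" side compiled out it drops straight to handle_return and is denied only because the callee set host_user to NULL, and it does so without the "pam auth failed for %s" message that rc == 2 gets. Handle every value other than 1 in one explicit failure branch that logs and returns NULL, so the deny path does not depend on a side effect. The new syslog() call also uses a bare LOG_NOTICE, while the existing refusal message at the end of this function logs with LOG_AUTHPRIV | LOG_NOTICE; use the same facility so PAM failures land with the other authentication records. The added block is indented with a mix of one tab and four spaces, which does not match the surrounding code.
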
@@ -5714,6 +5800,7 @@ error 0 %s: no such user\n", username);
     syslog (LOG_AUTHPRIV | LOG_NOTICE,
 	    "login refused for %s: user has no password", username);
 #endif
+#endif /* HAVE_PAM */
 
 handle_return:
     if (host_user)
Index: gnu/usr.bin/cvs/cvs/Makefile
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/cvs/cvs/Makefile,v
retrieving revision 1.48
diff -u -p -r1.48 Makefile
--- gnu/usr.bin/cvs/cvs/Makefile	6 Aug 2004 07:27:03 -0000	1.48
+++ gnu/usr.bin/cvs/cvs/Makefile	5 Jan 2005 18:25:50 -0000
@@ -31,7 +31,7 @@ CFLAGS+= -I${.CURDIR} -I../lib -DHAVE_CO
 	 -I${CVSDIR}/lib -I${CVSDIR}/diff -I.
 
 DPADD=	${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ}
-LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz
+LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz -lpam
 
 .if !defined(NO_KERBEROS) && !defined(NO_OPENSSL) && !defined(NOCRYPT)
 CFLAGS+= -DHAVE_GSSAPI -DHAVE_GSSAPI_H -DENCRYPTION
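
Review bot: LDADD gains -lpam but the DPADD line just above it is unchanged, so the cvs binary gets no dependency on the PAM library; add ${LIBPAM} to DPADD to keep the two lists in step.
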


	


>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/76169: [PATCH] Add PAM support to cvs pserver
Date: Wed, 12 Jan 2005 23:17:32 +0200

 On 2005-01-12 12:15, Dan Nelson <dnelson@allantgroup.com> wrote:
 > Most of the base services have been PAM-ified, but cvs is a notable
 > exception.  CVS 1.12 will have PAM support, but I don't know when 1.12
 > will be declared stable. The following patch is based on Steve
 > McIntyre's 1.11 patch at
 > http://ccvs.cvshome.org/issues/show_bug.cgi?id=44 .
 
 CVS is contrib software, so I don't know if we can just pull the files
 off the vendor branch so easily.  But I noticed a small nit, that you
 may want to fix in the diff:
 
 > --- gnu/usr.bin/cvs/cvs/Makefile	6 Aug 2004 07:27:03 -0000	1.48
 > +++ gnu/usr.bin/cvs/cvs/Makefile	5 Jan 2005 18:25:50 -0000
 :
 >  DPADD=	${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ}
 > -LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz
 > +LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz -lpam
 
 Adding libraries in LDADD should also update DPADD, IIRC.
 The fix is simple: add ${LIBPAM} to DPADD too.
 

From: Dan Nelson <dnelson@allantgroup.com>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: bug-followup@freebsd.org
Subject: Re: bin/76169: [PATCH] Add PAM support to cvs pserver
Date: Wed, 12 Jan 2005 15:48:21 -0600

 In the last episode (Jan 12), Giorgos Keramidas said:
 > On 2005-01-12 12:15, Dan Nelson <dnelson@allantgroup.com> wrote:
 > > Most of the base services have been PAM-ified, but cvs is a notable
 > > exception.  CVS 1.12 will have PAM support, but I don't know when 1.12
 > > will be declared stable. The following patch is based on Steve
 > > McIntyre's 1.11 patch at
 > > http://ccvs.cvshome.org/issues/show_bug.cgi?id=44 .
 > 
 > CVS is contrib software, so I don't know if we can just pull the
 > files off the vendor branch so easily.
 
 I think server.c is already off the vendor branch.
 
 >  But I noticed a small nit, that you may want to fix in the diff:
 > 
 > > --- gnu/usr.bin/cvs/cvs/Makefile	6 Aug 2004 07:27:03 -0000	1.48
 > > +++ gnu/usr.bin/cvs/cvs/Makefile	5 Jan 2005 18:25:50 -0000
 > :
 > >  DPADD=	${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ}
 > > -LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz
 > > +LDADD=	${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz -lpam
 > 
 > Adding libraries in LDADD should also update DPADD, IIRC.
 > The fix is simple: add ${LIBPAM} to DPADD too.
 
 Yes.  Updated copy at http://dan.allantgroup.com/FreeBSD/cvs.diff
 
 -- 
 	Dan Nelson
 	dnelson@allantgroup.com

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/76169: [PATCH] Add PAM support to cvs pserver
Date: Wed, 12 Jan 2005 23:55:57 +0200

 On 2005-01-12 15:48, Dan Nelson <dnelson@allantgroup.com> wrote:
 >In the last episode (Jan 12), Giorgos Keramidas said:
 >> CVS is contrib software, so I don't know if we can just pull the
 >> files off the vendor branch so easily.
 >
 > I think server.c is already off the vendor branch.
 
 I posted before checking if it was.  You're right, of course.
 
State-Changed-From-To: open->closed 
State-Changed-By: eadler 
State-Changed-When: Sat Sep 15 23:37:38 UTC 2012 
State-Changed-Why:  
this patch no longer applies 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76169 
>Unformatted:
