From b7399903540c95e89f0ee427fed1de07301fbd93 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 21 Dec 2021 20:38:03 -0600 Subject: pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info(). Fixes https://github.com/google/fscrypt/issues/273 --- pam/pam.c | 5 +++++ pam/pam.go | 7 +++++++ pam/pam.h | 3 +++ 3 files changed, 15 insertions(+) (limited to 'pam') diff --git a/pam/pam.c b/pam/pam.c index 1479dfa..1d6aefe 100644 --- a/pam/pam.c +++ b/pam/pam.c @@ -20,6 +20,7 @@ #include "pam.h" #include +#include #include #include #include @@ -107,3 +108,7 @@ void freeSecret(pam_handle_t* pamh, char* data, int error_status) { munlock(data, size); free(data); } + +void infoMessage(pam_handle_t* pamh, const char* message) { + pam_info(pamh, "%s", message); +} diff --git a/pam/pam.go b/pam/pam.go index 54a60e2..f79e2d4 100644 --- a/pam/pam.go +++ b/pam/pam.go @@ -166,6 +166,13 @@ func (h *Handle) err() error { return errors.New(s) } +// InfoMessage sends a message to the application using pam_info(). +func (h *Handle) InfoMessage(message string) { + cMessage := C.CString(message) + defer C.free(unsafe.Pointer(cMessage)) + C.infoMessage(h.handle, cMessage) +} + // Transaction represents a wrapped pam_handle_t type created with pam_start // form an application. type Transaction Handle diff --git a/pam/pam.h b/pam/pam.h index 54bb193..3cb609a 100644 --- a/pam/pam.h +++ b/pam/pam.h @@ -41,4 +41,7 @@ void *copyIntoSecret(void *data); // CleaupFunc that Zeros wipes a C string and unlocks and frees its memory. void freeSecret(pam_handle_t *pamh, char *data, int error_status); +// Sends a message to the application using pam_info(). +void infoMessage(pam_handle_t *pamh, const char *message); + #endif // FSCRYPT_PAM_H -- cgit v1.2.3
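Review bot: The status returned by pam_info() is dropped in the new infoMessage() in pam.c, so a caller whose conversation function refuses PAM_TEXT_INFO (PAM_CONV_ERR) never learns that the warning was not shown. Since this message is the only signal that the user's login protector is now out of date, consider propagating the status — `int infoMessage(pam_handle_t* pamh, const char* message) { return pam_info(pamh, "%s", message); }` — and checking it on the Go side, or at least document the contract with `/* Best-effort: the conversation may decline PAM_TEXT_INFO; status intentionally ignored. */`. Passing message through a fixed "%s" format rather than as the format string itself is the right call and should be kept even if the text later includes user-derived content.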
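Review bot: InfoMessage in pam.go has no way to report that the message was not delivered, and its doc comment does not say so; the C.infoMessage call discards the pam_info() status, so a failing conversation is silent. Suggest extending the comment to `// InfoMessage sends a message to the application using pam_info(). Delivery is best-effort: a conversation that declines PAM_TEXT_INFO is not reported as an error.` Because pam_info text is handed to the calling application and may end up in its logs, callers should never interpolate the old or new passphrase into message; a one-line comment stating that on the method would make the contract explicit. The C.free call assumes stdlib.h is in the cgo preamble, which is presumably already the case elsewhere in pam.go but is outside this hunk.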