Package for stretch and buster

This way syscom can still login when their accounts expired, but messages are still printed. This should hopefully stop the whole 'wait crap I wasn't registered for the past k terms', k>=1 that has been happening semi-frequently for a bunch of syscom members.

Also added #define LDAP_DEPRECATED to get access to a bunch of function prototypes for functions in the LDAP API that are apparently now deprecated.

Also removed the CSCF cruft. In case we ever do need it again, we can vacuum it out from past commits. Or just rewrite it from scratch, especially considering that I doubt CSCF uses that auth backend anymore and some 2/3ds of all functions involved are deprecated according to the latest release of the OpenLDAP API. Or rather, the latest according to Debian, which means it's ~3 years out of date and the functions might very well not even exist anymore (they do exist, I checked, but point still stands. There's no real point to keeping this stuff around, I don't think it was ever operational at any point in the wild, even).

-bofh

Makefile

@@ -1,11 +1,11 @@
 CC=gcc
-CFLAGS=-g -O2 -fPIC -Wall
-LDFLAGS=-g -shared -lpam -lldap
+CFLAGS=-std=c99 -g -O2 -fPIC -Wall -DLDAP_DEPRECATED
+LDFLAGS=-g -shared
 
 all: pam_csc.so
 
 pam_csc.so: pam_csc.o
-	$(CC) -o $@ $(LDFLAGS) $<
+	$(CC) -o $@ $(LDFLAGS) $< -lpam -lldap
 
 clean:
 	rm -f pam_csc.so pam_csc.o

debian/README.Debian

@@ -1,6 +0,0 @@
-libpam-csc for Debian
----------------------
-
-<possible notes regarding this package - if none, delete this file>
-
- -- David Bartley <dtbartle@csclub.uwaterloo.ca>  Sun, 24 Jun 2007 23:18:22 -0400

debian/changelog

@@ -1,3 +1,83 @@
+libpam-csc (1.11~buster0) buster; urgency=medium
+
+  * Package for buster
+
+ -- Zachary Seguin <ztseguin@csclub.uwaterloo.ca>  Sun, 15 Apr 2018 14:09:15 -0400
+
+libpam-csc (1.11~stretch0) stretch; urgency=medium
+
+  * Re-package for stretch
+
+ -- Zachary Seguin <ztseguin@csclub.uwaterloo.ca>  Tue, 06 Mar 2018 21:36:01 -0500
+
+libpam-csc (1.11ubuntu16.04) xenial; urgency=low
+
+  * Non-maintainer upload.
+
+ -- Elana Hashman <ehashman@csclub.uwaterloo.ca>  Tue, 25 Apr 2017 22:37:29 -0400
+
+libpam-csc (1.11debian9) stretch; urgency=medium
+
+  * Packaging updates; we are targeting 7-year old policy.
+  * Release for stretch.
+
+ -- Elana Hashman <ehashman@csclub.uwaterloo.ca>  Tue, 25 Apr 2017 22:13:54 -0400
+
+libpam-csc (1.10ubuntu5) saucy; urgency=low
+
+  * Packaging for saucy.
+
+ -- Sean Hunt <scshunt@csclub.uwaterloo.ca>  Thu, 05 Dec 2013 15:54:05 -0500
+
+libpam-csc (1.10jessie0) jessie; urgency=low
+
+  * Packaging for jessie.
+
+ -- Luqman Aden <laden@csclub.uwaterloo.ca>  Thu, 10 Oct 2013 22:08:48 -0400
+
+libpam-csc (1.10) stable; urgency=low
+
+  * Make pbarfuss' syscom change not deref a null pointer if syscom isn't present
+  * Package for wheezy.
+
+ -- Jeremy Roman <jbroman@csclub.uwaterloo.ca>  Sat, 07 Sep 2013 14:07:57 -0400
+
+libpam-csc (1.9ubuntu4) quantal; urgency=low
+
+  * Packaging for quantal.
+
+ -- Owen Michael Smith <omsmith@csclub.uwaterloo.ca>  Sat, 25 May 2013 19:37:24 -0400
+
+libpam-csc (1.9ubuntu3) precise; urgency=low
+
+  * Build for precise.
+
+ -- Jeremy Roman <jbroman@csclub.uwaterloo.ca>  Fri, 16 Mar 2012 18:04:21 -0400
+
+libpam-csc (1.9ubuntu2) oneiric; urgency=low
+
+  * Build for oneiric.
+
+ -- Jeremy Roman <jbroman@csclub.uwaterloo.ca>  Wed, 18 Jan 2012 17:32:15 -0500
+
+libpam-csc (1.9ubuntu1) maverick; urgency=low
+
+  * Build for maverick.
+
+ -- Michael Spang <mspang@csclub.uwaterloo.ca>  Fri, 22 Oct 2010 10:08:19 -0400
+
+libpam-csc (1.9) stable; urgency=low
+
+  * Update package for squeeze.
+
+ -- Michael Spang <mspang@csclub.uwaterloo.ca>  Wed, 13 Oct 2010 13:48:27 -0400
+
+libpam-csc (1.8) stable testing; urgency=low
+
+  * Build fixes
+
+ -- David Bartley <dtbartle@csclub.uwaterloo.ca>  Tue, 15 Apr 2008 09:00:57 -0400
+
 libpam-csc (1.7) stable testing; urgency=low
 
   * Allocate less memory

debian/compat

@@ -1 +1 @@
-5
+10

debian/control

@@ -1,12 +1,17 @@
 Source: libpam-csc
 Section: net
 Priority: optional
-Maintainer: David Bartley <dtbartle@csclub.uwaterloo.ca>
-Build-Depends: debhelper (>= 4.0.0), libldap2-dev, libpam0g-dev, libsasl2-dev
-Standards-Version: 3.7.2
+Maintainer: Systems Commmittee <syscom@csclub.uwaterloo.ca>
+Uploaders:
+ David Bartley <dtbartle@csclub.uwaterloo.ca>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>,
+ Jeremy Roman <jbroman@csclub.uwaterloo.ca>,
+ Elana Hashman <ehashman@csclub.uwaterloo.ca>
+Build-Depends: debhelper (>= 10), libldap2-dev, libpam0g-dev, libsasl2-dev
+Standards-Version: 3.9.8
 
 Package: libpam-csc
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: CSC PAM module to handle account expiration.
- CSC PAM module to handle account expiration.
+ This module disallows login by expired accounts.

debian/copyright

@@ -4,7 +4,7 @@ on Sun, 24 Jun 2007 23:18:22 -0400.
 The original source can always be found at:
 	ftp://ftp.debian.org/dists/unstable/main/source/
 
-Copyright Holder:  David Bartley
+Copyright 2007-2010  David Bartley
 
 License:
 

debian/rules

@@ -1,16 +1,4 @@
 #!/usr/bin/make -f
-# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
-
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
-
-
-
 
 CFLAGS = -Wall -g
 
@@ -23,14 +11,13 @@ endif
 configure: configure-stamp
 configure-stamp:
 	dh_testdir
-	# Add here commands to configure the package.
-
 	touch configure-stamp
 
 
-build: build-stamp
-
-build-stamp: configure-stamp 
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep: build-stamp
+build-stamp: configure-stamp
 	dh_testdir
 
 	$(MAKE)
@@ -43,13 +30,12 @@ clean:
 	rm -f build-stamp configure-stamp
 
 	$(MAKE) clean
-
-	dh_clean 
+	dh_clean
 
 install: build-stamp
 	dh_testdir
 	dh_testroot
-	dh_clean -k 
+	dh_prep
 	dh_installdirs
 	install -m 644 pam_csc.so $(CURDIR)/debian/libpam-csc/lib/security
 
@@ -62,27 +48,14 @@ binary-indep: build install
 binary-arch: build install
 	dh_testdir
 	dh_testroot
-	dh_installchangelogs 
+	dh_installchangelogs
 	dh_installdocs
 	dh_installexamples
-#	dh_install
-#	dh_installmenu
-#	dh_installdebconf	
-#	dh_installlogrotate
-#	dh_installemacsen
-#	dh_installpam
-#	dh_installmime
-#	dh_python
-#	dh_installinit
-#	dh_installcron
-#	dh_installinfo
 	dh_installman
 	dh_link
 	dh_strip
 	dh_compress
 	dh_fixperms
-#	dh_perl
-#	dh_makeshlibs
 	dh_installdeb
 	dh_shlibdeps
 	dh_gencontrol

pam_csc.c

@@ -1,4 +1,5 @@
 #define PAM_SM_ACCOUNT
+#define LDAP_DEPRECATED 1
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/time.h>
@@ -7,24 +8,27 @@
 #include <stdlib.h>
 #include <stdbool.h>
 #include <string.h>
-#include <security/pam_modules.h>
 #include <security/pam_appl.h>
+#include <security/pam_modules.h>
 #include <ldap.h>
 #include <sasl/sasl.h>
 #include <syslog.h>
 #include <pwd.h>
+#include <grp.h>
+
+#ifndef LDAP_SASL_QUIET
+#  define LDAP_SASL_QUIET 0
+#endif
+
+#ifndef LOG_AUTHPRIV
+#  define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#ifndef PAM_EXTERN
+#  define PAM_EXTERN extern
+#endif
 
 #define PAM_CSC_CSC_BASE_DN         "ou=People,dc=csclub,dc=uwaterloo,dc=ca"
-#define PAM_CSC_CSCF_URI \
-    "ldaps://eponina.student.cs.uwaterloo.ca" \
-    "ldaps://canadenis.student.cs.uwaterloo.ca"
-#define PAM_CSC_CSCF_BASE_DN        "dc=student,dc=cs,dc=uwateloo,dc=ca"
-#define PAM_CSC_CSCF_BIND_DN \
-    "uid=TODO,dc=student,dc=cs,dc=uwaterloo,dc=ca"
-#define PAM_CSC_CSCF_SASL_USER \
-    "dn:uid=TODO,cn=STUDENT.CS.UWATERLOO.CA,cn=DIGEST-MD5,cn=auth"
-#define PAM_CSC_CSCF_PASSWORD_FILE  "/etc/security/pam_csc_cscf_password"
-#define PAM_CSC_CSCF_SASL_REALM     "STUDENT.CS.UWATERLOO.CA"
 #define PAM_CSC_LDAP_TIMEOUT        5
 #define PAM_CSC_ALLOWED_USERNAMES   {"nobody"}
 #define PAM_CSC_EXPIRED_MSG \
@@ -33,17 +37,13 @@
     "*    Your account has expired - please contact the Computer Science Club    *\n" \
     "*                                                                           *\n" \
     "*****************************************************************************\n"
-#define PAM_CSC_CSCF_DISALLOWED_MSG \
-    "You are not registered as a CS student - login denied."
 
-#define PAM_CSC_SYSLOG_EXPIRED_WARNING \
+#define PAM_CSC_SYSLOG_EXPIRED_NO_TERMS \
     "(pam_csc): %s was not registered for current term or previous term - denying login\n"
-#define PAM_CSC_SYSLOG_EXPIRED_ERROR \
+#define PAM_CSC_SYSLOG_EXPIRED_LAST_TERM \
     "(pam_csc): %s was not registered for current term but was registered for previous term - permitting login\n"
 #define PAM_CSC_SYSLOG_NOT_A_MEMBER \
     "(pam_csc): %s is not a member account - permitting login\n"
-#define PAM_CSC_SYSLOG_CSCF_DISALLOWED \
-    "(pam_csc): %s is using a CSCF machine but is not enrolled in CS - denying login\n"
 #define PAM_CSC_SYSLOG_SASL_UNRECOGNIZED_CALLBACK \
     "(pam_csc): %ld is not a recognized SASL callback option\n"
 
@@ -148,7 +148,7 @@ int pam_csc_print_message(pam_handle_t* pamh, char* msg, int style)
     messages[0] = &message;
     message.msg_style = style;
     message.msg = msg;
-    WARN_PAM( conv->conv(1, (const struct pam_message**)messages, 
+    WARN_PAM( conv->conv(1, (const struct pam_message**)messages,
         &response, conv->appdata_ptr) )
 
 cleanup:
@@ -161,24 +161,22 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
     int retval = PAM_SUCCESS;
     const char* username;
     struct passwd* pwd;
+    struct group *grp;
     const char* allowed_usernames[] = PAM_CSC_ALLOWED_USERNAMES;
-    int i;
+    unsigned int i;
     time_t cur_time;
     struct tm* local_time;
     int long_term, term_month;
     static const char term_chars[] = {'w', 's', 'f'};
     char cur_term[6], prev_term[6];
-    LDAP *ld_csc = NULL, *ld_cscf = NULL;
-    bool cscf;
-    FILE* pass_file = NULL;
+    LDAP *ld_csc = NULL;
     char* username_escaped = NULL;
-    char *filter_csc = NULL, *filter_cscf = NULL;
-    char *attrs_csc[] = {"objectClass", "term", "nonMemberTerm", NULL},
-        *attrs_cscf[] = {"objectClass", NULL};
-    bool expired;
+    char *filter_csc = NULL;
+    char *attrs_csc[] = {"objectClass", "term", "nonMemberTerm", NULL};
+    bool expired, syscom = 0; 
     const char* pam_rhost;
-    int msg_csc, msg_cscf;
-    LDAPMessage *res_csc = NULL, *res_cscf = NULL;
+    int msg_csc;
+    LDAPMessage *res_csc = NULL;
     struct timeval timeout = {PAM_CSC_LDAP_TIMEOUT, 0};
     LDAPMessage* entry = NULL;
     char **values = NULL, **nmvalues = NULL, **values_iter = NULL;
@@ -200,6 +198,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
         }
     }
 
+    /* check to see if user is in group syscom, if yes, still print message but allow login even if user expired */
+    grp = getgrnam("syscom");
+    for(i = 0; grp && grp->gr_mem[i]; i++) {
+        if(!strcmp(grp->gr_mem[i], username)) {
+            syscom = 1;
+            break;
+        }
+    }
+
     /* check username */
     for(i = 0; i < sizeof(allowed_usernames) / sizeof(char*); i++)
     {
@@ -226,55 +233,19 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
     WARN_NEG1( ldap_simple_bind(ld_csc, NULL, NULL) )
 
     /* check if we are logging in from a CSCF teaching thin client */
-    cscf = false;
     if(pam_get_item(pamh, PAM_RHOST, (const void**)&pam_rhost) && pam_rhost)
     {
         /* TODO: check if pam_rhost is tcNNN.student.cs */
     }
 
-    if(cscf)
-    {
-        pam_csc_sasl_interact_param_t interact_param = {
-            PAM_CSC_CSCF_SASL_REALM,
-            PAM_CSC_CSCF_SASL_USER
-        };
-        int ret;
-
-        /* read password file */
-        WARN_ZERO( pass_file = fopen(PAM_CSC_CSCF_PASSWORD_FILE, "r") )
-        ret = fread(interact_param.pass, sizeof(char), 
-            sizeof(interact_param.pass) - 1, pass_file);
-        interact_param.pass[ret] = '\0';
-        if(ret && interact_param.pass[ret - 1] == '\n')
-            interact_param.pass[ret - 1] = '\0';
-        fclose(pass_file); pass_file = NULL;
-
-        /* connect to CSCF */
-        WARN_LDAP( ldap_initialize(&ld_cscf, PAM_CSC_CSCF_URI) )
-        WARN_NEG1( ldap_sasl_interactive_bind_s(ld_cscf, PAM_CSC_CSCF_BIND_DN,
-            "DIGEST-MD5", NULL, NULL, LDAP_SASL_INTERACTIVE | LDAP_SASL_QUIET,
-            pam_csc_sasl_interact, &interact_param) )
-    }
-
     /* create CSC request string */
     WARN_ZERO( filter_csc = malloc(140 + strlen(username_escaped)) )
     sprintf(filter_csc, "(&(uid=%s)(|(&(objectClass=member)(|(term=%s)(term=%s)(nonMemberTerm=%s)(nonMemberTerm=%s)))(!(objectClass=member))))", username_escaped, cur_term, prev_term, cur_term, prev_term);
 
     /* issue CSC request */
-    WARN_NEG1( msg_csc = ldap_search(ld_csc, PAM_CSC_CSC_BASE_DN, 
+    WARN_NEG1( msg_csc = ldap_search(ld_csc, PAM_CSC_CSC_BASE_DN,
         LDAP_SCOPE_SUBTREE, filter_csc, attrs_csc, 0) )
 
-    if(cscf)
-    {
-        /* create CSCF request string */
-        WARN_ZERO( filter_cscf = malloc(100 + strlen(username_escaped)) )
-        sprintf(filter_csc, "TODO %s", username_escaped);
-
-        /* issue CSCF request */
-        WARN_NEG1( msg_cscf = ldap_search(ld_cscf, PAM_CSC_CSCF_BASE_DN, 
-            LDAP_SCOPE_SUBTREE, filter_cscf, attrs_cscf, 1) )
-    }
-
     /* wait for CSC response */
     WARN_NEG1( ldap_result(ld_csc, msg_csc, 1, &timeout, &res_csc) )
 
@@ -283,9 +254,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
     {
         /* show notice and disallow login */
         pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_ERROR_MSG);
-        syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_WARNING, 
+        syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_NO_TERMS,
             username);
-        retval = PAM_AUTH_ERR;
+        retval = (syscom ? PAM_SUCCESS : PAM_AUTH_ERR);
         goto cleanup;
     }
 
@@ -296,7 +267,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 
     if(!values && !nmvalues)
     {
-        syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_NOT_A_MEMBER, 
+        syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_NOT_A_MEMBER,
             username);
         retval = PAM_SUCCESS;
         goto cleanup;
@@ -336,49 +307,26 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
         {
             /* show notice and continue */
             pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_TEXT_INFO);
-            syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_ERROR, 
+            syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_LAST_TERM,
                 username);
         }
         else
         {
             /* show notice and disallow login */
             pam_csc_print_message(pamh, PAM_CSC_EXPIRED_MSG, PAM_ERROR_MSG);
-            syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_WARNING, 
+            syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_EXPIRED_NO_TERMS,
                 username);
-            retval = PAM_AUTH_ERR;
-            goto cleanup;
-        }
-    }
-
-    if(cscf)
-    {
-        /* wait for CSCF response */
-        WARN_NEG1( ldap_result(ld_cscf, msg_cscf, 1, &timeout, &res_cscf) )
-
-        /* check if we got an entry back from CSCF */
-        if(ldap_count_entries(ld_cscf, res_cscf) == 0)
-        {
-            /* output CSCF disallowed message */
-            pam_csc_print_message(pamh, PAM_CSC_CSCF_DISALLOWED_MSG, 
-                PAM_ERROR_MSG);
-            syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_CSCF_DISALLOWED, 
-                username);
-            retval = PAM_AUTH_ERR;
-            goto cleanup;
+            retval = (syscom ? PAM_SUCCESS : PAM_AUTH_ERR);
         }
     }
 
 cleanup:
-
     if(values) ldap_value_free(values);
     if(nmvalues) ldap_value_free(nmvalues);
     if(res_csc) ldap_msgfree(res_csc);
-    if(res_cscf) ldap_msgfree(res_cscf);
     if(ld_csc) ldap_unbind(ld_csc);
-    if(ld_cscf) ldap_unbind(ld_cscf);
     if(filter_csc) free(filter_csc);
-    if(filter_cscf) free(filter_cscf);
     if(username_escaped) free(username_escaped);
-
     return retval;
 }
+