Adding shadow support to a program is actually fairly straightforward. The only problem is that the program must be run by root (or SUID root) in order for the the program to be able to access the /etc/shadow
file.
This presents one big problem: very careful programming practices must be followed when creating SUID programs. For instance, if a program has a shell escape, this must not occur as root if the program is SUID root.
For adding shadow support to a program so that it can check passwords, but otherwise does need to run as root, it's a lot safer to run the program SUID shadow instead. The xlock
program is an example of this.
In the example given below, pppd-1.2.1d
already runs SUID as root, so adding shadow support should not make the program any more vulnerable.
The header files should reside in /usr/include/shadow
. There should also be a /usr/include/shadow.h
, but it will be a symbolic link to /usr/include/shadow/shadow.h
.
To add shadow support to a program, you need to include the header files:
#include <shadow/shadow.h> #include <shadow/pwauth.h>
It might be a good idea to use compiler directives to conditionally compile the shadow code (I do in the example below).
When you installed the Shadow Suite the libshadow.a
file was created and installed in /usr/lib
.
When compiling shadow support into a program, the linker needs to be told to include the libshadow.a
library into the link.
This is done by:
gcc program.c -o program -lshadow
However, as we will see in the example below, most large programs use a Makefile
, and usually have a variable called LIBS=...
that we will modify.
The libshadow.a
library uses a structure called spwd
for the information it retrieves from the /etc/shadow
file. This is the definition of the spwd
structure from the /usr/include/shadow/shadow.h
header file:
struct spwd { char *sp_namp; /* login name */ char *sp_pwdp; /* encrypted password */ sptime sp_lstchg; /* date of last change */ sptime sp_min; /* minimum number of days between changes */ sptime sp_max; /* maximum number of days between changes */ sptime sp_warn; /* number of days of warning before password expires */ sptime sp_inact; /* number of days after password expires until the account becomes unusable. */ sptime sp_expire; /* days since 1/1/70 until account expires */ unsigned long sp_flag; /* reserved for future use */ };
The Shadow Suite can put things into the sp_pwdp
field besides just the encoded passwd. The password field could contain:
username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::
This means that in addition to the password, the program /sbin/extra
should be called for further authentication. The program called will get passed the username and a switch that indicates why it's being called. See the file /usr/include/shadow/pwauth.h
and the source code for pwauth.c
for more information.
What this means is that we should use the function pwauth
to perform the actual authentication, as it will take care of the secondary authentication as well. The example below does this.
The author of the Shadow Suite indicates that since most programs in existence don't do this, and that it may be removed or changed in future versions of the Shadow Suite.
The shadow.h
file also contains the function prototypes for the functions contained in the libshadow.a
library:
extern void setspent __P ((void)); extern void endspent __P ((void)); extern struct spwd *sgetspent __P ((__const char *__string)); extern struct spwd *fgetspent __P ((FILE *__fp)); extern struct spwd *getspent __P ((void)); extern struct spwd *getspnam __P ((__const char *__name)); extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
The function that we are going to use in the example is: getspnam
which will retrieve for us a spwd
structure for the supplied name.
This is an example of adding shadow support to a program that needs it, but does not have it by default.
This example uses the Point-to-Point Protocol Server (pppd-1.2.1d), which has a mode in which it performs PAP authentication using user names and passwords from the /etc/passwd
file instead of the PAP or CHAP files. You would not need to add this code to pppd-2.2.0
because it's already there.
This feature of pppd probably isn't used very much, but if you installed the Shadow Suite, it won't work anymore because the passwords are no longer stored in /etc/passwd
.
The code for authenticating users under pppd-1.2.1d
is located in the /usr/src/pppd-1.2.1d/pppd/auth.c
file.
The following code needs to be added to the top of the file where all the other #include
directives are. We have surrounded the #includes
with conditional directives (i.e. only include if we are compiling for shadow support).
#ifdef HAS_SHADOW #include <shadow.h> #include <shadow/pwauth.h> #endif
The next thing to do is to modify the actual code. We are still making changes to the auth.c
file.
Function auth.c
before modifications:
/* * login - Check the user name and password against the system * password database, and login the user if OK. * * returns: * UPAP_AUTHNAK: Login failed. * UPAP_AUTHACK: Login succeeded. * In either case, msg points to an appropriate message. */ static int login(user, passwd, msg, msglen) char *user; char *passwd; char **msg; int *msglen; { struct passwd *pw; char *epasswd; char *tty; if ((pw = getpwnam(user)) == NULL) { return (UPAP_AUTHNAK); } /* * XXX If no passwd, let them login without one. */ if (pw->pw_passwd == '\0') { return (UPAP_AUTHACK); } epasswd = crypt(passwd, pw->pw_passwd); if (strcmp(epasswd, pw->pw_passwd)) { return (UPAP_AUTHNAK); } syslog(LOG_INFO, "user %s logged in", user); /* * Write a wtmp entry for this user. */ tty = strrchr(devname, '/'); if (tty == NULL) tty = devname; else tty++; logwtmp(tty, user, ""); /* Add wtmp login entry */ logged_in = TRUE; return (UPAP_AUTHACK); }
The user's password is placed into pw->pw_passwd
, so all we really need to do is add the function getspnam
. This will put the password into spwd->sp_pwdp
.
We will add the function pwauth
to perform the actual authentication. This will automatically perform secondary authentication if the shadow file is setup for it.
Function auth.c
after modifications to support shadow:
/* * login - Check the user name and password against the system * password database, and login the user if OK. * * This function has been modified to support the Linux Shadow Password * Suite if USE_SHADOW is defined. * * returns: * UPAP_AUTHNAK: Login failed. * UPAP_AUTHACK: Login succeeded. * In either case, msg points to an appropriate message. */ static int login(user, passwd, msg, msglen) char *user; char *passwd; char **msg; int *msglen; { struct passwd *pw; char *epasswd; char *tty; #ifdef USE_SHADOW struct spwd *spwd; struct spwd *getspnam(); #endif if ((pw = getpwnam(user)) == NULL) { return (UPAP_AUTHNAK); } #ifdef USE_SHADOW spwd = getspnam(user); if (spwd) pw->pw_passwd = spwd->sp-pwdp; #endif /* * XXX If no passwd, let NOT them login without one. */ if (pw->pw_passwd == '\0') { return (UPAP_AUTHNAK); } #ifdef HAS_SHADOW if ((pw->pw_passwd && pw->pw_passwd[0] == '@' && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL)) || !valid (passwd, pw)) { return (UPAP_AUTHNAK); } #else epasswd = crypt(passwd, pw->pw_passwd); if (strcmp(epasswd, pw->pw_passwd)) { return (UPAP_AUTHNAK); } #endif syslog(LOG_INFO, "user %s logged in", user); /* * Write a wtmp entry for this user. */ tty = strrchr(devname, '/'); if (tty == NULL) tty = devname; else tty++; logwtmp(tty, user, ""); /* Add wtmp login entry */ logged_in = TRUE; return (UPAP_AUTHACK); }
Careful examination will reveal that we made another change as well. The original version allowed access (returned UPAP_AUTHACK
if there was NO password in the /etc/passwd
file. This is not good, because a common use of this login feature is to use one account to allow access to the PPP process and then check the username and password supplied by PAP with the username in the /etc/passwd
file and the password in the /etc/shadow
file.
So if we had set the original version up to run as the shell for a user i.e. ppp
, then anyone could get a ppp connection by setting their PAP to user ppp
and a password of null.
We fixed this also by returning UPAP_AUTHNAK
instead of UPAP_AUTHACK
if the password field was empty.
Interestingly enough, pppd-2.2.0
has the same problem.
Next we need to modify the Makefile so that two things occur: USE_SHADOW
must be defined, and libshadow.a
needs to be added to the linking process.
Edit the Makefile, and add:
LIBS = -lshadow
Then we find the line:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t
And change it to:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW
Now make and install.