1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
/*
uWSGI pam plugin 20120809
Credits:
Harry Percival (PythonAnywhere.com)
*/
#include "../../uwsgi.h"
extern struct uwsgi_server uwsgi;
#include <security/pam_appl.h>
char *uwsgi_pam_service = NULL;
char *uwsgi_pam_user = NULL;
struct uwsgi_option uwsgi_pam_options[] = {
{"pam", required_argument, 0, "set the pam service name to use", uwsgi_opt_set_str, &uwsgi_pam_service, 0},
{"pam-user", required_argument, 0, "set a fake user for pam", uwsgi_opt_set_str, &uwsgi_pam_user, 0},
{0, 0, 0, 0, 0, 0 ,0},
};
static int uwsgi_pam_conv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr) {
int i;
for(i=0;i<num_msg;i++) {
uwsgi_log("%s\n", msg[i]->msg);
}
return PAM_SUCCESS;
}
void uwsgi_setup_pam(void) {
pam_handle_t *pamh = NULL;
struct pam_conv pamc = { uwsgi_pam_conv, NULL };
if (uwsgi_pam_service) {
if (!uwsgi_pam_user) {
if (!uwsgi.uid) {
uwsgi_log("you cannot use pam for root !!!\n");
exit(1);
}
struct passwd *pwd = getpwuid(uwsgi.uid);
if (!pwd) {
uwsgi_error("getpwuid()");
exit(1);
}
// no need to make a copy as we will use that only here
uwsgi_pam_user = pwd->pw_name;
}
if (pam_start(uwsgi_pam_service, uwsgi_pam_user, &pamc, &pamh) != PAM_SUCCESS) {
uwsgi_error("pam_start()");
exit(1);
}
if (pam_open_session(pamh, 0) != PAM_SUCCESS) {
uwsgi_error("pam_open_session()");
exit(1);
}
}
}
struct uwsgi_plugin pam_plugin = {
.name = "pam",
.options = uwsgi_pam_options,
.before_privileges_drop = uwsgi_setup_pam,
};
|
