17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
54a7ceb24Sjjj  * Common Development and Distribution License (the "License").
64a7ceb24Sjjj  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*
22*c7402f07SJoep Vesseur  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
237c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate  */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate #include <sys/stat.h>
277c478bd9Sstevel@tonic-gate #include <stdio.h>
287c478bd9Sstevel@tonic-gate #include <syslog.h>
297c478bd9Sstevel@tonic-gate #include <fcntl.h>
307c478bd9Sstevel@tonic-gate #include <time.h>
317c478bd9Sstevel@tonic-gate #include <errno.h>
327c478bd9Sstevel@tonic-gate #include <signal.h>
337c478bd9Sstevel@tonic-gate #include "packer.h"
347c478bd9Sstevel@tonic-gate 
357c478bd9Sstevel@tonic-gate static int lockfd = -1;
367c478bd9Sstevel@tonic-gate static struct flock flock = { 0, 0, 0, 0, 0, 0 };
377c478bd9Sstevel@tonic-gate 
387c478bd9Sstevel@tonic-gate char dblock[PATH_MAX];
397c478bd9Sstevel@tonic-gate 
404a7ceb24Sjjj #define	LOCK_WAIT	1000000
414a7ceb24Sjjj #define	LOCK_RETRIES	60
427c478bd9Sstevel@tonic-gate 
437c478bd9Sstevel@tonic-gate /*
447c478bd9Sstevel@tonic-gate  * lock_db()
457c478bd9Sstevel@tonic-gate  *
467c478bd9Sstevel@tonic-gate  * Create a lockfile to prevent simultaneous access to the database
477c478bd9Sstevel@tonic-gate  * creation routines. We set a timeout to LOCK_WAIT seconds. If we
484a7ceb24Sjjj  * haven't obtained a lock after LOCK_RETIRES attempts, we bail out.
497c478bd9Sstevel@tonic-gate  *
507c478bd9Sstevel@tonic-gate  * returns 0 on succes, -1 on (lock) failure.
517c478bd9Sstevel@tonic-gate  * side effect: the directory "path" will be created if it didn't exist.
527c478bd9Sstevel@tonic-gate  */
537c478bd9Sstevel@tonic-gate int
lock_db(char * path)547c478bd9Sstevel@tonic-gate lock_db(char *path)
557c478bd9Sstevel@tonic-gate {
567c478bd9Sstevel@tonic-gate 	int retval;
577c478bd9Sstevel@tonic-gate 	struct stat st;
584a7ceb24Sjjj 	int retries = 0;
597c478bd9Sstevel@tonic-gate 
607c478bd9Sstevel@tonic-gate 	/* create directory "path" if it doesn't exist */
617c478bd9Sstevel@tonic-gate 	if (stat(path, &st) == -1) {
627c478bd9Sstevel@tonic-gate 		if (errno != ENOENT ||
637c478bd9Sstevel@tonic-gate 		    (mkdir(path, 0755) == -1 || chmod(path, 0755) == -1))
647c478bd9Sstevel@tonic-gate 			return (-1);
657c478bd9Sstevel@tonic-gate 	}
667c478bd9Sstevel@tonic-gate 
677c478bd9Sstevel@tonic-gate 	(void) snprintf(dblock, sizeof (dblock), "%s/authtok_check.lock", path);
687c478bd9Sstevel@tonic-gate 
697c478bd9Sstevel@tonic-gate 	if ((lockfd = open(dblock, O_WRONLY|O_CREAT|O_EXCL, 0400)) == -1) {
707c478bd9Sstevel@tonic-gate 		if (errno == EEXIST)
717c478bd9Sstevel@tonic-gate 			lockfd = open(dblock, O_WRONLY);
727c478bd9Sstevel@tonic-gate 		if (lockfd == -1) {
737c478bd9Sstevel@tonic-gate 			int olderrno = errno;
747c478bd9Sstevel@tonic-gate 			syslog(LOG_ERR, "pam_authtok_check::pam_sm_chauthtok: "
757c478bd9Sstevel@tonic-gate 			    "can't open lockfile: %s", strerror(errno));
767c478bd9Sstevel@tonic-gate 			errno = olderrno;
777c478bd9Sstevel@tonic-gate 			return (-1);
787c478bd9Sstevel@tonic-gate 		}
797c478bd9Sstevel@tonic-gate 	}
807c478bd9Sstevel@tonic-gate 
814a7ceb24Sjjj 	do {
824a7ceb24Sjjj 		flock.l_type = F_WRLCK;
834a7ceb24Sjjj 		retval = fcntl(lockfd, F_SETLK, &flock);
844a7ceb24Sjjj 		if (retval == -1)
854a7ceb24Sjjj 			(void) usleep(LOCK_WAIT);
864a7ceb24Sjjj 	} while (retval == -1 && ++retries < LOCK_RETRIES);
877c478bd9Sstevel@tonic-gate 
884a7ceb24Sjjj 	if (retval == -1) {
894a7ceb24Sjjj 		int errno_saved = errno;
907c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "pam_authtok_check::pam_sm_chauthtok: timeout "
917c478bd9Sstevel@tonic-gate 		    "waiting for dictionary lock.");
924a7ceb24Sjjj 		errno = errno_saved;
937c478bd9Sstevel@tonic-gate 	}
947c478bd9Sstevel@tonic-gate 
957c478bd9Sstevel@tonic-gate 	return (retval);
967c478bd9Sstevel@tonic-gate }
977c478bd9Sstevel@tonic-gate 
987c478bd9Sstevel@tonic-gate /*
997c478bd9Sstevel@tonic-gate  * unlock_db()
1007c478bd9Sstevel@tonic-gate  *
1017c478bd9Sstevel@tonic-gate  * Release the database lock
1027c478bd9Sstevel@tonic-gate  */
1037c478bd9Sstevel@tonic-gate void
unlock_db(void)1047c478bd9Sstevel@tonic-gate unlock_db(void)
1057c478bd9Sstevel@tonic-gate {
1067c478bd9Sstevel@tonic-gate 	if (lockfd != -1) {
1077c478bd9Sstevel@tonic-gate 		flock.l_type = F_UNLCK;
1087c478bd9Sstevel@tonic-gate 		(void) fcntl(lockfd, F_SETLK, &flock);
1097c478bd9Sstevel@tonic-gate 		(void) close(lockfd);
1107c478bd9Sstevel@tonic-gate 		lockfd = -1;
1117c478bd9Sstevel@tonic-gate 	}
1127c478bd9Sstevel@tonic-gate }
1137c478bd9Sstevel@tonic-gate 
1147c478bd9Sstevel@tonic-gate /*
1157c478bd9Sstevel@tonic-gate  * database_present()
1167c478bd9Sstevel@tonic-gate  *
1177c478bd9Sstevel@tonic-gate  * returns 0 if the database files are found, and the database size is
118*c7402f07SJoep Vesseur  * greater than 0 and the database version matches the current version.
1197c478bd9Sstevel@tonic-gate  */
1207c478bd9Sstevel@tonic-gate int
database_present(char * path)1217c478bd9Sstevel@tonic-gate database_present(char *path)
1227c478bd9Sstevel@tonic-gate {
1237c478bd9Sstevel@tonic-gate 	struct stat st;
1247c478bd9Sstevel@tonic-gate 	char dict_hwm[PATH_MAX];
1257c478bd9Sstevel@tonic-gate 	char dict_pwd[PATH_MAX];
1267c478bd9Sstevel@tonic-gate 	char dict_pwi[PATH_MAX];
127*c7402f07SJoep Vesseur 	PWDICT *dict;
1287c478bd9Sstevel@tonic-gate 
1297c478bd9Sstevel@tonic-gate 	(void) snprintf(dict_hwm, sizeof (dict_hwm), "%s/%s", path,
1307c478bd9Sstevel@tonic-gate 	    DICT_DATABASE_HWM);
1317c478bd9Sstevel@tonic-gate 	(void) snprintf(dict_pwd, sizeof (dict_pwd), "%s/%s", path,
1327c478bd9Sstevel@tonic-gate 	    DICT_DATABASE_PWD);
1337c478bd9Sstevel@tonic-gate 	(void) snprintf(dict_pwi, sizeof (dict_pwi), "%s/%s", path,
1347c478bd9Sstevel@tonic-gate 	    DICT_DATABASE_PWI);
1357c478bd9Sstevel@tonic-gate 
1367c478bd9Sstevel@tonic-gate 	if (stat(dict_hwm, &st) == -1 ||
1377c478bd9Sstevel@tonic-gate 	    (stat(dict_pwd, &st) == -1 || st.st_size == 0) ||
1387c478bd9Sstevel@tonic-gate 	    stat(dict_pwi, &st) == -1)
1397c478bd9Sstevel@tonic-gate 		return (NO_DICTDATABASE);
1407c478bd9Sstevel@tonic-gate 
141*c7402f07SJoep Vesseur 	/* verify database version number by trying to open it */
142*c7402f07SJoep Vesseur 	if ((dict = PWOpen(path, "r")) == NULL) {
143*c7402f07SJoep Vesseur 		/* the files are there, but an outdated version */
144*c7402f07SJoep Vesseur 		PWRemove(path);
145*c7402f07SJoep Vesseur 		return (NO_DICTDATABASE);
146*c7402f07SJoep Vesseur 	}
147*c7402f07SJoep Vesseur 	(void) PWClose(dict);
1487c478bd9Sstevel@tonic-gate 	return (0);
1497c478bd9Sstevel@tonic-gate }
1507c478bd9Sstevel@tonic-gate 
1517c478bd9Sstevel@tonic-gate /*
1527c478bd9Sstevel@tonic-gate  * build_dict_database(list, char *path)
1537c478bd9Sstevel@tonic-gate  *
1547c478bd9Sstevel@tonic-gate  * Create the Crack Dictionary Database based on the list of sources
1557c478bd9Sstevel@tonic-gate  * dictionaries specified in "list". Store the database in "path".
1567c478bd9Sstevel@tonic-gate  */
1577c478bd9Sstevel@tonic-gate int
build_dict_database(char * list,char * path)1587c478bd9Sstevel@tonic-gate build_dict_database(char *list, char *path)
1597c478bd9Sstevel@tonic-gate {
1607c478bd9Sstevel@tonic-gate 	return (packer(list, path) == -1 ? DICTDATABASE_BUILD_ERR : 0);
1617c478bd9Sstevel@tonic-gate }
1627c478bd9Sstevel@tonic-gate 
1637c478bd9Sstevel@tonic-gate /*
1647c478bd9Sstevel@tonic-gate  * Rebuild the database in "path" if the database is older than one of the
1657c478bd9Sstevel@tonic-gate  * files listed in "list", or older than the config-file PWADMIN.
1667c478bd9Sstevel@tonic-gate  */
1677c478bd9Sstevel@tonic-gate int
update_dict_database(char * list,char * path)1687c478bd9Sstevel@tonic-gate update_dict_database(char *list, char *path)
1697c478bd9Sstevel@tonic-gate {
1707c478bd9Sstevel@tonic-gate 	struct stat st_db;
1717c478bd9Sstevel@tonic-gate 	struct stat st_file;
1727c478bd9Sstevel@tonic-gate 	char *buf;
1737c478bd9Sstevel@tonic-gate 	char *listcopy;
1747c478bd9Sstevel@tonic-gate 	boolean_t update_needed = B_FALSE;
1757c478bd9Sstevel@tonic-gate 	char dbase_pwd[PATH_MAX];
1767c478bd9Sstevel@tonic-gate 
1777c478bd9Sstevel@tonic-gate 	(void) snprintf(dbase_pwd, sizeof (dbase_pwd), "%s/%s", path,
1787c478bd9Sstevel@tonic-gate 	    DICT_DATABASE_PWD);
1797c478bd9Sstevel@tonic-gate 
1807c478bd9Sstevel@tonic-gate 	if (stat(dbase_pwd, &st_db) == -1)
1817c478bd9Sstevel@tonic-gate 		return (DICTFILE_ERR);
1827c478bd9Sstevel@tonic-gate 
1837c478bd9Sstevel@tonic-gate 	if ((listcopy = strdup(list)) == NULL)
1847c478bd9Sstevel@tonic-gate 		return (DICTFILE_ERR);
1857c478bd9Sstevel@tonic-gate 
1867c478bd9Sstevel@tonic-gate 	buf = strtok(listcopy,  "\t ,");
1877c478bd9Sstevel@tonic-gate 
1887c478bd9Sstevel@tonic-gate 	/* Compare mtime of each listed dictionary against DB mtime */
1897c478bd9Sstevel@tonic-gate 	while (update_needed == B_FALSE && buf != NULL) {
1907c478bd9Sstevel@tonic-gate 		if (stat(buf, &st_file) == -1) {
1917c478bd9Sstevel@tonic-gate 			if (errno == ENOENT) {
1927c478bd9Sstevel@tonic-gate 				syslog(LOG_ERR,
1937c478bd9Sstevel@tonic-gate 				    "pam_authtok_check:update_dict_database: "
1947c478bd9Sstevel@tonic-gate 				    "dictionary \"%s\" not present.", buf);
1957c478bd9Sstevel@tonic-gate 			} else {
1967c478bd9Sstevel@tonic-gate 				syslog(LOG_ERR,
1977c478bd9Sstevel@tonic-gate 				    "pam_authtok_check:update_dict_database: "
1987c478bd9Sstevel@tonic-gate 				    "stat(%s) failed: %s", buf,
1997c478bd9Sstevel@tonic-gate 				    strerror(errno));
2007c478bd9Sstevel@tonic-gate 			}
2017c478bd9Sstevel@tonic-gate 			free(listcopy);
2027c478bd9Sstevel@tonic-gate 			return (DICTFILE_ERR);
2037c478bd9Sstevel@tonic-gate 		}
2047c478bd9Sstevel@tonic-gate 		if (st_db.st_mtime < st_file.st_mtime)
2057c478bd9Sstevel@tonic-gate 			update_needed = B_TRUE;	/* database out of date */
2067c478bd9Sstevel@tonic-gate 		buf = strtok(NULL, "\t ,");
2077c478bd9Sstevel@tonic-gate 	}
2087c478bd9Sstevel@tonic-gate 
2097c478bd9Sstevel@tonic-gate 	free(listcopy);
2107c478bd9Sstevel@tonic-gate 
2117c478bd9Sstevel@tonic-gate 	/*
2127c478bd9Sstevel@tonic-gate 	 * If /etc/default/passwd is updated, generate the database.
2137c478bd9Sstevel@tonic-gate 	 * Because this is the only way we can check if files have been
2147c478bd9Sstevel@tonic-gate 	 * added/deleted from DICTIONLIST.
2157c478bd9Sstevel@tonic-gate 	 * Drawback: the database will also be generated when other
2167c478bd9Sstevel@tonic-gate 	 * tunables are changed.
2177c478bd9Sstevel@tonic-gate 	 */
2187c478bd9Sstevel@tonic-gate 	if (stat(PWADMIN, &st_file) != -1 && st_db.st_mtime < st_file.st_mtime)
2197c478bd9Sstevel@tonic-gate 		update_needed = B_TRUE;
2207c478bd9Sstevel@tonic-gate 
2217c478bd9Sstevel@tonic-gate 	if (update_needed) {
2227c478bd9Sstevel@tonic-gate 		/*
2237c478bd9Sstevel@tonic-gate 		 * Since we actually rebuild the database, we need to remove
2247c478bd9Sstevel@tonic-gate 		 * the old database first.
2257c478bd9Sstevel@tonic-gate 		 */
2267c478bd9Sstevel@tonic-gate 		PWRemove(path);
2277c478bd9Sstevel@tonic-gate 		return (build_dict_database(list, path));
2287c478bd9Sstevel@tonic-gate 	}
2297c478bd9Sstevel@tonic-gate 
2307c478bd9Sstevel@tonic-gate 	return (0);
2317c478bd9Sstevel@tonic-gate }
2327c478bd9Sstevel@tonic-gate 
2337c478bd9Sstevel@tonic-gate /*
2347c478bd9Sstevel@tonic-gate  * Build or update database, while holding the global lock.
2357c478bd9Sstevel@tonic-gate  */
2367c478bd9Sstevel@tonic-gate int
make_dict_database(char * list,char * path)2377c478bd9Sstevel@tonic-gate make_dict_database(char *list, char *path)
2387c478bd9Sstevel@tonic-gate {
2397c478bd9Sstevel@tonic-gate 	int r = -1;
2407c478bd9Sstevel@tonic-gate 
2417c478bd9Sstevel@tonic-gate 	if (lock_db(path) == 0) {
2427c478bd9Sstevel@tonic-gate 		if (database_present(path) == NO_DICTDATABASE)
2437c478bd9Sstevel@tonic-gate 			r = build_dict_database(list, path);
2447c478bd9Sstevel@tonic-gate 		else
2457c478bd9Sstevel@tonic-gate 			r = update_dict_database(list, path);
2467c478bd9Sstevel@tonic-gate 		unlock_db();
2477c478bd9Sstevel@tonic-gate 	}
2487c478bd9Sstevel@tonic-gate 	return (r);
2497c478bd9Sstevel@tonic-gate }
250