Message ID | 20190215155709.15777-11-berrange@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Add a standard authorization framework | expand |
Hi Daniel, On 2/15/19 4:57 PM, Daniel P. Berrangé wrote: > From: "Daniel P. Berrange" <berrange@redhat.com> > > Add an authorization backend that talks to PAM to check whether the user > identity is allowed. This only uses the PAM account validation facility, > which is essentially just a check to see if the provided username is permitted > access. It doesn't use the authentication or session parts of PAM, since > that's dealt with by the relevant part of QEMU (eg VNC server). > > Consider starting QEMU with a VNC server and telling it to use TLS with > x509 client certificates and configuring it to use an PAM to validate > the x509 distinguished name. In this example we're telling it to use PAM > for the QAuthZ impl with a service name of "qemu-vnc" > > $ qemu-system-x86_64 \ > -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\ > endpoint=server,verify-peer=yes \ > -object authz-pam,id=authz0,service=qemu-vnc \ > -vnc :1,tls-creds=tls0,tls-authz=authz0 > > This requires an /etc/pam/qemu-vnc file to be created with the auth > rules. A very simple file based whitelist can be setup using > > $ cat > /etc/pam/qemu-vnc <<EOF > account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow > EOF > > The /etc/qemu/vnc.allow file simply contains one username per line. Any > username not in the file is denied. The usernames in this example are > the x509 distinguished name from the client's x509 cert. > > $ cat > /etc/qemu/vnc.allow <<EOF > CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB > EOF > > More interesting would be to configure PAM to use an LDAP backend, so > that the QEMU authorization check data can be centralized instead of > requiring each compute host to have file maintained. > > The main limitation with this PAM module is that the rules apply to all > QEMU instances on the host. Setting up different rules per VM, would > require creating a separate PAM service name & config file for every > guest. An alternative approach for the future might be to not pass in > the plain username to PAM, but instead combine the VM name or UUID with > the username. This requires further consideration though. > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > --- > authz/Makefile.objs | 3 + > authz/pamacct.c | 149 ++++++++++++++++++++++++++++++++++++++++ > authz/trace-events | 3 + > configure | 37 ++++++++++ > include/authz/pamacct.h | 100 +++++++++++++++++++++++++++ > qemu-options.hx | 35 ++++++++++ > tests/Makefile.include | 2 + > tests/test-authz-pam.c | 124 +++++++++++++++++++++++++++++++++ > 8 files changed, 453 insertions(+) > create mode 100644 authz/pamacct.c > create mode 100644 include/authz/pamacct.h > create mode 100644 tests/test-authz-pam.c > > diff --git a/authz/Makefile.objs b/authz/Makefile.objs > index 8351bf181d..ed7b273596 100644 > --- a/authz/Makefile.objs > +++ b/authz/Makefile.objs > @@ -2,3 +2,6 @@ authz-obj-y += base.o > authz-obj-y += simple.o > authz-obj-y += list.o > authz-obj-y += listfile.o > +authz-obj-$(CONFIG_AUTH_PAM) += pamacct.o > + > +pamacct.o-libs = -lpam > diff --git a/authz/pamacct.c b/authz/pamacct.c > new file mode 100644 > index 0000000000..8fe4c8ee11 > --- /dev/null > +++ b/authz/pamacct.c > @@ -0,0 +1,149 @@ > +/* > + * QEMU PAM authorization driver > + * > + * Copyright (c) 2018 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "qemu/osdep.h" > +#include "authz/pamacct.h" > +#include "authz/trace.h" > +#include "qom/object_interfaces.h" > + > +#include <security/pam_appl.h> > + > + > +static bool qauthz_pam_is_allowed(QAuthZ *authz, > + const char *identity, > + Error **errp) > +{ > + QAuthZPAM *pauthz = QAUTHZ_PAM(authz); > + const struct pam_conv pam_conversation = { 0 }; > + pam_handle_t *pamh = NULL; > + int ret; > + > + trace_qauthz_pam_check(authz, identity, pauthz->service); > + ret = pam_start(pauthz->service, > + identity, > + &pam_conversation, > + &pamh); > + if (ret != PAM_SUCCESS) { > + error_setg(errp, "Unable to start PAM transaction: %s", > + pam_strerror(NULL, ret)); > + return false; > + } > + > + ret = pam_acct_mgmt(pamh, PAM_SILENT); > + if (ret != PAM_SUCCESS) { > + error_setg(errp, "Unable to authorize user '%s': %s", > + identity, pam_strerror(pamh, ret)); > + goto cleanup; > + } > + > + cleanup: > + pam_end(pamh, ret); > + return ret == PAM_SUCCESS; > +} I still need to digest this function (reading more about PAM). Code below reviewed/tested. > + > + > +static void > +qauthz_pam_prop_set_service(Object *obj, > + const char *service, > + Error **errp G_GNUC_UNUSED) > +{ > + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); > + > + g_free(pauthz->service); > + pauthz->service = g_strdup(service); > +} > + > + > +static char * > +qauthz_pam_prop_get_service(Object *obj, > + Error **errp G_GNUC_UNUSED) > +{ > + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); > + > + return g_strdup(pauthz->service); > +} > + > + > +static void > +qauthz_pam_complete(UserCreatable *uc, Error **errp) > +{ > +} > + > + > +static void > +qauthz_pam_finalize(Object *obj) > +{ > + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); > + > + g_free(pauthz->service); > +} > + > + > +static void > +qauthz_pam_class_init(ObjectClass *oc, void *data) > +{ > + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); > + QAuthZClass *authz = QAUTHZ_CLASS(oc); > + > + ucc->complete = qauthz_pam_complete; > + authz->is_allowed = qauthz_pam_is_allowed; > + > + object_class_property_add_str(oc, "service", > + qauthz_pam_prop_get_service, > + qauthz_pam_prop_set_service, > + NULL); > +} > + > + > +QAuthZPAM *qauthz_pam_new(const char *id, > + const char *service, > + Error **errp) > +{ > + return QAUTHZ_PAM( > + object_new_with_props(TYPE_QAUTHZ_PAM, > + object_get_objects_root(), > + id, errp, > + "service", service, > + NULL)); > +} > + > + > +static const TypeInfo qauthz_pam_info = { > + .parent = TYPE_QAUTHZ, > + .name = TYPE_QAUTHZ_PAM, > + .instance_size = sizeof(QAuthZPAM), > + .instance_finalize = qauthz_pam_finalize, > + .class_size = sizeof(QAuthZPAMClass), > + .class_init = qauthz_pam_class_init, > + .interfaces = (InterfaceInfo[]) { > + { TYPE_USER_CREATABLE }, > + { } > + } > +}; > + > + > +static void > +qauthz_pam_register_types(void) > +{ > + type_register_static(&qauthz_pam_info); > +} > + > + > +type_init(qauthz_pam_register_types); > diff --git a/authz/trace-events b/authz/trace-events > index fb65349a90..72c411927d 100644 > --- a/authz/trace-events > +++ b/authz/trace-events > @@ -13,3 +13,6 @@ qauthz_list_default_policy(void *authz, const char *identity, int policy) "AuthZ > # auth/listfile.c > qauthz_list_file_load(void *authz, const char *filename) "AuthZ file %p load filename=%s" > qauthz_list_file_refresh(void *authz, const char *filename, int success) "AuthZ file %p load filename=%s success=%d" > + > +# auth/pam.c > +qauthz_pam_check(void *authz, const char *identity, const char *service) "AuthZ PAM %p identity=%s service=%s" > diff --git a/configure b/configure > index a61682c3c7..4fe916e31f 100755 > --- a/configure > +++ b/configure > @@ -463,6 +463,7 @@ gnutls="" > nettle="" > gcrypt="" > gcrypt_hmac="no" > +auth_pam="" > vte="" > virglrenderer="" > tpm="yes" > @@ -1381,6 +1382,10 @@ for opt do > ;; > --enable-gcrypt) gcrypt="yes" > ;; > + --disable-auth-pam) auth_pam="no" > + ;; > + --enable-auth-pam) auth_pam="yes" > + ;; > --enable-rdma) rdma="yes" > ;; > --disable-rdma) rdma="no" > @@ -1707,6 +1712,7 @@ disabled with --disable-FEATURE, default is enabled if available: > gnutls GNUTLS cryptography support > nettle nettle cryptography support > gcrypt libgcrypt cryptography support > + auth-pam PAM access control > sdl SDL UI > sdl_image SDL Image support for icons > gtk gtk UI > @@ -2864,6 +2870,33 @@ else > fi > > > +########################################## > +# PAM probe > + > +if test "x$auth_pam" != "no"; then Either check "x$auth_pam" != "xno", or "$auth_pam" != "no" (the latter seems to follow the style of this file). Currently this condition is always true, so the script always calls compile_prog. And if an user has PAM locally installed, it is not possible to not use it. > + cat > $TMPC <<EOF > +#include <security/pam_appl.h> > +#include <stdio.h> > +int main(void) { > + const char *service_name = "qemu"; > + const char *user = "frank"; > + const struct pam_conv *pam_conv = NULL; > + pam_handle_t *pamh = NULL; > + pam_start(service_name, user, pam_conv, &pamh); > + return 0; > +} > +EOF > + if compile_prog "" "-lpam" ; then > + auth_pam=yes > + else > + if test "$auth_pam" = "yes"; then > + feature_not_found "PAM" "Install PAM development package" > + else > + auth_pam=no > + fi > + fi > +fi > + > ########################################## > # getifaddrs (for tests/test-io-channel-socket ) > > @@ -6083,6 +6116,7 @@ echo "GNUTLS support $gnutls" > echo "libgcrypt $gcrypt" > echo "nettle $nettle $(echo_version $nettle $nettle_version)" > echo "libtasn1 $tasn1" > +echo "PAM $auth_pam" > echo "curses support $curses" > echo "virgl support $virglrenderer $(echo_version $virglrenderer $virgl_version)" > echo "curl support $curl" > @@ -6537,6 +6571,9 @@ fi > if test "$tasn1" = "yes" ; then > echo "CONFIG_TASN1=y" >> $config_host_mak > fi > +if test "$auth_pam" = "yes" ; then > + echo "CONFIG_AUTH_PAM=y" >> $config_host_mak > +fi > if test "$have_ifaddrs_h" = "yes" ; then > echo "HAVE_IFADDRS_H=y" >> $config_host_mak > fi > diff --git a/include/authz/pamacct.h b/include/authz/pamacct.h > new file mode 100644 > index 0000000000..6e3046e528 > --- /dev/null > +++ b/include/authz/pamacct.h > @@ -0,0 +1,100 @@ > +/* > + * QEMU PAM authorization driver > + * > + * Copyright (c) 2018 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see <http://www.gnu.org/licenses/>. > + * > + */ > + > +#ifndef QAUTHZ_PAM_H__ > +#define QAUTHZ_PAM_H__ > + > +#include "authz/base.h" > + > + > +#define TYPE_QAUTHZ_PAM "authz-pam" > + > +#define QAUTHZ_PAM_CLASS(klass) \ > + OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \ > + TYPE_QAUTHZ_PAM) > +#define QAUTHZ_PAM_GET_CLASS(obj) \ > + OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \ > + TYPE_QAUTHZ_PAM) > +#define QAUTHZ_PAM(obj) \ > + INTERFACE_CHECK(QAuthZPAM, (obj), \ > + TYPE_QAUTHZ_PAM) > + > +typedef struct QAuthZPAM QAuthZPAM; > +typedef struct QAuthZPAMClass QAuthZPAMClass; > + > + > +/** > + * QAuthZPAM: > + * > + * This authorization driver provides a PAM mechanism > + * for granting access by matching user names against a > + * list of globs. Each match rule has an associated policy > + * and a catch all policy applies if no rule matches > + * > + * To create an instance of this class via QMP: > + * > + * { > + * "execute": "object-add", > + * "arguments": { > + * "qom-type": "authz-pam", > + * "id": "authz0", > + * "parameters": { > + * "service": "qemu-vnc-tls" > + * } > + * } > + * } > + * > + * The driver only uses the PAM "account" verification > + * subsystem. The above config would require a config > + * file /etc/pam.d/qemu-vnc-tls. For a simple file > + * lookup it would contain > + * > + * account requisite pam_listfile.so item=user sense=allow \ > + * file=/etc/qemu/vnc.allow > + * > + * The external file would then contain a list of usernames. > + * If x509 cert was being used as the username, a suitable > + * entry would match the distinguish name: > + * > + * CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB > + * > + * On the command line it can be created using > + * > + * -object authz-pam,id=authz0,service=qemu-vnc-tls > + * > + */ > +struct QAuthZPAM { > + QAuthZ parent_obj; > + > + char *service; > +}; > + > + > +struct QAuthZPAMClass { > + QAuthZClass parent_class; > +}; > + > + > +QAuthZPAM *qauthz_pam_new(const char *id, > + const char *service, > + Error **errp); > + > + > +#endif /* QAUTHZ_PAM_H__ */ > diff --git a/qemu-options.hx b/qemu-options.hx > index e34d30a013..22cfb32489 100644 > --- a/qemu-options.hx > +++ b/qemu-options.hx > @@ -4430,6 +4430,41 @@ would look like: > ... > @end example > > +@item -object authz-pam,id=@var{id},service=@var{string} > + > +Create an authorization object that will control access to network services. > + > +The @option{service} parameter provides the name of a PAM service to use > +for authorization. It requires that a file @code{/etc/pam.d/@var{service}} > +exist to provide the configuration for the @code{account} subsystem. > + > +An example authorization object to validate a TLS x509 distinguished > +name would look like: > + > +@example > + # $QEMU \ > + ... > + -object authz-pam,id=auth0,service=qemu-vnc > + ... > +@end example > + > +There would then be a corresponding config file for PAM at > +@code{/etc/pam.d/qemu-vnc} that contains: > + > +@example > +account requisite pam_listfile.so item=user sense=allow \ > + file=/etc/qemu/vnc.allow > +@end example > + > +Finally the @code{/etc/qemu/vnc.allow} file would contain > +the list of x509 distingished names that are permitted > +access > + > +@example > +CN=laptop.example.com,O=Example Home,L=London,ST=London,C=GB > +@end example > + > + > @end table > > ETEXI > diff --git a/tests/Makefile.include b/tests/Makefile.include > index 199e74d670..bc11d565a6 100644 > --- a/tests/Makefile.include > +++ b/tests/Makefile.include > @@ -119,6 +119,7 @@ check-unit-y += tests/test-util-sockets$(EXESUF) > check-unit-y += tests/test-authz-simple$(EXESUF) > check-unit-y += tests/test-authz-list$(EXESUF) > check-unit-y += tests/test-authz-listfile$(EXESUF) > +check-unit-$(CONFIG_AUTH_PAM) += tests/test-authz-pam$(EXESUF) > check-unit-y += tests/test-io-task$(EXESUF) > check-unit-y += tests/test-io-channel-socket$(EXESUF) > check-unit-y += tests/test-io-channel-file$(EXESUF) > @@ -669,6 +670,7 @@ tests/test-util-sockets$(EXESUF): tests/test-util-sockets.o \ > tests/test-authz-simple$(EXESUF): tests/test-authz-simple.o $(test-authz-obj-y) > tests/test-authz-list$(EXESUF): tests/test-authz-list.o $(test-authz-obj-y) > tests/test-authz-listfile$(EXESUF): tests/test-authz-listfile.o $(test-authz-obj-y) > +tests/test-authz-pam$(EXESUF): tests/test-authz-pam.o $(test-authz-obj-y) > tests/test-io-task$(EXESUF): tests/test-io-task.o $(test-io-obj-y) > tests/test-io-channel-socket$(EXESUF): tests/test-io-channel-socket.o \ > tests/io-channel-helpers.o tests/socket-helpers.o $(test-io-obj-y) > diff --git a/tests/test-authz-pam.c b/tests/test-authz-pam.c > new file mode 100644 > index 0000000000..93d5ac8bbf > --- /dev/null > +++ b/tests/test-authz-pam.c > @@ -0,0 +1,124 @@ > +/* > + * QEMU PAM authorization object tests > + * > + * Copyright (c) 2018 Red Hat, Inc. > + * > + * This library is free software; you can redistribute it and/or > + * modify it under the terms of the GNU Lesser General Public > + * License as published by the Free Software Foundation; either > + * version 2 of the License, or (at your option) any later version. > + * > + * This library is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this library; if not, see <http://www.gnu.org/licenses/>. > + * > + */ > + > +#include "qemu/osdep.h" > +#include "qapi/error.h" > +#include "authz/pamacct.h" > + > +#include <security/pam_appl.h> > + > +static bool failauth; > + > +/* > + * These two functions are exported by libpam.so. > + * > + * By defining them again here, our impls are resolved > + * by the linker instead of those in libpam.so > + * > + * The test suite is thus isolated from the host system > + * PAM setup, so we can do predictable test scenarios > + */ > +int > +pam_start(const char *service_name, const char *user, > + const struct pam_conv *pam_conversation, > + pam_handle_t **pamh) > +{ > + failauth = true; > + if (!g_str_equal(service_name, "qemu-vnc")) { > + return PAM_AUTH_ERR; > + } > + > + if (g_str_equal(user, "fred")) { > + failauth = false; > + } > + > + return PAM_SUCCESS; > +} > + > + > +int > +pam_acct_mgmt(pam_handle_t *pamh, int flags) > +{ > + if (failauth) { > + return PAM_AUTH_ERR; > + } > + > + return PAM_SUCCESS; > +} > + > + > +static void test_authz_unknown_service(void) > +{ > + Error *local_err = NULL; > + QAuthZPAM *auth = qauthz_pam_new("auth0", > + "qemu-does-not-exist", > + &error_abort); > + > + g_assert_nonnull(auth); > + > + g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err)); > + > + error_free_or_abort(&local_err); > + object_unparent(OBJECT(auth)); > +} > + > + > +static void test_authz_good_user(void) > +{ > + QAuthZPAM *auth = qauthz_pam_new("auth0", > + "qemu-vnc", > + &error_abort); > + > + g_assert_nonnull(auth); > + > + g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); > + > + object_unparent(OBJECT(auth)); > +} > + > + > +static void test_authz_bad_user(void) > +{ > + Error *local_err = NULL; > + QAuthZPAM *auth = qauthz_pam_new("auth0", > + "qemu-vnc", > + &error_abort); > + > + g_assert_nonnull(auth); > + > + g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err)); > + > + error_free_or_abort(&local_err); > + object_unparent(OBJECT(auth)); > +} > + > + > +int main(int argc, char **argv) > +{ > + g_test_init(&argc, &argv, NULL); > + > + module_call_init(MODULE_INIT_QOM); > + > + g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service); > + g_test_add_func("/auth/pam/good-user", test_authz_good_user); > + g_test_add_func("/auth/pam/bad-user", test_authz_bad_user); > + > + return g_test_run(); > +} > Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
On Fri, Feb 22, 2019 at 01:34:12AM +0100, Philippe Mathieu-Daudé wrote: > Hi Daniel, > > On 2/15/19 4:57 PM, Daniel P. Berrangé wrote: > > From: "Daniel P. Berrange" <berrange@redhat.com> > > > > Add an authorization backend that talks to PAM to check whether the user > > identity is allowed. This only uses the PAM account validation facility, > > which is essentially just a check to see if the provided username is permitted > > access. It doesn't use the authentication or session parts of PAM, since > > that's dealt with by the relevant part of QEMU (eg VNC server). > > > > Consider starting QEMU with a VNC server and telling it to use TLS with > > x509 client certificates and configuring it to use an PAM to validate > > the x509 distinguished name. In this example we're telling it to use PAM > > for the QAuthZ impl with a service name of "qemu-vnc" > > > > $ qemu-system-x86_64 \ > > -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\ > > endpoint=server,verify-peer=yes \ > > -object authz-pam,id=authz0,service=qemu-vnc \ > > -vnc :1,tls-creds=tls0,tls-authz=authz0 > > > > This requires an /etc/pam/qemu-vnc file to be created with the auth > > rules. A very simple file based whitelist can be setup using > > > > $ cat > /etc/pam/qemu-vnc <<EOF > > account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow > > EOF > > > > The /etc/qemu/vnc.allow file simply contains one username per line. Any > > username not in the file is denied. The usernames in this example are > > the x509 distinguished name from the client's x509 cert. > > > > $ cat > /etc/qemu/vnc.allow <<EOF > > CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB > > EOF > > > > More interesting would be to configure PAM to use an LDAP backend, so > > that the QEMU authorization check data can be centralized instead of > > requiring each compute host to have file maintained. > > > > The main limitation with this PAM module is that the rules apply to all > > QEMU instances on the host. Setting up different rules per VM, would > > require creating a separate PAM service name & config file for every > > guest. An alternative approach for the future might be to not pass in > > the plain username to PAM, but instead combine the VM name or UUID with > > the username. This requires further consideration though. > > > > Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > > --- > > +static bool qauthz_pam_is_allowed(QAuthZ *authz, > > + const char *identity, > > + Error **errp) > > +{ > > + QAuthZPAM *pauthz = QAUTHZ_PAM(authz); > > + const struct pam_conv pam_conversation = { 0 }; > > + pam_handle_t *pamh = NULL; > > + int ret; > > + > > + trace_qauthz_pam_check(authz, identity, pauthz->service); > > + ret = pam_start(pauthz->service, > > + identity, > > + &pam_conversation, > > + &pamh); > > + if (ret != PAM_SUCCESS) { > > + error_setg(errp, "Unable to start PAM transaction: %s", > > + pam_strerror(NULL, ret)); > > + return false; > > + } > > + > > + ret = pam_acct_mgmt(pamh, PAM_SILENT); > > + if (ret != PAM_SUCCESS) { > > + error_setg(errp, "Unable to authorize user '%s': %s", > > + identity, pam_strerror(pamh, ret)); > > + goto cleanup; > > + } > > + > > + cleanup: > > + pam_end(pamh, ret); > > + return ret == PAM_SUCCESS; > > +} > > I still need to digest this function (reading more about PAM). FWIW there's reasonably good manpages 'pam(3)' and 'pam(8)' are starting points. > > @@ -2864,6 +2870,33 @@ else > > fi > > > > > > +########################################## > > +# PAM probe > > + > > +if test "x$auth_pam" != "no"; then > > Either check "x$auth_pam" != "xno", or "$auth_pam" != "no" (the latter > seems to follow the style of this file). > > Currently this condition is always true, so the script always calls > compile_prog. And if an user has PAM locally installed, it is not > possible to not use it. Opps, yes, did I say I hate shell :-) > > > + cat > $TMPC <<EOF > > +#include <security/pam_appl.h> > > +#include <stdio.h> > > +int main(void) { > > + const char *service_name = "qemu"; > > + const char *user = "frank"; > > + const struct pam_conv *pam_conv = NULL; > > + pam_handle_t *pamh = NULL; > > + pam_start(service_name, user, pam_conv, &pamh); > > + return 0; > > +} > > +EOF > > + if compile_prog "" "-lpam" ; then > > + auth_pam=yes > > + else > > + if test "$auth_pam" = "yes"; then > > + feature_not_found "PAM" "Install PAM development package" > > + else > > + auth_pam=no > > + fi > > + fi I notice some indentation damage here now due to tabs that I'll also fix. Regards, Daniel
Hi Daniel, On 2/22/19 1:24 PM, Daniel P. Berrangé wrote: > On Fri, Feb 22, 2019 at 01:34:12AM +0100, Philippe Mathieu-Daudé wrote: >> Hi Daniel, >> >> On 2/15/19 4:57 PM, Daniel P. Berrangé wrote: >>> From: "Daniel P. Berrange" <berrange@redhat.com> >>> >>> Add an authorization backend that talks to PAM to check whether the user >>> identity is allowed. This only uses the PAM account validation facility, >>> which is essentially just a check to see if the provided username is permitted >>> access. It doesn't use the authentication or session parts of PAM, since >>> that's dealt with by the relevant part of QEMU (eg VNC server). >>> >>> Consider starting QEMU with a VNC server and telling it to use TLS with >>> x509 client certificates and configuring it to use an PAM to validate >>> the x509 distinguished name. In this example we're telling it to use PAM >>> for the QAuthZ impl with a service name of "qemu-vnc" >>> >>> $ qemu-system-x86_64 \ >>> -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\ >>> endpoint=server,verify-peer=yes \ >>> -object authz-pam,id=authz0,service=qemu-vnc \ >>> -vnc :1,tls-creds=tls0,tls-authz=authz0 >>> >>> This requires an /etc/pam/qemu-vnc file to be created with the auth >>> rules. A very simple file based whitelist can be setup using >>> >>> $ cat > /etc/pam/qemu-vnc <<EOF >>> account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow >>> EOF >>> >>> The /etc/qemu/vnc.allow file simply contains one username per line. Any >>> username not in the file is denied. The usernames in this example are >>> the x509 distinguished name from the client's x509 cert. >>> >>> $ cat > /etc/qemu/vnc.allow <<EOF >>> CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB >>> EOF >>> >>> More interesting would be to configure PAM to use an LDAP backend, so >>> that the QEMU authorization check data can be centralized instead of >>> requiring each compute host to have file maintained. >>> >>> The main limitation with this PAM module is that the rules apply to all >>> QEMU instances on the host. Setting up different rules per VM, would >>> require creating a separate PAM service name & config file for every >>> guest. An alternative approach for the future might be to not pass in >>> the plain username to PAM, but instead combine the VM name or UUID with >>> the username. This requires further consideration though. >>> >>> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> >>> --- > >>> +static bool qauthz_pam_is_allowed(QAuthZ *authz, >>> + const char *identity, >>> + Error **errp) >>> +{ >>> + QAuthZPAM *pauthz = QAUTHZ_PAM(authz); >>> + const struct pam_conv pam_conversation = { 0 }; >>> + pam_handle_t *pamh = NULL; >>> + int ret; >>> + >>> + trace_qauthz_pam_check(authz, identity, pauthz->service); >>> + ret = pam_start(pauthz->service, >>> + identity, >>> + &pam_conversation, >>> + &pamh); >>> + if (ret != PAM_SUCCESS) { >>> + error_setg(errp, "Unable to start PAM transaction: %s", >>> + pam_strerror(NULL, ret)); "In an error case is the content of pamh undefined." So it is safer to use NULL here indeed. >>> + return false; >>> + } >>> + >>> + ret = pam_acct_mgmt(pamh, PAM_SILENT); >>> + if (ret != PAM_SUCCESS) { >>> + error_setg(errp, "Unable to authorize user '%s': %s", >>> + identity, pam_strerror(pamh, ret)); >>> + goto cleanup; >>> + } >>> + >>> + cleanup: >>> + pam_end(pamh, ret); >>> + return ret == PAM_SUCCESS; Hmm I find this fragile. A 'cleanup' label means (to me) you expect someone to eventually add more code around, and I'm worried someone add a pam_smth() call after pam_acct_mgmt(), that sets ret to PAM_SUCCESS. It looks safer to me to simply not use any label here (for the current code, if it is extended, we'll see). >>> +} >> >> I still need to digest this function (reading more about PAM). > > FWIW there's reasonably good manpages 'pam(3)' and 'pam(8)' are > starting points. Easier inverted, first 'pam(8)' then 'pam(3)' ;) Here I realize last time I checked 'pam(3)' was 17 years ago... >>> @@ -2864,6 +2870,33 @@ else >>> fi >>> >>> >>> +########################################## >>> +# PAM probe >>> + >>> +if test "x$auth_pam" != "no"; then >> >> Either check "x$auth_pam" != "xno", or "$auth_pam" != "no" (the latter >> seems to follow the style of this file). >> >> Currently this condition is always true, so the script always calls >> compile_prog. And if an user has PAM locally installed, it is not >> possible to not use it. > > Opps, yes, did I say I hate shell :-) > >> >>> + cat > $TMPC <<EOF >>> +#include <security/pam_appl.h> >>> +#include <stdio.h> >>> +int main(void) { >>> + const char *service_name = "qemu"; >>> + const char *user = "frank"; >>> + const struct pam_conv *pam_conv = NULL; >>> + pam_handle_t *pamh = NULL; >>> + pam_start(service_name, user, pam_conv, &pamh); >>> + return 0; >>> +} >>> +EOF >>> + if compile_prog "" "-lpam" ; then >>> + auth_pam=yes >>> + else >>> + if test "$auth_pam" = "yes"; then >>> + feature_not_found "PAM" "Install PAM development package" >>> + else >>> + auth_pam=no >>> + fi >>> + fi > > I notice some indentation damage here now due to tabs that I'll also > fix. OK. If you agree on removing the 'cleanup' label in qauthz_pam_is_allowed(), for the whole patch: Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Regards, Phil. > > Regards, > Daniel >
On Fri, Feb 22, 2019 at 02:27:26PM +0100, Philippe Mathieu-Daudé wrote: > Hi Daniel, > > On 2/22/19 1:24 PM, Daniel P. Berrangé wrote: > > On Fri, Feb 22, 2019 at 01:34:12AM +0100, Philippe Mathieu-Daudé wrote: > >> Hi Daniel, > >> > >> On 2/15/19 4:57 PM, Daniel P. Berrangé wrote: > >>> From: "Daniel P. Berrange" <berrange@redhat.com> > >>> > >>> Add an authorization backend that talks to PAM to check whether the user > >>> identity is allowed. This only uses the PAM account validation facility, > >>> which is essentially just a check to see if the provided username is permitted > >>> access. It doesn't use the authentication or session parts of PAM, since > >>> that's dealt with by the relevant part of QEMU (eg VNC server). > >>> > >>> Consider starting QEMU with a VNC server and telling it to use TLS with > >>> x509 client certificates and configuring it to use an PAM to validate > >>> the x509 distinguished name. In this example we're telling it to use PAM > >>> for the QAuthZ impl with a service name of "qemu-vnc" > >>> > >>> $ qemu-system-x86_64 \ > >>> -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\ > >>> endpoint=server,verify-peer=yes \ > >>> -object authz-pam,id=authz0,service=qemu-vnc \ > >>> -vnc :1,tls-creds=tls0,tls-authz=authz0 > >>> > >>> This requires an /etc/pam/qemu-vnc file to be created with the auth > >>> rules. A very simple file based whitelist can be setup using > >>> > >>> $ cat > /etc/pam/qemu-vnc <<EOF > >>> account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow > >>> EOF > >>> > >>> The /etc/qemu/vnc.allow file simply contains one username per line. Any > >>> username not in the file is denied. The usernames in this example are > >>> the x509 distinguished name from the client's x509 cert. > >>> > >>> $ cat > /etc/qemu/vnc.allow <<EOF > >>> CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB > >>> EOF > >>> > >>> More interesting would be to configure PAM to use an LDAP backend, so > >>> that the QEMU authorization check data can be centralized instead of > >>> requiring each compute host to have file maintained. > >>> > >>> The main limitation with this PAM module is that the rules apply to all > >>> QEMU instances on the host. Setting up different rules per VM, would > >>> require creating a separate PAM service name & config file for every > >>> guest. An alternative approach for the future might be to not pass in > >>> the plain username to PAM, but instead combine the VM name or UUID with > >>> the username. This requires further consideration though. > >>> > >>> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> > >>> --- > > > >>> +static bool qauthz_pam_is_allowed(QAuthZ *authz, > >>> + const char *identity, > >>> + Error **errp) > >>> +{ > >>> + QAuthZPAM *pauthz = QAUTHZ_PAM(authz); > >>> + const struct pam_conv pam_conversation = { 0 }; > >>> + pam_handle_t *pamh = NULL; > >>> + int ret; > >>> + > >>> + trace_qauthz_pam_check(authz, identity, pauthz->service); > >>> + ret = pam_start(pauthz->service, > >>> + identity, > >>> + &pam_conversation, > >>> + &pamh); > >>> + if (ret != PAM_SUCCESS) { > >>> + error_setg(errp, "Unable to start PAM transaction: %s", > >>> + pam_strerror(NULL, ret)); > > "In an error case is the content of pamh undefined." > So it is safer to use NULL here indeed. > > >>> + return false; > >>> + } > >>> + > >>> + ret = pam_acct_mgmt(pamh, PAM_SILENT); > >>> + if (ret != PAM_SUCCESS) { > >>> + error_setg(errp, "Unable to authorize user '%s': %s", > >>> + identity, pam_strerror(pamh, ret)); > >>> + goto cleanup; > >>> + } > >>> + > >>> + cleanup: > >>> + pam_end(pamh, ret); > >>> + return ret == PAM_SUCCESS; > > Hmm I find this fragile. > > A 'cleanup' label means (to me) you expect someone to eventually add > more code around, and I'm worried someone add a pam_smth() call after > pam_acct_mgmt(), that sets ret to PAM_SUCCESS. > > It looks safer to me to simply not use any label here (for the current > code, if it is extended, we'll see). > > If you agree on removing the 'cleanup' label in qauthz_pam_is_allowed(), > for the whole patch: > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Thanks, I will squash this in: diff --git a/authz/pamacct.c b/authz/pamacct.c index 8fe4c8ee11..5038358cdc 100644 --- a/authz/pamacct.c +++ b/authz/pamacct.c @@ -47,15 +47,14 @@ static bool qauthz_pam_is_allowed(QAuthZ *authz, } ret = pam_acct_mgmt(pamh, PAM_SILENT); + pam_end(pamh, ret); if (ret != PAM_SUCCESS) { error_setg(errp, "Unable to authorize user '%s': %s", identity, pam_strerror(pamh, ret)); - goto cleanup; + return false; } - cleanup: - pam_end(pamh, ret); - return ret == PAM_SUCCESS; + return true; } Regards, Daniel
diff --git a/authz/Makefile.objs b/authz/Makefile.objs index 8351bf181d..ed7b273596 100644 --- a/authz/Makefile.objs +++ b/authz/Makefile.objs @@ -2,3 +2,6 @@ authz-obj-y += base.o authz-obj-y += simple.o authz-obj-y += list.o authz-obj-y += listfile.o +authz-obj-$(CONFIG_AUTH_PAM) += pamacct.o + +pamacct.o-libs = -lpam diff --git a/authz/pamacct.c b/authz/pamacct.c new file mode 100644 index 0000000000..8fe4c8ee11 --- /dev/null +++ b/authz/pamacct.c @@ -0,0 +1,149 @@ +/* + * QEMU PAM authorization driver + * + * Copyright (c) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "authz/pamacct.h" +#include "authz/trace.h" +#include "qom/object_interfaces.h" + +#include <security/pam_appl.h> + + +static bool qauthz_pam_is_allowed(QAuthZ *authz, + const char *identity, + Error **errp) +{ + QAuthZPAM *pauthz = QAUTHZ_PAM(authz); + const struct pam_conv pam_conversation = { 0 }; + pam_handle_t *pamh = NULL; + int ret; + + trace_qauthz_pam_check(authz, identity, pauthz->service); + ret = pam_start(pauthz->service, + identity, + &pam_conversation, + &pamh); + if (ret != PAM_SUCCESS) { + error_setg(errp, "Unable to start PAM transaction: %s", + pam_strerror(NULL, ret)); + return false; + } + + ret = pam_acct_mgmt(pamh, PAM_SILENT); + if (ret != PAM_SUCCESS) { + error_setg(errp, "Unable to authorize user '%s': %s", + identity, pam_strerror(pamh, ret)); + goto cleanup; + } + + cleanup: + pam_end(pamh, ret); + return ret == PAM_SUCCESS; +} + + +static void +qauthz_pam_prop_set_service(Object *obj, + const char *service, + Error **errp G_GNUC_UNUSED) +{ + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); + + g_free(pauthz->service); + pauthz->service = g_strdup(service); +} + + +static char * +qauthz_pam_prop_get_service(Object *obj, + Error **errp G_GNUC_UNUSED) +{ + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); + + return g_strdup(pauthz->service); +} + + +static void +qauthz_pam_complete(UserCreatable *uc, Error **errp) +{ +} + + +static void +qauthz_pam_finalize(Object *obj) +{ + QAuthZPAM *pauthz = QAUTHZ_PAM(obj); + + g_free(pauthz->service); +} + + +static void +qauthz_pam_class_init(ObjectClass *oc, void *data) +{ + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); + QAuthZClass *authz = QAUTHZ_CLASS(oc); + + ucc->complete = qauthz_pam_complete; + authz->is_allowed = qauthz_pam_is_allowed; + + object_class_property_add_str(oc, "service", + qauthz_pam_prop_get_service, + qauthz_pam_prop_set_service, + NULL); +} + + +QAuthZPAM *qauthz_pam_new(const char *id, + const char *service, + Error **errp) +{ + return QAUTHZ_PAM( + object_new_with_props(TYPE_QAUTHZ_PAM, + object_get_objects_root(), + id, errp, + "service", service, + NULL)); +} + + +static const TypeInfo qauthz_pam_info = { + .parent = TYPE_QAUTHZ, + .name = TYPE_QAUTHZ_PAM, + .instance_size = sizeof(QAuthZPAM), + .instance_finalize = qauthz_pam_finalize, + .class_size = sizeof(QAuthZPAMClass), + .class_init = qauthz_pam_class_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + + +static void +qauthz_pam_register_types(void) +{ + type_register_static(&qauthz_pam_info); +} + + +type_init(qauthz_pam_register_types); diff --git a/authz/trace-events b/authz/trace-events index fb65349a90..72c411927d 100644 --- a/authz/trace-events +++ b/authz/trace-events @@ -13,3 +13,6 @@ qauthz_list_default_policy(void *authz, const char *identity, int policy) "AuthZ # auth/listfile.c qauthz_list_file_load(void *authz, const char *filename) "AuthZ file %p load filename=%s" qauthz_list_file_refresh(void *authz, const char *filename, int success) "AuthZ file %p load filename=%s success=%d" + +# auth/pam.c +qauthz_pam_check(void *authz, const char *identity, const char *service) "AuthZ PAM %p identity=%s service=%s" diff --git a/configure b/configure index a61682c3c7..4fe916e31f 100755 --- a/configure +++ b/configure @@ -463,6 +463,7 @@ gnutls="" nettle="" gcrypt="" gcrypt_hmac="no" +auth_pam="" vte="" virglrenderer="" tpm="yes" @@ -1381,6 +1382,10 @@ for opt do ;; --enable-gcrypt) gcrypt="yes" ;; + --disable-auth-pam) auth_pam="no" + ;; + --enable-auth-pam) auth_pam="yes" + ;; --enable-rdma) rdma="yes" ;; --disable-rdma) rdma="no" @@ -1707,6 +1712,7 @@ disabled with --disable-FEATURE, default is enabled if available: gnutls GNUTLS cryptography support nettle nettle cryptography support gcrypt libgcrypt cryptography support + auth-pam PAM access control sdl SDL UI sdl_image SDL Image support for icons gtk gtk UI @@ -2864,6 +2870,33 @@ else fi +########################################## +# PAM probe + +if test "x$auth_pam" != "no"; then + cat > $TMPC <<EOF +#include <security/pam_appl.h> +#include <stdio.h> +int main(void) { + const char *service_name = "qemu"; + const char *user = "frank"; + const struct pam_conv *pam_conv = NULL; + pam_handle_t *pamh = NULL; + pam_start(service_name, user, pam_conv, &pamh); + return 0; +} +EOF + if compile_prog "" "-lpam" ; then + auth_pam=yes + else + if test "$auth_pam" = "yes"; then + feature_not_found "PAM" "Install PAM development package" + else + auth_pam=no + fi + fi +fi + ########################################## # getifaddrs (for tests/test-io-channel-socket ) @@ -6083,6 +6116,7 @@ echo "GNUTLS support $gnutls" echo "libgcrypt $gcrypt" echo "nettle $nettle $(echo_version $nettle $nettle_version)" echo "libtasn1 $tasn1" +echo "PAM $auth_pam" echo "curses support $curses" echo "virgl support $virglrenderer $(echo_version $virglrenderer $virgl_version)" echo "curl support $curl" @@ -6537,6 +6571,9 @@ fi if test "$tasn1" = "yes" ; then echo "CONFIG_TASN1=y" >> $config_host_mak fi +if test "$auth_pam" = "yes" ; then + echo "CONFIG_AUTH_PAM=y" >> $config_host_mak +fi if test "$have_ifaddrs_h" = "yes" ; then echo "HAVE_IFADDRS_H=y" >> $config_host_mak fi diff --git a/include/authz/pamacct.h b/include/authz/pamacct.h new file mode 100644 index 0000000000..6e3046e528 --- /dev/null +++ b/include/authz/pamacct.h @@ -0,0 +1,100 @@ +/* + * QEMU PAM authorization driver + * + * Copyright (c) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#ifndef QAUTHZ_PAM_H__ +#define QAUTHZ_PAM_H__ + +#include "authz/base.h" + + +#define TYPE_QAUTHZ_PAM "authz-pam" + +#define QAUTHZ_PAM_CLASS(klass) \ + OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \ + TYPE_QAUTHZ_PAM) +#define QAUTHZ_PAM_GET_CLASS(obj) \ + OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \ + TYPE_QAUTHZ_PAM) +#define QAUTHZ_PAM(obj) \ + INTERFACE_CHECK(QAuthZPAM, (obj), \ + TYPE_QAUTHZ_PAM) + +typedef struct QAuthZPAM QAuthZPAM; +typedef struct QAuthZPAMClass QAuthZPAMClass; + + +/** + * QAuthZPAM: + * + * This authorization driver provides a PAM mechanism + * for granting access by matching user names against a + * list of globs. Each match rule has an associated policy + * and a catch all policy applies if no rule matches + * + * To create an instance of this class via QMP: + * + * { + * "execute": "object-add", + * "arguments": { + * "qom-type": "authz-pam", + * "id": "authz0", + * "parameters": { + * "service": "qemu-vnc-tls" + * } + * } + * } + * + * The driver only uses the PAM "account" verification + * subsystem. The above config would require a config + * file /etc/pam.d/qemu-vnc-tls. For a simple file + * lookup it would contain + * + * account requisite pam_listfile.so item=user sense=allow \ + * file=/etc/qemu/vnc.allow + * + * The external file would then contain a list of usernames. + * If x509 cert was being used as the username, a suitable + * entry would match the distinguish name: + * + * CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB + * + * On the command line it can be created using + * + * -object authz-pam,id=authz0,service=qemu-vnc-tls + * + */ +struct QAuthZPAM { + QAuthZ parent_obj; + + char *service; +}; + + +struct QAuthZPAMClass { + QAuthZClass parent_class; +}; + + +QAuthZPAM *qauthz_pam_new(const char *id, + const char *service, + Error **errp); + + +#endif /* QAUTHZ_PAM_H__ */ diff --git a/qemu-options.hx b/qemu-options.hx index e34d30a013..22cfb32489 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4430,6 +4430,41 @@ would look like: ... @end example +@item -object authz-pam,id=@var{id},service=@var{string} + +Create an authorization object that will control access to network services. + +The @option{service} parameter provides the name of a PAM service to use +for authorization. It requires that a file @code{/etc/pam.d/@var{service}} +exist to provide the configuration for the @code{account} subsystem. + +An example authorization object to validate a TLS x509 distinguished +name would look like: + +@example + # $QEMU \ + ... + -object authz-pam,id=auth0,service=qemu-vnc + ... +@end example + +There would then be a corresponding config file for PAM at +@code{/etc/pam.d/qemu-vnc} that contains: + +@example +account requisite pam_listfile.so item=user sense=allow \ + file=/etc/qemu/vnc.allow +@end example + +Finally the @code{/etc/qemu/vnc.allow} file would contain +the list of x509 distingished names that are permitted +access + +@example +CN=laptop.example.com,O=Example Home,L=London,ST=London,C=GB +@end example + + @end table ETEXI diff --git a/tests/Makefile.include b/tests/Makefile.include index 199e74d670..bc11d565a6 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include @@ -119,6 +119,7 @@ check-unit-y += tests/test-util-sockets$(EXESUF) check-unit-y += tests/test-authz-simple$(EXESUF) check-unit-y += tests/test-authz-list$(EXESUF) check-unit-y += tests/test-authz-listfile$(EXESUF) +check-unit-$(CONFIG_AUTH_PAM) += tests/test-authz-pam$(EXESUF) check-unit-y += tests/test-io-task$(EXESUF) check-unit-y += tests/test-io-channel-socket$(EXESUF) check-unit-y += tests/test-io-channel-file$(EXESUF) @@ -669,6 +670,7 @@ tests/test-util-sockets$(EXESUF): tests/test-util-sockets.o \ tests/test-authz-simple$(EXESUF): tests/test-authz-simple.o $(test-authz-obj-y) tests/test-authz-list$(EXESUF): tests/test-authz-list.o $(test-authz-obj-y) tests/test-authz-listfile$(EXESUF): tests/test-authz-listfile.o $(test-authz-obj-y) +tests/test-authz-pam$(EXESUF): tests/test-authz-pam.o $(test-authz-obj-y) tests/test-io-task$(EXESUF): tests/test-io-task.o $(test-io-obj-y) tests/test-io-channel-socket$(EXESUF): tests/test-io-channel-socket.o \ tests/io-channel-helpers.o tests/socket-helpers.o $(test-io-obj-y) diff --git a/tests/test-authz-pam.c b/tests/test-authz-pam.c new file mode 100644 index 0000000000..93d5ac8bbf --- /dev/null +++ b/tests/test-authz-pam.c @@ -0,0 +1,124 @@ +/* + * QEMU PAM authorization object tests + * + * Copyright (c) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "authz/pamacct.h" + +#include <security/pam_appl.h> + +static bool failauth; + +/* + * These two functions are exported by libpam.so. + * + * By defining them again here, our impls are resolved + * by the linker instead of those in libpam.so + * + * The test suite is thus isolated from the host system + * PAM setup, so we can do predictable test scenarios + */ +int +pam_start(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh) +{ + failauth = true; + if (!g_str_equal(service_name, "qemu-vnc")) { + return PAM_AUTH_ERR; + } + + if (g_str_equal(user, "fred")) { + failauth = false; + } + + return PAM_SUCCESS; +} + + +int +pam_acct_mgmt(pam_handle_t *pamh, int flags) +{ + if (failauth) { + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + + +static void test_authz_unknown_service(void) +{ + Error *local_err = NULL; + QAuthZPAM *auth = qauthz_pam_new("auth0", + "qemu-does-not-exist", + &error_abort); + + g_assert_nonnull(auth); + + g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "fred", &local_err)); + + error_free_or_abort(&local_err); + object_unparent(OBJECT(auth)); +} + + +static void test_authz_good_user(void) +{ + QAuthZPAM *auth = qauthz_pam_new("auth0", + "qemu-vnc", + &error_abort); + + g_assert_nonnull(auth); + + g_assert_true(qauthz_is_allowed(QAUTHZ(auth), "fred", &error_abort)); + + object_unparent(OBJECT(auth)); +} + + +static void test_authz_bad_user(void) +{ + Error *local_err = NULL; + QAuthZPAM *auth = qauthz_pam_new("auth0", + "qemu-vnc", + &error_abort); + + g_assert_nonnull(auth); + + g_assert_false(qauthz_is_allowed(QAUTHZ(auth), "bob", &local_err)); + + error_free_or_abort(&local_err); + object_unparent(OBJECT(auth)); +} + + +int main(int argc, char **argv) +{ + g_test_init(&argc, &argv, NULL); + + module_call_init(MODULE_INIT_QOM); + + g_test_add_func("/auth/pam/unknown-service", test_authz_unknown_service); + g_test_add_func("/auth/pam/good-user", test_authz_good_user); + g_test_add_func("/auth/pam/bad-user", test_authz_bad_user); + + return g_test_run(); +}