1 files changed, 65 insertions, 16 deletions

diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index 5bc90b7..98a13e2 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -14,12 +14,12 @@
   OpenBSD is quite different from many other Unix-like operating
   systems in many ways, but one way which I find interesting is the
   authentication system. Most systems from AIX, Solaris, and Linux to
-  most BSDs including MacOS use some form of a system called Pluggable
-  Authentication Module (PAM). The two main implementations of PAM are
+  most BSDs including MacOS use some form of a system called [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable
+  Authentication Module]] (PAM). The two main implementations of PAM are
   [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically loaded
-  shared objects, which communicate using a set of standard interfaces
-  ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory
-  and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]].
+  shared objects, which communicate using a set of somewhat
+  standardized interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured
+  using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]].
 
   OpenBSD on the other hand uses a mechanism called BSD
   Authentication. It was originally developed for a proprietary
@@ -488,10 +488,8 @@
   _auth_spool(as, pfd[0]);
   #+end_src
 
-  <<here>>
-
-  After that the spooled data is scanned for key words defined in
-  =login_cap.h=.
+  Once the back channel data has finished spooling, it is scanned for
+  key words defined in =login_cap.h=.
 
   #+BEGIN_SRC c
   #define BI_AUTH         "authorize"         /* Accepted authentication */
@@ -576,13 +574,9 @@
 
   #+END_SRC
 
-  # Write about =auth_getvalue=
-
-  It is looking for lines that start with either =BI_AUTH=
-  (=authorize=), or =BI_REJECT= (=reject=). If the line is still longer,
-  it continues to scan for any other qualifiers such as =pwexpired= or
-  =silent=. The struct's =state= is set to one using the =AUTH_= values
-  from =login_cap.h= accordingly.
+  The scanner is looking for lines that begin with =BI_AUTH=,
+  =BI_REJECT=, or =BI_REMOVE=. Here =as->state= is set according to
+  the values defined on =login_cap.h=.
 
   #+BEGIN_SRC c
   /*
@@ -597,6 +591,49 @@
   #define  AUTH_PWEXPIRED  0x40            /* password expired */
   #+END_SRC
 
+  If an authorization is received (any line starting with =BI_AUTH=),
+  the appropriate state is bitwise =or=-ed onto =as->state=, allowing
+  multiple authorizations, such as a case where both =BI_ROOTOKAY=,
+  resulting in a state of =AUTH_ROOTOKAY=, and =BI_SECURE=, resulting
+  in a state of =AUTH_SECURE= are both sent.
+
+  If a rejection is received (any line starting with =BI_REJECT=),
+  =as->state= is set according to the rejection, and the scanning is
+  stopped. Rejections are final and take precedence over any
+  authorizations.
+
+  For any lines beginning with =BI_REMOVE=, the file names after the
+  key word are sent to =_add_rmlist=.
+  #+begin_src c
+  _add_rmlist(as, line);
+  #+end_src
+
+  After scanning is complete, the resulting status is checked against
+  a bitmask to ensure the result is either only accept or only reject.
+
+  An =okay= value is then defined by masking the state with the value
+  =AUTH_ALLOW=.
+
+  #+begin_src c
+  okay = as->state & AUTH_ALLOW;
+  #+end_src
+
+  =AUTH_ALLOW= is defined in =login_cap.h=.
+
+  #+begin_src c
+  #define	AUTH_ALLOW	(AUTH_OKAY | AUTH_ROOTOKAY | AUTH_SECURE)
+  #+end_src
+
+  If the status results in a rejection, =auth_clearenv= is called on
+  =as=.
+
+  =okay= is then returned to the caller.
+
+
+  # Write about =auth_getvalue=
+
+  <<here>>
+
 ** COMMENT note
 
   ---
@@ -656,6 +693,18 @@
    =fd= and tried to receive a file descriptor. If it receives one and
    =as->fd= is equal to =-1=, it sets it to the received file
    descriptor. Otherwise it closes the received file descriptor.
+
+** _add_rmlist
+   #+begin_src c
+   static void _add_rmlist(auth_session_t *as, char *file)
+   #+end_src
+
+   =_add_rmlist= is used to add to the list of files to be removed
+   after authentication is complete
+
+   A =rmfiles= struct is allocated and appended to the end of the
+   =as->rmlist= linked list.
+
 * auth_close
   =auth_close= is the function responsible for cleaning up the session
   and taking care of the values returned though the back channel.