-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 84 | ||||
-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/notes.org | 83 |
2 files changed, 83 insertions, 84 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index ba5a5f4..6c211a9 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org @@ -152,7 +152,6 @@ The simplest way to authenticate a user with BSD Auth is by using [[#auth_userokay][=auth_userokay=]]. -** TODO How are these configured in login.conf? * Approval Scripts :PROPERTIES: :CUSTOM_ID: approval @@ -174,7 +173,6 @@ section of the =login.conf= man page. Approval scripts are run using [[#auth_approval][=auth_approval=]]. -** TODO How are these configured in login.conf? * auth_userokay :PROPERTIES: 
@@ -2637,88 +2635,6 @@ #+INCLUDE: "gen_dot.rb" src ruby @@html: </details> @@ -* Notes - https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/ - - In the man page for [[https://man.openbsd.org/auth_subr.3#auth_call][=auth_call=]] it says - #+begin_src text - path The full path name of the login script to run. The call will - fail if path does not pass the requirements of the secure_path(3) - function. - #+end_src - - However I don't see this enforced anywhere, I even wrote a small test - script to prove it. - - #+CAPTION: =authfail.c= - #+begin_src c - #include <sys/types.h> - #include <login_cap.h> - #include <bsd_auth.h> - #include <stdio.h> - - int main(void) { - auth_session_t *as; - - as = auth_open(); - auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL); - auth_close(as); - } - #+end_src - - Changing ="/home/dante/auth_tests/authtest/test"= to the location - of the =test= binary. - - #+CAPTION: =test.c= - #+begin_src c - #include <stdio.h> - - int main(void) { - printf("Hello! I don't have a secure path!\n"); - return 0; - } - #+end_src - - #+CAPTION: =Makefile= - #+begin_src makefile - CFLAGS = -Wall -Wextra - - run: authfail test - ./authfail - - authfail: authfail.c - $(CC) -o $@ $(CFLAGS) $< - - test: test.c - $(CC) -o $@ $(CFLAGS) $< - #+end_src - - Which results in the following: - - #+begin_src text - $ pwd && ls -l && make - /home/dante/auth_tests/authtest - total 12 - -rw-r--r-- 1 dante dante 143 May 30 19:20 Makefile - -rw-r--r-- 1 dante dante 248 May 29 19:30 authfail.c - -rw-r--r-- 1 dante dante 115 May 29 19:22 test.c - cc -o authfail -Wall -Wextra authfail.c - cc -o test -Wall -Wextra test.c - ./authfail - Hello! I don't have a secure path! - #+end_src - - - The manpage also says the path is limited to =/bin/= and =/usr/bin=, - which is also not the case. - - - The man page describes the interface for =auth_getitem= is in the - format of =AUTH_<item>=, but in reality it is =AUTHV_<item>=. 
- - # Ask jcs about the file descriptor situation, I don't understand it - # after reading both the man page and source. - - - The [[#auth_getchallenge][=auth_getchallenge=]] function in the [[https://man.openbsd.org/auth_subr.3#auth_getchallenge][=auth_subr(3)=]] man page - doesn't seem to exist in the source code. - * Copyright :PROPERTIES: :CUSTOM_ID: copyright diff --git a/content/posts/WIP-how-bsd-authentication-works/notes.org b/content/posts/WIP-how-bsd-authentication-works/notes.org new file mode 100644 index 0000000..9bd67d4 --- /dev/null +++ b/content/posts/WIP-how-bsd-authentication-works/notes.org 
@@ -0,0 +1,83 @@
+* Notes
+ https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/
+ - In the man page for [[https://man.openbsd.org/auth_subr.3#auth_call][=auth_call=]] it says
+ #+begin_src text
+ path The full path name of the login script to run. The call will
+ fail if path does not pass the requirements of the secure_path(3)
+ function.
+ #+end_src
+
+ However I don't see this enforced anywhere, I even wrote a small test
+ script to prove it.
+
+ #+CAPTION: =authfail.c=
+ #+begin_src c
+ #include <sys/types.h>
+ #include <login_cap.h>
+ #include <bsd_auth.h>
+ #include <stdio.h>
+
+ int main(void) {
+ auth_session_t *as;
+
+ as = auth_open();
+ auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL);
+ auth_close(as);
+ }
+ #+end_src
+
+ Changing ="/home/dante/auth_tests/authtest/test"= to the location
+ of the =test= binary.
+
+ #+CAPTION: =test.c=
+ #+begin_src c
+ #include <stdio.h>
+
+ int main(void) {
+ printf("Hello! I don't have a secure path!\n");
+ return 0;
+ }
+ #+end_src
+
+ #+CAPTION: =Makefile=
+ #+begin_src makefile
+ CFLAGS = -Wall -Wextra
+
+ run: authfail test
+ ./authfail
+
+ authfail: authfail.c
+ $(CC) -o $@ $(CFLAGS) $<
+
+ test: test.c
+ $(CC) -o $@ $(CFLAGS) $<
+ #+end_src
+
+ Which results in the following:
+
+ #+begin_src text
+ $ pwd && ls -l && make
+ /home/dante/auth_tests/authtest
+ total 12
+ -rw-r--r-- 1 dante dante 143 May 30 19:20 Makefile
+ -rw-r--r-- 1 dante dante 248 May 29 19:30 authfail.c
+ -rw-r--r-- 1 dante dante 115 May 29 19:22 test.c
+ cc -o authfail -Wall -Wextra authfail.c
+ cc -o test -Wall -Wextra test.c
+ ./authfail
+ Hello! I don't have a secure path!
+ #+end_src
+
+ - The manpage also says the path is limited to =/bin/= and =/usr/bin=,
+ which is also not the case.
+
+ - The man page describes the interface for =auth_getitem= is in the
+ format of =AUTH_<item>=, but in reality it is =AUTHV_<item>=.
+
+ # Ask jcs about the file descriptor situation, I don't understand it
+ # after reading both the man page and source.
+
+ - The [[#auth_getchallenge][=auth_getchallenge=]] function in the [[https://man.openbsd.org/auth_subr.3#auth_getchallenge][=auth_subr(3)=]] man page
+ doesn't seem to exist in the source code.
+
+** TODO How are these configured in login.conf? |
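Review bot: The `authfail.c` listing carried into `notes.org` discards the results of `auth_open()` and `auth_call()`, so the transcript shows that the helper ran but not what the library reported to its caller. Capturing it, e.g. `int r = auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL);` followed by `printf("auth_call returned %d\n", r);`, would make the mismatch with the man page's secure_path(3) wording easier to report upstream. The `ls -l` in the transcript runs before `make`, so it lists only the sources; an `ls -l test` after the build would record the owner and mode of the file that was actually executed, which are the properties secure_path(3) is documented to check. The trailing `** TODO How are these configured in login.conf?` heading also loses its antecedent in this file, since both copies were removed from the sections of `index.org` they referred to; naming the subject in the heading would keep it actionable.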