Support for password & security configuration
Support for password & security enforcement configuration added.
Implements the D-Bus interface properties to read and configure
minimum password length, old password remember history, unlock
timeout and maximum login attempt.
Change-Id: I1a462a8a5d1f5dd07f3b594d62bd9c61bbdddb9c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/user_mgr.cpp b/user_mgr.cpp
index cba9366..ee72b05 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -47,6 +47,20 @@
static constexpr size_t systemMaxUserNameLen = 30;
static constexpr size_t maxSystemUsers = 30;
static constexpr const char *grpSsh = "ssh";
+static constexpr uint8_t minPasswdLength = 8;
+static constexpr int success = 0;
+static constexpr int failure = -1;
+
+// pam modules related
+static constexpr const char *pamTally2 = "pam_tally2.so";
+static constexpr const char *pamCrackLib = "pam_cracklib.so";
+static constexpr const char *pamPWHistory = "pam_pwhistory.so";
+static constexpr const char *minPasswdLenProp = "minlen";
+static constexpr const char *remOldPasswdCount = "remember";
+static constexpr const char *maxFailedAttempt = "deny";
+static constexpr const char *unlockTimeout = "unlock_time";
+static constexpr const char *pamPasswdConfigFile = "/etc/pam.d/common-password";
+static constexpr const char *pamAuthConfigFile = "/etc/pam.d/common-auth";
using namespace phosphor::logging;
using InsufficientPermission =
@@ -408,6 +422,193 @@
return;
}
+uint8_t UserMgr::minPasswordLength(uint8_t value)
+{
+ if (value == AccountPolicyIface::minPasswordLength())
+ {
+ return value;
+ }
+ if (value < minPasswdLength)
+ {
+ return value;
+ }
+ if (setPamModuleArgValue(pamCrackLib, minPasswdLenProp,
+ std::to_string(value)) != success)
+ {
+ log<level::ERR>("Unable to set minPasswordLength");
+ elog<InternalFailure>();
+ }
+ return AccountPolicyIface::minPasswordLength(value);
+}
+
+uint8_t UserMgr::rememberOldPasswordTimes(uint8_t value)
+{
+ if (value == AccountPolicyIface::rememberOldPasswordTimes())
+ {
+ return value;
+ }
+ if (setPamModuleArgValue(pamPWHistory, remOldPasswdCount,
+ std::to_string(value)) != success)
+ {
+ log<level::ERR>("Unable to set rememberOldPasswordTimes");
+ elog<InternalFailure>();
+ }
+ return AccountPolicyIface::rememberOldPasswordTimes(value);
+}
+
+uint16_t UserMgr::maxLoginAttemptBeforeLockout(uint16_t value)
+{
+ if (value == AccountPolicyIface::maxLoginAttemptBeforeLockout())
+ {
+ return value;
+ }
+ if (setPamModuleArgValue(pamTally2, maxFailedAttempt,
+ std::to_string(value)) != success)
+ {
+ log<level::ERR>("Unable to set maxLoginAttemptBeforeLockout");
+ elog<InternalFailure>();
+ }
+ return AccountPolicyIface::maxLoginAttemptBeforeLockout(value);
+}
+
+uint32_t UserMgr::accountUnlockTimeout(uint32_t value)
+{
+ if (value == AccountPolicyIface::accountUnlockTimeout())
+ {
+ return value;
+ }
+ if (setPamModuleArgValue(pamTally2, unlockTimeout, std::to_string(value)) !=
+ success)
+ {
+ log<level::ERR>("Unable to set accountUnlockTimeout");
+ elog<InternalFailure>();
+ }
+ return AccountPolicyIface::accountUnlockTimeout(value);
+}
+
+int UserMgr::getPamModuleArgValue(const std::string &moduleName,
+ const std::string &argName,
+ std::string &argValue)
+{
+ std::string fileName;
+ if (moduleName == pamTally2)
+ {
+ fileName = pamAuthConfigFile;
+ }
+ else
+ {
+ fileName = pamPasswdConfigFile;
+ }
+ std::ifstream fileToRead(fileName, std::ios::in);
+ if (!fileToRead.is_open())
+ {
+ log<level::ERR>("Failed to open pam configuration file",
+ entry("FILE_NAME=%s", fileName.c_str()));
+ return failure;
+ }
+ std::string line;
+ auto argSearch = argName + "=";
+ size_t startPos = 0;
+ size_t endPos = 0;
+ while (getline(fileToRead, line))
+ {
+ // skip comments section starting with #
+ if ((startPos = line.find('#')) != std::string::npos)
+ {
+ if (startPos == 0)
+ {
+ continue;
+ }
+ // skip comments after meaningful section and process those
+ line = line.substr(0, startPos);
+ }
+ if (line.find(moduleName) != std::string::npos)
+ {
+ if ((startPos = line.find(argSearch)) != std::string::npos)
+ {
+ if ((endPos = line.find(' ', startPos)) == std::string::npos)
+ {
+ endPos = line.size();
+ }
+ startPos += argSearch.size();
+ argValue = line.substr(startPos, endPos - startPos);
+ return success;
+ }
+ }
+ }
+ return failure;
+}
+
+int UserMgr::setPamModuleArgValue(const std::string &moduleName,
+ const std::string &argName,
+ const std::string &argValue)
+{
+ std::string fileName;
+ if (moduleName == pamTally2)
+ {
+ fileName = pamAuthConfigFile;
+ }
+ else
+ {
+ fileName = pamPasswdConfigFile;
+ }
+ std::string tmpFileName = fileName + "_tmp";
+ std::ifstream fileToRead(fileName, std::ios::in);
+ std::ofstream fileToWrite(tmpFileName, std::ios::out);
+ if (!fileToRead.is_open() || !fileToWrite.is_open())
+ {
+ log<level::ERR>("Failed to open pam configuration /tmp file",
+ entry("FILE_NAME=%s", fileName.c_str()));
+ return failure;
+ }
+ std::string line;
+ auto argSearch = argName + "=";
+ size_t startPos = 0;
+ size_t endPos = 0;
+ bool found = false;
+ while (getline(fileToRead, line))
+ {
+ // skip comments section starting with #
+ if ((startPos = line.find('#')) != std::string::npos)
+ {
+ if (startPos == 0)
+ {
+ fileToWrite << line << std::endl;
+ continue;
+ }
+ // skip comments after meaningful section and process those
+ line = line.substr(0, startPos);
+ }
+ if (line.find(moduleName) != std::string::npos)
+ {
+ if ((startPos = line.find(argSearch)) != std::string::npos)
+ {
+ if ((endPos = line.find(' ', startPos)) == std::string::npos)
+ {
+ endPos = line.size();
+ }
+ startPos += argSearch.size();
+ fileToWrite << line.substr(0, startPos) << argValue
+ << line.substr(endPos, line.size() - endPos)
+ << std::endl;
+ found = true;
+ continue;
+ }
+ }
+ fileToWrite << line << std::endl;
+ }
+ fileToWrite.close();
+ fileToRead.close();
+ if (found)
+ {
+ if (std::rename(tmpFileName.c_str(), fileName.c_str()) == 0)
+ {
+ return success;
+ }
+ }
+ return failure;
+}
+
void UserMgr::userEnable(const std::string &userName, bool enabled)
{
// All user management lock has to be based on /etc/shadow
@@ -594,11 +795,114 @@
}
UserMgr::UserMgr(sdbusplus::bus::bus &bus, const char *path) :
- UserMgrIface(bus, path), bus(bus), path(path)
+ UserMgrIface(bus, path), AccountPolicyIface(bus, path), bus(bus), path(path)
{
UserMgrIface::allPrivileges(privMgr);
std::sort(groupsMgr.begin(), groupsMgr.end());
UserMgrIface::allGroups(groupsMgr);
+ std::string valueStr;
+ auto value = minPasswdLength;
+ unsigned long tmp = 0;
+ if (getPamModuleArgValue(pamCrackLib, minPasswdLenProp, valueStr) !=
+ success)
+ {
+ AccountPolicyIface::minPasswordLength(minPasswdLength);
+ }
+ else
+ {
+ try
+ {
+ tmp = std::stoul(valueStr, nullptr);
+ if (tmp > std::numeric_limits<decltype(value)>::max())
+ {
+ throw std::out_of_range("Out of range");
+ }
+ value = static_cast<decltype(value)>(tmp);
+ }
+ catch (const std::exception &e)
+ {
+ log<level::ERR>("Exception for MinPasswordLength",
+ entry("WHAT=%s", e.what()));
+ throw e;
+ }
+ AccountPolicyIface::minPasswordLength(value);
+ }
+ valueStr.clear();
+ if (getPamModuleArgValue(pamPWHistory, remOldPasswdCount, valueStr) !=
+ success)
+ {
+ AccountPolicyIface::rememberOldPasswordTimes(0);
+ }
+ else
+ {
+ value = 0;
+ try
+ {
+ tmp = std::stoul(valueStr, nullptr);
+ if (tmp > std::numeric_limits<decltype(value)>::max())
+ {
+ throw std::out_of_range("Out of range");
+ }
+ value = static_cast<decltype(value)>(tmp);
+ }
+ catch (const std::exception &e)
+ {
+ log<level::ERR>("Exception for RememberOldPasswordTimes",
+ entry("WHAT=%s", e.what()));
+ throw e;
+ }
+ AccountPolicyIface::rememberOldPasswordTimes(value);
+ }
+ valueStr.clear();
+ if (getPamModuleArgValue(pamTally2, maxFailedAttempt, valueStr) != success)
+ {
+ AccountPolicyIface::maxLoginAttemptBeforeLockout(0);
+ }
+ else
+ {
+ uint16_t value16 = 0;
+ try
+ {
+ tmp = std::stoul(valueStr, nullptr);
+ if (tmp > std::numeric_limits<decltype(value16)>::max())
+ {
+ throw std::out_of_range("Out of range");
+ }
+ value16 = static_cast<decltype(value16)>(tmp);
+ }
+ catch (const std::exception &e)
+ {
+ log<level::ERR>("Exception for MaxLoginAttemptBeforLockout",
+ entry("WHAT=%s", e.what()));
+ throw e;
+ }
+ AccountPolicyIface::maxLoginAttemptBeforeLockout(value16);
+ }
+ valueStr.clear();
+ if (getPamModuleArgValue(pamTally2, unlockTimeout, valueStr) != success)
+ {
+ AccountPolicyIface::accountUnlockTimeout(0);
+ }
+ else
+ {
+ uint32_t value32 = 0;
+ try
+ {
+ tmp = std::stoul(valueStr, nullptr);
+ if (tmp > std::numeric_limits<decltype(value32)>::max())
+ {
+ throw std::out_of_range("Out of range");
+ }
+ value32 = static_cast<decltype(value32)>(tmp);
+ }
+ catch (const std::exception &e)
+ {
+ log<level::ERR>("Exception for AccountUnlockTimeout",
+ entry("WHAT=%s", e.what()));
+ throw e;
+ }
+ AccountPolicyIface::accountUnlockTimeout(value32);
+ }
initUserObjects();
}