jhrozek / pam_hbac

A simple pam account module to process HBAC rules stored on an IPA server
GNU General Public License v3.0

Port to HPUX 11.31 (ia64) #93

Closed johnnys66 closed 7 years ago

johnnys66 commented 8 years ago

As a disclaimer I'm not a developer so this might not be the best approach.

Tried not to make big changes to the existing code by adding as much as possible the code for HPUX in else statements. Since SSL/TLS is not working (yet) had to resort to the 'HPUX' macro to undefine 'HAVE_LDAP_START_TLS' and 'HAVE_LDAPSSL_CLIENT_INIT' to return 'LDAP_NOT_SUPPORTED' in the secure_connection function. Had to write code to substitute the 'pam_vsyslog' function that doesn't exist (the 'pam_syslog' function isn't an option since it doesn't take a va_list argument). Had to write code to implement get-groups-for-user since the 'getgrgid_r' function doesn't exist. Strangely, when invoked through pam in HPUX, 'fopen' doesn't set 'errno' on error. Changed the initialization value of the 'errno' variable to an unknown value (666) so that in case there's an error trying to open it, an error is returned instead of the value 0 that would be considered as if no error had occurred.

Haven't had the chance to compile it in Solaris or Linux to make sure that the functionality on those platforms has not been affected.

I'm available for further tests and of course suggestions on the implementation part.
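The 'pam_vsyslog' substitute mentioned above is the one piece of the port where a small mistake becomes a security bug: if the already-formatted message is handed to syslog() as its format string, a '%' sequence inside user-controlled data (the PAM user name, a host name returned by the server) drives syslog's format parser. The block below is an added example of a safe replacement, written for this review and not code from the pam_hbac repository or from this PR; the `ph_` function names and the 1024-byte message buffer are assumptions, and the only platform facilities it relies on are vsnprintf(3) and syslog(3).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Format into a caller-supplied buffer. Returns what vsnprintf returns (the
 * full length, even when truncated) so callers can detect truncation; on an
 * encoding error the buffer is left empty. */
static int ph_vformat(char *buf, size_t buflen, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, buflen, fmt, ap);
    if (n < 0 && buflen > 0) {
        buf[0] = '\0';
    }
    return n;
}

/* Stand-in for pam_vsyslog(3) on a platform that lacks it (assumed: only
 * vsnprintf(3) and syslog(3) are available). The message is formatted first
 * and handed to syslog() behind a literal "%s"; passing the formatted buffer
 * as the format string would let '%' sequences in user-controlled data reach
 * syslog's format parser (CWE-134). */
void ph_vsyslog(int priority, const char *fmt, va_list ap)
{
    char msg[1024];
    int n = ph_vformat(msg, sizeof(msg), fmt, ap);

    if (n >= (int)sizeof(msg)) {
        syslog(priority, "%s [truncated]", msg);   /* say so, never clip silently */
    } else {
        syslog(priority, "%s", msg);
    }
}

/* Variadic front end, the shape a logger() wrapper in the module would call. */
void ph_syslog(int priority, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    ph_vsyslog(priority, fmt, ap);
    va_end(ap);
}

/* Test hook: the same formatting step as ph_vsyslog without the syslog() call.
 * buf may be NULL with buflen 0 to obtain only the length. */
int ph_format(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = ph_vformat(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* Test hook: 1 if a hostile user name (constructed input) survives formatting
 * as literal text, i.e. its '%n' never acts as a conversion; 0 otherwise. */
int ph_hostile_user_is_literal(void)
{
    char buf[128];

    ph_format(buf, sizeof(buf), "user %s denied by HBAC", "%n%n%s");
    return strcmp(buf, "user %n%n%s denied by HBAC") == 0;
}
```

The truncation branch exists because a fixed buffer silently clipping a long LDAP error or DN would hide exactly the part of the message an incident responder needs; marking it is cheap.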

jhrozek commented 8 years ago

First, thank you very much for the patches, this is a very nice work!

I will comment on the patches. There are some things that I think could be solved differently, but in general I think we'll be able to merge the patch if they are fixed.

jhrozek commented 8 years ago

Also, if you would like me to help to add some plumbing work (like the disable-ssl option), I'm totally fine doing that..

jhrozek commented 8 years ago

On Thu, Sep 29, 2016 at 02:50:35AM -0700, johnnys66 wrote:

johnnys66 commented on this pull request.

+SSL/TLS +======= +So far SSL/TLS is not working so do not use ldaps in the URI otherwise the module will get +ignored and access allowed. + +Configuration +============= +You need to configure the module itself, then include the module in the +PAM stack. Please see the pam_hbac.conf(5) man page for the available +configuration options. + +This has only been tested with the sshd service. +When the config file is created, put the following into /etc/pam.conf:

  • sshd account required pam_hbac.so ignore_unknown_user ignore_authinfo_unavail + +Adding the option ignore_unknown_user is important on FreeBSD for the same
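Review bot: the SSL/TLS paragraph documents a fail-open, and the recommended pam.conf line is what produces it: with an ldaps URI the module is "ignored and access allowed", and `ignore_authinfo_unavail` is precisely the option that turns an unreachable or unsupported server into a pass. Rather than only telling administrators not to use ldaps, the module should refuse to run (return an error the stack treats as denial) when TLS is requested but not available in this build, and the README should state plainly that `ignore_authinfo_unavail` makes every connection failure an allow, so it belongs only in a stack where another account module provides the deny. The last sentence of the hunk still says FreeBSD; as the copy-and-paste origin noted below shows, it should read HP-UX here and be corrected in README.Solaris as well.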

Actually the copy-n-paste came from README.Solaris, so the error is also there :). Will correct it in the next release.

Oops, please add a new patch, then :) (or just open a new PR..)

jhrozek commented 8 years ago

On Thu, Sep 29, 2016 at 02:36:03AM -0700, johnnys66 wrote:

johnnys66 commented on this pull request.

@@ -61,6 +64,10 @@ getgroupname(gid_t gid) return NULL; }

+#ifndef getgrgid_r // to avoid not compiling on hpux

  • extern int getgrgid_r(gidt, struct group , char , sizet, struct group); +#endif +
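Review bot: `#ifndef getgrgid_r` tests for a preprocessor macro, but getgrgid_r is a function, so the guard is true on every platform and the extern prototype is emitted unconditionally; on a platform whose grp.h declares a different signature, or declares it only under a feature macro (the HP-UX grp.h attached below does so under _REENTRANT), the result is a conflicting declaration instead of a missing one. Suggest dropping the local prototype and letting the build expose the system one, either by passing the platform's reentrancy macro in CFLAGS from configure or by an AC_CHECK_DECLS test, which is also what the log's `implicit declaration of function 'getgrgid_r'` is really asking for.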

HP-UX has getgrgid_r, but I get an implicit declaration error when compiling:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -I./src -I. -DPAM_HBAC_CONF_DIR=\"/etc\" -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -I/usr/local/include/glib-2.0 -I/usr/local/lib/hpux32/glib-2.0/include -I/usr/local/include -g -O2 -MT src/pam_hbac_obj.lo -MD -MP -MF src/.deps/pam_hbac_obj.Tpo -c src/pam_hbac_obj.c -fPIC -DPIC -o src/.libs/pam_hbac_obj.o
src/pam_hbac_obj.c: In function 'getgroupname':
src/pam_hbac_obj.c:65: error: implicit declaration of function 'getgrgid_r'
src/pam_hbac_obj.c:141:2: error: #error No known get-groups-for-user implementation found
src/pam_hbac_obj.c: In function 'get_user_groups':
src/pam_hbac_obj.c:127: warning: unused variable 'ngroups'
src/pam_hbac_obj.c: In function 'get_user_int':
src/pam_hbac_obj.c:158: error: implicit declaration of function 'getpwnam_r'
*** Error exit code 1

Stop.

Here's the config.log from LDFLAGS="-L/usr/local/lib/hpux32/" ./configure --with-pammoddir=/usr/lib/security/hpux32 --mandir=/usr/share/man --sysconfdir=/etc --mandir=/usr/local/share/man

config.log.txt

OK, so the platform does have the function. Then I wonder if we are just missing some include or similar. Does maybe the manpage list an example?

johnnys66 commented 8 years ago

grp.h.txt getgrent.man.txt

From the headers file there's the _REENTRANT macro that I tried using, but then I get a bunch of other compiling errors, maybe from missing some include, but I couldn't figure it out.

CFLAGS="-D_REENTRANT" LDFLAGS="-L/usr/local/lib/hpux32/" ./configure --with-pammoddir=/usr/lib/security/hpux32 --mandir=/usr/share/man --sysconfdir=/etc --mandir=/usr/local/share/man

libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -I./src -I. -DPAM_HBAC_CONF_DIR=\"/etc\" -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -I/usr/local/include/glib-2.0 -I/usr/local/lib/hpux32/glib-2.0/include -I/usr/local/include -D_REENTRANT -MT src/pam_hbac.lo -MD -MP -MF src/.deps/pam_hbac.Tpo -c src/pam_hbac.c -fPIC -DPIC -o src/.libs/pam_hbac.o
In file included from /usr/local/lib/gcc/ia64-hp-hpux11.31/4.2.3/include/stdlib.h:729,
                 from src/pam_hbac.c:20:
/usr/local/include/pwd.h:71: error: expected declaration specifiers or '...' before '*size_t'
/usr/local/include/pwd.h:72: error: expected declaration specifiers or '...' before '__size_t'
In file included from src/pam_hbac.c:30:
src/pam_hbac.h:69: error: expected specifier-qualifier-list before 'pam_handle_t'
src/pam_hbac.h:87: error: expected ')' before '*' token
src/pam_hbac.h:92: error: expected ')' before '*' token
src/pam_hbac.h:99: error: expected ')' before '*' token
src/pam_hbac.h:100: error: expected ')' before '*' token
In file included from src/pam_hbac.c:31:
src/pam_hbac_obj.h:30: error: expected ')' before '*' token
In file included from src/pam_hbac.c:32:
src/pam_hbac_ldap.h:43: error: expected ')' before '*' token
src/pam_hbac.c:65: error: expected ')' before '*' token
src/pam_hbac.c:100: error: expected ')' before '*' token
src/pam_hbac.c:115: warning: type defaults to 'int' in declaration of 'pam_handle_t'
src/pam_hbac.c:115: error: expected ';', ',' or ')' before '*' token
src/pam_hbac.c:128: error: expected ')' before '*' token
src/pam_hbac.c:172: error: expected ')' before '*' token
src/pam_hbac.c:188: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
src/pam_hbac.c: In function 'hbac_debug_messages':
src/pam_hbac.c:220: error: implicit declaration of function 'va_logger'
src/pam_hbac.c:220: error: 'global_pam_handle' undeclared (first use in this function)
src/pam_hbac.c:220: error: (Each undeclared identifier is reported only once
src/pam_hbac.c:220: error: for each function it appears in.)
src/pam_hbac.c: At top level:
src/pam_hbac.c:225: error: expected ')' before '*' token
src/pam_hbac.c: In function 'ph_cleanup':
src/pam_hbac.c:260: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c: In function 'ph_destroy_secret':
src/pam_hbac.c:267: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:267: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:271: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:272: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:274: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c: At top level:
src/pam_hbac.c:279: error: expected declaration specifiers or '...' before 'pam_handle_t'
src/pam_hbac.c: In function 'pam_hbac':
src/pam_hbac.c:283: error: 'PAM_SYSTEM_ERR' undeclared (first use in this function)
src/pam_hbac.c:300: error: 'global_pam_handle' undeclared (first use in this function)
src/pam_hbac.c:300: error: 'pamh' undeclared (first use in this function)
src/pam_hbac.c:308: error: implicit declaration of function 'logger'
src/pam_hbac.c:312: error: implicit declaration of function 'parse_args'
src/pam_hbac.c:313: error: 'PAM_SUCCESS' undeclared (first use in this function)
src/pam_hbac.c:322: error: implicit declaration of function 'print_found_options'
src/pam_hbac.c:324: error: implicit declaration of function 'pam_hbac_get_items'
src/pam_hbac.c:328: error: implicit declaration of function 'pam_strerror'
src/pam_hbac.c:332: error: implicit declaration of function 'ph_init'
src/pam_hbac.c:332: warning: assignment makes pointer from integer without a cast
src/pam_hbac.c:339: error: implicit declaration of function 'ph_dump_config'
src/pam_hbac.c:339: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:348: error: 'PAM_IGNORE' undeclared (first use in this function)
src/pam_hbac.c:350: error: 'PAM_AUTHINFO_UNAVAIL' undeclared (first use in this function)
src/pam_hbac.c:356: error: implicit declaration of function 'print_pam_items'
src/pam_hbac.c:361: error: implicit declaration of function 'ph_get_user'
src/pam_hbac.c:361: warning: assignment makes pointer from integer without a cast
src/pam_hbac.c:368: error: 'PAM_USER_UNKNOWN' undeclared (first use in this function)
src/pam_hbac.c:375: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:378: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:379: error: 'PAM_PERM_DENIED' undeclared (first use in this function)
src/pam_hbac.c:384: error: 'PAM_ABORT' undeclared (first use in this function)
src/pam_hbac.c:417: error: 'struct pam_hbac_ctx' has no member named 'pc'
src/pam_hbac.c:449: error: 'PAM_BUF_ERR' undeclared (first use in this function)
src/pam_hbac.c: At top level:
src/pam_hbac.c:477: error: expected ')' before '*' token
*** Error exit code 1

Stop.

Resulting config.log: config.log.txt

johnnys66 commented 8 years ago

If you can help with the --disable-ssl part it would be great! :)

jhrozek commented 8 years ago

On Thu, Sep 29, 2016 at 07:44:11AM -0700, johnnys66 wrote:

johnnys66 commented on this pull request.

@@ -281,13 +281,20 @@ ph_read_config(pam_handle_t *pamh,

 logger(pamh, LOG_DEBUG, "config file: %s", config_file);

+#ifdef HPUX

  • errno = 666; // for some reason when invoked through pam in HPUX, fopen doesn't set errno on error
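Review bot: the failure decision should rest on fopen() returning NULL, not on errno, so seeding `errno = 666` before the call only papers over a caller that treats errno == 0 as success. Test the returned FILE pointer, return a fixed error when it is NULL, and read errno only for the log line, substituting an "unknown error" text when it is 0; note also that 666 is not a valid errno, so anything that later maps it through strerror() or onto a PAM return code gets an unexpected value. The observation that pam_test_client sees the right errno while the PAM stack does not (the question below) is one more reason not to ship the sentinel: it suggests the module and the host process are not reading the same errno, which on HP-UX depends on the _REENTRANT build flag discussed elsewhere in this PR and should be verified first. The `#ifdef HPUX` platform test would also be better expressed as a config.h macro set by configure.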

Do you have any idea why errno is not set when in PAM context? When invoked otherwise it sets it properly. For instance when using the pam_test_client utility the correct error is set.

No idea, I'm pretty sure it does get set on Linux..
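Whatever the reason errno comes back as 0 here, the PR description gives the real hazard: a return value of 0 from the config-open path "would be considered as if no error had occurred", so a missing or unreadable configuration file becomes a module that runs with nothing loaded. The block below is an added example for this review, not code from pam_hbac or from this PR. It puts the errno-trusting pattern beside a version whose decision rests on the NULL return, with an injectable opener so the "fopen returned NULL but errno is still 0" case can be reproduced without a PAM stack; the `ph_` names and the EIO substitute are assumptions, and /etc/pam_hbac.conf is the module's documented config path.

```c
#include <errno.h>
#include <stdio.h>

/* Injectable opener so the "fopen failed but errno is 0" case seen on HP-UX
 * can be reproduced anywhere. */
typedef FILE *(*ph_fopen_fn)(const char *path, const char *mode);

/* Constructed failure: returns NULL and leaves errno untouched, the behaviour
 * reported when the module ran under PAM. */
FILE *ph_fopen_fails_silently(const char *path, const char *mode)
{
    (void)path;
    (void)mode;
    return NULL;
}

/* Plain fopen() behind the same function-pointer type. */
FILE *ph_fopen_real(const char *path, const char *mode)
{
    return fopen(path, mode);
}

/* The pattern the `errno = 666` sentinel was working around: the caller takes
 * the return value as an errno and 0 as success, so NULL from the opener with
 * errno still 0 is reported as "no error" and the module continues with no
 * configuration loaded. */
int ph_open_config_trusting_errno(const char *path, ph_fopen_fn opener, FILE **out)
{
    errno = 0;
    *out = opener(path, "r");
    if (*out == NULL) {
        return errno;            /* 0 here reads as success to the caller */
    }
    return 0;
}

/* Hardened version: the decision rests on the NULL return. errno is read only
 * for the diagnostic and, if libc left it at 0, EIO is substituted so that a
 * failed open can never come back as 0. */
int ph_open_config(const char *path, ph_fopen_fn opener, FILE **out)
{
    FILE *fp;
    int saved;

    errno = 0;
    fp = opener(path, "r");
    if (fp == NULL) {
        saved = errno;
        *out = NULL;
        return saved != 0 ? saved : EIO;
    }
    *out = fp;
    return 0;
}

/* Test hook: run one variant and return only its result code, closing the file
 * if the open succeeded. hardened != 0 selects ph_open_config. */
int ph_try_open(ph_fopen_fn opener, const char *path, int hardened)
{
    FILE *fp = NULL;
    int ret;

    ret = hardened ? ph_open_config(path, opener, &fp)
                   : ph_open_config_trusting_errno(path, opener, &fp);
    if (fp != NULL) {
        fclose(fp);
    }
    return ret;
}
```

With the silent opener the trusting variant returns 0 and the hardened one returns EIO; with the real fopen() on a path that does not exist both return ENOENT, which is why the bug only shows up on the platform where errno is not propagated.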

jhrozek commented 8 years ago

On Thu, Sep 29, 2016 at 10:58:25AM -0700, johnnys66 wrote:

johnnys66 commented on this pull request.

@@ -137,8 +144,33 @@ get_user_groups(const char name, gid_t primary_gid, ret = 0; ngroups_ptr = ngroups; } -#else -#error No known get-groups-for-user implementation found +#else // for systems lacking the above functions, tested on hpux only
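Review bot: replacing `#error No known get-groups-for-user implementation found` with an unconditional `#else` fallback means any future platform lacking both getgrouplist() and _getgroupsbymember() silently compiles a code path that the comment itself says was tested on HP-UX only, and this function produces the group membership the HBAC rules are evaluated against, so a wrong or partial list changes access decisions. Keep the fallback but gate it on an explicit configure result (a HAVE_ style macro set when neither function is found), leave `#error` for the remaining case, and make sure the fallback fails closed: an enumeration or allocation error must return an error rather than an empty or truncated list, and the primary gid passed in must be part of the result.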

Created ph_getgrouplist_fallback. Think it's more suited since it's a replacement for the missing getgrouplist and _getgroupsbymember functions. But have no problem changing it.

Thanks!
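A get-groups-for-user fallback of the kind ph_getgrouplist_fallback replaces getgrouplist() with is small, but it sits on the access-control path, so the properties that matter are that it never returns a truncated list and that the primary gid is always included. The block below is an added example written for this review, not the PR's ph_getgrouplist_fallback or any other pam_hbac code: it walks the group database with getgrent(3), which is what a platform lacking getgrouplist() is assumed to still provide, and runs the same logic over a constructed sample table so it can be exercised offline. The `ph_` names, the iterator abstraction and the sample accounts are all assumptions.

```c
#define _XOPEN_SOURCE 700   /* exposes getgrent()/setgrent()/endgrent() */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Yields one group record per call, NULL at the end. Abstracted so the same
 * membership logic runs over the live database and over a constructed table. */
typedef struct group *(*ph_grent_fn)(void *state);

/* Append gid unless already present. Returns 0 or ENOMEM. */
static int ph_gid_append(gid_t **gids, size_t *n, size_t *cap, gid_t gid)
{
    size_t i;
    for (i = 0; i < *n; i++) if ((*gids)[i] == gid) return 0;
    if (*n == *cap) {
        size_t ncap = *cap ? *cap * 2 : 8;
        gid_t *tmp = realloc(*gids, ncap * sizeof(gid_t));
        if (tmp == NULL) return ENOMEM;
        *gids = tmp;
        *cap = ncap;
    }
    (*gids)[(*n)++] = gid;
    return 0;
}

/* Core of the fallback: the primary gid first, then every group whose member
 * list names the user. Fails closed: on any error the partial list is freed
 * and an error returned, so an HBAC decision is never made on a truncated
 * membership list. */
static int ph_collect_groups(const char *name, gid_t primary_gid,
                             ph_grent_fn next, void *state,
                             gid_t **out_gids, size_t *out_n)
{
    gid_t *gids = NULL;
    size_t n = 0, cap = 0;
    struct group *gr;
    int ret = ph_gid_append(&gids, &n, &cap, primary_gid);

    while (ret == 0 && (gr = next(state)) != NULL) {
        char **m;
        for (m = gr->gr_mem; m != NULL && *m != NULL; m++) {
            if (strcmp(*m, name) == 0) {
                ret = ph_gid_append(&gids, &n, &cap, gr->gr_gid);
                break;
            }
        }
    }
    if (ret != 0) {
        free(gids);
        gids = NULL;
        n = 0;
    }
    *out_gids = gids;
    *out_n = n;
    return ret;
}

static struct group *ph_grent_live(void *state) { (void)state; return getgrent(); }

/* Live entry point. getgrent() keeps a process-wide cursor and is not
 * thread-safe, so a module loaded into a threaded host must serialise calls. */
int ph_getgrouplist_fallback(const char *name, gid_t primary_gid,
                             gid_t **gids, size_t *ngids)
{
    int ret;
    setgrent();
    ret = ph_collect_groups(name, primary_gid, ph_grent_live, NULL, gids, ngids);
    endgrent();
    return ret;
}

/* Constructed sample database (not real accounts) for stand-alone runs;
 * "users" carries the same gid as bob's primary group to exercise dedup. */
static char *g_wheel_mem[]  = { "alice", "bob", NULL };
static char *g_admins_mem[] = { "bob", NULL };
static char *g_users_mem[]  = { "bob", NULL };
static struct group g_sample[] = {
    { .gr_name = "wheel",  .gr_passwd = "x", .gr_gid = 10,  .gr_mem = g_wheel_mem },
    { .gr_name = "admins", .gr_passwd = "x", .gr_gid = 500, .gr_mem = g_admins_mem },
    { .gr_name = "users",  .gr_passwd = "x", .gr_gid = 100, .gr_mem = g_users_mem },
};

static struct group *ph_grent_sample(void *state)
{
    size_t *idx = state;
    if (*idx >= sizeof(g_sample) / sizeof(g_sample[0])) return NULL;
    return &g_sample[(*idx)++];
}

/* Test hook: number of distinct gids the fallback computes for name over the
 * sample table (primary gid included), or -1 on error. */
int ph_sample_ngroups(const char *name, gid_t primary_gid)
{
    size_t idx = 0, n;
    gid_t *gids;
    if (ph_collect_groups(name, primary_gid, ph_grent_sample, &idx, &gids, &n) != 0) {
        return -1;
    }
    free(gids);
    return (int)n;
}
```

The sample table gives bob with primary gid 100 three distinct groups (100, 10, 500: the "users" entry duplicates his primary gid and is not counted twice), alice two, and a user named in no group only the primary gid.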

jhrozek commented 8 years ago

On Thu, Sep 29, 2016 at 11:02:44AM -0700, johnnys66 wrote:

If you can help with the --disable-ssl part it would be great! :)

Sure, I will, although probably not until the weekend.

Another note, I'm trying to get my hands on a HP-UX machine myself to help with the PR review. But it might take a couple of days..

johnnys66 commented 8 years ago

Hi Jakub, any news on this patch review?

jhrozek commented 7 years ago

Hello, I'm really sorry about the unacceptably long delay in response, but I wanted to change some details in the patches but at the same time I didn't want to do so without testing on HP-UX myself and it took me some time before getting access to a HP-UX box (thanks, polarhome.com!) and most of all, then finding the time to polish the patches. This was only possible for me during the Christmas break.

I did some changes in your original branch and pushed them here: https://github.com/jhrozek/pam_hbac/tree/hpux

Mostly I implemented the --disable-ssl option as one patch, then added another which defines _REENTRANT during build time which should be enough for the getXXbyYY_r() functions to be implemented. The rest of the patches retain your authorship, I just split them so that there is one patch per change and sometimes moved the code around a bit, but the logic and intent should be yours.

Please let me know (if you're still interested after all this time :-/) if you're OK with me merging the code like this. I tested the code on Linux (full CI), OS-X (compilation only) and HP-UX (compilation only to be honest).

johnnys66 commented 7 years ago

Hi Jakub,

I have changed companies and unfortunately I don't have access to HPUX boxes any more. I have however now AIX boxes so when we start the IPA project around here I will definitely be trying it out on AIX.

Regards, JS

jhrozek commented 7 years ago

OK, I merged your code with my amendments and let's work on AIX next :-)