1 | <?php |
---|
2 | /** |
---|
3 | * Manages PAM repository connection with SQUID help |
---|
4 | * |
---|
5 | * @package davical |
---|
6 | * @category Technical |
---|
7 | * @subpackage ldap |
---|
8 | * @author Eric Seigne <eric.seigne@ryxeo.com> |
---|
9 | * @copyright Eric Seigne |
---|
10 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 |
---|
11 | */ |
---|
12 | |
---|
13 | require_once("auth-functions.php"); |
---|
14 | |
---|
15 | class squidPamDrivers |
---|
16 | { |
---|
17 | /**#@+ |
---|
18 | * @access private |
---|
19 | */ |
---|
20 | |
---|
21 | /**#@-*/ |
---|
22 | |
---|
23 | |
---|
24 | /** |
---|
25 | * Constructor. |
---|
26 | * @param string $config path where /usr/lib/squid/pam_auth is |
---|
27 | */ |
---|
28 | function squidPamDrivers($config){ |
---|
29 | $this->__construct($config); |
---|
30 | } |
---|
31 | |
---|
32 | |
---|
33 | /** |
---|
34 | * The constructor |
---|
35 | * |
---|
36 | * @param string $config path where /usr/lib/squid/pam_auth is |
---|
37 | */ |
---|
38 | function __construct($config) |
---|
39 | { |
---|
40 | global $c; |
---|
41 | if (! file_exists($config)){ |
---|
42 | $c->messages[] = sprintf(i18n( 'drivers_squid_pam : Unable to find %s file'), $config ); |
---|
43 | $this->valid=false; |
---|
44 | return ; |
---|
45 | } |
---|
46 | } |
---|
47 | } |
---|
48 | |
---|
49 | |
---|
50 | /** |
---|
51 | * Check the username / password against the PAM system |
---|
52 | */ |
---|
53 | function SQUID_PAM_check($username, $password ){ |
---|
54 | global $c; |
---|
55 | |
---|
56 | /** |
---|
57 | * @todo Think of the children! This is a horribly insecure use of unvalidated user input! Probably it should be done with a popen or something, and it seems remarkably dodgy to expect that naively quoted strings will work in any way reliably. |
---|
58 | * Meanwhile, I've quickly hacked something basic in place to improve the situation. No quotes/backslashes in passwords for YOU! |
---|
59 | */ |
---|
60 | $username = str_replace("'","",str_replace('"',"",str_replace('\\',"",$username))); |
---|
61 | $password = str_replace("'","",str_replace('"',"",str_replace('\\',"",$password))); |
---|
62 | $cmd = "echo '" . $username . "' '" . $password . "' | " . $c->authenticate_hook['config']['script'] . " -n common-auth"; |
---|
63 | $auth_result = exec($cmd); |
---|
64 | if ( $auth_result == "OK") { |
---|
65 | if ( $usr = getUserByName($username) ) { |
---|
66 | return $usr; |
---|
67 | } |
---|
68 | else { |
---|
69 | dbg_error_log( "PAM", "user %s doesn't exist in local DB, we need to create it",$username ); |
---|
70 | $fullname = exec('getent passwd "'.$username.'"' ); |
---|
71 | $fullname = preg_replace( '{^[^:]+:[^:]+:\d+:\d+:([^:,]+)(,?[^:]*):.*$}', '$1', $fullname ); |
---|
72 | $usr = (object) array( |
---|
73 | 'user_no' => 0, |
---|
74 | 'username' => $username, |
---|
75 | 'active' => 't', |
---|
76 | 'email' => $username . "@" . $c->authenticate_hook['config']['email_base'], |
---|
77 | 'updated' => date(), |
---|
78 | 'fullname' => $fullname |
---|
79 | ); |
---|
80 | |
---|
81 | UpdateUserFromExternal( $usr ); |
---|
82 | return $usr; |
---|
83 | } |
---|
84 | } |
---|
85 | else { |
---|
86 | dbg_error_log( "PAM", "User %s is not a valid username (or password was wrong)", $username ); |
---|
87 | return false; |
---|
88 | } |
---|
89 | |
---|
90 | } |
---|