1 : /*
2 : * <security/_pam_types.h>
3 : *
4 : * This file defines all of the types common to the Linux-PAM library
5 : * applications and modules.
6 : *
7 : * Note, the copyright+license information is at end of file.
8 : */
9 :
10 : #ifndef _SECURITY__PAM_TYPES_H
11 : #define _SECURITY__PAM_TYPES_H
12 :
13 : /* This is a blind structure; users aren't allowed to see inside a
14 : * pam_handle_t, so we don't define struct pam_handle here. This is
15 : * defined in a file private to the PAM library. (i.e., it's private
16 : * to PAM service modules, too!) */
17 :
18 : typedef struct pam_handle pam_handle_t;
19 :
20 : /* ---------------- The Linux-PAM Version defines ----------------- */
21 :
22 : /* Major and minor version number of the Linux-PAM package. Use
23 : these macros to test for features in specific releases. */
24 : #define __LINUX_PAM__ 1
25 : #define __LINUX_PAM_MINOR__ 0
26 :
27 : /* ----------------- The Linux-PAM return values ------------------ */
28 :
29 : #define PAM_SUCCESS 0 /* Successful function return */
30 : #define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */
31 : /* loading a service module */
32 : #define PAM_SYMBOL_ERR 2 /* Symbol not found */
33 : #define PAM_SERVICE_ERR 3 /* Error in service module */
34 : #define PAM_SYSTEM_ERR 4 /* System error */
35 : #define PAM_BUF_ERR 5 /* Memory buffer error */
36 : #define PAM_PERM_DENIED 6 /* Permission denied */
37 : #define PAM_AUTH_ERR 7 /* Authentication failure */
38 : #define PAM_CRED_INSUFFICIENT 8 /* Can not access authentication data */
39 : /* due to insufficient credentials */
40 : #define PAM_AUTHINFO_UNAVAIL 9 /* Underlying authentication service */
41 : /* can not retrieve authentication */
42 : /* information */
43 : #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */
44 : /* authentication module */
45 : #define PAM_MAXTRIES 11 /* An authentication service has */
46 : /* maintained a retry count which has */
47 : /* been reached. No further retries */
48 : /* should be attempted */
49 : #define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required. */
50 : /* This is normally returned if the */
51 : /* machine security policies require */
52 : /* that the password should be changed */
53 : /* because the password is NULL or it */
54 : /* has aged */
55 : #define PAM_ACCT_EXPIRED 13 /* User account has expired */
56 : #define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */
57 : /* the specified session */
58 : #define PAM_CRED_UNAVAIL 15 /* Underlying authentication service */
59 : /* can not retrieve user credentials, */
60 : /* which are unavailable */
61 : #define PAM_CRED_EXPIRED 16 /* User credentials expired */
62 : #define PAM_CRED_ERR 17 /* Failure setting user credentials */
63 : #define PAM_NO_MODULE_DATA 18 /* No module specific data is present */
64 : #define PAM_CONV_ERR 19 /* Conversation error */
65 : #define PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */
66 : #define PAM_AUTHTOK_RECOVERY_ERR 21 /* Authentication information */
67 : /* cannot be recovered */
68 : #define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */
69 : #define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
70 : #define PAM_TRY_AGAIN 24 /* Preliminary check by password service */
71 : #define PAM_IGNORE 25 /* Ignore underlying account module */
72 : /* regardless of whether the control */
73 : /* flag is required, optional, or sufficient */
74 : #define PAM_ABORT 26 /* Critical error (?module fail now request) */
75 : #define PAM_AUTHTOK_EXPIRED 27 /* user's authentication token has expired */
76 : #define PAM_MODULE_UNKNOWN 28 /* module is not known */
77 :
78 : #define PAM_BAD_ITEM 29 /* Bad item passed to pam_*_item() */
79 : #define PAM_CONV_AGAIN 30 /* conversation function is event driven
80 : and data is not available yet */
81 : #define PAM_INCOMPLETE 31 /* please call this function again to
82 : complete authentication stack. Before
83 : calling again, verify that conversation
84 : is completed */
85 :
86 : /*
87 : * Add new #define's here - take care to also extend the libpam code:
88 : * pam_strerror() and "libpam/pam_tokens.h" .
89 : */
90 :
91 : #define _PAM_RETURN_VALUES 32 /* this is the number of return values */
92 :
93 :
94 : /* ---------------------- The Linux-PAM flags -------------------- */
95 :
96 : /* Authentication service should not generate any messages */
97 : #define PAM_SILENT 0x8000U
98 :
99 : /* Note: these flags are used by pam_authenticate{,_secondary}() */
100 :
101 : /* The authentication service should return PAM_AUTH_ERR if the
102 : * user has a null authentication token */
103 : #define PAM_DISALLOW_NULL_AUTHTOK 0x0001U
104 :
105 : /* Note: these flags are used for pam_setcred() */
106 :
107 : /* Set user credentials for an authentication service */
108 : #define PAM_ESTABLISH_CRED 0x0002U
109 :
110 : /* Delete user credentials associated with an authentication service */
111 : #define PAM_DELETE_CRED 0x0004U
112 :
113 : /* Reinitialize user credentials */
114 : #define PAM_REINITIALIZE_CRED 0x0008U
115 :
116 : /* Extend lifetime of user credentials */
117 : #define PAM_REFRESH_CRED 0x0010U
118 :
119 : /* Note: these flags are used by pam_chauthtok */
120 :
121 : /* The password service should only update those passwords that have
122 : * aged. If this flag is not passed, the password service should
123 : * update all passwords. */
124 : #define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U
125 :
126 : /* ------------------ The Linux-PAM item types ------------------- */
127 :
128 : /* These defines are used by pam_set_item() and pam_get_item().
129 : Please check the spec which are allowed for use by applications
130 : and which are only allowed for use by modules. */
131 :
132 : #define PAM_SERVICE 1 /* The service name */
133 : #define PAM_USER 2 /* The user name */
134 : #define PAM_TTY 3 /* The tty name */
135 : #define PAM_RHOST 4 /* The remote host name */
136 : #define PAM_CONV 5 /* The pam_conv structure */
137 : #define PAM_AUTHTOK 6 /* The authentication token (password) */
138 : #define PAM_OLDAUTHTOK 7 /* The old authentication token */
139 : #define PAM_RUSER 8 /* The remote user name */
140 : #define PAM_USER_PROMPT 9 /* the prompt for getting a username */
141 : /* Linux-PAM extensions */
142 : #define PAM_FAIL_DELAY 10 /* app supplied function to override failure
143 : delays */
144 : #define PAM_XDISPLAY 11 /* X display name */
145 : #define PAM_XAUTHDATA 12 /* X server authentication data */
146 : #define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
147 :
148 : /* -------------- Special defines used by Linux-PAM -------------- */
149 :
/* PAM_GNUC_PREREQ(maj, min): non-zero when compiling with a compiler that
 * defines __GNUC__/__GNUC_MINOR__ and whose version is at least maj.min;
 * always 0 on other compilers. */
#if defined(__GNUC__) && defined(__GNUC_MINOR__)
# define PAM_GNUC_PREREQ(maj, min) \
((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
#else
# define PAM_GNUC_PREREQ(maj, min) 0
#endif

/* PAM_FORMAT(params): attach GCC's printf-style format checking to a
 * declaration (params is the parenthesised attribute argument list);
 * expands to nothing where the attribute is unsupported. */
#if PAM_GNUC_PREREQ(2,5)
# define PAM_FORMAT(params) __attribute__((__format__ params))
#else
# define PAM_FORMAT(params)
#endif

/* PAM_NONNULL(params): declare the listed (1-based) pointer parameters as
 * never NULL.  Deliberately disabled when building libpam itself
 * (LIBPAM_COMPILE): with the attribute present the compiler is entitled to
 * assume those arguments are non-NULL and may drop the library's own
 * defensive NULL checks, so -- presumably for that reason -- the attribute is
 * only visible to applications and modules. */
#if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE)
# define PAM_NONNULL(params) __attribute__((__nonnull__ params))
#else
# define PAM_NONNULL(params)
#endif
168 :
169 : /* ---------- Common Linux-PAM application/module API ----------- */
170 :
/*
 * Set one item on the handle.  pamh must not be NULL (PAM_NONNULL((1)));
 * item_type is one of the PAM_* item constants above and item is the new
 * value, whose real type depends on item_type (e.g. a string for PAM_USER,
 * a struct pam_conv for PAM_CONV).  Returns PAM_SUCCESS or an error such
 * as PAM_BAD_ITEM.
 * NOTE(review): whether libpam copies the item or keeps the caller's
 * pointer is not stated in this header -- see pam_set_item(3).
 */
extern int PAM_NONNULL((1))
pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

/*
 * Fetch one item.  On success *item points at storage owned by libpam
 * (hence the const); the caller must neither free nor modify it.
 * The item-type comment above says some items are module-only; per the
 * spec that presumably covers PAM_AUTHTOK / PAM_OLDAUTHTOK -- confirm in
 * pam_get_item(3) before reading them from an application.
 */
extern int PAM_NONNULL((1))
pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);

/* Map a PAM_* return value (errnum) to a human-readable string.  No
 * PAM_NONNULL on this declaration, so pamh is not required to be non-NULL
 * at the interface level. */
extern const char *
pam_strerror(pam_handle_t *pamh, int errnum);

/* Add or replace one "NAME=value" entry in the PAM environment; both
 * arguments must be non-NULL (PAM_NONNULL((1,2))).
 * NOTE(review): the exact forms accepted in name_value (e.g. deletion
 * syntax) are documented in pam_putenv(3), not here. */
extern int PAM_NONNULL((1,2))
pam_putenv(pam_handle_t *pamh, const char *name_value);

/* Look up one variable in the PAM environment.  The result is const and
 * presumably owned by libpam -- do not free it. */
extern const char * PAM_NONNULL((1,2))
pam_getenv(pam_handle_t *pamh, const char *name);

/* Return the PAM environment as an array of "NAME=value" strings.
 * NOTE(review): the array's termination and who frees it are not stated
 * in this header -- pam_getenvlist(3) gives the ownership rule. */
extern char ** PAM_NONNULL((1))
pam_getenvlist(pam_handle_t *pamh);
188 :
189 : /* ---------- Common Linux-PAM application/module API ----------- */
190 2 :
191 : /*
192 : * here are some proposed error status definitions for the
193 1 : * 'error_status' argument used by the cleanup function associated
194 : * with data items; they should be logically OR'd with the error_status
195 : * of the latest return from libpam -- new with .52 and positive
196 : * impression from Sun although not official as of 1996/9/4
197 : * [generally the other flags are to be found in pam_modules.h]
198 : */
199 :
200 : #define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */
201 :
202 : /*
203 : * here we define an externally (by apps or modules) callable function
204 : * that primes the libpam library to delay when a stacked set of
205 : * modules results in a failure. In the case of PAM_SUCCESS this delay
206 : * is ignored.
207 : *
208 : * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set
209 : * a function pointer which can override the default fail-delay behavior.
210 : * This item was added to accommodate event driven programs that need to
211 : * manage delays more carefully. The function prototype for this data
212 : * item is
213 : * void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr);
214 : */
215 :
/* Feature macro: presumably lets callers #ifdef on pam_fail_delay support. */
#define HAVE_PAM_FAIL_DELAY
/* Ask libpam to delay before returning when the module stack fails (the
 * delay is ignored on PAM_SUCCESS, see above).  musec_delay is the requested
 * delay -- by its name presumably microseconds; confirm in pam_fail_delay(3).
 * Returns PAM_SUCCESS or a PAM_* error code. */
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay);
218 :
219 : /* ------------ The Linux-PAM conversation structures ------------ */
220 :
221 : /* Message styles */
222 :
223 : #define PAM_PROMPT_ECHO_OFF 1
224 : #define PAM_PROMPT_ECHO_ON 2
225 : #define PAM_ERROR_MSG 3
226 : #define PAM_TEXT_INFO 4
227 :
228 : /* Linux-PAM specific types */
229 :
230 : #define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */
231 :
232 : /* This is for server client non-human interaction.. these are NOT
233 : part of the X/Open PAM specification. */
234 :
235 : #define PAM_BINARY_PROMPT 7
236 :
237 : /* maximum size of messages/responses etc.. (these are mostly
238 : arbitrary so Linux-PAM should handle longer values). */
239 :
240 : #define PAM_MAX_NUM_MSG 32
241 : #define PAM_MAX_MSG_SIZE 512
242 : #define PAM_MAX_RESP_SIZE 512
243 :
244 : /* Used to pass prompting text, error messages, or other informatory
245 : * text to the user. This structure is allocated and freed by the PAM
246 : * library (or loaded module). */
247 :
/*
 * One message from the PAM library (or a module) to the application's
 * conversation function.
 *
 * msg_style: one of PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG,
 *            PAM_TEXT_INFO, PAM_RADIO_TYPE or PAM_BINARY_PROMPT.
 * msg:       the prompt / informational text for the textual styles.  For
 *            PAM_BINARY_PROMPT it instead points at the length-prefixed
 *            object described below this struct: the leading 32-bit length
 *            is in network byte order and counts the whole object, including
 *            its own 4 bytes and the 1-byte type, so a receiver must check
 *            length >= 5 before using length-5 as the data size.
 *
 * Ownership: allocated and freed by the PAM library or the module that
 * issues it; the conversation function must not free it.
 */
struct pam_message {
    int msg_style;
    const char *msg;
};
252 :
253 : /* If pam_message.msg_style == PAM_BINARY_PROMPT,
254 : 'pam_message.msg' points to a (const) object with the following
255 : pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned
256 : pam_response.resp pointer points to an object with the following
257 : structure:
258 :
259 : struct {
260 : u32 length; # network byte order
261 : unsigned char type;
262 : unsigned char data[length-5];
263 : };
264 :
265 : The 'libpamc' library is designed around this flavor of
266 : message and should be used to handle this flavor of msg_style.
267 : */
268 :
269 : /* Used to return the user's response to the PAM library. This
270 : structure is allocated by the application program, and free()'d by
271 : the Linux-PAM library (or calling module). */
272 :
/*
 * The application's reply to one pam_message, handed back through the
 * conversation function.
 *
 * resp:         the reply text; for a PAM_BINARY_PROMPT it points at an
 *               object laid out like the binary pseudo-structure above.
 * resp_retcode: currently unused; set it to zero.
 *
 * Ownership: the application allocates this structure and the PAM library
 * (or calling module) free()s it, so it must come from malloc() and not
 * from the application's stack or static storage.
 * NOTE(review): resp is expected to be heap-allocated as well, since the
 * freeing side releases it -- confirm against pam_conv(3).  A reply to
 * PAM_PROMPT_ECHO_OFF normally holds a password; the owner that free()s
 * resp is the natural place to clear it first, and the application should
 * avoid keeping a second copy.
 */
struct pam_response {
    char *resp;
    int resp_retcode; /* currently un-used, zero expected */
};
277 :
278 : /* The actual conversation structure itself */
279 :
/*
 * The application-supplied conversation callback and its private data.
 *
 * conv: invoked by libpam or a module with num_msg messages reachable
 *       through msg (presumably an array of num_msg pam_message pointers);
 *       it stores its replies through resp and returns PAM_SUCCESS or an
 *       error code such as PAM_CONV_ERR / PAM_CONV_AGAIN.  The
 *       appdata_ptr field below is passed as the last argument.
 *       NOTE(review): this header does not say whether *resp is a single
 *       array of num_msg entries -- check pam_conv(3) before implementing.
 *       Bound every index by num_msg, and remember that message text comes
 *       from the library or a service module rather than from the
 *       application, so render it accordingly.
 * appdata_ptr: opaque application data; never interpreted here.
 */
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};
285 :
286 : /* Used by the PAM_XAUTHDATA pam item. Contains X authentication
287 : data used by modules to connect to the user's X display. Note:
288 : this structure is intentionally compatible with xcb_auth_info_t. */
289 :
/*
 * X authentication data carried by the PAM_XAUTHDATA item, used by modules
 * to connect to the user's X display.  The layout is intentionally the same
 * as xcb_auth_info_t so it can be handed to xcb directly.
 *
 * namelen/name: presumably the authorization protocol name and its length.
 * datalen/data: the authorization data and its length.
 *
 * NOTE(review): both lengths are signed int and neither buffer is declared
 * NUL-terminated, so consumers should rely on namelen/datalen (rejecting
 * negative values) rather than strlen().  The data grants access to the
 * user's display -- handle it as a secret.
 */
struct pam_xauth_data {
    int namelen;
    char *name;
    int datalen;
    char *data;
};
296 :
297 : /* ... adapted from the pam_appl.h file created by Theodore Ts'o and
298 : *
299 : * Copyright Theodore Ts'o, 1996. All rights reserved.
300 : * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8
301 : *
302 : * Redistribution and use in source and binary forms, with or without
303 : * modification, are permitted provided that the following conditions
304 : * are met:
305 : * 1. Redistributions of source code must retain the above copyright
306 : * notice, and the entire permission notice in its entirety,
307 : * including the disclaimer of warranties.
308 : * 2. Redistributions in binary form must reproduce the above copyright
309 : * notice, this list of conditions and the following disclaimer in the
310 : * documentation and/or other materials provided with the distribution.
311 : * 3. The name of the author may not be used to endorse or promote
312 : * products derived from this software without specific prior
313 : * written permission.
314 : *
315 : * ALTERNATIVELY, this product may be distributed under the terms of
316 : * the GNU Public License, in which case the provisions of the GPL are
317 : * required INSTEAD OF the above restrictions. (This clause is
318 : * necessary due to a potential bad interaction between the GPL and
319 : * the restrictions contained in a BSD-style copyright.)
320 : *
321 : * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
322 : * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
323 : * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
324 : * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
325 : * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
326 : * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
327 : * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
328 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
329 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
330 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
331 : * OF THE POSSIBILITY OF SUCH DAMAGE. */
332 :
333 : #endif /* _SECURITY__PAM_TYPES_H */