initial commit: WIP debugging PAM module

2026-03-16 11:59:16 +11:00
commit 1d3eaff622
20 changed files with 699 additions and 0 deletions
--- a/pam-module/CMakeLists.txt
+++ b/pam-module/CMakeLists.txt
@@ -0,0 +1,25 @@
+cmake_minimum_required(VERSION 3.15)
+project(pam_usercontainer LANGUAGES CXX)
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
+add_library(pam_usercontainer SHARED src/pam_module.cpp src/auth_client.cpp)
+set_target_properties(pam_usercontainer PROPERTIES
+    OUTPUT_NAME "pam_usercontainer"
+    PREFIX ""
+)
+target_compile_options(pam_usercontainer PRIVATE
+    $<$<CXX_COMPILER_ID:GNU>:-Wall -Wextra>
+    $<$<CXX_COMPILER_ID:Clang>:-Wall -Wextra>
+)
+target_include_directories(pam_usercontainer PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include)
+
+# Link to Rust staticlib
+add_dependencies(pam_usercontainer rust_backend_build)
+set(RUST_STATICLIB "${CMAKE_BINARY_DIR}/rust-backend/target/release/librust_backend.a")
+target_link_libraries(pam_usercontainer PRIVATE ${RUST_STATICLIB})
+
+# Install target
+install(TARGETS pam_usercontainer DESTINATION lib/security)
--- a/pam-module/include/rust_backend_ffi.h
+++ b/pam-module/include/rust_backend_ffi.h
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Suyono
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// Initialize logging
+void rust_init_logging(const char* log_path);
+
+// Authenticate user (stub)
+int rust_auth_user(const char* user, const char* password);
+
+// Log event (file sink)
+void rust_log_event(const char* event);
+
+#ifdef __cplusplus
+}
+#endif
--- a/pam-module/src/auth_client.cpp
+++ b/pam-module/src/auth_client.cpp
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Suyono
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+#include "rust_backend_ffi.h"
+#include "auth_client.h"
+#include <exception>
+// Add PAM header for status codes
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+int auth_client_authenticate(const char* user, const char* password) {
+    try {
+        rust_init_logging(nullptr); // Ensure logger is initialized
+        int result = rust_auth_user(user, password);
+        if (result == 0) {
+            return PAM_SUCCESS;
+        } else {
+            return PAM_AUTH_ERR;
+        }
+    } catch (...) {
+        return PAM_AUTH_ERR;
+    }
+}
--- a/pam-module/src/auth_client.h
+++ b/pam-module/src/auth_client.h
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Suyono
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+int auth_client_authenticate(const char* user, const char* password);
--- a/pam-module/src/pam_module.cpp
+++ b/pam-module/src/pam_module.cpp
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Suyono
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <cstring>
+#include "rust_backend_ffi.h"
+#include "auth_client.h"
+
+extern "C" {
+
+int pam_sm_authenticate(pam_handle_t* pamh, int flags, int argc, const char** argv) {
+    try {
+        rust_init_logging(nullptr); // Ensure logger is initialized
+        rust_log_event("PAM authentication attempt");
+
+
+        const char* user = nullptr;
+        pam_get_user(pamh, &user, NULL);
+        const void* pw_ptr = nullptr;
+        int item_result = pam_get_item(pamh, PAM_AUTHTOK, &pw_ptr);
+        const char* password = (item_result == PAM_SUCCESS && pw_ptr) ? static_cast<const char*>(pw_ptr) : nullptr;
+        int result = auth_client_authenticate(user, password);
+        return result;
+    } catch (...) {
+        // Log and return PAM error
+        return PAM_AUTH_ERR;
+    }
+}
+
+int pam_sm_setcred(pam_handle_t*, int, int, const char**) {
+    return PAM_SUCCESS;
+}
+
+}