From 9791a4db0f4105990e31274db5cdcccee9841894 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:31 +0100 Subject: [PATCH 1/9] pam: doc --- DOCUMENTATION.md | 4 ++ radicale/auth/pam.py | 93 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 radicale/auth/pam.py diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index b9c4c572..8718c08f 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -829,6 +829,10 @@ Available backends: `oauth2` : Use an OAuth2 server to authenticate users. +`pam` +: Use local PAM to authenticate users. + + Default: `none` ##### cache_logins diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py new file mode 100644 index 00000000..25e66b19 --- /dev/null +++ b/radicale/auth/pam.py @@ -0,0 +1,93 @@ +# -*- coding: utf-8 -*- +# +# This file is part of Radicale Server - Calendar Server +# Copyright © 2011 Henry-Nicolas Tourneur +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + +""" +PAM authentication. + +Authentication based on the ``pam-python`` module. + +""" + +import grp +import pam +import pwd + +from .. import config, log + + +GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") + + +# Compatibility for old versions of python-pam. +if hasattr(pam, "pam"): + def pam_authenticate(*args, **kwargs): + return pam.pam().authenticate(*args, **kwargs) +else: + def pam_authenticate(*args, **kwargs): + return pam.authenticate(*args, **kwargs) + + +def is_authenticated(user, password): + """Check if ``user``/``password`` couple is valid.""" + if user is None or password is None: + return False + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(user).pw_uid + except KeyError: + log.LOGGER.debug("User %s not found" % user) + return False + else: + log.LOGGER.debug("User %s found" % user) + + # Check whether the group exists + try: + # Obtain supplementary groups + members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem + except KeyError: + log.LOGGER.debug( + "The PAM membership required group (%s) doesn't exist" % + GROUP_MEMBERSHIP) + return False + + # Check whether the user exists + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name + except KeyError: + log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) + return False + + # Check whether the user belongs to the required group + # (primary or supplementary) + if primary_group == GROUP_MEMBERSHIP or user in members: + log.LOGGER.debug( + "The PAM user belongs to the required group (%s)" % + GROUP_MEMBERSHIP) + # Check the password + if pam_authenticate(user, password, service='radicale'): + return True + else: + log.LOGGER.debug("Wrong PAM password") + else: + log.LOGGER.debug( + "The PAM user doesn't belong to the required group (%s)" % + GROUP_MEMBERSHIP) + + return False From 6683775c81968043bcdd929c1773d229ffb3638f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:51 +0100 Subject: [PATCH 2/9] pam: doc --- DOCUMENTATION.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8718c08f..fb86db70 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1032,6 +1032,18 @@ OAuth2 token endpoint URL Default: +##### pam_service + +PAM service + +Default: radicale + +##### pam_group_membership + +PAM group user should be member of + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 954ddea0062f111b2eb7b1faa0d747099b53612f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:13 +0100 Subject: [PATCH 3/9] pam: config --- config | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config b/config index dfd8c4e2..2585c718 100644 --- a/config +++ b/config @@ -128,6 +128,12 @@ # OAuth2 token endpoint URL #oauth2_token_endpoint = +# PAM service +#pam_serivce = radicale + +# PAM group user should be member of +#pam_group_membership = + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 046d39b1bd87dbcb08617098eb36436f702de2a4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:36 +0100 Subject: [PATCH 4/9] pam: add support --- radicale/auth/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index e92272f8..62a7b34f 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -43,6 +43,7 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "ldap", "imap", "oauth2", + "pam", "dovecot") CACHE_LOGIN_TYPES: Sequence[str] = ( @@ -51,6 +52,7 @@ CACHE_LOGIN_TYPES: Sequence[str] = ( "htpasswd", "imap", "oauth2", + "pam", ) AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") From c8f650bc2c5699ad2c3dc3e43363d1041db915ae Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:52 +0100 Subject: [PATCH 5/9] extend copyright --- radicale/auth/pam.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 25e66b19..3194cb59 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -2,6 +2,8 @@ # # This file is part of Radicale Server - Calendar Server # Copyright © 2011 Henry-Nicolas Tourneur +# Copyright © 2021-2021 Unrud +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 855e3743caaf389643a8c567abe35565ea199823 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:07 +0100 Subject: [PATCH 6/9] pam: merge+adjust module from v1 --- radicale/auth/pam.py | 134 +++++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 62 deletions(-) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 3194cb59..84cacb82 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -21,75 +21,85 @@ """ PAM authentication. -Authentication based on the ``pam-python`` module. +Authentication using the ``pam-python`` module. +Important: radicale user need access to /etc/shadow by e.g. + chgrp radicale /etc/shadow + chmod g+r """ import grp -import pam import pwd -from .. import config, log +from radicale import auth +from radicale.log import logger -GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") - - -# Compatibility for old versions of python-pam. -if hasattr(pam, "pam"): - def pam_authenticate(*args, **kwargs): - return pam.pam().authenticate(*args, **kwargs) -else: - def pam_authenticate(*args, **kwargs): - return pam.authenticate(*args, **kwargs) - - -def is_authenticated(user, password): - """Check if ``user``/``password`` couple is valid.""" - if user is None or password is None: - return False - - # Check whether the user exists in the PAM system - try: - pwd.getpwnam(user).pw_uid - except KeyError: - log.LOGGER.debug("User %s not found" % user) - return False - else: - log.LOGGER.debug("User %s found" % user) - - # Check whether the group exists - try: - # Obtain supplementary groups - members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem - except KeyError: - log.LOGGER.debug( - "The PAM membership required group (%s) doesn't exist" % - GROUP_MEMBERSHIP) - return False - - # Check whether the user exists - try: - # Get user primary group - primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name - except KeyError: - log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) - return False - - # Check whether the user belongs to the required group - # (primary or supplementary) - if primary_group == GROUP_MEMBERSHIP or user in members: - log.LOGGER.debug( - "The PAM user belongs to the required group (%s)" % - GROUP_MEMBERSHIP) - # Check the password - if pam_authenticate(user, password, service='radicale'): - return True +class Auth(auth.BaseAuth): + def __init__(self, configuration) -> None: + super().__init__(configuration) + try: + import pam + self.pam = pam + except ImportError as e: + raise RuntimeError("PAM authentication requires the Python pam module") from e + self._service = configuration.get("auth", "pam_service") + logger.info("auth.pam_service: %s" % self._service) + self._group_membership = configuration.get("auth", "pam_group_membership") + if (self._group_membership): + logger.info("auth.pam_group_membership: %s" % self._group_membership) else: - log.LOGGER.debug("Wrong PAM password") - else: - log.LOGGER.debug( - "The PAM user doesn't belong to the required group (%s)" % - GROUP_MEMBERSHIP) + logger.info("auth.pam_group_membership: (empty, nothing to check / INSECURE)") - return False + def pam_authenticate(self, *args, **kwargs): + return self.pam.authenticate(*args, **kwargs) + + def _login(self, login: str, password: str) -> str: + """Check if ``user``/``password`` couple is valid.""" + if login is None or password is None: + return "" + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(login).pw_uid + except KeyError: + logger.debug("PAM user not found: %r" % login) + return "" + else: + logger.debug("PAM user found: %r" % login) + + # Check whether the user has a primary group (mandatory) + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(login).pw_gid).gr_name + logger.debug("PAM user %r has primary group: %r" % (login, primary_group)) + except KeyError: + logger.debug("PAM user has no primary group: %r" % login) + return "" + + # Obtain supplementary groups + members = [] + if (self._group_membership): + try: + members = grp.getgrnam(self._group_membership).gr_mem + except KeyError: + logger.debug( + "PAM membership required group doesn't exist: %r" % + self._group_membership) + return "" + + # Check whether the user belongs to the required group + # (primary or supplementary) + if (self._group_membership): + if (primary_group != self._group_membership) and (login not in members): + logger.warning("PAM user %r belongs not to the required group: %r" % (login, self._group_membership)) + return "" + else: + logger.debug("PAM user %r belongs to the required group: %r" % (login, self._group_membership)) + + # Check the password + if self.pam_authenticate(login, password, service=self._service): + return login + else: + logger.debug("PAM authentication not successful for user: %r (service %r)" % (login, self._service)) + return "" From 0759673e67ab0bd1f631f458cac15a5e4e308bb6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:24 +0100 Subject: [PATCH 7/9] pam: config parser --- radicale/config.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 5f46022e..6a218160 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -311,6 +311,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "OAuth2 token endpoint URL", "type": str}), + ("pam_group_membership", { + "value": "", + "help": "PAM group user should be member of", + "type": str}), + ("pam_service", { + "value": "radicale", + "help": "PAM service", + "type": str}), ("strip_domain", { "value": "False", "help": "strip domain from username", From 7f3fedc048576afd2bdbc439d8ec9ca0bc0890e4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:42 +0100 Subject: [PATCH 8/9] log used python version --- radicale/utils.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/utils.py b/radicale/utils.py index 097be3fb..a75e5089 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -18,6 +18,7 @@ # along with Radicale. If not, see . import ssl +import sys from importlib import import_module, metadata from typing import Callable, Sequence, Type, TypeVar, Union @@ -55,6 +56,7 @@ def package_version(name): def packages_version(): versions = [] + versions.append("python=%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])) for pkg in RADICALE_MODULES: versions.append("%s=%s" % (pkg, package_version(pkg))) return " ".join(versions) From 6518f1b63aea24d8e0f0c7d6072930213dc639fa Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:51:06 +0100 Subject: [PATCH 9/9] pam: add to config selector --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 2585c718..e367083c 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall #type = none # Cache logins for until expiration time