c - 无法在共享对象文件中通过 system() 命令运行 python 文件

问题描述

（找到下面附加的代码）我正在尝试更改 Ubuntu 系统中 SSH 的身份验证机制，以使用基于零知识证明的身份验证，而不是普通的用户名密码。我正在尝试在此 git repo中提供的工作的基础上进行构建，并减轻它的一些漏洞。它使用 /lib/x86_64-linux-gnu/security 中名为“pam_schnorr.so”的共享对象文件，该文件将 PAM_SUCCESS 或 PAM_IGNORE 返回给 ssh 进程并相应地授予身份验证。

pam_schnorr.so 使用 system() 命令运行 python3 文件 'attempt.py'。attempt.py 反过来使用 jpype 运行一些 java 代码（在一些计算之后将 y/n 写入 output.txt）。我面临的问题是 system() 命令无法成功运行 try.py，因为返回的 WEXITSTATUS 是 1。这些是我到目前为止尝试过的一些组合 -

1. 我能够使用 test.c 中的 system() 命令成功运行 attempt.py 文件，该命令与 pam_schnorr.so 位于同一文件夹中
2. 我能够通过终端成功运行 try.py
3. 我可以通过 pam_schnorr.so 中的 system() 命令运行一个简单的 python 文件 test.py
4. 如果我注释掉 import jpype 和其他 jpype 相关语句，我可以通过 pam_schnorr.so 中的 system() 运行 try.py

因此，我得出的结论是，当通过 .so 文件中的 system() 运行时，尝试在 try.py 中运行 jpype 语句可能会导致问题。

我用来从 pam_schnorr.c 生成 pam_schnorr.so 的命令是 -

$sudo gcc -c -fPIC pam_schnorr.c -o new_pam_schnorr.o

$sudo gcc new_pam_schnorr.o -shared -o pam_schnorr.so

我不确定到底是什么问题，但是从 pam_schnorr.so 运行 try.py 对于身份验证过程至关重要。对此的任何帮助表示赞赏

尝试.py

import jpype
import sys
import traceback

def main(a,b,c,d,e,f,g,h,i):
    classpath = "-Djava.class.path=%s" % "/home/madhav/Downloads/6857-PasswordManager/out/production/6.857_ZKPassword/"
    jpype.startJVM("/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so", classpath)
    Main = jpype.JPackage("sixeightfiveseven").Main
    Main.main([a,b,c,d,e,f,g,h,i])
                
if __name__ == "__main__":
    # expect 9 arguments
    a = sys.argv[1]
    b = sys.argv[2]
    c = sys.argv[3]
    d = sys.argv[4]
    e = sys.argv[5]
    f = sys.argv[6]
    g = sys.argv[7]
    h = sys.argv[8]
    i = sys.argv[9]
    main(a, b, c, d, e, f, g, h, i)

test.c // WEXITSTATUS 返回为 0（成功）

#include <stdio.h>
#include <gmp.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>

void main(){
    FILE *f = fopen("/home/madhav/Desktop/debug.txt", "w+");
    int status = system("sudo python3 /lib/x86_64-linux-gnu/security/attempt.py"); //providing the reqd arguments for attempt.py
    fprintf(f, "\nSTATUS: %d", WEXITSTATUS(status));
    if (status != 0) {
      fprintf(f, "failed :(\n");
    }
    else{
        fprintf(f, "success :)\n"); 
    }
    fclose(f); 
}

测试.py

def func():
    f = open("/home/madhav/Desktop/demofile.txt", "a")
    f.write("Now the file has more content!")
    f.close()

if __name__ == "__main__":
    func()

pam_schnorr.c（pam_sm_athenticate 函数中的系统调用）

/* Define which PAM interfaces we provide */
  #define PAM_SM_ACCOUNT
  #define PAM_SM_AUTH
  #define PAM_SM_PASSWORD
  #define PAM_SM_SESSION

#include <stdio.h>
#include <gmp.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Include PAM headers */
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <security/_pam_macros.h>
#include <security/pam_modutil.h>

  /* PAM entry point for session creation */
  int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
          return(PAM_IGNORE);
  }

  /* PAM entry point for session cleanup */
  int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
          return(PAM_IGNORE);
  }

  /* PAM entry point for accounting */
  int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
          return(PAM_IGNORE);
  }

  /* PAM entry point for authentication verification */
  int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    int retval; 
    const char *p;
    retval = pam_get_authtok(pamh, PAM_AUTHTOK, &p , NULL);

    // open a file to help debug
    FILE *f = fopen("/home/sylvielee/Desktop/debug_log.txt", "w");
    
    // Expect a string containing GP_x,GP_y,PK_x,PK_y,V_x,V_Y,r,n,userID in that order
    int num_vars = 9;
    int pv_index = 0;
    char *packet_vars[num_vars];
    const char *delimiter = ",";

    char *saveptr;
    char *var = strtok_r(p, delimiter, &saveptr);
    if (!var) {
      fprintf(f, "incorrect input");
      fclose(f); 
      return(PAM_IGNORE); 
    }
    packet_vars[pv_index++] = var;

    while (pv_index < num_vars) {
      var = strtok_r(NULL, delimiter, &saveptr);
      fprintf(f, "\npv index is %d\n", pv_index);
      fprintf(f, "var is %s\n", var);
      if (!var) {
    fprintf(f, "broke out"); 
    break; 
      }
      packet_vars[pv_index++] = var;
    }
    
    if (pv_index != num_vars) {
      // didn't get all the desired variables
      fclose(f); 
      return(PAM_IGNORE); 
    }

    // call python script to check with verifier
    char script_call[80];
    sprintf(script_call, "python3 /lib/x86_64-linux-gnu/security/attempt.py %s %s %s %s %s %s %s %s %s",
        packet_vars[0], packet_vars[1], packet_vars[2], packet_vars[3], packet_vars[4],
        packet_vars[5], packet_vars[6], packet_vars[7], packet_vars[8]);
    puts(script_call);
    fprintf(f, "\n%s", script_call); 

    // check success of script call and log
    int status = system(script_call); 
    fprintf(f, "\nSTATUS: %d", WEXITSTATUS(status));
    if (status != 0) {
      fprintf(f, "failed :("); 
      fclose(f); 
      return(PAM_IGNORE); 
    }

    // read the verifier result
    char *verifier_fp = "/home/sylvielee/Desktop/out.txt";
    FILE *verifier_output = fopen(verifier_fp, "r");
    int good = 0;    
    if (fgetc(verifier_output) == 121) { // ASCII for y
      good = 1; 
    }
    fprintf(f, "\nOutput is %d\n", good);
    
    // return success of failure based on verifier result
    fclose(f);
    fclose(verifier_output);
    if (good == 1) {
      return(PAM_SUCCESS); 
    }
    return(PAM_IGNORE);
  }

  /*
     PAM entry point for setting user credentials (that is, to actually
     establish the authenticated user's credentials to the service provider)
   */
  int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
          return(PAM_IGNORE);
  }

  /* PAM entry point for authentication token (password) changes */
  int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
          return(PAM_IGNORE);
  }

标签： clinuxpam.sojpype