authorAndrew G. Morgan <morgan@kernel.org>2021-07-12 21:09:10 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-07-12 21:23:47 -0700
commitefd293947f940180eedd8d0915b124f4aedccc08 (patch)
treec789d728556e907d39ece8f9cd5b9cf00cf96fa1
parentee3b25c0a877fa74d1aec88f325ac45b09963c82 (diff)
downloadlibcap-efd293947f940180eedd8d0915b124f4aedccc08.tar.gz
Support running pam_cap.so as a simple binary.
This prints module information and supports the sole optional argument --help. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--pam_cap/Makefile20
-rw-r--r--pam_cap/capability.conf2
-rw-r--r--pam_cap/execable.c53
3 files changed, 70 insertions, 5 deletions
diff --git a/pam_cap/Makefile b/pam_cap/Makefile
index ce63f16..a4c4891 100644
--- a/pam_cap/Makefile
+++ b/pam_cap/Makefile
@@ -15,21 +15,33 @@ install: all
# does, *verify that it does*, and if you observe that it fails as
# written (and you know why it fails), email me and explain why. Thanks!
-pam_cap.so: pam_cap.o
- $(LD) -o pam_cap.so $< $(LIBCAPLIB) $(LDFLAGS)
+../libcap/loader.txt:
+ $(MAKE) -C ../libcap loader.txt
+
+execable.o: execable.c ../libcap/execable.h ../libcap/loader.txt
+ $(CC) $(CFLAGS) $(IPATH) -DLIBCAP_VERSION=\"libcap-$(VERSION).$(MINOR)\" -DSHARED_LOADER=\"$(shell cat ../libcap/loader.txt)\" -c execable.c -o $@
+
+pam_cap.so: pam_cap.o execable.o
+ $(LD) -o pam_cap.so $+ $(LIBCAPLIB) $(LDFLAGS) --entry=__so_start
pam_cap.o: pam_cap.c
$(CC) $(CFLAGS) $(IPATH) -c $< -o $@
-test_pam_cap: test_pam_cap.c pam_cap.c
+../libcap/libcap.a:
+ $(MAKE) -C ../libcap libcap.a
+
+test_pam_cap: test_pam_cap.c pam_cap.c ../libcap/libcap.a
$(CC) $(CFLAGS) $(IPATH) -o $@ test_pam_cap.c $(LIBCAPLIB) $(LDFLAGS) --static
testlink: test.c pam_cap.o
$(CC) $(CFLAGS) -o $@ $+ -lpam -ldl $(LIBCAPLIB) $(LDFLAGS)
-test: pam_cap.so test_pam_cap
+test: testlink test_pam_cap pam_cap.so
$(MAKE) testlink
./test_pam_cap
+ LD_LIBRARY_PATH=../libcap ./pam_cap.so
+ LD_LIBRARY_PATH=../libcap ./pam_cap.so --help
+ @echo "module can be run as an executable!"
sudotest: test test_pam_cap
sudo ./test_pam_cap root 0x0 0x0 0x0 config=./capability.conf
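Review bot: The new `../libcap/libcap.a:` and `../libcap/loader.txt:` rules have no prerequisites, so once either file exists make never re-enters ../libcap for it. `test_pam_cap` (linked `--static`) and the `SHARED_LOADER` string in `execable.o` can therefore be built from stale artifacts after libcap changes, and `sudotest` would then exercise old library code under sudo with nothing signalling it. Under `make -j test` the two rules may also start two concurrent sub-makes in ../libcap, which is only safe if that Makefile tolerates it (not visible here). Routing both through a single always-run delegation rule, or at least adding a comment such as `# NOTE: not rebuilt when libcap sources change; run make in ../libcap first`, would make the limitation explicit. Separately, the recipe line `$(MAKE) testlink` is now redundant because `testlink` is a prerequisite of `test`.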
diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf
index fb93ed9..08c01e1 100644
--- a/pam_cap/capability.conf
+++ b/pam_cap/capability.conf
@@ -25,7 +25,7 @@
# config=<file> - override the default config for the module with file
# keepcaps - workaround for applications that setuid without this
# autoauth - if you want pam_cap.so to always succeed for the auth phase
-# default - provide a failback IAB value if there is no '*' rule
+# default=<iab> - provide a fallback IAB value if there is no '*' rule
## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap morgan
diff --git a/pam_cap/execable.c b/pam_cap/execable.c
new file mode 100644
index 0000000..60cf667
--- /dev/null
+++ b/pam_cap/execable.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2021 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * The purpose of this file is to provide an executable mode for the
+ * pam_cap.so binary. If you run it directly, all it does is print
+ * version information.
+ *
+ * It accepts the optional --help argument which causes the executable
+ * to display a summary of all the supported, pam stacked, module
+ * arguments.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../libcap/execable.h"
+
+SO_MAIN(int argc, char **argv)
+{
+ const char *cmd = "<pam_cap.so>";
+ if (argv != NULL) {
+ cmd = argv[0];
+ }
+
+ printf(
+ "%s (version " LIBCAP_VERSION ") is a PAM module to specify\n"
+ "inheritable (IAB) capabilities via the libpam authentication\n"
+ "abstraction. See the libcap License file for licensing information.\n"
+ "\n"
+ "Release notes and feature documentation for libcap and pam_cap.so\n"
+ "can be found at:\n"
+ "\n"
+ " https://sites.google.com/site/fullycapable/\n", cmd);
+ if (argc == 1) {
+ return;
+ }
+
+ if (argc > 2 || strcmp(argv[1], "--help")) {
+ printf("\n%s only supports the optional argument --help\n", cmd);
+ exit(1);
+ }
+
+ printf("\n"
+ "%s supports the following module arguments:\n"
+ "\n"
+ "debug - verbose logging (ignored for now)\n"
+ "config=<file> - override the default config with file\n"
+ "keepcaps - workaround for apps that setuid without this\n"
+ "autoauth - pam_cap.so to always succeed for the 'auth' phase\n"
+ "default=<iab> - fallback IAB value if there is no '*' rule\n",
+ cmd);
+}
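Review bot: `SO_MAIN` guards `argv != NULL` but not `argv[0]`, and the `argc == 1` early return lets `argc == 0` fall through to `strcmp(argv[1], "--help")`, which reads past the argv terminator. A process can be exec'd with an empty argument vector, so both cases are reachable if `SO_MAIN` in ../libcap/execable.h passes the kernel-supplied values through unchanged (that header is not visible here). I would write the guard as `if (argv != NULL && argv[0] != NULL) cmd = argv[0];` and the early return as `if (argc <= 1) return;`. The unsupported-argument message could also go to stderr via `fprintf(stderr, ...)`, so a caller capturing stdout does not mistake it for module information.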