authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:13:04 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:13:04 -0800
commitc55c14c5c6762139ec6695d84ea0e2e917da5264 (patch)
tree9e6119760c93841b2bc3e05680ac9e4e15ae9c25 /modules/pam_securetty
parentf3c0273b7bd2d7fdcac3fe3604cedd82afc57f49 (diff)
parentfc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (diff)
New upstream version 1.1.5
Diffstat (limited to 'modules/pam_securetty')
-rw-r--r--modules/pam_securetty/pam_securetty.8.xml18
-rw-r--r--modules/pam_securetty/pam_securetty.c70
2 files changed, 87 insertions, 1 deletions
diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
index dd57705b..48215f5f 100644
--- a/modules/pam_securetty/pam_securetty.8.xml
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -33,7 +33,10 @@
user is logging in on a "secure" tty, as defined by the listing
in <filename>/etc/securetty</filename>. pam_securetty also checks
to make sure that <filename>/etc/securetty</filename> is a plain
- file and not world writable.
+ file and not world writable. It will also allow root logins on
+ the tty specified with <option>console=</option> switch on the
+ kernel command line and on ttys from the
+ <filename>/sys/class/tty/console/active</filename>.
</para>
<para>
This module has no effect on non-root users and requires that the
@@ -61,6 +64,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>noconsole</option>
+ </term>
+ <listitem>
+ <para>
+ Do not automatically allow root logins on the kernel console
+ device, as specified on the kernel command line or by the sys file,
+ if it is not also specified in the
+ <filename>/etc/securetty</filename> file.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index a3c2010d..4e97ef59 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -2,6 +2,8 @@
#define SECURETTY_FILE "/etc/securetty"
#define TTY_PREFIX "/dev/"
+#define CMDLINE_FILE "/proc/cmdline"
+#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
/*
* by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
@@ -22,6 +24,7 @@
#include <pwd.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
/*
* here, we make a definition for the externally accessible function
@@ -38,6 +41,7 @@
#include <security/pam_ext.h>
#define PAM_DEBUG_ARG 0x0001
+#define PAM_NOCONSOLE_ARG 0x0002
static int
_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
@@ -51,6 +55,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
if (!strcmp(*argv,"debug"))
ctrl |= PAM_DEBUG_ARG;
+ else if (!strcmp(*argv, "noconsole"))
+ ctrl |= PAM_NOCONSOLE_ARG;
else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -144,6 +150,70 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
}
fclose(ttyfile);
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+
+ /* Allow access from the kernel console, if enabled */
+ cmdlinefile = fopen(CMDLINE_FILE, "r");
+
+ if (cmdlinefile != NULL) {
+ char line[LINE_MAX], *p;
+
+ line[0] = 0;
+ fgets(line, sizeof(line), cmdlinefile);
+ fclose(cmdlinefile);
+
+ for (p = line; p; p = strstr(p+1, "console=")) {
+ char *e;
+
+ /* Test whether this is a beginning of a word? */
+ if (p > line && p[-1] != ' ')
+ continue;
+
+ /* Is this our console? */
+ if (strncmp(p + 8, uttyname, strlen(uttyname)))
+ continue;
+
+ /* Is there any garbage after the TTY name? */
+ e = p + 8 + strlen(uttyname);
+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
+ retval = 0;
+ break;
+ }
+ }
+ }
+ }
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *consoleactivefile;
+
+ /* Allow access from the active console */
+ consoleactivefile = fopen(CONSOLEACTIVE_FILE, "r");
+
+ if (consoleactivefile != NULL) {
+ char line[LINE_MAX], *p, *n;
+
+ line[0] = 0;
+ p = fgets(line, sizeof(line), consoleactivefile);
+ fclose(consoleactivefile);
+
+ if (p) {
+ /* remove the newline character at end */
+ if (line[strlen(line)-1] == '\n')
+ line[strlen(line)-1] = 0;
+
+ for (n = p; n != NULL; p = n+1) {
+ if ((n = strchr(p, ' ')) != NULL)
+ *n = '\0';
+
+ if (strcmp(p, uttyname) == 0) {
+ retval = 0;
+ break;
+ }
+ }
+ }
+ }
+ }
+
if (retval) {
pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
uttyname);
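Review bot: The first iteration of the `/proc/cmdline` loop starts at `p = line` without checking that the line actually begins with `console=`, so the `strncmp(p + 8, uttyname, ...)` comparison is made against whatever follows the first eight bytes of the command line; a line such as `BOOT_XX=tty1 ...` (constructed example) would be accepted as the console, and when the line is shorter than eight bytes the comparison reads stale bytes of `line` past the terminator. Seeding the loop with the first real match fixes both: `for (p = strstr(line, "console="); p; p = strstr(p+1, "console=")) {`. In the sysfs branch, `line[strlen(line)-1]` indexes before the buffer if the first byte read is NUL; a guard such as `if (line[0] != '\0' && line[strlen(line)-1] == '\n')` keeps it in bounds. Since both files are kernel-provided this is a robustness rather than an untrusted-input issue, but the accept-by-default path grants root a login on the matched tty, so the match should be exact. securetty_perform_check starts and ends outside this hunk.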