authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 12:44:11 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 12:44:11 -0800
commitefd31890b5ed496a5a00c08a262da240e66a4ddc (patch)
tree22a7aab22b3a491bb58df250d7d6409e0c160bcc /modules/pam_securetty
parent067affee9267fa0d1c21835182ba639ba33e820f (diff)
New upstream version 0.76
Diffstat (limited to 'modules/pam_securetty')
-rw-r--r--modules/pam_securetty/.cvsignore1
-rw-r--r--modules/pam_securetty/Makefile15
-rw-r--r--modules/pam_securetty/README9
-rw-r--r--modules/pam_securetty/pam_securetty.c191
4 files changed, 0 insertions, 216 deletions
diff --git a/modules/pam_securetty/.cvsignore b/modules/pam_securetty/.cvsignore
deleted file mode 100644
index 380a834a..00000000
--- a/modules/pam_securetty/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-dynamic
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
deleted file mode 100644
index 9b80d2e9..00000000
--- a/modules/pam_securetty/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# $Id$
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27
-#
-
-include ../../Make.Rules
-
-TITLE=pam_securetty
-
-include ../Simple.Rules
diff --git a/modules/pam_securetty/README b/modules/pam_securetty/README
deleted file mode 100644
index 1df095c9..00000000
--- a/modules/pam_securetty/README
+++ /dev/null
@@ -1,9 +0,0 @@
-pam_securetty:
- Allows root logins only if the user is logging in on a
- "secure" tty, as defined by the listing in /etc/securetty
-
- Also checks to make sure that /etc/securetty is a plain
- file and not world writable.
-
- - Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- July 25, 1996.
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
deleted file mode 100644
index 9e6121e8..00000000
--- a/modules/pam_securetty/pam_securetty.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/* pam_securetty module */
-
-#define SECURETTY_FILE "/etc/securetty"
-#define TTY_PREFIX "/dev/"
-
-/*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
- * July 25, 1996.
- * This code shamelessly ripped from the pam_rootok module.
- * Slight modifications AGM. 1996/12/3
- */
-
-#define _GNU_SOURCE
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <pwd.h>
-#include <string.h>
-
-#define PAM_SM_AUTH
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval = PAM_AUTH_ERR;
- const char *username;
- char *uttyname;
- char ttyfileline[256];
- struct stat ttyfileinfo;
- struct passwd *user_pwd;
- FILE *ttyfile;
- int ctrl;
-
- /* parse the arguments */
- ctrl = _pam_parse(argc, argv);
-
- retval = pam_get_user(pamh, &username, NULL);
- if (retval != PAM_SUCCESS || username == NULL) {
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_WARNING, "cannot determine username");
- }
- return (retval == PAM_CONV_AGAIN
- ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
- }
-
- retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname);
- if (retval != PAM_SUCCESS || uttyname == NULL) {
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_WARNING, "cannot determine user's tty");
- }
- return PAM_SERVICE_ERR;
- }
-
- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
- uttyname += sizeof(TTY_PREFIX)-1;
-
- user_pwd = getpwnam(username);
- if (user_pwd == NULL) {
- return PAM_IGNORE;
- } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
- securetty's does not apply
- to them */
- return PAM_SUCCESS;
- }
-
- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
- _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE);
- return PAM_SUCCESS; /* for compatibility with old securetty handling,
- this needs to succeed. But we still log the
- error. */
- }
-
- if ((ttyfileinfo.st_mode & S_IWOTH)
- || !S_ISREG(ttyfileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ERR, SECURETTY_FILE
- " is either world writable or not a normal file");
- return PAM_AUTH_ERR;
- }
-
- ttyfile = fopen(SECURETTY_FILE,"r");
- if(ttyfile == NULL) { /* Check that we opened it successfully */
- _pam_log(LOG_ERR,
- "Error opening " SECURETTY_FILE);
- return PAM_SERVICE_ERR;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
- while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
- && retval) {
- if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
- ttyfileline[strlen(ttyfileline) - 1] = '\0';
- retval = strcmp(ttyfileline,uttyname);
- }
- fclose(ttyfile);
- if(retval) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !",
- uttyname);
- retval = PAM_AUTH_ERR;
- }
- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG))
- _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
- username, uttyname);
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_securetty_modstruct = {
- "pam_securetty",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */