Diffstat (limited to 'modules/pam_listfile')
-rw-r--r--modules/pam_listfile/.cvsignore8
-rw-r--r--modules/pam_listfile/Makefile.am31
-rw-r--r--modules/pam_listfile/README.xml41
-rw-r--r--modules/pam_listfile/pam_listfile.8.xml297
-rw-r--r--modules/pam_listfile/pam_listfile.c462
-rwxr-xr-xmodules/pam_listfile/tst-pam_listfile2
6 files changed, 0 insertions, 841 deletions
diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore
deleted file mode 100644
index f54f6f27..00000000
--- a/modules/pam_listfile/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_listfile.8
diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am
deleted file mode 100644
index 2f211320..00000000
--- a/modules/pam_listfile/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile
-
-man_MANS = pam_listfile.8
-XMLS = README.xml pam_listfile.8.xml
-
-TESTS = tst-pam_listfile
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_listfile.la
-pam_listfile_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_listfile.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_listfile/README.xml b/modules/pam_listfile/README.xml
deleted file mode 100644
index d851aef3..00000000
--- a/modules/pam_listfile/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_listfile.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_listfile-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml
deleted file mode 100644
index e54e80a4..00000000
--- a/modules/pam_listfile/pam_listfile.8.xml
+++ /dev/null
@@ -1,297 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_listfile">
-
- <refmeta>
- <refentrytitle>pam_listfile</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_listfile-name">
- <refname>pam_listfile</refname>
- <refpurpose>deny or allow services based on an arbitrary file</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_listfile-cmdsynopsis">
- <command>pam_listfile.so</command>
- <arg choice="plain">
- item=[tty|user|rhost|ruser|group|shell]
- </arg>
- <arg choice="plain">
- sense=[allow|deny]
- </arg>
- <arg choice="plain">
- file=<replaceable>/path/filename</replaceable>
- </arg>
- <arg choice="plain">
- onerr=[succeed|fail]
- </arg>
- <arg choice="opt">
- apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]
- </arg>
- <arg choice="opt">
- quiet
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_listfile-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_listfile is a PAM module which provides a way to deny or
- allow services based on an arbitrary file.
- </para>
- <para>
- The module gets the <option>item</option> of the type specified --
- <emphasis>user</emphasis> specifies the username,
- <emphasis>PAM_USER</emphasis>; tty specifies the name of the terminal
- over which the request has been made, <emphasis>PAM_TTY</emphasis>;
- rhost specifies the name of the remote host (if any) from which the
- request was made, <emphasis>PAM_RHOST</emphasis>; and ruser specifies
- the name of the remote user (if available) who made the request,
- <emphasis>PAM_RUSER</emphasis> -- and looks for an instance of that
- item in the <option>file=<replaceable>filename</replaceable></option>.
- <filename>filename</filename> contains one line per item listed. If
- the item is found, then if
- <option>sense=<replaceable>allow</replaceable></option>,
- <emphasis>PAM_SUCCESS</emphasis> is returned, causing the authorization
- request to succeed; else if
- <option>sense=<replaceable>deny</replaceable></option>,
- <emphasis>PAM_AUTH_ERR</emphasis> is returned, causing the authorization
- request to fail.
- </para>
- <para>
- If an error is encountered (for instance, if
- <filename>filename</filename> does not exist, or a poorly-constructed
- argument is encountered), then if <emphasis>onerr=succeed</emphasis>,
- <emphasis>PAM_SUCCESS</emphasis> is returned, otherwise if
- <emphasis>onerr=fail</emphasis>, <emphasis>PAM_AUTH_ERR</emphasis> or
- <emphasis>PAM_SERVICE_ERR</emphasis> (as appropriate) will be returned.
- </para>
- <para>
- An additional argument, <option>apply=</option>, can be used
- to restrict the application of the above to a specific user
- (<option>apply=<replaceable>username</replaceable></option>)
- or a given group
- (<option>apply=<replaceable>@groupname</replaceable></option>).
- This added restriction is only meaningful when used with the
- <emphasis>tty</emphasis>, <emphasis>rhost</emphasis> and
- <emphasis>shell</emphasis> items.
- </para>
- <para>
- Besides this last one, all arguments should be specified; do not
- count on any default behavior.
- </para>
- <para>
- No credentials are awarded by this module.
- </para>
- </refsect1>
-
- <refsect1 id="pam_listfile-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>item=[tty|user|rhost|ruser|group|shell]</option>
- </term>
- <listitem>
- <para>
- What is listed in the file and should be checked for.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>sense=[allow|deny]</option>
- </term>
- <listitem>
- <para>
- Action to take if found in file, if the item is NOT found in
- the file, then the opposite action is requested.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>file=<replaceable>/path/filename</replaceable></option>
- </term>
- <listitem>
- <para>
- File containing one item per line. The file needs to be a plain
- file and not world writeable.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>onerr=[succeed|fail]</option>
- </term>
- <listitem>
- <para>
- What to do if something weird happens like being unable to open
- the file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option>
- </term>
- <listitem>
- <para>
- Restrict the user class for which the restriction apply. Note that
- with <option>item=[user|ruser|group]</option> this does not make sense,
- but for <option>item=[tty|rhost|shell]</option> it have a meaning.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>quiet</option>
- </term>
- <listitem>
- <para>
- Do not treat service refusals or missing list files as
- errors that need to be logged.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_listfile-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The services <option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option> are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>Authentication failure.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The rule does not apply to the <option>apply</option> option.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Error in service module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Success.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-examples'>
- <title>EXAMPLES</title>
- <para>
- Classic 'ftpusers' authentication can be implemented with this entry
- in <filename>/etc/pam.d/ftpd</filename>:
- <programlisting>
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
- </programlisting>
- Note, users listed in <filename>/etc/ftpusers</filename> file are
- (counterintuitively) <emphasis>not</emphasis> allowed access to
- the ftp service.
- </para>
- <para>
- To allow login access only for certain users, you can use a
- <filename>/etc/pam.d/login</filename> entry like this:
- <programlisting>
-#
-# permit login to users listed in /etc/loginusers
-#
-auth required pam_listfile.so \
- onerr=fail item=user sense=allow file=/etc/loginusers
- </programlisting>
- For this example to work, all users who are allowed to use the
- login service should be listed in the file
- <filename>/etc/loginusers</filename>. Unless you are explicitly
- trying to lock out root, make sure that when you do this, you leave
- a way for root to log in, either by listing root in
- <filename>/etc/loginusers</filename>, or by listing a user who is
- able to <emphasis>su</emphasis> to the root account.
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-author'>
- <title>AUTHOR</title>
- <para>
- pam_listfile was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;
- and Elliot Lee &lt;sopwith@cuc.edu&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c
deleted file mode 100644
index f276e5b8..00000000
--- a/modules/pam_listfile/pam_listfile.c
+++ /dev/null
@@ -1,462 +0,0 @@
-/*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. July 25, 1996.
- * log refused access error christopher mccrory <chrismcc@netus.com> 1998/7/11
- *
- * This code began life as the pam_rootok module.
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-#include <pwd.h>
-#include <grp.h>
-
-#ifdef DEBUG
-#include <assert.h>
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_PASSWORD
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* checks if a user is on a list of members */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* --- authentication management functions (only) --- */
-
-/* Extended Items that are not directly available via pam_get_item() */
-#define EI_GROUP (1 << 0)
-#define EI_SHELL (1 << 1)
-
-/* Constants for apply= parameter */
-#define APPLY_TYPE_NULL 0
-#define APPLY_TYPE_NONE 1
-#define APPLY_TYPE_USER 2
-#define APPLY_TYPE_GROUP 3
-
-#define LESSER(a, b) ((a) < (b) ? (a) : (b))
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2, quiet=0;
- const void *void_citemp;
- const char *citemp;
- char *ifname=NULL;
- char aline[256];
- char mybuf[256],myval[256];
- struct stat fileinfo;
- FILE *inf;
- char apply_val[256];
- int apply_type;
-
- /* Stuff for "extended" items */
- struct passwd *userinfo;
- struct group *grpinfo;
- char *itemlist[256]; /* Maximum of 256 items */
-
- apply_type=APPLY_TYPE_NULL;
- memset(apply_val,0,sizeof(apply_val));
-
- for(i=0; i < argc; i++) {
- {
- const char *junk;
-
- memset(mybuf,'\0',sizeof(mybuf));
- memset(myval,'\0',sizeof(mybuf));
- junk = strchr(argv[i], '=');
- if((junk == NULL) || (junk - argv[i]) >= (int) sizeof(mybuf)) {
- pam_syslog(pamh,LOG_ERR, "Bad option: \"%s\"",
- argv[i]);
- continue;
- }
- strncpy(mybuf, argv[i],
- LESSER(junk - argv[i], (int)sizeof(mybuf) - 1));
- strncpy(myval, junk + 1, sizeof(myval) - 1);
- }
- if(!strcmp(mybuf,"onerr"))
- if(!strcmp(myval,"succeed"))
- onerr = PAM_SUCCESS;
- else if(!strcmp(myval,"fail"))
- onerr = PAM_SERVICE_ERR;
- else {
- if (ifname) free (ifname);
- return PAM_SERVICE_ERR;
- }
- else if(!strcmp(mybuf,"sense"))
- if(!strcmp(myval,"allow"))
- sense=0;
- else if(!strcmp(myval,"deny"))
- sense=1;
- else {
- if (ifname) free (ifname);
- return onerr;
- }
- else if(!strcmp(mybuf,"file")) {
- if (ifname) free (ifname);
- ifname = (char *)malloc(strlen(myval)+1);
- if (!ifname)
- return PAM_BUF_ERR;
- strcpy(ifname,myval);
- } else if(!strcmp(mybuf,"item"))
- if(!strcmp(myval,"user"))
- citem = PAM_USER;
- else if(!strcmp(myval,"tty"))
- citem = PAM_TTY;
- else if(!strcmp(myval,"rhost"))
- citem = PAM_RHOST;
- else if(!strcmp(myval,"ruser"))
- citem = PAM_RUSER;
- else { /* These items are related to the user, but are not
- directly gettable with pam_get_item */
- citem = PAM_USER;
- if(!strcmp(myval,"group"))
- extitem = EI_GROUP;
- else if(!strcmp(myval,"shell"))
- extitem = EI_SHELL;
- else
- citem = 0;
- } else if(!strcmp(mybuf,"apply")) {
- apply_type=APPLY_TYPE_NONE;
- memset(apply_val,'\0',sizeof(apply_val));
- if (myval[0]=='@') {
- apply_type=APPLY_TYPE_GROUP;
- strncpy(apply_val,myval+1,sizeof(apply_val)-1);
- } else {
- apply_type=APPLY_TYPE_USER;
- strncpy(apply_val,myval,sizeof(apply_val)-1);
- }
- } else if (!strcmp(mybuf,"quiet")) {
- quiet = 1;
- } else {
- free(ifname);
- pam_syslog(pamh,LOG_ERR, "Unknown option: %s",mybuf);
- return onerr;
- }
- }
-
- if(!citem) {
- pam_syslog(pamh,LOG_ERR,
- "Unknown item or item not specified");
- free(ifname);
- return onerr;
- } else if(!ifname) {
- pam_syslog(pamh,LOG_ERR, "List filename not specified");
- return onerr;
- } else if(sense == 2) {
- pam_syslog(pamh,LOG_ERR,
- "Unknown sense or sense not specified");
- free(ifname);
- return onerr;
- } else if(
- (apply_type==APPLY_TYPE_NONE) ||
- ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0'))
- ) {
- pam_syslog(pamh,LOG_ERR,
- "Invalid usage for apply= parameter");
- free (ifname);
- return onerr;
- }
-
- /* Check if it makes sense to use the apply= parameter */
- if (apply_type != APPLY_TYPE_NULL) {
- if((citem==PAM_USER) || (citem==PAM_RUSER)) {
- pam_syslog(pamh,LOG_WARNING,
- "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- if(extitem && (extitem==EI_GROUP)) {
- pam_syslog(pamh,LOG_WARNING,
- "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- }
-
- /* Short-circuit - test if this session apply for this user */
- {
- const char *user_name;
- int rval;
-
- rval=pam_get_user(pamh,&user_name,NULL);
- if((rval==PAM_SUCCESS) && user_name && user_name[0]) {
- /* Got it ? Valid ? */
- if(apply_type==APPLY_TYPE_USER) {
- if(strcmp(user_name, apply_val)) {
- /* Does not apply to this user */
-#ifdef DEBUG
- pam_syslog(pamh,LOG_DEBUG,
- "don't apply: apply=%s, user=%s",
- apply_val,user_name);
-#endif /* DEBUG */
- free(ifname);
- return PAM_IGNORE;
- }
- } else if(apply_type==APPLY_TYPE_GROUP) {
- if(!pam_modutil_user_in_group_nam_nam(pamh,user_name,apply_val)) {
- /* Not a member of apply= group */
-#ifdef DEBUG
- pam_syslog(pamh,LOG_DEBUG,
-
- "don't apply: %s not a member of group %s",
- user_name,apply_val);
-#endif /* DEBUG */
- free(ifname);
- return PAM_IGNORE;
- }
- }
- }
- }
-
- retval = pam_get_item(pamh,citem,&void_citemp);
- citemp = void_citemp;
- if(retval != PAM_SUCCESS) {
- return onerr;
- }
- if((citem == PAM_USER) && !citemp) {
- retval = pam_get_user(pamh,&citemp,NULL);
- if (retval != PAM_SUCCESS || !citemp) {
- free(ifname);
- return PAM_SERVICE_ERR;
- }
- }
- if((citem == PAM_TTY) && citemp) {
- /* Normalize the TTY name. */
- if(strncmp(citemp, "/dev/", 5) == 0) {
- citemp += 5;
- }
- }
-
- if(!citemp || (strlen(citemp) == 0)) {
- free(ifname);
- /* The item was NULL - we are sure not to match */
- return sense?PAM_SUCCESS:PAM_AUTH_ERR;
- }
-
- if(extitem) {
- switch(extitem) {
- case EI_GROUP:
- userinfo = pam_modutil_getpwnam(pamh, citemp);
- if (userinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed",
- citemp);
- free(ifname);
- return onerr;
- }
- grpinfo = pam_modutil_getgrgid(pamh, userinfo->pw_gid);
- if (grpinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getgrgid(%d) failed",
- (int)userinfo->pw_gid);
- free(ifname);
- return onerr;
- }
- itemlist[0] = x_strdup(grpinfo->gr_name);
- setgrent();
- for (i=1; (i < (int)(sizeof(itemlist)/sizeof(itemlist[0])-1)) &&
- (grpinfo = getgrent()); ) {
- if (is_on_list(grpinfo->gr_mem,citemp)) {
- itemlist[i++] = x_strdup(grpinfo->gr_name);
- }
- }
- endgrent();
- itemlist[i] = NULL;
- break;
- case EI_SHELL:
- /* Assume that we have already gotten PAM_USER in
- pam_get_item() - a valid assumption since citem
- gets set to PAM_USER in the extitem switch */
- userinfo = pam_modutil_getpwnam(pamh, citemp);
- if (userinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed",
- citemp);
- free(ifname);
- return onerr;
- }
- citemp = userinfo->pw_shell;
- break;
- default:
- pam_syslog(pamh,LOG_ERR,
-
- "Internal weirdness, unknown extended item %d",
- extitem);
- free(ifname);
- return onerr;
- }
- }
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
-
- "Got file = %s, item = %d, value = %s, sense = %d",
- ifname, citem, citemp, sense);
-#endif
- if(lstat(ifname,&fileinfo)) {
- pam_syslog(pamh,LOG_ERR, "Couldn't open %s",ifname);
- free(ifname);
- return onerr;
- }
-
- if((fileinfo.st_mode & S_IWOTH)
- || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- pam_syslog(pamh,LOG_ERR,
- "%s is either world writable or not a normal file",
- ifname);
- free(ifname);
- return PAM_AUTH_ERR;
- }
-
- inf = fopen(ifname,"r");
- if(inf == NULL) { /* Check that we opened it successfully */
- if (onerr == PAM_SERVICE_ERR) {
- /* Only report if it's an error... */
- pam_syslog(pamh,LOG_ERR, "Error opening %s", ifname);
- }
- free(ifname);
- return onerr;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
-#ifdef DEBUG
- assert(PAM_SUCCESS == 0);
- assert(PAM_AUTH_ERR != 0);
-#endif
- if(extitem == EI_GROUP) {
- while((fgets(aline,sizeof(aline),inf) != NULL)
- && retval) {
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- for(i=0;itemlist[i];)
- /* If any of the items match, strcmp() == 0, and we get out
- of this loop */
- retval = (strcmp(aline,itemlist[i++]) && retval);
- }
- for(i=0;itemlist[i];)
- free(itemlist[i++]);
- } else {
- while((fgets(aline,sizeof(aline),inf) != NULL)
- && retval) {
- char *a = aline;
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\r')
- aline[strlen(aline) - 1] = '\0';
- if(citem == PAM_TTY)
- if(strncmp(a, "/dev/", 5) == 0)
- a += 5;
- retval = strcmp(a,citemp);
- }
- }
- fclose(inf);
- free(ifname);
- if ((sense && retval) || (!sense && !retval)) {
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
- "Returning PAM_SUCCESS, retval = %d", retval);
-#endif
- return PAM_SUCCESS;
- }
- else {
- const void *service;
- const char *user_name;
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
- "Returning PAM_AUTH_ERR, retval = %d", retval);
-#endif
- (void) pam_get_item(pamh, PAM_SERVICE, &service);
- (void) pam_get_user(pamh, &user_name, NULL);
- if (!quiet)
- pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s",
- user_name, (const char *)service);
- return PAM_AUTH_ERR;
- }
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_listfile_modstruct = {
- "pam_listfile",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif /* PAM_STATIC */
-
-/* end of module definition */
diff --git a/modules/pam_listfile/tst-pam_listfile b/modules/pam_listfile/tst-pam_listfile
deleted file mode 100755
index f555a9f5..00000000
--- a/modules/pam_listfile/tst-pam_listfile
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_listfile.so