summaryrefslogtreecommitdiff
path: root/modules/pam_nologin
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_nologin')
-rw-r--r--modules/pam_nologin/README15
-rw-r--r--modules/pam_nologin/pam_nologin.c189
2 files changed, 151 insertions, 53 deletions
diff --git a/modules/pam_nologin/README b/modules/pam_nologin/README
index 0586de66..11dc7635 100644
--- a/modules/pam_nologin/README
+++ b/modules/pam_nologin/README
@@ -5,8 +5,19 @@ This module always lets root in; it lets other users in only if the file
/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's
contents are displayed to the user.
+The default return value for this module is PAM_IGNORE, you can
+override this with the successok module argument.
+
module services provided:
- auth _authentication and _setcred (blank)
+ auth _authenticate and _setcred
+ account _acct_mgmt
+
+optional arguments:
+
+ file=<alternative-nologin-pathname> - choose a different file
+ successok - return PAM_SUCCESS if no file
+
+[Original README by Michael K. Johnson]
+
-Michael K. Johnson
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c
index 708f86de..7b2394af 100644
--- a/modules/pam_nologin/pam_nologin.c
+++ b/modules/pam_nologin/pam_nologin.c
@@ -27,67 +27,154 @@
#include <security/pam_modules.h>
-/* --- authentication management functions (only) --- */
+#include <security/_pam_modutil.h>
+
+/*
+ * parse some command line options
+ */
+struct opt_s {
+ int retval_when_nofile;
+ const char *nologin_file;
+};
+
+static void parse_args(pam_handle_t *pamh, int argc, const char **argv,
+ struct opt_s *opts)
+{
+ int i;
+
+ memset(opts, 0, sizeof(*opts));
+
+ opts->retval_when_nofile = PAM_IGNORE;
+ opts->nologin_file = "/etc/nologin";
+
+ for (i=0; i<argc; ++i) {
+ if (!strcmp("successok", argv[i])) {
+ opts->retval_when_nofile = PAM_SUCCESS;
+ } else if (!memcmp("file=", argv[i], 5)) {
+ opts->nologin_file = argv[i] + 5;
+ } else {
+ /* XXX - ignore for now. Later, we'll use the logging
+ function in pammodutils */
+ }
+ }
+}
+
+/*
+ * do the meat of the work for this module
+ */
+
+static int perform_check(pam_handle_t *pamh, struct opt_s *opts)
+{
+ const char *username;
+ int retval = PAM_SUCCESS;
+ int fd;
+
+ retval = opts->retval_when_nofile;
+
+ if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) {
+ return PAM_USER_UNKNOWN;
+ }
+
+ if ((fd = open(opts->nologin_file, O_RDONLY, 0)) >= 0) {
+
+ char *mtmp=NULL;
+ struct passwd *user_pwd;
+ struct pam_conv *conversation;
+ struct pam_message message;
+ struct pam_message *pmessage = &message;
+ struct pam_response *resp = NULL;
+ struct stat st;
+
+ user_pwd = _pammodutil_getpwnam(pamh, username);
+ if (user_pwd == NULL) {
+
+ retval = PAM_USER_UNKNOWN;
+ message.msg_style = PAM_ERROR_MSG;
+
+ } else if (user_pwd->pw_uid) {
+
+ retval = PAM_AUTH_ERR;
+ message.msg_style = PAM_ERROR_MSG;
+
+ } else {
+
+ /* root can still log in; lusers cannot */
+ message.msg_style = PAM_TEXT_INFO;
+
+ }
+
+ /* fill in message buffer with contents of /etc/nologin */
+ if (fstat(fd, &st) < 0) {
+ /* give up trying to display message */
+ goto clean_up_fd;
+ }
+
+ message.msg = mtmp = malloc(st.st_size+1);
+ if (!message.msg) {
+ /* if malloc failed... */
+ retval = PAM_BUF_ERR;
+ goto clean_up_fd;
+ }
+
+ read(fd, mtmp, st.st_size);
+ mtmp[st.st_size] = '\000';
+
+ /*
+ * Use conversation function to give user contents of /etc/nologin
+ */
+
+ pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
+ (void) conversation->conv(1, (const struct pam_message **)&pmessage,
+ &resp, conversation->appdata_ptr);
+ free(mtmp);
+
+ if (resp) {
+ _pam_drop_reply(resp, 1);
+ }
+
+ clean_up_fd:
+
+ close(fd);
+ }
+
+ return retval;
+}
+
+/* --- authentication management functions --- */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
- int retval = PAM_SUCCESS;
- int fd;
- const char *username;
- char *mtmp=NULL;
- struct passwd *user_pwd;
- struct pam_conv *conversation;
- struct pam_message message;
- struct pam_message *pmessage = &message;
- struct pam_response *resp = NULL;
- struct stat st;
-
- if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) {
- /* root can still log in; lusers cannot */
- if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)
- || !username) {
- return PAM_SERVICE_ERR;
- }
- user_pwd = getpwnam(username);
- if (user_pwd && user_pwd->pw_uid == 0) {
- message.msg_style = PAM_TEXT_INFO;
- } else {
- if (!user_pwd) {
- retval = PAM_USER_UNKNOWN;
- } else {
- retval = PAM_AUTH_ERR;
- }
- message.msg_style = PAM_ERROR_MSG;
- }
-
- /* fill in message buffer with contents of /etc/nologin */
- if (fstat(fd, &st) < 0) /* give up trying to display message */
- return retval;
- message.msg = mtmp = malloc(st.st_size+1);
- /* if malloc failed... */
- if (!message.msg) return retval;
- read(fd, mtmp, st.st_size);
- mtmp[st.st_size] = '\000';
-
- /* Use conversation function to give user contents of /etc/nologin */
- pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
- conversation->conv(1, (const struct pam_message **)&pmessage,
- &resp, conversation->appdata_ptr);
- free(mtmp);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
-
- return retval;
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return perform_check(pamh, &opts);
}
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
- return PAM_SUCCESS;
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return opts.retval_when_nofile;
+}
+
+/* --- account management function --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return perform_check(pamh, &opts);
}
@@ -99,7 +186,7 @@ struct pam_module _pam_nologin_modstruct = {
"pam_nologin",
pam_sm_authenticate,
pam_sm_setcred,
- NULL,
+ pam_sm_acct_mgmt,
NULL,
NULL,
NULL,