summaryrefslogtreecommitdiff
path: root/modules/pam_securetty/pam_securetty.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_securetty/pam_securetty.c')
-rw-r--r--modules/pam_securetty/pam_securetty.c110
1 files changed, 76 insertions, 34 deletions
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 9e6121e8..c69180ab 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -21,8 +21,7 @@
#include <stdarg.h>
#include <pwd.h>
#include <string.h>
-
-#define PAM_SM_AUTH
+#include <ctype.h>
/*
* here, we make a definition for the externally accessible function
@@ -32,6 +31,7 @@
*/
#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
@@ -71,31 +71,30 @@ static int _pam_parse(int argc, const char **argv)
return ctrl;
}
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
+static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl,
+ const char *function_name)
{
int retval = PAM_AUTH_ERR;
const char *username;
char *uttyname;
char ttyfileline[256];
+ char ptname[256];
struct stat ttyfileinfo;
struct passwd *user_pwd;
FILE *ttyfile;
- int ctrl;
- /* parse the arguments */
- ctrl = _pam_parse(argc, argv);
+ /* log a trail for debugging */
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_DEBUG, "pam_securetty called via %s function",
+ function_name);
+ }
retval = pam_get_user(pamh, &username, NULL);
if (retval != PAM_SUCCESS || username == NULL) {
if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_WARNING, "cannot determine username");
}
- return (retval == PAM_CONV_AGAIN
- ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
+ return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
}
retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname);
@@ -107,8 +106,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
}
/* The PAM_TTY item may be prefixed with "/dev/" - skip that */
- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
uttyname += sizeof(TTY_PREFIX)-1;
+ }
user_pwd = getpwnam(username);
if (user_pwd == NULL) {
@@ -126,8 +126,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
error. */
}
- if ((ttyfileinfo.st_mode & S_IWOTH)
- || !S_ISREG(ttyfileinfo.st_mode)) {
+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
/* If the file is world writable or is not a
normal file, return error */
_pam_log(LOG_ERR, SECURETTY_FILE
@@ -136,39 +135,82 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
}
ttyfile = fopen(SECURETTY_FILE,"r");
- if(ttyfile == NULL) { /* Check that we opened it successfully */
+ if (ttyfile == NULL) { /* Check that we opened it successfully */
_pam_log(LOG_ERR,
"Error opening " SECURETTY_FILE);
return PAM_SERVICE_ERR;
}
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
- while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
- && retval) {
- if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
+
+ if (isdigit(uttyname[0])) {
+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+ } else {
+ ptname[0] = '\0';
+ }
+
+ retval = 1;
+
+ while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+ && retval) {
+ if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
ttyfileline[strlen(ttyfileline) - 1] = '\0';
- retval = strcmp(ttyfileline,uttyname);
+
+ retval = ( strcmp(ttyfileline, uttyname)
+ && (!ptname[0] || strcmp(ptname, uttyname)) );
}
fclose(ttyfile);
- if(retval) {
- if (ctrl & PAM_DEBUG_ARG)
+
+ if (retval) {
+ if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !",
uttyname);
+ }
retval = PAM_AUTH_ERR;
+
+ } else {
+ if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
+ _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
+ username, uttyname);
+ }
+ retval = PAM_SUCCESS;
+
}
- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG))
- _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
- username, uttyname);
+
return retval;
}
+/* --- authentication management functions --- */
+
PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
{
- return PAM_SUCCESS;
+ int ctrl;
+
+ /* parse the arguments */
+ ctrl = _pam_parse(argc, argv);
+
+ return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__);
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ int ctrl;
+
+ /* parse the arguments */
+ ctrl = _pam_parse(argc, argv);
+
+ /* take the easy route */
+ return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__);
}
@@ -180,12 +222,12 @@ struct pam_module _pam_securetty_modstruct = {
"pam_securetty",
pam_sm_authenticate,
pam_sm_setcred,
- NULL,
+ pam_sm_acct_mgmt,
NULL,
NULL,
NULL,
};
-#endif
+#endif /* PAM_STATIC */
/* end of module definition */