Diffstat (limited to 'modules/pam_time')
-rw-r--r--modules/pam_time/.cvsignore9
-rw-r--r--modules/pam_time/Makefile.am32
-rw-r--r--modules/pam_time/README.xml34
-rw-r--r--modules/pam_time/pam_time.8.xml183
-rw-r--r--modules/pam_time/pam_time.c687
-rw-r--r--modules/pam_time/time.conf65
-rw-r--r--modules/pam_time/time.conf.5.xml143
-rwxr-xr-xmodules/pam_time/tst-pam_time2
8 files changed, 0 insertions, 1155 deletions
diff --git a/modules/pam_time/.cvsignore b/modules/pam_time/.cvsignore
deleted file mode 100644
index cac9cca3..00000000
--- a/modules/pam_time/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_time.8
-time.conf.5
diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am
deleted file mode 100644
index 9c63ee5e..00000000
--- a/modules/pam_time/Makefile.am
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time
-
-man_MANS = time.conf.5 pam_time.8
-XMLS = README.xml time.conf.5.xml pam_time.8.xml
-
-TESTS = tst-pam_time
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-pam_time_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-securelib_LTLIBRARIES = pam_time.la
-secureconf_DATA = time.conf
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_time.8.xml time.conf.5.xml
--include $(top_srcdir)/Make.xml.rules
-endif
diff --git a/modules/pam_time/README.xml b/modules/pam_time/README.xml
deleted file mode 100644
index 6c11eec1..00000000
--- a/modules/pam_time/README.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamtime SYSTEM "pam_time.8.xml">
--->
-<!--
-<!ENTITY timeconf SYSTEM "time.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_time.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_time-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml
deleted file mode 100644
index e0b149a7..00000000
--- a/modules/pam_time/pam_time.8.xml
+++ /dev/null
@@ -1,183 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_time'>
-
- <refmeta>
- <refentrytitle>pam_time</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_time-name'>
- <refname>pam_time</refname>
- <refpurpose>
- PAM module for time control access
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_time-cmdsynopsis">
- <command>pam_time.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- noaudit
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_time-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_time PAM module does not authenticate the user, but instead
- it restricts access to a system and or specific applications at
- various times of the day and on specific days or over various
- terminal lines. This module can be configured to deny access to
- (individual) users based on their name, the time of day, the day of
- week, the service they are applying for and their terminal from which
- they are making their request.
- </para>
- <para>
- By default rules for time/port access are taken from config file
- <filename>/etc/security/time.conf</filename>.
- </para>
- <para>
- If Linux PAM is compiled with audit support the module will report
- when it denies access.
- </para>
- </refsect1>
-
- <refsect1 id="pam_time-options">
- <title>OPTIONS</title>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Some debug informations are printed with
- <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>noaudit</option>
- </term>
- <listitem>
- <para>
- Do not report logins at disallowed time to the audit subsystem.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_time-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>account</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_time-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Access was granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Not all relevant data could be gotten.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_PERM_DENIED</term>
- <listitem>
- <para>
- Access was not granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- The user is not known to the system.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_time-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/time.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_time-examples'>
- <title>EXAMPLES</title>
- <programlisting>
-#%PAM-1.0
-#
-# apply pam_time accounting to login requests
-#
-login account required pam_time.so
- </programlisting>
- </refsect1>
-
- <refsect1 id="pam_time-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>time.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_time-authors">
- <title>AUTHOR</title>
- <para>
- pam_time was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
deleted file mode 100644
index 8e3b2486..00000000
--- a/modules/pam_time/pam_time.c
+++ /dev/null
@@ -1,687 +0,0 @@
-/* pam_time module */
-
-/*
- * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/6/22
- * (File syntax and much other inspiration from the shadow package
- * shadow-960129)
- */
-
-#include "config.h"
-
-#include <sys/file.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <time.h>
-#include <syslog.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <netdb.h>
-
-#ifdef HAVE_LIBAUDIT
-#include <libaudit.h>
-#endif
-
-#define PAM_TIME_BUFLEN 1000
-#define FIELD_SEPARATOR ';' /* this is new as of .02 */
-
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_NO_AUDIT 0x0002
-
-#ifndef TRUE
-# define TRUE 1
-#endif
-#ifndef FALSE
-# define FALSE 0
-#endif
-
-typedef enum { AND, OR } operator;
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_ACCOUNT
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-#include <security/pam_ext.h>
-#include <security/pam_modutil.h>
-
-static int
-_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
-{
- int ctrl = 0;
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv, "debug")) {
- ctrl |= PAM_DEBUG_ARG;
- } else if (!strcmp(*argv, "noaudit")) {
- ctrl |= PAM_NO_AUDIT;
- } else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
- }
-
- return ctrl;
-}
-
-/* --- static functions for checking whether the user should be let in --- */
-
-static void
-shift_bytes(char *mem, int from, int by)
-{
- while (by-- > 0) {
- *mem = mem[from];
- ++mem;
- }
-}
-
-static int
-read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *to)
-{
- /* is buf set ? */
-
- if (! *buf) {
- *buf = (char *) malloc(PAM_TIME_BUFLEN);
- if (! *buf) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- D(("no memory"));
- return -1;
- }
- *from = *to = 0;
- fd = open(PAM_TIME_CONF, O_RDONLY);
- }
-
- /* do we have a file open ? return error */
-
- if (fd < 0 && *to <= 0) {
- pam_syslog(pamh, LOG_ERR, "error opening %s: %m", PAM_TIME_CONF);
- memset(*buf, 0, PAM_TIME_BUFLEN);
- _pam_drop(*buf);
- return -1;
- }
-
- /* check if there was a newline last time */
-
- if ((*to > *from) && (*to > 0)
- && ((*buf)[*from] == '\0')) { /* previous line ended */
- (*from)++;
- (*buf)[0] = '\0';
- return fd;
- }
-
- /* ready for more data: first shift the buffer's remaining data */
-
- *to -= *from;
- shift_bytes(*buf, *from, *to);
- *from = 0;
- (*buf)[*to] = '\0';
-
- while (fd >= 0 && *to < PAM_TIME_BUFLEN) {
- int i;
-
- /* now try to fill the remainder of the buffer */
-
- i = read(fd, *to + *buf, PAM_TIME_BUFLEN - *to);
- if (i < 0) {
- pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_TIME_CONF);
- close(fd);
- return -1;
- } else if (!i) {
- close(fd);
- fd = -1; /* end of file reached */
- } else
- *to += i;
-
- /*
- * contract the buffer. Delete any comments, and replace all
- * multiple spaces with single commas
- */
-
- i = 0;
-#ifdef DEBUG_DUMP
- D(("buffer=<%s>",*buf));
-#endif
- while (i < *to) {
- if ((*buf)[i] == ',') {
- int j;
-
- for (j=++i; j<*to && (*buf)[j] == ','; ++j);
- if (j!=i) {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- }
- }
- switch ((*buf)[i]) {
- int j,c;
- case '#':
- c = 0;
- for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j);
- if (j >= *to) {
- (*buf)[*to = ++i] = '\0';
- } else if (c == '\n') {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- ++i;
- } else {
- pam_syslog(pamh, LOG_CRIT,
- "internal error in file %s at line %d",
- __FILE__, __LINE__);
- close(fd);
- return -1;
- }
- break;
- case '\\':
- if ((*buf)[i+1] == '\n') {
- shift_bytes(i + *buf, 2, *to - (i+2));
- *to -= 2;
- } else {
- ++i; /* we don't escape non-newline characters */
- }
- break;
- case '!':
- case ' ':
- case '\t':
- if ((*buf)[i] != '!')
- (*buf)[i] = ',';
- /* delete any trailing spaces */
- for (j=++i; j < *to && ( (c = (*buf)[j]) == ' '
- || c == '\t' ); ++j);
- shift_bytes(i + *buf, j-i, (*to)-j );
- *to -= j-i;
- break;
- default:
- ++i;
- }
- }
- }
-
- (*buf)[*to] = '\0';
-
- /* now return the next field (set the from/to markers) */
- {
- int i;
-
- for (i=0; i<*to; ++i) {
- switch ((*buf)[i]) {
- case '#':
- case '\n': /* end of the line/file */
- (*buf)[i] = '\0';
- *from = i;
- return fd;
- case FIELD_SEPARATOR: /* end of the field */
- (*buf)[i] = '\0';
- *from = ++i;
- return fd;
- }
- }
- *from = i;
- (*buf)[*from] = '\0';
- }
-
- if (*to <= 0) {
- D(("[end of text]"));
- *buf = NULL;
- }
-
- return fd;
-}
-
-/* read a member from a field */
-
-static int
-logic_member(const char *string, int *at)
-{
- int c,to;
- int done=0;
- int token=0;
-
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.' || c == '/' || c == ':') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-typedef enum { VAL, OP } expect;
-
-static int
-logic_field(pam_handle_t *pamh, const void *me, const char *x, int rule,
- int (*agrees)(pam_handle_t *pamh,
- const void *, const char *, int, int))
-{
- int left=FALSE, right, not=FALSE;
- operator oper=OR;
- int at=0, l;
- expect next=VAL;
-
- while ((l = logic_member(x,&at))) {
- int c = x[at];
-
- if (next == VAL) {
- if (c == '!')
- not = !not;
- else if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.' || c == '/' || c == ':') {
- right = not ^ agrees(pamh, me, x+at, l, rule);
- if (oper == AND)
- left &= right;
- else
- left |= right;
- next = OP;
- } else {
- pam_syslog(pamh, LOG_ERR,
- "garbled syntax; expected name (rule #%d)",
- rule);
- return FALSE;
- }
- } else { /* OP */
- switch (c) {
- case '&':
- oper = AND;
- break;
- case '|':
- oper = OR;
- break;
- default:
- pam_syslog(pamh, LOG_ERR,
- "garbled syntax; expected & or | (rule #%d)",
- rule);
- D(("%c at %d",c,at));
- return FALSE;
- }
- next = VAL;
- }
- at += l;
- }
-
- return left;
-}
-
-static int
-is_same(pam_handle_t *pamh UNUSED, const void *A, const char *b,
- int len, int rule UNUSED)
-{
- int i;
- const char *a;
-
- a = A;
- for (i=0; len > 0; ++i, --len) {
- if (b[i] != a[i]) {
- if (b[i++] == '*') {
- return (!--len || !strncmp(b+i,a+strlen(a)-len,len));
- } else
- return FALSE;
- }
- }
-
- /* Ok, we know that b is a substring from A and does not contain
- wildcards, but now the length of both strings must be the same,
- too. */
- if (strlen (a) != strlen(b))
- return FALSE;
-
- return ( !len );
-}
-
-typedef struct {
- int day; /* array of 7 bits, one set for today */
- int minute; /* integer, hour*100+minute for now */
-} TIME;
-
-static struct day {
- const char *d;
- int bit;
-} const days[11] = {
- { "su", 01 },
- { "mo", 02 },
- { "tu", 04 },
- { "we", 010 },
- { "th", 020 },
- { "fr", 040 },
- { "sa", 0100 },
- { "wk", 076 },
- { "wd", 0101 },
- { "al", 0177 },
- { NULL, 0 }
-};
-
-static TIME
-time_now(void)
-{
- struct tm *local;
- time_t the_time;
- TIME this;
-
- the_time = time((time_t *)0); /* get the current time */
- local = localtime(&the_time);
- this.day = days[local->tm_wday].bit;
- this.minute = local->tm_hour*100 + local->tm_min;
-
- D(("day: 0%o, time: %.4d", this.day, this.minute));
- return this;
-}
-
-/* take the current date and see if the range "date" passes it */
-static int
-check_time(pam_handle_t *pamh, const void *AT, const char *times,
- int len, int rule)
-{
- int not,pass;
- int marked_day, time_start, time_end;
- const TIME *at;
- int i,j=0;
-
- at = AT;
- D(("chcking: 0%o/%.4d vs. %s", at->day, at->minute, times));
-
- if (times == NULL) {
- /* this should not happen */
- pam_syslog(pamh, LOG_CRIT,
- "internal error in file %s at line %d",
- __FILE__, __LINE__);
- return FALSE;
- }
-
- if (times[j] == '!') {
- ++j;
- not = TRUE;
- } else {
- not = FALSE;
- }
-
- for (marked_day = 0; len > 0 && isalpha(times[j]); --len) {
- int this_day=-1;
-
- D(("%c%c ?", times[j], times[j+1]));
- for (i=0; days[i].d != NULL; ++i) {
- if (tolower(times[j]) == days[i].d[0]
- && tolower(times[j+1]) == days[i].d[1] ) {
- this_day = days[i].bit;
- break;
- }
- }
- j += 2;
- if (this_day == -1) {
- pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule);
- return FALSE;
- }
- marked_day ^= this_day;
- }
- if (marked_day == 0) {
- pam_syslog(pamh, LOG_ERR, "no day specified");
- return FALSE;
- }
- D(("day range = 0%o", marked_day));
-
- time_start = 0;
- for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) {
- time_start *= 10;
- time_start += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
-
- if (times[j] == '-') {
- time_end = 0;
- for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) {
- time_end *= 10;
- time_end += times[i+j]-'0'; /* is this portable */
- }
- j += i;
- } else
- time_end = -1;
-
- D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j]));
- if (i != 5 || time_end == -1) {
- pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule);
- return TRUE;
- }
- D(("times(%d to %d)", time_start,time_end));
- D(("marked_day = 0%o", marked_day));
-
- /* compare with the actual time now */
-
- pass = FALSE;
- if (time_start < time_end) { /* start < end ? --> same day */
- if ((at->day & marked_day) && (at->minute >= time_start)
- && (at->minute < time_end)) {
- D(("time is listed"));
- pass = TRUE;
- }
- } else { /* spans two days */
- if ((at->day & marked_day) && (at->minute >= time_start)) {
- D(("caught on first day"));
- pass = TRUE;
- } else {
- marked_day <<= 1;
- marked_day |= (marked_day & 0200) ? 1:0;
- D(("next day = 0%o", marked_day));
- if ((at->day & marked_day) && (at->minute <= time_end)) {
- D(("caught on second day"));
- pass = TRUE;
- }
- }
- }
-
- return (not ^ pass);
-}
-
-static int
-check_account(pam_handle_t *pamh, const char *service,
- const char *tty, const char *user)
-{
- int from=0,to=0,fd=-1;
- char *buffer=NULL;
- int count=0;
- TIME here_and_now;
- int retval=PAM_SUCCESS;
-
- here_and_now = time_now(); /* find current time */
- do {
- int good=TRUE,intime;
-
- /* here we get the service name field */
-
- fd = read_field(pamh, fd, &buffer, &from, &to);
-
- if (!buffer || !buffer[0]) {
- /* empty line .. ? */
- continue;
- }
- ++count;
-
- good = logic_field(pamh, service, buffer, count, is_same);
- D(("with service: %s", good ? "passes":"fails" ));
-
- /* here we get the terminal name field */
-
- fd = read_field(pamh, fd, &buffer, &from, &to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no tty entry #%d", PAM_TIME_CONF, count);
- continue;
- }
- good &= logic_field(pamh, tty, buffer, count, is_same);
- D(("with tty: %s", good ? "passes":"fails" ));
-
- /* here we get the username field */
-
- fd = read_field(pamh, fd, &buffer, &from, &to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no user entry #%d", PAM_TIME_CONF, count);
- continue;
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
- good &= innetgr (&buffer[1], NULL, user, NULL);
- else
- good &= logic_field(pamh, user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
-
- /* here we get the time field */
-
- fd = read_field(pamh, fd, &buffer, &from, &to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no time entry #%d", PAM_TIME_CONF, count);
- continue;
- }
-
- intime = logic_field(pamh, &here_and_now, buffer, count, check_time);
- D(("with time: %s", intime ? "passes":"fails" ));
-
- fd = read_field(pamh, fd, &buffer, &from, &to);
- if (buffer && buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: poorly terminated rule #%d", PAM_TIME_CONF, count);
- continue;
- }
-
- if (good && !intime) {
- /*
- * for security parse whole file.. also need to ensure
- * that the buffer is free()'d and the file is closed.
- */
- retval = PAM_PERM_DENIED;
- } else {
- D(("rule passed"));
- }
- } while (buffer);
-
- return retval;
-}
-
-/* --- public account management functions --- */
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- const void *service=NULL, *void_tty=NULL;
- const char *tty;
- const char *user=NULL;
- int ctrl;
- int rv;
-
- ctrl = _pam_parse(pamh, argc, argv);
-
- /* set service name */
-
- if (pam_get_item(pamh, PAM_SERVICE, &service)
- != PAM_SUCCESS || service == NULL) {
- pam_syslog(pamh, LOG_ERR, "cannot find the current service name");
- return PAM_ABORT;
- }
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- pam_syslog(pamh, LOG_ERR, "can not get the username");
- return PAM_USER_UNKNOWN;
- }
-
- /* set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS
- || void_tty == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- tty = "";
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "couldn't set tty name");
- return PAM_ABORT;
- }
- }
- else
- tty = void_tty;
-
- if (tty[0] == '/') { /* full path */
- const char *t;
- tty++;
- if ((t = strchr(tty, '/')) != NULL) {
- tty = t + 1;
- }
- }
-
- /* good, now we have the service name, the user and the terminal name */
-
- D(("service=%s", service));
- D(("user=%s", user));
- D(("tty=%s", tty));
-
- rv = check_account(pamh, service, tty, user);
- if (rv != PAM_SUCCESS) {
-#ifdef HAVE_LIBAUDIT
- if (!(ctrl & PAM_NO_AUDIT)) {
- pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME,
- "pam_time", rv); /* ignore return value as we fail anyway */
- }
-#endif
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user);
- }
- }
- return rv;
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_time_modstruct = {
- "pam_time",
- NULL,
- NULL,
- pam_sm_acct_mgmt,
- NULL,
- NULL,
- NULL
-};
-#endif
diff --git a/modules/pam_time/time.conf b/modules/pam_time/time.conf
deleted file mode 100644
index c7b7989c..00000000
--- a/modules/pam_time/time.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# this is an example configuration file for the pam_time module. Its syntax
-# was initially based heavily on that of the shadow package (shadow-960129).
-#
-# the syntax of the lines is as follows:
-#
-# services;ttys;users;times
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). As should be clear from reading these comments,
-# text following a '#' is ignored to the end of the line.
-#
-# the combination of individual users/terminals etc is a logic list
-# namely individual tokens that are optionally prefixed with '!' (logical
-# not) and separated with '&' (logical and) and '|' (logical or).
-#
-# services
-# is a logic list of PAM service names that the rule applies to.
-#
-# ttys
-# is a logic list of terminal names that this rule applies to.
-#
-# users
-# is a logic list of users or a netgroup of users to whom this
-# rule applies.
-#
-# NB. For these items the simple wildcard '*' may be used only once.
-#
-# times
-# the format here is a logic list of day/time-range
-# entries the days are specified by a sequence of two character
-# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
-# that repeated days are unset MoMo = no day, and MoWk = all weekdays
-# bar Monday. The two character combinations accepted are
-#
-# Mo Tu We Th Fr Sa Su Wk Wd Al
-#
-# the last two being week-end days and all 7 days of the week
-# respectively. As a final example, AlFr means all days except Friday.
-#
-# each day/time-range can be prefixed with a '!' to indicate "anything
-# but"
-#
-# The time-range part is two 24-hour times HHMM separated by a hyphen
-# indicating the start and finish time (if the finish time is smaller
-# than the start time it is deemed to apply on the following day).
-#
-# for a rule to be active, ALL of service+ttys+users must be satisfied
-# by the applying process.
-#
-
-#
-# Here is a simple example: running blank on tty* (any ttyXXX device),
-# the users 'you' and 'me' are denied service all of the time
-#
-
-#blank;tty* & !ttyp*;you|me;!Al0000-2400
-
-# Another silly example, user 'root' is denied xsh access
-# from pseudo terminals at the weekend and on mondays.
-
-#xsh;ttyp*;root;!WdMo0000-2400
-
-#
-# End of example file.
-#
diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml
deleted file mode 100644
index 224fda34..00000000
--- a/modules/pam_time/time.conf.5.xml
+++ /dev/null
@@ -1,143 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="time.conf">
-
- <refmeta>
- <refentrytitle>time.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>time.conf</refname>
- <refpurpose>configuration file for the pam_time module</refpurpose>
- </refnamediv>
-
- <refsect1 id='time.conf-description'>
- <title>DESCRIPTION</title>
-
- <para>
- The pam_time PAM module does not authenticate the user, but instead
- it restricts access to a system and or specific applications at
- various times of the day and on specific days or over various
- terminal lines. This module can be configured to deny access to
- (individual) users based on their name, the time of day, the day of
- week, the service they are applying for and their terminal from which
- they are making their request.
- </para>
- <para>
- For this module to function correctly there must be a correctly
- formatted <filename>/etc/security/time.conf</filename> file present.
- White spaces are ignored and lines maybe extended with '\' (escaped
- newlines). Text following a '#' is ignored to the end of the line.
- </para>
-
- <para>
- The syntax of the lines is as follows:
- </para>
-
- <para>
- <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>
- </para>
- <para>
- In words, each rule occupies a line, terminated with a newline
- or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'.
- It contains four fields separated with semicolons,
- '<emphasis remap='B'>;</emphasis>'.
- </para>
-
- <para>
- The first field, the <replaceable>services</replaceable> field,
- is a logic list of PAM service names that the rule applies to.
- </para>
-
- <para>
- The second field, the <replaceable>tty</replaceable>
- field, is a logic list of terminal names that this rule applies to.
- </para>
-
- <para>
- The third field, the <replaceable>users</replaceable>
- field, is a logic list of users or a netgroup of users to whom this
- rule applies.
- </para>
-
- <para>
- For these items the simple wildcard '*' may be used only once.
- With netgroups no wildcards or logic operators are allowed.
- </para>
-
- <para>
- The <replaceable>times</replaceable> field is used to indicate the times
- at which this rule applies. The format here is a logic
- list of day/time-range entries. The days are specified by a sequence of
- two character entries, MoTuSa for example is Monday Tuesday and Saturday.
- Note that repeated days are unset MoMo = no day, and MoWk = all weekdays
- bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa
- Su Wk Wd Al, the last two being week-end days and all 7 days of the week
- respectively. As a final example, AlFr means all days except Friday.
- </para>
- <para>
- Each day/time-range can be prefixed with a '!' to indicate
- "anything but".
- The time-range part is two 24-hour times HHMM, separated by a hyphen,
- indicating the start and finish time (if the finish time is smaller
- than the start time it is deemed to apply on the following day).
- </para>
-
- <para>
- For a rule to be active, ALL of service+ttys+users must be satisfied
- by the applying process.
- </para>
- <para>
- Note, currently there is no daemon enforcing the end of a session.
- This needs to be remedied.
- </para>
- <para>
- Poorly formatted rules are logged as errors using
- <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="time.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/time.conf</filename>.
- </para>
- <para>
- All users except for <emphasis>root</emphasis> are denied access
- to console-login at all times:
- <programlisting>
-login ; tty* &amp; !ttyp* ; !root ; !Al0000-2400
- </programlisting>
- </para>
-
- <para>
- Games (configured to use PAM) are only to be accessed out of
- working hours. This rule does not apply to the user
- <emphasis>waster</emphasis>:
- <programlisting>
-games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id="time.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="time.conf-author">
- <title>AUTHOR</title>
- <para>
- pam_time was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_time/tst-pam_time b/modules/pam_time/tst-pam_time
deleted file mode 100755
index 030717bb..00000000
--- a/modules/pam_time/tst-pam_time
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_time.so