summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_limits/pam_limits.c83
1 files changed, 38 insertions, 45 deletions
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 10ff8969..ffd51e78 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -93,18 +93,7 @@ struct pam_limit_s {
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include <security/_pam_modutil.h>
-
-/* logging */
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pam_limits", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
+#include <security/pam_ext.h>
/* argument parsing */
@@ -112,7 +101,9 @@ static void _pam_log(int err, const char *format, ...)
#define PAM_DO_SETREUID 0x0002
#define PAM_UTMP_EARLY 0x0004
-static int _pam_parse(int argc, const char **argv, struct pam_limit_s *pl)
+static int
+_pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
+ struct pam_limit_s *pl)
{
int ctrl=0;
@@ -130,7 +121,7 @@ static int _pam_parse(int argc, const char **argv, struct pam_limit_s *pl)
} else if (!strcmp(*argv,"utmp_early")) {
ctrl |= PAM_UTMP_EARLY;
} else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
+ pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
}
}
pl->conf_file[sizeof(pl->conf_file) - 1] = '\0';
@@ -152,14 +143,14 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
int count;
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "checking logins for '%s' (maximum of %d)\n",
+ pam_syslog(pamh,LOG_DEBUG, "checking logins for '%s' (maximum of %d)\n",
name, limit);
}
if (limit < 0)
return 0; /* no limits imposed */
if (limit == 0) /* maximum 0 logins ? */ {
- _pam_log(LOG_WARNING, "No logins allowed for '%s'\n", name);
+ pam_syslog(pamh,LOG_WARNING, "No logins allowed for '%s'\n", name);
return LOGIN_ERR;
}
@@ -209,10 +200,10 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
endutent();
if (count > limit) {
if (name) {
- _pam_log(LOG_WARNING, "Too many logins (max %d) for %s",
+ pam_syslog(pamh,LOG_WARNING, "Too many logins (max %d) for %s",
limit, name);
} else {
- _pam_log(LOG_WARNING, "Too many system logins (max %d)", limit);
+ pam_syslog(pamh,LOG_WARNING, "Too many system logins (max %d)", limit);
}
return LOGIN_ERR;
}
@@ -250,9 +241,10 @@ static int init_limits(struct pam_limit_s *pl)
return retval;
}
-static void process_limit(int source, const char *lim_type,
- const char *lim_item, const char *lim_value,
- int ctrl, struct pam_limit_s *pl)
+static void
+process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+ const char *lim_item, const char *lim_value,
+ int ctrl, struct pam_limit_s *pl)
{
int limit_item;
int limit_type = 0;
@@ -262,7 +254,7 @@ static void process_limit(int source, const char *lim_type,
const char *value_orig = lim_value;
if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG, "%s: processing %s %s %s for %s\n",
+ pam_syslog(pamh,LOG_DEBUG, "%s: processing %s %s %s for %s\n",
__FUNCTION__,lim_type,lim_item,lim_value,
limits_def_names[source]);
@@ -315,7 +307,7 @@ static void process_limit(int source, const char *lim_type,
} else if (strcmp(lim_item, "priority") == 0) {
limit_item = LIMIT_PRI;
} else {
- _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item);
+ pam_syslog(pamh,LOG_DEBUG,"unknown limit item '%s'", lim_item);
return;
}
@@ -326,7 +318,7 @@ static void process_limit(int source, const char *lim_type,
else if (strcmp(lim_type,"-")==0)
limit_type=LIMIT_SOFT | LIMIT_HARD;
else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) {
- _pam_log(LOG_DEBUG,"unknown limit type '%s'", lim_type);
+ pam_syslog(pamh,LOG_DEBUG,"unknown limit type '%s'", lim_type);
return;
}
if (limit_item != LIMIT_PRI
@@ -348,7 +340,7 @@ static void process_limit(int source, const char *lim_type,
temp = temp < INT_MAX ? temp : INT_MAX;
int_value = temp > INT_MIN ? temp : INT_MIN;
if (int_value == 0 && value_orig == endptr) {
- _pam_log(LOG_DEBUG, "wrong limit value '%s' for limit type '%s'",
+ pam_syslog(pamh,LOG_DEBUG, "wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
return;
}
@@ -359,7 +351,7 @@ static void process_limit(int source, const char *lim_type,
rlimit_value = strtoul (lim_value, &endptr, 10);
#endif
if (rlimit_value == 0 && value_orig == endptr) {
- _pam_log(LOG_DEBUG, "wrong limit value '%s' for limit type '%s'",
+ pam_syslog(pamh,LOG_DEBUG, "wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
return;
}
@@ -369,7 +361,7 @@ static void process_limit(int source, const char *lim_type,
if ((source == LIMITS_DEF_ALL || source == LIMITS_DEF_ALLGROUP)
&& (limit_item != LIMIT_LOGIN)) {
if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,
+ pam_syslog(pamh,LOG_DEBUG,
"'%%' domain valid for maxlogins type only");
return;
}
@@ -442,10 +434,11 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl,
#define CONF_FILE (pl->conf_file[0])?pl->conf_file:LIMITS_FILE
/* check for the LIMITS_FILE */
if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"reading settings from '%s'", CONF_FILE);
+ pam_syslog(pamh,LOG_DEBUG,"reading settings from '%s'", CONF_FILE);
fil = fopen(CONF_FILE, "r");
if (fil == NULL) {
- _pam_log (LOG_WARNING, "can not read settings from %s", CONF_FILE);
+ pam_syslog (pamh, LOG_WARNING,
+ "can not read settings from %s", CONF_FILE);
return PAM_SERVICE_ERR;
}
#undef CONF_FILE
@@ -501,48 +494,48 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl,
if (i == 4) { /* a complete line */
if (strcmp(uname, domain) == 0) /* this user have a limit */
- process_limit(LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
else if (domain[0]=='@') {
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "checking if %s is in group %s",
+ pam_syslog(pamh,LOG_DEBUG, "checking if %s is in group %s",
uname, domain + 1);
}
if (_pammodutil_user_in_group_nam_nam(pamh, uname, domain+1))
- process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
} else if (domain[0]=='%') {
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "checking if %s is in group %s",
+ pam_syslog(pamh,LOG_DEBUG, "checking if %s is in group %s",
uname, domain + 1);
}
if (strcmp(domain,"%") == 0)
- process_limit(LIMITS_DEF_ALL, ltype, item, value, ctrl,
+ process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl,
pl);
else if (_pammodutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
strcpy(pl->login_group, domain+1);
- process_limit(LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
pl);
}
} else if (strcmp(domain, "*") == 0)
- process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
} else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
if (strcmp(uname, domain) == 0) {
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "no limits for '%s'", uname);
+ pam_syslog(pamh,LOG_DEBUG, "no limits for '%s'", uname);
}
fclose(fil);
return PAM_IGNORE;
} else if (domain[0] == '@' && _pammodutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "no limits for '%s' in group '%s'",
+ pam_syslog(pamh,LOG_DEBUG, "no limits for '%s' in group '%s'",
uname, domain+1);
}
fclose(fil);
return PAM_IGNORE;
}
} else {
- _pam_log(LOG_DEBUG,"invalid line '%s' - skipped", buf);
+ pam_syslog(pamh,LOG_DEBUG,"invalid line '%s' - skipped", buf);
}
}
fclose(fil);
@@ -561,7 +554,7 @@ static int setup_limits(pam_handle_t *pamh,
/* do not impose limits (+ve limits anyway) on the superuser */
if (pl->priority > 0) {
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_DEBUG, "user '%s' has UID 0 - no limits imposed",
+ pam_syslog(pamh,LOG_DEBUG, "user '%s' has UID 0 - no limits imposed",
uname);
}
pl->priority = 0;
@@ -620,24 +613,24 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
memset(&pl, 0, sizeof(pl));
- ctrl = _pam_parse(argc, argv, &pl);
+ ctrl = _pam_parse(pamh, argc, argv, &pl);
retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _pam_log(LOG_CRIT, "open_session - error recovering username");
+ pam_syslog(pamh,LOG_CRIT, "open_session - error recovering username");
return PAM_SESSION_ERR;
}
pwd = getpwnam(user_name);
if (!pwd) {
if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_WARNING, "open_session username '%s' does not exist",
+ pam_syslog(pamh,LOG_WARNING, "open_session username '%s' does not exist",
user_name);
return PAM_SESSION_ERR;
}
retval = init_limits(&pl);
if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "cannot initialize");
+ pam_syslog(pamh,LOG_WARNING, "cannot initialize");
return PAM_ABORT;
}
@@ -647,7 +640,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
return PAM_SUCCESS;
}
if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "error parsing the configuration file");
+ pam_syslog(pamh,LOG_WARNING, "error parsing the configuration file");
return retval;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-18 06:28:35 +0000