From efd31890b5ed496a5a00c08a262da240e66a4ddc Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Thu, 3 Jan 2019 12:44:11 -0800
Subject: New upstream version 0.76

---
 modules/pam_listfile/.cvsignore | 1 -
 modules/pam_listfile/Makefile | 15 --
 modules/pam_listfile/README | 25 --
 modules/pam_listfile/pam_listfile.c | 439 ------------------------------------
 4 files changed, 480 deletions(-)
 delete mode 100644 modules/pam_listfile/.cvsignore
 delete mode 100644 modules/pam_listfile/Makefile
 delete mode 100644 modules/pam_listfile/README
 delete mode 100644 modules/pam_listfile/pam_listfile.c
(limited to 'modules/pam_listfile')

diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore
deleted file mode 100644
index 380a834a..00000000
--- a/modules/pam_listfile/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-dynamic
diff --git a/modules/pam_listfile/Makefile b/modules/pam_listfile/Makefile
deleted file mode 100644
index 18315256..00000000
--- a/modules/pam_listfile/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# $Id$
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Andrew Morgan 2000/08/27
-#
-
-include ../../Make.Rules
-
-TITLE=pam_listfile
-
-include ../Simple.Rules
diff --git a/modules/pam_listfile/README b/modules/pam_listfile/README
deleted file mode 100644
index b65e7dbb..00000000
--- a/modules/pam_listfile/README
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY:
- pam_listfile:
- Checks a specified item against a list in a file.
- Options:
- * item=[tty|user|rhost|ruser|group|shell]
- * sense=[allow|deny] (action to take if found in file,
- if the item is NOT found in the file, then
- the opposite action is requested)
- * file=/the/file/to/get/the/list/from
- * onerr=[succeed|fail] (if something weird happens
- such as unable to open the file, what to do?)
- * apply=[user|@group]
- restrict the user class for which the restriction
- apply. Note that with item=[user|ruser|group] this
- does not make sense, but for item=[tty|rhost|shell]
- it have a meaning. (Cristian Gafton)
-
- Also checks to make sure that the list file is a plain
- file and not world writable.
-
- - Elliot Lee , Red Hat Software.
- v0.9 August 16, 1996.
-
-BUGS:
- Bugs?
diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c
deleted file mode 100644
index b560b4b6..00000000
--- a/modules/pam_listfile/pam_listfile.c
+++ /dev/null
@@ -1,439 +0,0 @@
-/*
- * $Id$
- *
- */
-
-/*
- * by Elliot Lee , Red Hat Software. July 25, 1996.
- * log refused access error christopher mccrory 1998/7/11
- *
- * This code began life as the pam_rootok module.
- */
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifdef DEBUG
-#include
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include
-#include
-
-/* some syslogging */
-
-#define LOCAL_LOG_PREFIX "PAM-listfile: "
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- vsyslog(LOG_AUTH | err, format, args);
- va_end(args);
-}
-
-/* checks if a user is on a list of members */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* Checks if a user is a member of a group */
-static int is_on_group(const char *user_name, const char *group_name)
-{
- struct passwd *pwd;
- struct group *grp, *pgrp;
- char uname[BUFSIZ], gname[BUFSIZ];
-
- if (!strlen(user_name))
- return 0;
- if (!strlen(group_name))
- return 0;
- bzero(uname, sizeof(uname));
- strncpy(uname, user_name, sizeof(uname)-1);
- bzero(gname, sizeof(gname));
- strncpy(gname, group_name, sizeof(gname)-1);
-
- pwd = getpwnam(uname);
- if (!pwd)
- return 0;
-
- /* the info about this group */
- grp = getgrnam(gname);
- if (!grp)
- return 0;
-
- /* first check: is a member of the group_name group ? */
- if (is_on_list(grp->gr_mem, uname))
- return 1;
-
- /* next check: user primary group is group_name ? */
- pgrp = getgrgid(pwd->pw_gid);
- if (!pgrp)
- return 0;
- if (!strcmp(pgrp->gr_name, gname))
- return 1;
-
- return 0;
-}
-
-/* --- authentication management functions (only) --- */
-
-/* Extended Items that are not directly available via pam_get_item() */
-#define EI_GROUP (1 << 0)
-#define EI_SHELL (1 << 1)
-
-/* Constants for apply= parameter */
-#define APPLY_TYPE_NULL 0
-#define APPLY_TYPE_NONE 1
-#define APPLY_TYPE_USER 2
-#define APPLY_TYPE_GROUP 3
-
-#define LESSER(a, b) ((a) < (b) ? (a) : (b))
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2;
- const char *citemp;
- char *ifname=NULL;
- char aline[256];
- char mybuf[256],myval[256];
- struct stat fileinfo;
- FILE *inf;
- char apply_val[256];
- int apply_type;
-
- /* Stuff for "extended" items */
- struct passwd *userinfo;
- struct group *grpinfo;
- char *itemlist[256]; /* Maximum of 256 items */
-
- D(("called."));
-
- apply_type=APPLY_TYPE_NULL;
- memset(apply_val,0,sizeof(apply_val));
-
- for(i=0; i < argc; i++) {
- {
- const char *junk;
-
- memset(mybuf,'\0',sizeof(mybuf));
- memset(myval,'\0',sizeof(mybuf));
- junk = strchr(argv[i], '=');
- if((junk == NULL) || (junk - argv[i]) >= sizeof(mybuf)) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Bad option: \"%s\"",
- argv[i]);
- continue;
- }
- strncpy(mybuf, argv[i], LESSER(junk - argv[i], sizeof(mybuf) - 1));
- strncpy(myval, junk + 1, sizeof(myval) - 1);
- }
- if(!strcmp(mybuf,"onerr"))
- if(!strcmp(myval,"succeed"))
- onerr = PAM_SUCCESS;
- else if(!strcmp(myval,"fail"))
- onerr = PAM_SERVICE_ERR;
- else
- return PAM_SERVICE_ERR;
- else if(!strcmp(mybuf,"sense"))
- if(!strcmp(myval,"allow"))
- sense=0;
- else if(!strcmp(myval,"deny"))
- sense=1;
- else
- return onerr;
- else if(!strcmp(mybuf,"file")) {
- ifname = (char *)malloc(strlen(myval)+1);
- strcpy(ifname,myval);
- } else if(!strcmp(mybuf,"item"))
- if(!strcmp(myval,"user"))
- citem = PAM_USER;
- else if(!strcmp(myval,"tty"))
- citem = PAM_TTY;
- else if(!strcmp(myval,"rhost"))
- citem = PAM_RHOST;
- else if(!strcmp(myval,"ruser"))
- citem = PAM_RUSER;
- else { /* These items are related to the user, but are not
- directly gettable with pam_get_item */
- citem = PAM_USER;
- if(!strcmp(myval,"group"))
- extitem = EI_GROUP;
- else if(!strcmp(myval,"shell"))
- extitem = EI_SHELL;
- else
- citem = 0;
- } else if(!strcmp(mybuf,"apply")) {
- apply_type=APPLY_TYPE_NONE;
- memset(apply_val,'\0',sizeof(apply_val));
- if (myval[0]=='@') {
- apply_type=APPLY_TYPE_GROUP;
- strncpy(apply_val,myval+1,sizeof(apply_val)-1);
- } else {
- apply_type=APPLY_TYPE_USER;
- strncpy(apply_val,myval,sizeof(apply_val)-1);
- }
- } else {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Unknown option: %s",mybuf);
- return onerr;
- }
- }
-
- if(!citem) {
- _pam_log(LOG_ERR,
- LOCAL_LOG_PREFIX "Unknown item or item not specified");
- return onerr;
- } else if(!ifname) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "List filename not specified");
- return onerr;
- } else if(sense == 2) {
- _pam_log(LOG_ERR,
- LOCAL_LOG_PREFIX "Unknown sense or sense not specified");
- return onerr;
- } else if(
- (apply_type==APPLY_TYPE_NONE) ||
- ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0'))
- ) {
- _pam_log(LOG_ERR,
- LOCAL_LOG_PREFIX "Invalid usage for apply= parameter");
- return onerr;
- }
-
- /* Check if it makes sense to use the apply= parameter */
- if (apply_type != APPLY_TYPE_NULL) {
- if((citem==PAM_USER) || (citem==PAM_RUSER)) {
- _pam_log(LOG_WARNING,
- LOCAL_LOG_PREFIX "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- if(extitem && (extitem==EI_GROUP)) {
- _pam_log(LOG_WARNING,
- LOCAL_LOG_PREFIX "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- }
-
- /* Short-circuit - test if this session apply for this user */
- {
- const char *user_name;
- int rval;
-
- rval=pam_get_user(pamh,&user_name,NULL);
- if((rval==PAM_SUCCESS) && user_name[0]) {
- /* Got it ? Valid ? */
- if(apply_type==APPLY_TYPE_USER) {
- if(strcmp(user_name, apply_val)) {
- /* Does not apply to this user */
-#ifdef DEBUG
- _pam_log(LOG_DEBUG,
- LOCAL_LOG_PREFIX "don't apply: apply=%s, user=%s",
- apply_val,user_name);
-#endif /* DEBUG */
- return PAM_IGNORE;
- }
- } else if(apply_type==APPLY_TYPE_GROUP) {
- if(!is_on_group(user_name,apply_val)) {
- /* Not a member of apply= group */
-#ifdef DEBUG
- _pam_log(LOG_DEBUG,
- LOCAL_LOG_PREFIX
- "don't apply: %s not a member of group %s",
- user_name,apply_val);
-#endif /* DEBUG */
- return PAM_IGNORE;
- }
- }
- }
- }
-
- retval = pam_get_item(pamh,citem,(const void **)&citemp);
- if(retval != PAM_SUCCESS) {
- return onerr;
- }
- if((citem == PAM_USER) && !citemp) {
- pam_get_user(pamh,&citemp,NULL);
- if (retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
- }
-
- if(!citemp || (strlen(citemp) <= 0)) {
- /* The item was NULL - we are sure not to match */
- return sense?PAM_SUCCESS:PAM_AUTH_ERR;
- }
-
- if(extitem) {
- switch(extitem) {
- case EI_GROUP:
- userinfo = getpwnam(citemp);
- if (userinfo == NULL) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getpwnam(%s) failed",
- citemp);
- return onerr;
- }
- grpinfo = getgrgid(userinfo->pw_gid);
- if (grpinfo == NULL) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getgrgid(%d) failed",
- (int)userinfo->pw_gid);
- return onerr;
- }
- itemlist[0] = x_strdup(grpinfo->gr_name);
- setgrent();
- for (i=1; (i < sizeof(itemlist)/sizeof(itemlist[0])-1) &&
- (grpinfo = getgrent()); ) {
- if (is_on_list(grpinfo->gr_mem,citemp)) {
- itemlist[i++] = x_strdup(grpinfo->gr_name);
- }
- }
- endgrent();
- itemlist[i] = NULL;
- break;
- case EI_SHELL:
- /* Assume that we have already gotten PAM_USER in
- pam_get_item() - a valid assumption since citem
- gets set to PAM_USER in the extitem switch */
- userinfo = getpwnam(citemp);
- if (userinfo == NULL) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getpwnam(%s) failed",
- citemp);
- return onerr;
- }
- citemp = userinfo->pw_shell;
- break;
- default:
- _pam_log(LOG_ERR,
- LOCAL_LOG_PREFIX
- "Internal weirdness, unknown extended item %d",
- extitem);
- return onerr;
- }
- }
-#ifdef DEBUG
- _pam_log(LOG_INFO,
- LOCAL_LOG_PREFIX
- "Got file = %s, item = %d, value = %s, sense = %d",
- ifname, citem, citemp, sense);
-#endif
- if(lstat(ifname,&fileinfo)) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Couldn't open %s",ifname);
- return onerr;
- }
-
- if((fileinfo.st_mode & S_IWOTH)
- || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX
- "%s is either world writable or not a normal file",
- ifname);
- return PAM_AUTH_ERR;
- }
-
- inf = fopen(ifname,"r");
- if(inf == NULL) { /* Check that we opened it successfully */
- if (onerr == PAM_SERVICE_ERR) {
- /* Only report if it's an error... */
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Error opening %s", ifname);
- }
- return onerr;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
-#ifdef DEBUG
- assert(PAM_SUCCESS == 0);
- assert(PAM_AUTH_ERR != 0);
-#endif
- if(extitem == EI_GROUP) {
- while((fgets(aline,255,inf) != NULL)
- && retval) {
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- for(i=0;itemlist[i];)
- /* If any of the items match, strcmp() == 0, and we get out
- of this loop */
- retval = (strcmp(aline,itemlist[i++]) && retval);
- }
- for(i=0;itemlist[i];)
- free(itemlist[i++]);
- } else {
- while((fgets(aline,255,inf) != NULL)
- && retval) {
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- retval = strcmp(aline,citemp);
- }
- }
- fclose(inf);
- free(ifname);
- if ((sense && retval) || (!sense && !retval)) {
-#ifdef DEBUG
- _pam_log(LOG_INFO, LOCAL_LOG_PREFIX
- "Returning PAM_SUCCESS, retval = %d", retval);
-#endif
- return PAM_SUCCESS;
- }
- else {
- const char *service, *user_name;
-#ifdef DEBUG
- _pam_log(LOG_INFO,LOCAL_LOG_PREFIX
- "Returning PAM_AUTH_ERR, retval = %d", retval);
-#endif
- (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
- (void) pam_get_user(pamh, &user_name, NULL);
- _pam_log(LOG_ALERT,LOCAL_LOG_PREFIX "Refused user %s for service %s",
- user_name, service);
- return PAM_AUTH_ERR;
- }
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_listfile_modstruct = {
- "pam_listfile",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
-
-- cgit v1.2.3