From c95e6e34c26fc95f622b4d0535bccede3c655146 Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sat, 13 Jul 2002 05:10:54 +0000 Subject: Relevant BUGIDs: 436435 Purpose of commit: new feature Commit summary: --------------- add account management to a bunch of modules. Submitted by Harald Welte. --- modules/pam_securetty/pam_securetty.c | 110 +++++++++++++++++++++++----------- 1 file changed, 76 insertions(+), 34 deletions(-) (limited to 'modules/pam_securetty') diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 9e6121e8..c69180ab 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -21,8 +21,7 @@ #include #include #include - -#define PAM_SM_AUTH +#include /* * here, we make a definition for the externally accessible function @@ -32,6 +31,7 @@ */ #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include @@ -71,31 +71,30 @@ static int _pam_parse(int argc, const char **argv) return ctrl; } -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, + const char *function_name) { int retval = PAM_AUTH_ERR; const char *username; char *uttyname; char ttyfileline[256]; + char ptname[256]; struct stat ttyfileinfo; struct passwd *user_pwd; FILE *ttyfile; - int ctrl; - /* parse the arguments */ - ctrl = _pam_parse(argc, argv); + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { + _pam_log(LOG_DEBUG, "pam_securetty called via %s function", + function_name); + } retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS || username == NULL) { if (ctrl & PAM_DEBUG_ARG) { _pam_log(LOG_WARNING, "cannot determine username"); } - return (retval == PAM_CONV_AGAIN - ? PAM_INCOMPLETE:PAM_SERVICE_ERR); + return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); } retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname); @@ -107,8 +106,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc } /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) + if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { uttyname += sizeof(TTY_PREFIX)-1; + } user_pwd = getpwnam(username); if (user_pwd == NULL) { @@ -126,8 +126,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc error. */ } - if ((ttyfileinfo.st_mode & S_IWOTH) - || !S_ISREG(ttyfileinfo.st_mode)) { + if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { /* If the file is world writable or is not a normal file, return error */ _pam_log(LOG_ERR, SECURETTY_FILE @@ -136,39 +135,82 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc } ttyfile = fopen(SECURETTY_FILE,"r"); - if(ttyfile == NULL) { /* Check that we opened it successfully */ + if (ttyfile == NULL) { /* Check that we opened it successfully */ _pam_log(LOG_ERR, "Error opening " SECURETTY_FILE); return PAM_SERVICE_ERR; } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ - while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) - && retval) { - if(ttyfileline[strlen(ttyfileline) - 1] == '\n') + + if (isdigit(uttyname[0])) { + snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); + } else { + ptname[0] = '\0'; + } + + retval = 1; + + while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) + && retval) { + if (ttyfileline[strlen(ttyfileline) - 1] == '\n') ttyfileline[strlen(ttyfileline) - 1] = '\0'; - retval = strcmp(ttyfileline,uttyname); + + retval = ( strcmp(ttyfileline, uttyname) + && (!ptname[0] || strcmp(ptname, uttyname)) ); } fclose(ttyfile); - if(retval) { - if (ctrl & PAM_DEBUG_ARG) + + if (retval) { + if (ctrl & PAM_DEBUG_ARG) { _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", uttyname); + } retval = PAM_AUTH_ERR; + + } else { + if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { + _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", + username, uttyname); + } + retval = PAM_SUCCESS; + } - if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) - _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", - username, uttyname); + return retval; } +/* --- authentication management functions --- */ + PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, + const char **argv) { - return PAM_SUCCESS; + int ctrl; + + /* parse the arguments */ + ctrl = _pam_parse(argc, argv); + + return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__); +} + +PAM_EXTERN +int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +/* --- account management functions --- */ + +PAM_EXTERN +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + int ctrl; + + /* parse the arguments */ + ctrl = _pam_parse(argc, argv); + + /* take the easy route */ + return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__); } @@ -180,12 +222,12 @@ struct pam_module _pam_securetty_modstruct = { "pam_securetty", pam_sm_authenticate, pam_sm_setcred, - NULL, + pam_sm_acct_mgmt, NULL, NULL, NULL, }; -#endif +#endif /* PAM_STATIC */ /* end of module definition */ -- cgit v1.2.3