From 65d6735c5949ec233df9813f734e918a93fa36cf Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
Date: Mon, 16 Sep 2019 17:17:49 +0200
Subject: Add support for a vendor directory and libeconf (#136)

With this, it is possible for Linux distributors to store their supplied default configuration files somewhere below /usr, while /etc only contains the changes made by the user.

The new option --enable-vendordir defines where Linux-PAM should additional look for pam.d/*, login.defs and securetty if this files are not in /etc.

libeconf is a key/value configuration file reading library, which handles the split of configuration files in different locations and merges them transparently for the application.
---
 modules/pam_securetty/Makefile.am         |  8 ++++++++
 modules/pam_securetty/pam_securetty.8.xml | 15 +++++++++------
 modules/pam_securetty/pam_securetty.c     | 28 +++++++++++++++++++++++++---
 3 files changed, 42 insertions(+), 9 deletions(-)
(limited to 'modules')

diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am
index 30cc879a..9bcbbd95 100644
--- a/modules/pam_securetty/Makefile.am
+++ b/modules/pam_securetty/Makefile.am
@@ -20,6 +20,9 @@ AM_LDFLAGS = -no-undefined -avoid-version -module
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
+if HAVE_VENDORDIR
+  AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+endif
 
 securelib_LTLIBRARIES = pam_securetty.la
 pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
@@ -27,5 +30,10 @@ pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
 if ENABLE_REGENERATE_MAN
 noinst_DATA = README
 README: pam_securetty.8.xml
+if HAVE_VENDORDIR
+XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR)
+else
+XSLTPROC_CUSTOM = --stringparam vendordir ""
+endif
 -include $(top_srcdir)/Make.xml.rules
 endif
diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
index 48215f5f..b5e83691 100644
--- a/modules/pam_securetty/pam_securetty.8.xml
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -31,9 +31,12 @@ pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing
- in /etc/securetty. pam_securetty also checks
- to make sure that /etc/securetty is a plain
- file and not world writable. It will also allow root logins on
+ in the securetty file. pam_securetty checks at
+ first, if /etc/securetty exists. If not and
+ it was built with vendordir support, it will use
+ %vendordir%/securetty. pam_securetty also
+ checks that the securetty files are plain
+ files and not world writable. It will also allow root logins on
 the tty specified with switch on the kernel command line and on ttys from the /sys/class/tty/console/active.
@@ -73,7 +76,7 @@ Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the
- /etc/securetty file.
+ securetty file.
@@ -106,7 +109,7 @@ Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the
- /etc/securetty file is world writable or
+ securetty file is world writable or
 not a normal file.
@@ -127,7 +130,7 @@ An error occurred while the module was determining the user's name or tty, or the module could not open
- /etc/securetty.
+ the securetty file.
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index cb1da252..e8a9273b 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -1,6 +1,9 @@
 /* pam_securetty module */
 
 #define SECURETTY_FILE "/etc/securetty"
+#ifdef VENDORDIR
+#define SECURETTY2_FILE VENDORDIR"/securetty"
+#endif
 #define TTY_PREFIX "/dev/"
 #define CMDLINE_FILE "/proc/cmdline"
 #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
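Review bot: `SECURETTY2_FILE` in the new `#ifdef VENDORDIR` block says nothing about why a second path exists, although the macro is only ever defined when a vendor directory is configured. A name that carries that fact, e.g. `#define VENDOR_SECURETTY_FILE VENDORDIR "/securetty"`, documents the intent at each use site (the stat() fallback and its log message) without a trip to the configure script. A one-line comment above the `#ifdef`, such as `/* consulted only when SECURETTY_FILE does not exist */`, would also spell out the precedence between the two files where they are declared.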
@@ -25,6 +28,7 @@
 #include
 #include
 #include
+#include
 
 /*
  * here, we make a definition for the externally accessible function
@@ -70,6 +74,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
                          const char *function_name)
 {
     int retval = PAM_AUTH_ERR;
+    const char *securettyfile;
     const char *username;
     const char *uttyname;
     const void *void_uttyname;
@@ -111,10 +116,27 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
     }
 
     if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+#ifdef VENDORDIR
+        if (errno == ENOENT) {
+            if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
+                pam_syslog(pamh, LOG_NOTICE,
+                           "Couldn't open %s: %m", SECURETTY2_FILE);
+                return PAM_SUCCESS; /* for compatibility with old securetty handling,
+                                       this needs to succeed. But we still log the
+                                       error. */
+            }
+            securettyfile = SECURETTY2_FILE;
+        } else {
+#endif
         pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
         return PAM_SUCCESS; /* for compatibility with old securetty handling,
                                this needs to succeed. But we still log the
                                error. */
+#ifdef VENDORDIR
+        }
+#endif
+    } else {
+        securettyfile = SECURETTY_FILE;
     }
 
     if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
@@ -122,13 +144,13 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
                           normal file, return error */
         pam_syslog(pamh, LOG_ERR,
                    "%s is either world writable or not a normal file",
-                   SECURETTY_FILE);
+                   securettyfile);
         return PAM_AUTH_ERR;
     }
 
-    ttyfile = fopen(SECURETTY_FILE,"r");
+    ttyfile = fopen(securettyfile,"r");
     if (ttyfile == NULL) { /* Check that we opened it successfully */
-        pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+        pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile);
         return PAM_SERVICE_ERR;
     }
 
-- 
cgit v1.2.3
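Review bot: In the stat() fallback hunk (`@@ -111,10 +116,27 @@`) the `#ifdef VENDORDIR` blocks open and close braces across preprocessor boundaries (`} else {` before one `#endif`, a bare `}` between the next `#ifdef`/`#endif`), so neither build configuration reads as plain C, and the log-and-`return PAM_SUCCESS` sequence is duplicated for the two paths and must be kept in sync by hand. Restructuring so that each preprocessor conditional wraps a complete statement keeps the same decisions in one place: fall back only on ENOENT, log the path that actually failed together with its `%m`, and keep the compatibility `PAM_SUCCESS`. The one line that decides which file governs root logins, `if (errno == ENOENT)`, deserves a comment saying that an EACCES or other non-ENOENT failure on /etc/securetty deliberately does not redirect to the vendor copy, since an operator reading a "Couldn't open" notice will otherwise not know which file was consulted. securetty_perform_check starts and ends outside the hunk.
```c
    securettyfile = SECURETTY_FILE;
    if (stat(securettyfile, &ttyfileinfo) != 0) {
        int rc = -1;
#ifdef VENDORDIR
        /* Only a missing /etc/securetty selects the vendor copy; any other
           stat() failure (e.g. EACCES) keeps the original path and errno. */
        if (errno == ENOENT) {
            securettyfile = SECURETTY2_FILE;
            rc = stat(securettyfile, &ttyfileinfo);
        }
#endif
        if (rc != 0) {
            pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", securettyfile);
            return PAM_SUCCESS; /* for compatibility with old securetty handling,
                                   this needs to succeed. But we still log the
                                   error. */
        }
    }
    /* … unchanged: S_IWOTH / S_ISREG check on ttyfileinfo … */
```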