Index: Linux-PAM/modules/pam_securetty/pam_securetty.c =================================================================== --- Linux-PAM/modules/pam_securetty/pam_securetty.c.orig +++ Linux-PAM/modules/pam_securetty/pam_securetty.c @@ -1,8 +1,5 @@ /* pam_securetty module */ -#define SECURETTY_FILE "/etc/securetty" -#define TTY_PREFIX "/dev/" - /* * by Elliot Lee , Red Hat Software. * July 25, 1996. @@ -37,6 +34,9 @@ #include #include +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, + const char *uttyname); + #define PAM_DEBUG_ARG 0x0001 static int @@ -67,11 +67,7 @@ const char *username; const char *uttyname; const void *void_uttyname; - char ttyfileline[256]; - char ptname[256]; - struct stat ttyfileinfo; struct passwd *user_pwd; - FILE *ttyfile; /* log a trail for debugging */ if (ctrl & PAM_DEBUG_ARG) { @@ -101,63 +97,10 @@ return PAM_SERVICE_ERR; } - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { - uttyname += sizeof(TTY_PREFIX)-1; - } - - if (stat(SECURETTY_FILE, &ttyfileinfo)) { - pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); - return PAM_SUCCESS; /* for compatibility with old securetty handling, - this needs to succeed. But we still log the - error. */ - } - - if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - pam_syslog(pamh, LOG_ERR, - "%s is either world writable or not a normal file", - SECURETTY_FILE); - return PAM_AUTH_ERR; - } - - ttyfile = fopen(SECURETTY_FILE,"r"); - if (ttyfile == NULL) { /* Check that we opened it successfully */ - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); - return PAM_SERVICE_ERR; - } - - if (isdigit(uttyname[0])) { - snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); - } else { - ptname[0] = '\0'; - } - - retval = 1; - - while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) - && retval) { - if (ttyfileline[strlen(ttyfileline) - 1] == '\n') - ttyfileline[strlen(ttyfileline) - 1] = '\0'; - - retval = ( strcmp(ttyfileline, uttyname) - && (!ptname[0] || strcmp(ptname, uttyname)) ); - } - fclose(ttyfile); - - if (retval) { - pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); - - retval = PAM_AUTH_ERR; - } else { - if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { - pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", - username, uttyname); - } - retval = PAM_SUCCESS; - + retval = _pammodutil_tty_secure(pamh, uttyname); + if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { + pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", + username, uttyname); } return retval; Index: Linux-PAM/modules/pam_securetty/tty_secure.c =================================================================== --- /dev/null +++ Linux-PAM/modules/pam_securetty/tty_secure.c @@ -0,0 +1,92 @@ +/* + * A function to determine if a particular line is in /etc/securetty + */ + + +#define SECURETTY_FILE "/etc/securetty" +#define TTY_PREFIX "/dev/" + +/* This function taken out of pam_securetty by Sam Hartman + * */ +/* + * by Elliot Lee , Red Hat Software. + * July 25, 1996. + * Slight modifications AGM. 1996/12/3 + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, + const char *uttyname); + +int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) +{ + int retval = PAM_AUTH_ERR; + char ttyfileline[256]; + char ptname[256]; + struct stat ttyfileinfo; + FILE *ttyfile; + /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ + if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) + uttyname += sizeof(TTY_PREFIX)-1; + + if (stat(SECURETTY_FILE, &ttyfileinfo)) { + pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", + SECURETTY_FILE); + return PAM_SUCCESS; /* for compatibility with old securetty handling, + this needs to succeed. But we still log the + error. */ + } + + if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { + /* If the file is world writable or is not a + normal file, return error */ + pam_syslog(pamh, LOG_ERR, + "%s is either world writable or not a normal file", + SECURETTY_FILE); + return PAM_AUTH_ERR; + } + + ttyfile = fopen(SECURETTY_FILE,"r"); + if(ttyfile == NULL) { /* Check that we opened it successfully */ + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); + return PAM_SERVICE_ERR; + } + + if (isdigit(uttyname[0])) { + snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); + } else { + ptname[0] = '\0'; + } + + retval = 1; + + while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) + && retval) { + if(ttyfileline[strlen(ttyfileline) - 1] == '\n') + ttyfileline[strlen(ttyfileline) - 1] = '\0'; + retval = ( strcmp(ttyfileline,uttyname) + && (!ptname[0] || strcmp(ptname, uttyname)) ); + } + fclose(ttyfile); + + if(retval) { + pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", + uttyname); + retval = PAM_AUTH_ERR; + } + + return retval; +} Index: Linux-PAM/modules/pam_securetty/Makefile.am =================================================================== --- Linux-PAM/modules/pam_securetty/Makefile.am.orig +++ Linux-PAM/modules/pam_securetty/Makefile.am @@ -23,6 +23,10 @@ securelib_LTLIBRARIES = pam_securetty.la +pam_securetty_la_SOURCES = \ + pam_securetty.c \ + tty_secure.c + if ENABLE_REGENERATE_MAN noinst_DATA = README README: pam_securetty.8.xml