1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
|
/* pam_access module */
/*
* Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15
* (I took login_access from logdaemon-5.6 and converted it to PAM
* using parts of pam_time code.)
*
************************************************************************
* Copyright message from logdaemon-5.6 (original file name DISCLAIMER)
************************************************************************
* Copyright 1995 by Wietse Venema. All rights reserved. Individual files
* may be covered by other copyrights (as noted in the file itself.)
*
* This material was originally written and compiled by Wietse Venema at
* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
* 1992, 1993, 1994 and 1995.
*
* Redistribution and use in source and binary forms are permitted
* provided that this entire copyright notice is duplicated in all such
* copies.
*
* This software is provided "as is" and without any expressed or implied
* warranties, including, without limitation, the implied warranties of
* merchantibility and fitness for any particular purpose.
*************************************************************************
*/
#include <security/_pam_aconf.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>
#include <syslog.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
#include <errno.h>
#include <ctype.h>
#include <sys/utsname.h>
#include <rpcsvc/ypclnt.h>
#ifndef BROKEN_NETWORK_MATCH
# include <netdb.h>
# include <sys/socket.h>
#endif
/*
* here, we make definitions for the externally accessible functions
* in this file (these definitions are required for static modules
* but strongly encouraged generally) they are used to instruct the
* modules include file to define their prototypes.
*/
#define PAM_SM_ACCOUNT
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
#include <security/_pam_modutil.h>
/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
/*
* This module implements a simple but effective form of login access
* control based on login names and on host (or domain) names, internet
* addresses (or network numbers), or on terminal line names in case of
* non-networked logins. Diagnostics are reported through syslog(3).
*
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
#undef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif
#ifdef DEFAULT_CONF_FILE
# define PAM_ACCESS_CONFIG DEFAULT_CONF_FILE
#else
# define PAM_ACCESS_CONFIG "/etc/security/access.conf"
#endif
/* Delimiters for fields and for lists of users, ttys or hosts. */
static const char *fs = ":"; /* field separator */
static const char sep[] = ", \t"; /* list-element separator */
/* Constants to be used in assignments only, not in comparisons... */
#define YES 1
#define NO 0
/*
* A structure to bundle up all login-related information to keep the
* functional interfaces as generic as possible.
*/
struct login_info {
struct passwd *user;
char *from;
const char *config_file;
const char *service;
};
/* --- static functions for checking whether the user should be let in --- */
static void _log_err(const char *format, ... )
{
va_list args;
va_start(args, format);
openlog("pam_access", LOG_CONS|LOG_PID, LOG_AUTH);
vsyslog(LOG_ERR, format, args);
va_end(args);
closelog();
}
/* Parse module config arguments */
static int parse_args(struct login_info *loginfo, int argc, const char **argv)
{
int i;
for (i=0; i<argc; ++i) {
if (!strncmp("fieldsep=", argv[i], 9)) {
/* the admin wants to override the default field separators */
fs = argv[i]+9;
} else if (!strncmp("accessfile=", argv[i], 11)) {
FILE *fp = fopen(11 + argv[i], "r");
if (fp) {
loginfo->config_file = 11 + argv[i];
fclose(fp);
} else {
_log_err("for service [%s] failed to open accessfile=[%s]"
, loginfo->service, 11 + argv[i]);
return 0;
}
} else {
_log_err("unrecognized option [%s]", argv[i]);
}
}
return 1; /* OK */
}
typedef int match_func (pam_handle_t *, char *, struct login_info *);
static int list_match (pam_handle_t *, char *, struct login_info *,
match_func *);
static int user_match (pam_handle_t *, char *, struct login_info *);
static int from_match (pam_handle_t *, char *, struct login_info *);
static int string_match (pam_handle_t *, char *, char *);
/* login_access - match username/group and host/tty with access control file */
static int
login_access (pam_handle_t *pamh, struct login_info *item)
{
FILE *fp;
char line[BUFSIZ];
char *perm; /* becomes permission field */
char *users; /* becomes list of login names */
char *froms; /* becomes list of terminals or hosts */
int match = NO;
int end;
int lineno = 0; /* for diagnostics */
/*
* Process the table one line at a time and stop at the first match.
* Blank lines and lines that begin with a '#' character are ignored.
* Non-comment lines are broken at the ':' character. All fields are
* mandatory. The first field should be a "+" or "-" character. A
* non-existing table means no access control.
*/
if ((fp = fopen(item->config_file, "r"))!=NULL) {
while (!match && fgets(line, sizeof(line), fp)) {
lineno++;
if (line[end = strlen(line) - 1] != '\n') {
_log_err("%s: line %d: missing newline or line too long",
item->config_file, lineno);
continue;
}
if (line[0] == '#')
continue; /* comment line */
while (end > 0 && isspace(line[end - 1]))
end--;
line[end] = 0; /* strip trailing whitespace */
if (line[0] == 0) /* skip blank lines */
continue;
/* Allow trailing: in last field fo froms */
if (!(perm = strtok(line, fs))
|| !(users = strtok((char *) 0, fs))
|| !(froms = strtok((char *) 0, fs))) {
_log_err("%s: line %d: bad field count",
item->config_file, lineno);
continue;
}
if (perm[0] != '+' && perm[0] != '-') {
_log_err("%s: line %d: bad first field",
item->config_file, lineno);
continue;
}
match = (list_match(pamh, froms, item, from_match)
&& list_match(pamh, users, item, user_match));
}
(void) fclose(fp);
} else if (errno != ENOENT) {
_log_err("cannot open %s: %m", item->config_file);
return NO;
}
return (match == 0 || (line[0] == '+'));
}
/* list_match - match an item against a list of tokens with exceptions */
static int list_match(pam_handle_t *pamh,
char *list, struct login_info *item, match_func *match_fn)
{
char *tok;
int match = NO;
/*
* Process tokens one at a time. We have exhausted all possible matches
* when we reach an "EXCEPT" token or the end of the list. If we do find
* a match, look for an "EXCEPT" list and recurse to determine whether
* the match is affected by any exceptions.
*/
for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
break;
if ((match = (*match_fn) (pamh, tok, item))) /* YES */
break;
}
/* Process exceptions to matches. */
if (match != NO) {
while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
/* VOID */ ;
if (tok == 0 || list_match(pamh, (char *) 0, item, match_fn) == NO)
return (match);
}
return (NO);
}
/* myhostname - figure out local machine name */
static char * myhostname(void)
{
static char name[MAXHOSTNAMELEN + 1];
if (gethostname(name, MAXHOSTNAMELEN) == 0) {
name[MAXHOSTNAMELEN] = 0;
return (name);
}
return NULL;
}
/* netgroup_match - match group against machine or user */
static int netgroup_match(char *group, char *machine, char *user)
{
static char *mydomain = NULL;
if (mydomain == 0)
yp_get_default_domain(&mydomain);
return (innetgr(group, machine, user, mydomain));
}
/* user_match - match a username against one token */
static int user_match(pam_handle_t *pamh, char *tok, struct login_info *item)
{
char *string = item->user->pw_name;
struct login_info fake_item;
char *at;
/*
* If a token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the username, if the
* token is a group that contains the username, or if the token is the
* name of the user's primary group.
*/
if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
*at = 0;
fake_item.from = myhostname();
if (fake_item.from == NULL)
return NO;
return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item));
} else if (tok[0] == '@') /* netgroup */
return (netgroup_match(tok + 1, (char *) 0, string));
else if (string_match (pamh, tok, string)) /* ALL or exact match */
return YES;
else if (_pammodutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok))
/* try group membership */
return YES;
return NO;
}
/* from_match - match a host or tty against a list of tokens */
static int
from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
char *string = item->from;
int tok_len;
int str_len;
/*
* If a token has the magic value "ALL" the match always succeeds. Return
* YES if the token fully matches the string. If the token is a domain
* name, return YES if it matches the last fields of the string. If the
* token has the magic value "LOCAL", return YES if the string does not
* contain a "." character. If the token is a network number, return YES
* if it matches the head of the string.
*/
if (tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, string, (char *) 0));
} else if (string_match (pamh, tok, string)) /* ALL or exact match */
return YES;
else if (tok[0] == '.') { /* domain: match last fields */
if ((str_len = strlen(string)) > (tok_len = strlen(tok))
&& strcasecmp(tok, string + str_len - tok_len) == 0)
return (YES);
} else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
if (strchr(string, '.') == 0)
return (YES);
#ifdef BROKEN_NETWORK_MATCH
} else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */
&& strncmp(tok, string, tok_len) == 0) {
return (YES);
#else /* BROKEN_NETWORK_MATCH */
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
/*
The code below does a more correct check if the address specified
by "string" starts from "tok".
1998/01/27 Andrey V. Savochkin <saw@msu.ru>
*/
struct hostent *h;
char hn[3+1+3+1+3+1+3+1+1];
int r;
h = gethostbyname(string);
if (h == NULL)
return (NO);
if (h->h_addrtype != AF_INET)
return (NO);
if (h->h_length != 4)
return (NO); /* only IPv4 addresses (SAW) */
r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u.",
(unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1],
(unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]);
if (r < 0 || r >= sizeof(hn))
return (NO);
if (!strncmp(tok, hn, tok_len))
return (YES);
#endif /* BROKEN_NETWORK_MATCH */
}
return (NO);
}
/* string_match - match a string against one token */
static int
string_match (pam_handle_t *pamh, char *tok, char *string)
{
/*
* If the token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the string.
*/
if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
return (YES);
} else if (strcasecmp(tok, string) == 0) { /* try exact match */
return (YES);
}
return (NO);
}
/* --- public account management functions --- */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
,const char **argv)
{
struct login_info loginfo;
const char *user=NULL, *service=NULL;
char *from=NULL;
struct passwd *user_pw;
if ((pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
!= PAM_SUCCESS) || (service == NULL) || (*service == ' ')) {
_log_err("cannot find the service name");
return PAM_ABORT;
}
/* set username */
if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
|| *user == '\0') {
_log_err("cannot determine the user's name");
return PAM_USER_UNKNOWN;
}
/* remote host name */
if (pam_get_item(pamh, PAM_RHOST, (const void **)&from)
!= PAM_SUCCESS) {
_log_err("cannot find the remote host name");
return PAM_ABORT;
}
if ((from==NULL) || (*from=='\0')) {
/* local login, set tty name */
if (pam_get_item(pamh, PAM_TTY, (const void **)&from) != PAM_SUCCESS
|| from == NULL) {
D(("PAM_TTY not set, probing stdin"));
from = ttyname(STDIN_FILENO);
if (from == NULL) {
_log_err("couldn't get the tty name");
return PAM_ABORT;
}
if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
_log_err("couldn't set tty name");
return PAM_ABORT;
}
}
if (from[0] == '/') { /* full path */
from++;
from = strchr(from, '/');
from++;
}
}
if ((user_pw=_pammodutil_getpwnam(pamh, user))==NULL) return (PAM_USER_UNKNOWN);
/*
* Bundle up the arguments to avoid unnecessary clumsiness later on.
*/
loginfo.user = user_pw;
loginfo.from = from;
loginfo.service = service;
loginfo.config_file = PAM_ACCESS_CONFIG;
/* parse the argument list */
if (!parse_args(&loginfo, argc, argv)) {
_log_err("failed to parse the module arguments");
return PAM_ABORT;
}
if (login_access(pamh, &loginfo)) {
return (PAM_SUCCESS);
} else {
_log_err("access denied for user `%s' from `%s'",user,from);
return (PAM_PERM_DENIED);
}
}
/* end of module definition */
#ifdef PAM_STATIC
/* static module data */
struct pam_module _pam_access_modstruct = {
"pam_access",
NULL,
NULL,
pam_sm_acct_mgmt,
NULL,
NULL,
NULL
};
#endif
|
