/* pam_securetty module */ #define SECURETTY_FILE "/etc/securetty" #define TTY_PREFIX "/dev/" /* * by Elliot Lee , Red Hat Software. * July 25, 1996. * This code shamelessly ripped from the pam_rootok module. * Slight modifications AGM. 1996/12/3 * $Log: pam_securetty.c,v $ * Revision 1.7 1997/04/05 06:24:23 morgan * changed return value on user unknown error * * Revision 1.6 1997/02/15 17:30:36 morgan * removed fixed length syslog buffer * * Revision 1.5 1997/02/09 02:22:24 morgan * added "debug" flag handling (Cristian Gafton) * */ #include #include #include #include #include #include #include #include #include #define PAM_SM_AUTH /* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module * but strongly encouraged generally) it is used to instruct the * modules include file to define the function prototypes. */ #define PAM_SM_AUTH #include /* some syslogging */ static void _pam_log(int err, const char *format, ...) { va_list args; va_start(args, format); openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH); vsyslog(err, format, args); va_end(args); closelog(); } /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 static int _pam_parse(int argc, const char **argv) { int ctrl=0; /* step through arguments */ for (ctrl=0; argc-- > 0; ++argv) { /* generic options */ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; else { _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); } } return ctrl; } /* --- authentication management functions (only) --- */ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc ,const char **argv) { int retval = PAM_AUTH_ERR; const char *username; char *uttyname; char ttyfileline[256]; struct stat ttyfileinfo; struct passwd *user_pwd; FILE *ttyfile; int ctrl; /* parse the arguments */ ctrl = _pam_parse(argc, argv); retval = pam_get_item(pamh,PAM_USER,(const void **)&username); if (retval == PAM_SUCCESS) retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname); if (retval != PAM_SUCCESS || uttyname == NULL) { /* If we couldn't get the username or the tty return error */ if (ctrl & PAM_DEBUG_ARG) _pam_log(LOG_WARNING, "can not determine tty I'm running on !"); return PAM_SERVICE_ERR; } /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) uttyname += sizeof(TTY_PREFIX)-1; /* If we didn't get a username, get one */ if(!username || (strlen(username) <= 0)) { /* Don't let them use a NULL username... */ (void) pam_set_item(pamh, PAM_USER, NULL); pam_get_user(pamh,&username,NULL); if (retval != PAM_SUCCESS || username == NULL || *username == '\0') { if (ctrl & PAM_DEBUG_ARG) _pam_log(LOG_WARNING, "can not determine username for this service!"); return PAM_SERVICE_ERR; } } user_pwd = getpwnam(username); if (user_pwd == NULL) return PAM_IGNORE; else if (user_pwd->pw_uid != 0) /* If the user is not root, securetty's does not apply to them */ return PAM_SUCCESS; if(stat(SECURETTY_FILE,&ttyfileinfo)) { _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ } if((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { /* If the file is world writable or is not a normal file, return error */ _pam_log(LOG_ERR, SECURETTY_FILE " is either world writable or not a normal file"); return PAM_AUTH_ERR; } ttyfile = fopen(SECURETTY_FILE,"r"); if(ttyfile == NULL) { /* Check that we opened it successfully */ _pam_log(LOG_ERR, "Error opening " SECURETTY_FILE); return PAM_SERVICE_ERR; } /* There should be no more errors from here on */ retval=PAM_AUTH_ERR; /* This loop assumes that PAM_SUCCESS == 0 and PAM_AUTH_ERR != 0 */ while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) && retval) { if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ttyfileline[strlen(ttyfileline) - 1] = '\0'; retval = strcmp(ttyfileline,uttyname); } fclose(ttyfile); if(retval) { if (ctrl & PAM_DEBUG_ARG) _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", uttyname); retval = PAM_AUTH_ERR; } if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", username, uttyname); return retval; } PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc ,const char **argv) { return PAM_SUCCESS; } #ifdef PAM_STATIC /* static module data */ struct pam_module _pam_securetty_modstruct = { "pam_securetty", pam_sm_authenticate, pam_sm_setcred, NULL, NULL, NULL, NULL, }; #endif /* end of module definition */