diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 index e38be712b2d7..9448bf245654 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.8 +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 @@ -49,23 +49,24 @@ feature. .Ss NoLogin Account Management Module The NoLogin account management component, .Fn pam_sm_acct_mgmt , -always returns success for the superuser, -and returns success for all other users -if the file -.Pa /var/run/nologin -does not exist. -If -.Pa /var/run/nologin -does exist, -then its contents are echoed -to non-superusers +verifies whether logins are administratively disabled via +.Xr nologin 5 . +It returns success if the user's login class has an "ignorenologin" +capability specified in +.Xr login.conf 5 +or the +.Xr nologin 5 +file does not exist. +If neither condition is met, +then the contents of +.Xr nologin 5 +are echoed before failure is returned. -If a "nologin" capability -is specified in +The location of +.Xr nologin 5 +is specified by a "nologin" capability in .Xr login.conf 5 , -then the file thus specified -is used instead. -This usually defaults to +which defaults to .Pa /var/run/nologin . .Pp The following options may be passed to the module: diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index f4b28e547cba..1be63d287b8d 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c @@ -52,18 +52,19 @@ __FBSDID("$FreeBSD$"); #include #include -#define NOLOGIN "/var/run/nologin" +#define _PATH_NOLOGIN "/var/run/nologin" -static char nologin_def[] = NOLOGIN; +static char nologin_def[] = _PATH_NOLOGIN; PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc __unused, const char *argv[] __unused) { login_cap_t *lc; struct passwd *pwd; struct stat st; int retval, fd; + ssize_t ss; const char *user, *nologin; char *mtmp; @@ -73,42 +74,54 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got user: %s", user); - lc = login_getclass(NULL); + pwd = getpwnam(user); + if (pwd == NULL) + return (PAM_USER_UNKNOWN); + + /* + * login_getpwclass(3) will select the "root" class by default + * if pwd->pw_uid is 0. That class should have "ignorenologin" + * capability so that super-user can bypass nologin. + */ + lc = login_getpwclass(pwd); + if (lc == NULL) { + PAM_LOG("Unable to get login class for user %s", user); + return (PAM_SERVICE_ERR); + } + + if (login_getcapbool(lc, "ignorenologin", 0)) { + login_close(lc); + return (PAM_SUCCESS); + } + nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def); - login_close(lc); - lc = NULL; fd = open(nologin, O_RDONLY, 0); - if (fd < 0) + if (fd < 0) { + login_close(lc); return (PAM_SUCCESS); - - PAM_LOG("Opened %s file", NOLOGIN); - - pwd = getpwnam(user); - if (pwd && pwd->pw_uid == 0) - retval = PAM_SUCCESS; - else { - if (!pwd) - retval = PAM_USER_UNKNOWN; - else - retval = PAM_AUTH_ERR; } - if (fstat(fd, &st) < 0) - return (retval); + PAM_LOG("Opened %s file", nologin); - mtmp = malloc(st.st_size + 1); - if (mtmp != NULL) { - read(fd, mtmp, st.st_size); - mtmp[st.st_size] = '\0'; - pam_error(pamh, "%s", mtmp); - free(mtmp); + if (fstat(fd, &st) == 0) { + mtmp = malloc(st.st_size + 1); + if (mtmp != NULL) { + ss = read(fd, mtmp, st.st_size); + if (ss > 0) { + mtmp[ss] = '\0'; + pam_error(pamh, "%s", mtmp); + } + free(mtmp); + } } - if (retval != PAM_SUCCESS) - PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN); + PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin); - return (retval); + close(fd); + login_close(lc); + + return (PAM_AUTH_ERR); } PAM_MODULE_ENTRY("pam_nologin");