Experimental pam_chroot module (not connected to the build)
This commit is contained in:
parent
b85f5808f8
commit
eac956b2d1
7
lib/libpam/modules/pam_chroot/Makefile
Normal file
7
lib/libpam/modules/pam_chroot/Makefile
Normal file
@ -0,0 +1,7 @@
|
||||
# $FreeBSD$
|
||||
|
||||
LIB= pam_chroot
|
||||
SRCS= pam_chroot.c
|
||||
MAN= pam_chroot.8
|
||||
|
||||
.include <bsd.lib.mk>
|
85
lib/libpam/modules/pam_chroot/pam_chroot.8
Normal file
85
lib/libpam/modules/pam_chroot/pam_chroot.8
Normal file
@ -0,0 +1,85 @@
|
||||
.\" Copyright (c) 2003 Networks Associates Technology, Inc.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Portions of this software were developed for the FreeBSD Project by
|
||||
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.\" ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. The name of the author may not be used to endorse or promote
|
||||
.\" products derived from this software without specific prior written
|
||||
.\" permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd February 10, 2003
|
||||
.Dt PAM_CHROOT 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pam_chroot
|
||||
.Nd Chroot PAM module
|
||||
.Sh SYNOPSIS
|
||||
.Op Ar service-name
|
||||
.Ar module-type
|
||||
.Ar control-flag
|
||||
.Pa pam_chroot
|
||||
.Op Ar arguments
|
||||
.Sh DESCRIPTION
|
||||
The chroot service module for PAM chroots users into either a
|
||||
predetermined directory or one derived from their home directory.
|
||||
If a user's home directory as specified in the
|
||||
.Dv passwd
|
||||
structure returned by
|
||||
.Xr getpwnam 3
|
||||
contains the string
|
||||
.Dq /./ ,
|
||||
the portion of the directory name to the left of that string is used
|
||||
as the chroot directory.
|
||||
Otherwise, the directory specified by the
|
||||
.Cm dir
|
||||
option (see below) is used.
|
||||
.Bl -tag -width ".Cm also_root"
|
||||
.It Cm also_root
|
||||
Do not hold user id 0 exempt from the chroot requirement.
|
||||
.It Cm always
|
||||
Report a failure if a chroot directory could not be derived from the
|
||||
user's home directory, and the
|
||||
.Cm dir
|
||||
option was not specified.
|
||||
.It Cm dir Ns = Ns Ar directory
|
||||
Specify the chroot directory to use if one could not be derived from
|
||||
the user's home directory.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr pam.conf 5 ,
|
||||
.Xr pam 8
|
||||
.Sh AUTHORS
|
||||
The
|
||||
.Nm
|
||||
module and this manual page were developed for the
|
||||
.Fx
|
||||
Project by
|
||||
ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.Pq Dq CBOSS ,
|
||||
as part of the DARPA CHATS research program.
|
101
lib/libpam/modules/pam_chroot/pam_chroot.c
Normal file
101
lib/libpam/modules/pam_chroot/pam_chroot.c
Normal file
@ -0,0 +1,101 @@
|
||||
/*-
|
||||
* Copyright (c) 2003 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* NAI Labs, the Security Research Division of Network Associates, Inc.
|
||||
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
||||
* DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__FBSDID("$FreeBSD$");
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_SESSION
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/openpam.h>
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
const char *dir, *end, *user;
|
||||
struct passwd *pwd;
|
||||
char buf[PATH_MAX];
|
||||
|
||||
if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS ||
|
||||
user == NULL || (pwd = getpwnam(user)) == NULL)
|
||||
return (PAM_SESSION_ERR);
|
||||
if (pwd->pw_uid == 0 && !openpam_get_option(pamh, "also_root"))
|
||||
return (PAM_SUCCESS);
|
||||
if (pwd->pw_dir == NULL)
|
||||
return (PAM_SESSION_ERR);
|
||||
if ((end = strstr(pwd->pw_dir, "/./")) != NULL) {
|
||||
if (snprintf(buf, sizeof(buf), "%.*s",
|
||||
(int)(end - pwd->pw_dir), pwd->pw_dir) > (int)sizeof(buf)) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s's home directory is too long", user);
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
dir = buf;
|
||||
} else if ((dir = openpam_get_option(pamh, "dir")) == NULL) {
|
||||
if (openpam_get_option(pamh, "always")) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s has no chroot directory", user);
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
openpam_log(PAM_LOG_DEBUG, "chrooting %s to %s", dir, user);
|
||||
|
||||
if (chroot(dir) == -1) {
|
||||
openpam_log(PAM_LOG_ERROR, "chroot(): %m");
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
chdir("/");
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_chroot");
|
Loading…
Reference in New Issue
Block a user