authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-21 14:00:36 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-21 14:00:36 +0300
commit0280555a431021f2f5164cba09ad86efcdeddde2 (patch)
tree10676aac175eee800716508128da185610a43070
parentCompleted update_passwd function for pam_unix (diff)
downloadopenpam-modules-0280555a431021f2f5164cba09ad86efcdeddde2.tar.gz
openpam-modules-0280555a431021f2f5164cba09ad86efcdeddde2.tar.bz2
openpam-modules-0280555a431021f2f5164cba09ad86efcdeddde2.zip
Completed pam_rootok and pam_securetty
-rw-r--r--Make.defs2
-rw-r--r--modules/pam_rootok/pam_rootok.c33
-rw-r--r--modules/pam_securetty/pam_securetty.c70
-rw-r--r--modules/pam_unix/pam_unix.c83
-rw-r--r--modules/pam_unix/pam_unix.c~88
5 files changed, 251 insertions, 25 deletions
diff --git a/Make.defs b/Make.defs
index c39353d..1edfcb0 100644
--- a/Make.defs
+++ b/Make.defs
@@ -7,7 +7,7 @@ LD = $(CC)
RM = rm -f
MKDIR = mkdir -p
INSTALL = install -c
-CFLAGS = -Wall -g -fPIC -I../../include -I/opt/local/include -O2 -D_XOPEN_SOURCE=500 -D_SVID_SOURCE
+CFLAGS = -Wall -g -fPIC -I../../include -I/opt/local/include -O2 -D_XOPEN_SOURCE=500 -D_SVID_SOURCE # -fno-stack-protector
LDFLAGS = -shared -L/opt/local/lib # -Wl,$(LINKEROPTS)
LINKEROPTS =
LDLIBS = -lpam -lcrypt
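Review bot: The `# -fno-stack-protector` trailer added to CFLAGS at L30 records that disabling the stack protector was considered for these modules, but not why; a future reader is likely to just uncomment it. Since the modules parse /etc/passwd and /etc/shadow and run inside privileged callers, the hardening should stay on unless a specific build problem forces otherwise, so either drop the trailer or extend it, e.g. `# -fno-stack-protector: only for <platform/problem>, see <issue>`.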
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
index e69de29..d103282 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -0,0 +1,33 @@
+#include <sys/cdefs.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <stdio.h>
+
+#define PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags ,
+ int argc , const char *argv[] )
+{
+
+ if (getuid() == 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("User is not superuser");
+
+ return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc , const char *argv[] )
+{
+
+ return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_rootok");
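Review bot: pam_sm_authenticate (L51-L61) has no comment recording what it actually checks: `getuid() == 0` at L55 tests the real UID of the process that invoked PAM, not the account named by PAM_USER, and a reader may assume the latter. A header comment such as `/* Succeeds when the real UID of the calling process is 0; the PAM_USER item is intentionally not consulted. */` would make the policy explicit. The non-root path at L58 is the module's normal negative outcome rather than a fault, so logging it through PAM_ERROR looks louder than needed; if PAM_LOG in pam_mod_misc.h is the lower-severity macro (pam_securetty in this commit uses it for informational messages), that would be the better fit here.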
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index e69de29..bd81ea5 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -0,0 +1,70 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <ttyent.h>
+#include <pwd.h>
+
+
+#define PAM_SM_ACCOUNT
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define TTY_PREFIX "/dev/"
+
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *pwd;
+ struct ttyent *ttyinfo;
+ const char *user;
+ const char *tty;
+ int pam_err;
+
+ if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
+ || ( user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (pwd = getpwnam(user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ if ( pwd->pw_uid != 0 ) {
+ /* secure tty applies only to root */
+ return (PAM_SUCCESS);
+ }
+
+ if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) {
+ return (pam_err);
+ }
+
+ if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
+ PAM_LOG("tty starts with " TTY_PREFIX);
+ /* skip prefix */
+ tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
+ }
+
+ /*
+ * Linux-PAM, before checking the actual tty,
+ * opens /etc/securettys to check if it's world
+ * writable or not a normal file and only continues
+ * if neither is correct. Sounds like a good idea -
+ * maybe it should be done here as well...
+ */
+
+
+ if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
+ (ttyinfo->ty_status & TTY_SECURE) != 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("Access denied: tty %s is not secure", tty);
+ return (PAM_AUTH_ERR);
+}
+
+PAM_MODULE_ENTRY("pam_securetty");
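Review bot: The prefix test at L123 compares `sizeof(TTY_PREFIX)` bytes, which includes the terminating NUL of "/dev/", so it only matches a tty item that is exactly "/dev/" and never strips the prefix from "/dev/tty1"; since getttynam() is keyed on the bare name, root on any full-path tty is then denied. The length must be `sizeof(TTY_PREFIX) - 1`, matching the arithmetic already used on L126. The failure log at L142 passes `tty` to `%s` although `tty` may still be NULL on that path (L119 only checks pam_err), which is undefined behaviour in the formatting call; use `tty != NULL ? tty : "(none)"`. The `(void *) &tty` cast at L119 hides the type of the out-parameter; `(const void **) &tty` is the form pam_get_item is declared with.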
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index a14dbe6..ea1b75d 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -15,7 +15,8 @@
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_PASSWORD
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
#ifndef __linux__
#include <login_cap.h> /* for BSD login classes */
@@ -32,6 +33,7 @@
#include <security/pam_modules.h>
#include <security/pam_appl.h>
+#include <security/openpam.h>
#include <security/pam_mod_misc.h>
@@ -56,7 +58,7 @@ void makesalt(char salt[SALTSIZE]);
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc , const char **argv ) {
+ int argc , const char *argv[] ) {
#ifndef __linux__
login_cap_t *lc;
@@ -78,7 +80,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = getpwnam(user);
}
-
+ puts("authenticating as user:");
+ puts(user);
PAM_LOG("Authenticating user: [%s]", user);
/* get password */
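Review bot: The two `puts()` calls added at L175-L176 write the username to the calling application's stdout, which for a PAM client such as sshd, login or su is not the developer's terminal and may be a pipe or the remote connection; nothing else in the module writes to stdout, and the PAM_LOG on the following line already records the same information via the logging macro. Drop both lines, or if they are needed during development put them behind a debug option rather than in the default build. pam_sm_authenticate's body continues outside the hunk.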
@@ -227,17 +230,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
/* Check if pw_lstchg or sp_expire is set */
-
+/*
if (pwd->sp_lstchg || pwd->sp_expire)
curtime = time(NULL) / (60 * 60 * 24);
+ puts("before all");
if (pwd->sp_expire) {
+ puts(ctime(&(pwd->sp_expire)));
+ puts(ctime(&curtime));
if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
#ifndef __linux__
login_close(lc);
-#endif
+#endif
+ puts("expire 1");
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
} else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
+ puts("expire 2");
PAM_ERROR("Warning: your account expires on %s",
ctime(&pwd->sp_expire));
}
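Review bot: The `/*` added at L184 opens a block comment that is only closed by the `*/` at L232 (hunk @@ -270), so every account-expiry and password-aging check in pam_sm_acct_mgmt — the sp_expire test in this hunk and the sp_lstchg/sp_max/sp_inact tests in the hunks at @@ -246 and @@ -255 — is compiled out and the function falls straight through to `pam_err = (PAM_SUCCESS)`; the existing `/* check all other possibilities ... */` line at L211 was even rewritten as `* ... *` so it would not end the comment early, which suggests the disabling is deliberate. As long as this is in, expired accounts and accounts whose password has expired are accepted by the account stage. If the checks need to be disabled temporarily, `#if 0 ... #endif` with a TODO naming the reason is far easier to spot and to revert than a comment spanning four hunks. The `puts(ctime(...))` probes at L189-L190 also appear to hand day counts (`sp_expire` is a day number in struct spwd) to ctime(), which expects seconds, so their output would be meaningless even when re-enabled.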
@@ -246,8 +254,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pwd->sp_lstchg == 0 ) {
return (PAM_NEW_AUTHTOK_REQD);
}
-
- /* check all other possibilities (mostly stolen from pam_tcb) */
+ puts("before tcb OK!");
+ * check all other possibilities (mostly stolen from pam_tcb) *
if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
(pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
@@ -255,12 +263,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 1");
if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
(pwd->sp_max != -1)) {
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 2");
if ((curtime - pwd->sp_lstchg > pwd->sp_max)
&& (curtime - pwd->sp_lstchg > pwd->sp_inact)
@@ -270,7 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
return (PAM_ACCT_EXPIRED);
}
- pam_err = (PAM_SUCCESS);
+ puts("after 3");
+*/ pam_err = (PAM_SUCCESS);
#ifndef __linux__
@@ -485,6 +496,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
+PAM_EXTERN int
+pam_sm_open_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Open session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Open session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(),
+ (unsigned long) getuid());
+
+ return PAM_SUCCESS;
+
+}
+
+PAM_EXTERN int
+pam_sm_close_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Close session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Close session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Closed session for user [%s]", user);
+
+ return PAM_SUCCESS;
+}
#ifdef __linux__
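Review bot: `getlogin()` at L256 returns NULL when the calling process has no login-name entry, which is the normal case for daemons such as sshd or cron, and passing NULL to the `%s` in PAM_LOG is undefined behaviour; capture it first, `const char *by = getlogin();`, and log `by != NULL ? by : "(unknown)"`. In both pam_sm_open_session and pam_sm_close_session `service` is fetched and validated (L250-L254, L276-L280) but never used afterwards, so the second lookup only adds a PAM_SESSION_ERR failure path; either include it in the log line or drop the lookup. `user` and `service` are declared `char *` and filled through `(void *) &user`, while the items pam_get_item returns are not the module's to modify; declaring them `const char *` and casting with `(const void **)` keeps that contract visible, as pam_securetty in this same commit already does for `user`.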
@@ -493,7 +554,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
* Update shadow with new user password
*/
-static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_shadow( pam_handle_t * pamh , const char * user,
+ const char * newhashedpwd ) {
FILE *oldshadow, *newshadow;
struct spwd *pwd,*cur_pwd;
struct stat filestat;
@@ -592,7 +654,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char *
#define NEW_PASSWD "/etc/.passwd"
-static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_passwd( pam_handle_t * pamh, const char * user,
+ const char * newhashedpwd ) {
FILE *oldpasswd, *newpasswd;
struct passwd *pwd,*cur_pwd;
struct stat filestat;
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index d1410c9..9a504d0 100644
--- a/modules/pam_unix/pam_unix.c~
+++ b/modules/pam_unix/pam_unix.c~
@@ -15,7 +15,8 @@
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_PASSWORD
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
#ifndef __linux__
#include <login_cap.h> /* for BSD login classes */
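Review bot: `modules/pam_unix/pam_unix.c~` is an editor backup copy of pam_unix.c (its hunks repeat the ones in that file at a one-line offset), and committing it tracks a stale second copy of the module, including the debugging `puts()` calls and the commented-out expiry checks, that a reader or a build glob can pick up by mistake. Remove it with `git rm` and add `*~` to .gitignore so it cannot return. The remaining hunks in this file duplicate those reviewed in pam_unix.c and need no separate review.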
@@ -56,7 +57,7 @@ void makesalt(char salt[SALTSIZE]);
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc , const char **argv ) {
+ int argc , const char *argv[] ) {
#ifndef __linux__
login_cap_t *lc;
@@ -78,7 +79,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = getpwnam(user);
}
-
+ puts("authenticating as user:");
+ puts(user);
PAM_LOG("Authenticating user: [%s]", user);
/* get password */
@@ -227,17 +229,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
/* Check if pw_lstchg or sp_expire is set */
-
+/*
if (pwd->sp_lstchg || pwd->sp_expire)
curtime = time(NULL) / (60 * 60 * 24);
+ puts("before all");
if (pwd->sp_expire) {
+ puts(ctime(&(pwd->sp_expire)));
+ puts(ctime(&curtime));
if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
#ifndef __linux__
login_close(lc);
-#endif
+#endif
+ puts("expire 1");
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
} else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
+ puts("expire 2");
PAM_ERROR("Warning: your account expires on %s",
ctime(&pwd->sp_expire));
}
@@ -246,8 +253,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pwd->sp_lstchg == 0 ) {
return (PAM_NEW_AUTHTOK_REQD);
}
-
- /* check all other possibilities (mostly stolen from pam_tcb) */
+ puts("before tcb OK!");
+ * check all other possibilities (mostly stolen from pam_tcb) *
if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
(pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
@@ -255,12 +262,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 1");
if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
(pwd->sp_max != -1)) {
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 2");
if ((curtime - pwd->sp_lstchg > pwd->sp_max)
&& (curtime - pwd->sp_lstchg > pwd->sp_inact)
@@ -270,7 +279,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
return (PAM_ACCT_EXPIRED);
}
- pam_err = (PAM_SUCCESS);
+ puts("after 3");
+*/ pam_err = (PAM_SUCCESS);
#ifndef __linux__
@@ -313,8 +323,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
#endif
int pam_err, retries;
- int tmpflags = flags | PAM_UPDATE_AUTHTOK;
-
/* identify user */
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
@@ -355,7 +363,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- if (tmpflags & PAM_PRELIM_CHECK) {
+ if (flags & PAM_PRELIM_CHECK) {
puts("DOING PRELIM");
PAM_LOG("Doing preliminary actions.");
@@ -390,7 +398,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (strcmp(hashedpwd, old_pwd->pw_passwd) != 0)
return (PAM_PERM_DENIED);
- } else if ( tmpflags & PAM_UPDATE_AUTHTOK ) {
+ } else if ( flags & PAM_UPDATE_AUTHTOK ) {
puts("DOING UPDATE");
PAM_LOG("Doing actual update.");
@@ -487,6 +495,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
+PAM_EXTERN int
+pam_sm_open_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Open session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Open session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(),
+ (unsigned long) getuid());
+
+ return PAM_SUCCESS;
+
+}
+
+PAM_EXTERN int
+pam_sm_close_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Close session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Close session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Closed session for user [%s]", user);
+
+ return PAM_SUCCESS;
+}
#ifdef __linux__
@@ -495,7 +553,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
* Update shadow with new user password
*/
-static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_shadow( pam_handle_t * pamh , const char * user,
+ const char * newhashedpwd ) {
FILE *oldshadow, *newshadow;
struct spwd *pwd,*cur_pwd;
struct stat filestat;
@@ -594,7 +653,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char *
#define NEW_PASSWD "/etc/.passwd"
-static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_passwd( pam_handle_t * pamh, const char * user,
+ const char * newhashedpwd ) {
FILE *oldpasswd, *newpasswd;
struct passwd *pwd,*cur_pwd;
struct stat filestat;