aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_securetty/pam_securetty.c~')
-rw-r--r--modules/pam_securetty/pam_securetty.c~70
1 files changed, 70 insertions, 0 deletions
diff --git a/modules/pam_securetty/pam_securetty.c~ b/modules/pam_securetty/pam_securetty.c~
new file mode 100644
index 0000000..d0979de
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.c~
@@ -0,0 +1,70 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <ttyent.h>
+#include <pwd.h>
+
+
+#define PAM_SM_ACCOUNT
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define TTY_PREFIX "/dev/"
+
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *pwd;
+ struct ttyent *ttyinfo;
+ const char *user;
+ const char *tty;
+ int pam_err;
+
+ if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
+ || ( user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (pwd = getpwnam(user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ if ( pwd->pw_uid != 0 ) {
+ /* secure tty applies only to root */
+ return (PAM_SUCCESS);
+ }
+
+ if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) {
+ return (pam_err);
+ }
+
+ if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
+ PAM_LOG("tty starts with " TTY_PREFIX);
+ /* skip prefix */
+ tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
+ }
+
+ /*
+ * Linux-PAM, before checking the actual tty,
+ * opens /etc/securettys to check if it's world
+ * writable or not a normal file and only continues
+ * if neither is correct. Sounds like a good idea -
+ * maybe it should be done here as well...
+ */
+
+
+ if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
+ (ttyinfo->ty_status & TTY_SECURE) != 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("Access denied: tty%s is not secure", tty);
+ return (PAM_AUTH_ERR);
+}
+
+PAM_MODULE_ENTRY("pam_securetty");