From 0280555a431021f2f5164cba09ad86efcdeddde2 Mon Sep 17 00:00:00 2001 From: Seraphim Mellos Date: Sat, 21 Jun 2008 14:00:36 +0300 Subject: Completed pam_rootok and pam_securetty --- Make.defs | 2 +- modules/pam_rootok/pam_rootok.c | 33 +++++++++++++ modules/pam_securetty/pam_securetty.c | 70 ++++++++++++++++++++++++++++ modules/pam_unix/pam_unix.c | 83 +++++++++++++++++++++++++++++---- modules/pam_unix/pam_unix.c~ | 88 +++++++++++++++++++++++++++++------ 5 files changed, 251 insertions(+), 25 deletions(-) diff --git a/Make.defs b/Make.defs index c39353d..1edfcb0 100644 --- a/Make.defs +++ b/Make.defs @@ -7,7 +7,7 @@ LD = $(CC) RM = rm -f MKDIR = mkdir -p INSTALL = install -c -CFLAGS = -Wall -g -fPIC -I../../include -I/opt/local/include -O2 -D_XOPEN_SOURCE=500 -D_SVID_SOURCE +CFLAGS = -Wall -g -fPIC -I../../include -I/opt/local/include -O2 -D_XOPEN_SOURCE=500 -D_SVID_SOURCE # -fno-stack-protector LDFLAGS = -shared -L/opt/local/lib # -Wl,$(LINKEROPTS) LINKEROPTS = LDLIBS = -lpam -lcrypt diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index e69de29..d103282 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -0,0 +1,33 @@ +#include +#include +#include +#include + +#define PAM_SM_AUTH + +#include +#include +#include + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags , + int argc , const char *argv[] ) +{ + + if (getuid() == 0) + return (PAM_SUCCESS); + + PAM_ERROR("User is not superuser"); + + return (PAM_AUTH_ERR); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc , const char *argv[] ) +{ + + return (PAM_SUCCESS); +} + +PAM_MODULE_ENTRY("pam_rootok"); diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index e69de29..bd81ea5 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -0,0 +1,70 @@ +#include +#include +#include +#include +#include + + +#define PAM_SM_ACCOUNT + +#include +#include +#include + +#define TTY_PREFIX "/dev/" + + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + struct passwd *pwd; + struct ttyent *ttyinfo; + const char *user; + const char *tty; + int pam_err; + + if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS ) + || ( user == NULL ) ) { + PAM_ERROR("Error recovering username."); + return (pam_err); + } + + if ( (pwd = getpwnam(user)) == NULL ) { + PAM_ERROR("Could not get passwd entry for user [%s]",user); + return (PAM_SERVICE_ERR); + } + + if ( pwd->pw_uid != 0 ) { + /* secure tty applies only to root */ + return (PAM_SUCCESS); + } + + if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) { + return (pam_err); + } + + if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) { + PAM_LOG("tty starts with " TTY_PREFIX); + /* skip prefix */ + tty = (const char *)tty + sizeof(TTY_PREFIX) - 1; + } + + /* + * Linux-PAM, before checking the actual tty, + * opens /etc/securettys to check if it's world + * writable or not a normal file and only continues + * if neither is correct. Sounds like a good idea - + * maybe it should be done here as well... + */ + + + if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL && + (ttyinfo->ty_status & TTY_SECURE) != 0) + return (PAM_SUCCESS); + + PAM_ERROR("Access denied: tty %s is not secure", tty); + return (PAM_AUTH_ERR); +} + +PAM_MODULE_ENTRY("pam_securetty"); diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c index a14dbe6..ea1b75d 100644 --- a/modules/pam_unix/pam_unix.c +++ b/modules/pam_unix/pam_unix.c @@ -15,7 +15,8 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT -#define PAM_PASSWORD +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION #ifndef __linux__ #include /* for BSD login classes */ @@ -32,6 +33,7 @@ #include #include +#include #include @@ -56,7 +58,7 @@ void makesalt(char salt[SALTSIZE]); PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { + int argc , const char *argv[] ) { #ifndef __linux__ login_cap_t *lc; @@ -78,7 +80,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, pwd = getpwnam(user); } - + puts("authenticating as user:"); + puts(user); PAM_LOG("Authenticating user: [%s]", user); /* get password */ @@ -227,17 +230,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif /* Check if pw_lstchg or sp_expire is set */ - +/* if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); + puts("before all"); if (pwd->sp_expire) { + puts(ctime(&(pwd->sp_expire))); + puts(ctime(&curtime)); if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { #ifndef __linux__ login_close(lc); -#endif +#endif + puts("expire 1"); PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { + puts("expire 2"); PAM_ERROR("Warning: your account expires on %s", ctime(&pwd->sp_expire)); } @@ -246,8 +254,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pwd->sp_lstchg == 0 ) { return (PAM_NEW_AUTHTOK_REQD); } - - /* check all other possibilities (mostly stolen from pam_tcb) */ + puts("before tcb OK!"); + * check all other possibilities (mostly stolen from pam_tcb) * if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && (pwd->sp_max != -1) && (pwd->sp_inact != -1) && @@ -255,12 +263,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 1"); if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1)) { PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 2"); if ((curtime - pwd->sp_lstchg > pwd->sp_max) && (curtime - pwd->sp_lstchg > pwd->sp_inact) @@ -270,7 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , return (PAM_ACCT_EXPIRED); } - pam_err = (PAM_SUCCESS); + puts("after 3"); +*/ pam_err = (PAM_SUCCESS); #ifndef __linux__ @@ -485,6 +496,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, } +PAM_EXTERN int +pam_sm_open_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Open session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Open session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(), + (unsigned long) getuid()); + + return PAM_SUCCESS; + +} + +PAM_EXTERN int +pam_sm_close_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Close session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Close session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Closed session for user [%s]", user); + + return PAM_SUCCESS; +} #ifdef __linux__ @@ -493,7 +554,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, * Update shadow with new user password */ -static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_shadow( pam_handle_t * pamh , const char * user, + const char * newhashedpwd ) { FILE *oldshadow, *newshadow; struct spwd *pwd,*cur_pwd; struct stat filestat; @@ -592,7 +654,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char * #define NEW_PASSWD "/etc/.passwd" -static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_passwd( pam_handle_t * pamh, const char * user, + const char * newhashedpwd ) { FILE *oldpasswd, *newpasswd; struct passwd *pwd,*cur_pwd; struct stat filestat; diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ index d1410c9..9a504d0 100644 --- a/modules/pam_unix/pam_unix.c~ +++ b/modules/pam_unix/pam_unix.c~ @@ -15,7 +15,8 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT -#define PAM_PASSWORD +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION #ifndef __linux__ #include /* for BSD login classes */ @@ -56,7 +57,7 @@ void makesalt(char salt[SALTSIZE]); PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { + int argc , const char *argv[] ) { #ifndef __linux__ login_cap_t *lc; @@ -78,7 +79,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, pwd = getpwnam(user); } - + puts("authenticating as user:"); + puts(user); PAM_LOG("Authenticating user: [%s]", user); /* get password */ @@ -227,17 +229,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif /* Check if pw_lstchg or sp_expire is set */ - +/* if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); + puts("before all"); if (pwd->sp_expire) { + puts(ctime(&(pwd->sp_expire))); + puts(ctime(&curtime)); if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { #ifndef __linux__ login_close(lc); -#endif +#endif + puts("expire 1"); PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { + puts("expire 2"); PAM_ERROR("Warning: your account expires on %s", ctime(&pwd->sp_expire)); } @@ -246,8 +253,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pwd->sp_lstchg == 0 ) { return (PAM_NEW_AUTHTOK_REQD); } - - /* check all other possibilities (mostly stolen from pam_tcb) */ + puts("before tcb OK!"); + * check all other possibilities (mostly stolen from pam_tcb) * if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && (pwd->sp_max != -1) && (pwd->sp_inact != -1) && @@ -255,12 +262,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 1"); if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1)) { PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 2"); if ((curtime - pwd->sp_lstchg > pwd->sp_max) && (curtime - pwd->sp_lstchg > pwd->sp_inact) @@ -270,7 +279,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , return (PAM_ACCT_EXPIRED); } - pam_err = (PAM_SUCCESS); + puts("after 3"); +*/ pam_err = (PAM_SUCCESS); #ifndef __linux__ @@ -313,8 +323,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, #endif int pam_err, retries; - int tmpflags = flags | PAM_UPDATE_AUTHTOK; - /* identify user */ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { @@ -355,7 +363,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, - if (tmpflags & PAM_PRELIM_CHECK) { + if (flags & PAM_PRELIM_CHECK) { puts("DOING PRELIM"); PAM_LOG("Doing preliminary actions."); @@ -390,7 +398,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (strcmp(hashedpwd, old_pwd->pw_passwd) != 0) return (PAM_PERM_DENIED); - } else if ( tmpflags & PAM_UPDATE_AUTHTOK ) { + } else if ( flags & PAM_UPDATE_AUTHTOK ) { puts("DOING UPDATE"); PAM_LOG("Doing actual update."); @@ -487,6 +495,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, } +PAM_EXTERN int +pam_sm_open_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Open session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Open session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(), + (unsigned long) getuid()); + + return PAM_SUCCESS; + +} + +PAM_EXTERN int +pam_sm_close_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Close session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Close session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Closed session for user [%s]", user); + + return PAM_SUCCESS; +} #ifdef __linux__ @@ -495,7 +553,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, * Update shadow with new user password */ -static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_shadow( pam_handle_t * pamh , const char * user, + const char * newhashedpwd ) { FILE *oldshadow, *newshadow; struct spwd *pwd,*cur_pwd; struct stat filestat; @@ -594,7 +653,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char * #define NEW_PASSWD "/etc/.passwd" -static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_passwd( pam_handle_t * pamh, const char * user, + const char * newhashedpwd ) { FILE *oldpasswd, *newpasswd; struct passwd *pwd,*cur_pwd; struct stat filestat; -- cgit v1.2.3-65-gdbad