authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-16 22:57:28 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-22 05:59:36 +0300
commite54218e455d4c76d72d1315dfbc8d55538c3039c (patch)
tree123293a88083f199ac9025cce9237a7a12f09e88
parentCompleted pam_rootok and pam_securetty (diff)
downloadopenpam-modules-e54218e455d4c76d72d1315dfbc8d55538c3039c.tar.gz
openpam-modules-e54218e455d4c76d72d1315dfbc8d55538c3039c.tar.bz2
openpam-modules-e54218e455d4c76d72d1315dfbc8d55538c3039c.zip
Added logging/debug msgs in pam_unix
-rw-r--r--Make.defs~13
-rw-r--r--modules/pam_nologin/pam_nologin.c~20
-rw-r--r--modules/pam_rootok/Makefile41
-rw-r--r--modules/pam_rootok/Makefile~41
-rw-r--r--modules/pam_rootok/pam_rootok.c~31
-rw-r--r--modules/pam_rootok/pam_rootok.obin0 -> 5364 bytes
-rwxr-xr-xmodules/pam_rootok/pam_rootok.sobin0 -> 9484 bytes
-rw-r--r--modules/pam_securetty/Makefile41
-rw-r--r--modules/pam_securetty/Makefile~41
-rw-r--r--modules/pam_securetty/pam_securetty.c~70
-rw-r--r--modules/pam_securetty/pam_securetty.obin0 -> 5372 bytes
-rwxr-xr-xmodules/pam_securetty/pam_securetty.sobin0 -> 9074 bytes
-rw-r--r--modules/pam_unix/pam_unix.c~1
-rw-r--r--modules/pam_unix/pam_unix.obin0 -> 25212 bytes
-rwxr-xr-xmodules/pam_unix/pam_unix.sobin0 -> 26156 bytes
15 files changed, 299 insertions, 0 deletions
diff --git a/Make.defs~ b/Make.defs~
new file mode 100644
index 0000000..cbaea77
--- /dev/null
+++ b/Make.defs~
@@ -0,0 +1,13 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+CC = gcc
+LD = $(CC)
+RM = rm -f
+MKDIR = mkdir -p
+INSTALL = install -c
+CFLAGS = -Wall -g -fPIC -I../../include -I/opt/local/include -O2 -D_XOPEN_SOURCE=500 -D_SVID_SOURCE -fno-stack-protector
+LDFLAGS = -shared -L/opt/local/lib # -Wl,$(LINKEROPTS)
+LINKEROPTS =
+LDLIBS = -lpam -lcrypt
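Review bot: `-fno-stack-protector` on the `CFLAGS` line turns off stack canaries for every module built from these defaults, and PAM modules are loaded into privileged authentication processes that handle user-supplied names and tty strings. Unless a specific toolchain problem requires it, drop the flag or replace it with `-fstack-protector`, and record the reason in a comment if it has to stay. The path is `Make.defs~`, an editor backup; the module Makefiles include `../../Make.defs`, which this diff does not show, so the same line presumably needs checking there.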
diff --git a/modules/pam_nologin/pam_nologin.c~ b/modules/pam_nologin/pam_nologin.c~
new file mode 100644
index 0000000..db95fbe
--- /dev/null
+++ b/modules/pam_nologin/pam_nologin.c~
@@ -0,0 +1,20 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifndef __linux__
+#include <login_cap.h>
+#endif
+
+#define PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define NOLOGIN_FILE "/etc/nologin"
+
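Review bot: Editor backup files are being tracked: this path ends in `~`, as do `Make.defs~`, both `Makefile~` copies, `pam_rootok.c~`, `pam_securetty.c~` and `pam_unix.c~` in this commit. The commit also adds the `.o` and `.so` build outputs for pam_rootok, pam_securetty and pam_unix; a prebuilt PAM module in the tree cannot be checked against the source it claims to come from, and make may treat it as up to date instead of rebuilding. Consider dropping these paths from the commit and adding ignore patterns such as `*~`, `*.o` and `*.so`.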
diff --git a/modules/pam_rootok/Makefile b/modules/pam_rootok/Makefile
new file mode 100644
index 0000000..6115401
--- /dev/null
+++ b/modules/pam_rootok/Makefile
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_rootok.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
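Review bot: The `FreeBSD)` and `*)` branches of the `all` recipe only echo a message, so the recipe exits 0 and a build on an unsupported system looks successful although no module was produced; ending them with a failure, e.g. `*) echo "OS not supported." >&2; exit 1;;`, makes that visible to callers and CI. `all` and `clean` are also not declared phony, so a file with either name in the directory would silently disable the target; `.PHONY: all clean` fixes that. The same applies to `modules/pam_securetty/Makefile` and the two `Makefile~` copies.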
diff --git a/modules/pam_rootok/Makefile~ b/modules/pam_rootok/Makefile~
new file mode 100644
index 0000000..4285e98
--- /dev/null
+++ b/modules/pam_rootok/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_rootok/pam_rootok.c~ b/modules/pam_rootok/pam_rootok.c~
new file mode 100644
index 0000000..9adec8c
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.c~
@@ -0,0 +1,31 @@
+#include <sys/cdefs.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <stdio.h>
+
+#define PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags ,
+ int argc , const char *argv[] )
+{
+
+ if (getuid() == 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("User is not superuser");
+
+ return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc , const char *argv[] )
+{
+
+ return (PAM_SUCCESS);
+}
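Review bot: `pam_sm_authenticate` has no comment stating that `getuid()` tests the real UID of the calling process rather than the user being authenticated, which is the entire security contract of this module. I would add a header comment along the lines of `/* Succeeds only when the caller's real UID is 0; never consults the PAM user or any credential. */`. Unlike `pam_securetty.c~`, the file does not end with `PAM_MODULE_ENTRY("pam_rootok");`, and it includes `<syslog.h>` and `<stdio.h>` without visibly using them; whether the entry macro is required depends on `pam_mod_misc.h`, which is not shown here.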
diff --git a/modules/pam_rootok/pam_rootok.o b/modules/pam_rootok/pam_rootok.o
new file mode 100644
index 0000000..fbe51db
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.o
Binary files differ
diff --git a/modules/pam_rootok/pam_rootok.so b/modules/pam_rootok/pam_rootok.so
new file mode 100755
index 0000000..271d34a
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.so
Binary files differ
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
new file mode 100644
index 0000000..f382e4c
--- /dev/null
+++ b/modules/pam_securetty/Makefile
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_securetty
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_securetty.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_securetty/Makefile~ b/modules/pam_securetty/Makefile~
new file mode 100644
index 0000000..6115401
--- /dev/null
+++ b/modules/pam_securetty/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_rootok.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_securetty/pam_securetty.c~ b/modules/pam_securetty/pam_securetty.c~
new file mode 100644
index 0000000..d0979de
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.c~
@@ -0,0 +1,70 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <ttyent.h>
+#include <pwd.h>
+
+
+#define PAM_SM_ACCOUNT
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define TTY_PREFIX "/dev/"
+
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *pwd;
+ struct ttyent *ttyinfo;
+ const char *user;
+ const char *tty;
+ int pam_err;
+
+ if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
+ || ( user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (pwd = getpwnam(user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ if ( pwd->pw_uid != 0 ) {
+ /* secure tty applies only to root */
+ return (PAM_SUCCESS);
+ }
+
+ if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) {
+ return (pam_err);
+ }
+
+ if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
+ PAM_LOG("tty starts with " TTY_PREFIX);
+ /* skip prefix */
+ tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
+ }
+
+ /*
+ * Linux-PAM, before checking the actual tty,
+ * opens /etc/securettys to check if it's world
+ * writable or not a normal file and only continues
+ * if neither is correct. Sounds like a good idea -
+ * maybe it should be done here as well...
+ */
+
+
+ if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
+ (ttyinfo->ty_status & TTY_SECURE) != 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("Access denied: tty%s is not secure", tty);
+ return (PAM_AUTH_ERR);
+}
+
+PAM_MODULE_ENTRY("pam_securetty");
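Review bot: The first check in `pam_sm_acct_mgmt` fails open: when `pam_get_user` returns `PAM_SUCCESS` but leaves `user` NULL, the branch returns `pam_err`, i.e. `PAM_SUCCESS`, and the account check passes; `return (pam_err != PAM_SUCCESS ? pam_err : PAM_SERVICE_ERR);` closes that. The prefix test compares `sizeof(TTY_PREFIX)` bytes, which includes the terminating NUL, so it only matches a tty that is exactly `/dev/` and the prefix is never stripped from a real device path; it should be `strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX) - 1)`. The final `PAM_ERROR` also passes `tty` to `%s` when it may still be NULL, so the denial path needs a fallback such as `tty != NULL ? tty : "(unknown)"`.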
diff --git a/modules/pam_securetty/pam_securetty.o b/modules/pam_securetty/pam_securetty.o
new file mode 100644
index 0000000..442e249
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.o
Binary files differ
diff --git a/modules/pam_securetty/pam_securetty.so b/modules/pam_securetty/pam_securetty.so
new file mode 100755
index 0000000..071e877
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.so
Binary files differ
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index 9a504d0..ea1b75d 100644
--- a/modules/pam_unix/pam_unix.c~
+++ b/modules/pam_unix/pam_unix.c~
@@ -33,6 +33,7 @@
#include <security/pam_modules.h>
#include <security/pam_appl.h>
+#include <security/openpam.h>
#include <security/pam_mod_misc.h>
diff --git a/modules/pam_unix/pam_unix.o b/modules/pam_unix/pam_unix.o
new file mode 100644
index 0000000..b463d1b
--- /dev/null
+++ b/modules/pam_unix/pam_unix.o
Binary files differ
diff --git a/modules/pam_unix/pam_unix.so b/modules/pam_unix/pam_unix.so
new file mode 100755
index 0000000..a77c352
--- /dev/null
+++ b/modules/pam_unix/pam_unix.so
Binary files differ