-rw-r--r--README3
-rw-r--r--modules/pam_nologin/pam_nologin.c107
-rw-r--r--modules/pam_unix/pam_unix.c63
3 files changed, 140 insertions, 33 deletions
diff --git a/README b/README
index cb811fe..7163304 100644
--- a/README
+++ b/README
@@ -1,4 +1 @@
info later
-
-Project is still incomplete. Do _NOT_ install project on your base system!
-You've been warned...
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c
index e69de29..a467421 100644
--- a/modules/pam_nologin/pam_nologin.c
+++ b/modules/pam_nologin/pam_nologin.c
@@ -0,0 +1,107 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#ifndef __linux__
+#include <login_cap.h>
+#endif
+
+#define PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define NOLOGIN "/etc/nologin"
+
+PAM_EXTERN int
+pam_sm_authenticate( pam_handle_t *pamh, int flags,
+ int argc, const char * argv[] )
+{
+ struct passwd *pwd;
+ struct stat st;
+ char *mtmp = NULL;
+ const char * user;
+ int pam_err, fd;
+#ifndef __linux__
+ login_cap_t *lc;
+#endif
+
+ if( (pam_err = pam_get_user(pamh,&user, NULL)) != PAM_SUCCESS ||
+ (user == NULL) ) {
+ PAM_ERROR("Could not determine user");
+ return (PAM_USER_UNKNOWN);
+ }
+
+
+#ifndef __linux__
+ lc = login_getclass(NULL);
+ nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
+ login_close(lc);
+ lc = NULL;
+
+ fd = open(nologin, O_RDONLY, 0);
+#else
+ fd = open(NOLOGIN, O_RDONLY, 0);
+#endif
+ /*
+ * LinuxPAM's nologin returns PAM_IGNORE when no 'nologin' file is
+ * present while freebsd's nologin returns PAM_SUCCESS. We'll go
+ * with PAM_IGNORE
+ * */
+
+ if (fd < 0 )
+ return (PAM_IGNORE);
+
+ pwd = getpwnam(user);
+ if(pwd && pwd->pw_uid == 0 )
+ pam_err = PAM_SUCCESS;
+ else {
+ if ( ! pwd )
+ pam_err = PAM_USER_UNKNOWN;
+ else
+ pam_err = PAM_AUTH_ERR;
+ }
+
+ /* get contents of /etc/nologin */
+ if (fstat(fd,&st) < 0) {
+ close(fd);
+ free(mtmp);
+ return (pam_err);
+ }
+
+
+ mtmp = malloc(st.st_size + 1);
+ if (!mtmp) {
+ PAM_ERROR("Out of memory");
+ close(fd);
+ free(mtmp);
+ return (PAM_BUF_ERR);
+ }
+
+ if ( read(fd, mtmp, st.st_size) == st.st_size ) {
+ mtmp[st.st_size] = '\0';
+ PAM_ERROR("%s", mtmp);
+ } else
+ pam_err = PAM_SYSTEM_ERR;
+
+ close(fd);
+ free (mtmp);
+
+ return (pam_err);
+
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh , int flags ,
+ int argc , const char *argv[])
+{
+
+ return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_nologin");
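Review bot: The non-Linux branch, `nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);` followed by `fd = open(nologin, O_RDONLY, 0);`, uses `nologin` and `nologin_def`, neither of which is declared anywhere in this new file, so the `#ifndef __linux__` path cannot compile; it presumably wants `static char nologin_def[] = NOLOGIN;` at file scope and `const char *nologin;` among the locals. The `free(mtmp)` calls in the fstat-failure and malloc-failure branches always see a NULL pointer and can be dropped, and `flags`, `argc` and `argv` are unused. Note that `read(fd, mtmp, st.st_size) == st.st_size` treats any short read as PAM_SYSTEM_ERR, which also overrides the PAM_SUCCESS just granted to uid 0; if the message is only informational, a failed read should probably leave `pam_err` untouched rather than turn a root login into a system error.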
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index 8e1351c..e516162 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -191,7 +191,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pam_err != PAM_SUCCESS)
return (pam_err);
- if (user == NULL || (pwd = getpwnam(user)) == NULL)
+ if (user == NULL || (pwd = getspnam(user)) == NULL)
return (PAM_SERVICE_ERR);
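Review bot: `(pwd = getspnam(user)) == NULL` replaces the `getpwnam` lookup without a platform guard, although this function still carries `#ifndef __linux__` sections (the `login_close(lc)` block further down), so non-Linux builds without `<shadow.h>` lose this path; `pwd`'s declaration is outside the hunk and is assumed to have been changed to `struct spwd *` to match. Unlike `getpwnam`, `getspnam` also returns NULL when the calling process cannot read the shadow database (an unprivileged application, or a user present in passwd but not in shadow), and the unchanged next line turns that into PAM_SERVICE_ERR for every such user; wrapping the lookup in `#ifdef __linux__` and logging the lookup failure before returning would make that failure mode explicit. pam_sm_acct_mgmt starts and ends outside the hunk.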
@@ -227,11 +227,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
return (PAM_SERVICE_ERR);
}
#endif
- /* Check if pw_lstchg or sp_expire is set */
-/*
- if (pwd->sp_lstchg || pwd->sp_expire)
- curtime = time(NULL) / (60 * 60 * 24);
- if (pwd->sp_expire) {
+ /* Calculate current time */
+ curtime = time(NULL) / (60 * 60 * 24);
+
+ /* Check for account expiration */
+ if (pwd->sp_expire > 0) {
+ fprintf(stdout, "Account expiration data value is %ld\n", pwd->sp_expire);
if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
#ifndef __linux__
login_close(lc);
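Review bot: The added `fprintf(stdout, "Account expiration data value is %ld\n", pwd->sp_expire);` writes a shadow-database field to the calling application's stdout, a stream the PAM module does not own and that may be a terminal, a pipe or a service's log; it reads as a debugging leftover and should be removed, or at most routed through syslog(3) at LOG_DEBUG. With the new `if (pwd->sp_expire > 0)` guard, the inner `( pwd->sp_expire != -1 )` test on the following line can never be false and can be dropped. pam_sm_acct_mgmt starts and ends outside the hunk.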
@@ -242,35 +243,37 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_ERROR("Warning: your account expires on %s",
ctime(&pwd->sp_expire));
}
- }
+
- if (pwd->sp_lstchg == 0 ) {
- return (PAM_NEW_AUTHTOK_REQD);
- }
- * check all other possibilities (mostly stolen from pam_tcb) *
+ if (pwd->sp_lstchg == 0 ) {
+ return (PAM_NEW_AUTHTOK_REQD);
+ }
+
+ /* check all other possibilities (mostly stolen from pam_tcb) */
- if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
- (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
- (pwd->sp_lstchg != 0)) {
- PAM_ERROR("Account has expired!");
- return (PAM_ACCT_EXPIRED);
- }
+ if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
+ (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
+ (pwd->sp_lstchg != 0)) {
+ PAM_ERROR("Account has expired!");
+ return (PAM_ACCT_EXPIRED);
+ }
- if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
- (pwd->sp_max != -1)) {
- PAM_ERROR("Account has expired!");
- return (PAM_ACCT_EXPIRED);
- }
+ if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
+ (pwd->sp_max != -1)) {
+ PAM_ERROR("Account has expired!");
+ return (PAM_ACCT_EXPIRED);
+ }
- if ((curtime - pwd->sp_lstchg > pwd->sp_max)
- && (curtime - pwd->sp_lstchg > pwd->sp_inact)
- && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
- && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) {
- PAM_ERROR("Account has expired!");
- return (PAM_ACCT_EXPIRED);
- }
+ if ((curtime - pwd->sp_lstchg > pwd->sp_max)
+ && (curtime - pwd->sp_lstchg > pwd->sp_inact)
+ && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
+ && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) {
+ PAM_ERROR("Account has expired!");
+ return (PAM_ACCT_EXPIRED);
+ }
-*/ pam_err = (PAM_SUCCESS);
+ }
+ pam_err = (PAM_SUCCESS);
#ifndef __linux__