-rw-r--r--modules/Makefile2
-rw-r--r--modules/pam_deny/Makefile1
-rw-r--r--modules/pam_nologin/Makefile1
-rw-r--r--modules/pam_permit/Makefile1
-rw-r--r--modules/pam_rootok/Makefile1
-rw-r--r--modules/pam_securetty/Makefile1
-rw-r--r--modules/pam_securetty/pam_securetty.c54
-rw-r--r--modules/pam_shells/Makefile40
-rw-r--r--modules/pam_shells/pam_shells.c90
-rw-r--r--modules/pam_unix/Makefile1
10 files changed, 173 insertions, 19 deletions
diff --git a/modules/Makefile b/modules/Makefile
index 3b5ace0..d985659 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -2,7 +2,7 @@ all install clean:
$(MAKE) -C pam_unix $@
$(MAKE) -C pam_securetty $@
$(MAKE) -C pam_nologin $@
-# $(MAKE) -C pam_shells $@
+ $(MAKE) -C pam_shells $@
# $(MAKE) -C pam_wheel $@
$(MAKE) -C pam_rootok $@
$(MAKE) -C pam_permit $@
diff --git a/modules/pam_deny/Makefile b/modules/pam_deny/Makefile
index 4ebffb1..4fa5c5f 100644
--- a/modules/pam_deny/Makefile
+++ b/modules/pam_deny/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac
diff --git a/modules/pam_nologin/Makefile b/modules/pam_nologin/Makefile
index 981d3ae..2324da2 100644
--- a/modules/pam_nologin/Makefile
+++ b/modules/pam_nologin/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac
diff --git a/modules/pam_permit/Makefile b/modules/pam_permit/Makefile
index 793e176..1d8b0bb 100644
--- a/modules/pam_permit/Makefile
+++ b/modules/pam_permit/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac
diff --git a/modules/pam_rootok/Makefile b/modules/pam_rootok/Makefile
index 6115401..986dea7 100644
--- a/modules/pam_rootok/Makefile
+++ b/modules/pam_rootok/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
index f382e4c..e2b85f7 100644
--- a/modules/pam_securetty/Makefile
+++ b/modules/pam_securetty/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index aa2d717..c22b0ce 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -2,7 +2,7 @@
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
-#include <ttyent.h>
+#include <sys/stat.h>
#include <pwd.h>
#define PAM_SM_AUTH
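Review bot: The added `+#include <sys/stat.h>` duplicates the `#include <sys/stat.h>` already present two lines above it, so the file now includes the header twice; drop the added line and keep only the removal of `<ttyent.h>`. The new pam_shells.c in this commit carries the same duplicated include in its header block.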
@@ -12,15 +12,18 @@
#include <security/pam_mod_misc.h>
#define TTY_PREFIX "/dev/"
+#define SECURETTY "/etc/securetty"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags,
int argc, const char * argv[])
{
struct passwd *pwd;
- struct ttyent *ttyinfo;
+ struct stat ttyfileinfo;
const char *user;
const char *tty;
+ char ttyfileline[256];
+ FILE *ttyfile;
int pam_err;
if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
@@ -48,18 +51,45 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags,
/* get rid of prefix */
tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
}
- /*
- * Linux-PAM, before checking the actual tty,
- * opens /etc/securettys to check if it's world
- * writable or not a normal file and only continues
- * if neither is correct. Sounds like a good idea -
- * maybe it should be done here as well...
- */
-
- if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
- (ttyinfo->ty_status & TTY_SECURE) != 0)
+
+ if ( stat(SECURETTY, &ttyfileinfo) ) {
+ PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
+ /* From LinuxPAM, they say that for compatibility issues,
+ * this needs to succeed. Who am I to judge... */
return (PAM_SUCCESS);
+ }
+
+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+ /* File is either world writable or not a regural file */
+ PAM_ERROR("SECURETTY file cannot be trusted!");
+ return (PAM_AUTH_ERR);
+ }
+ /* Open read-only file with securettys */
+ if ( (ttyfile = fopen(SECURETTY,"r")) == NULL ) {
+ PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
+ return (PAM_AUTH_ERR);
+ }
+
+ pam_err = 1;
+ /* Search in SECURETTY for tty */
+ while (fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL
+ && pam_err) {
+ if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
+
+ pam_err = strcmp(ttyfileline, tty);
+
+ }
+
+ fclose(ttyfile);
+
+ if (!pam_err) {
+ /* tty found in SECURETTY. Allow access */
+ PAM_LOG("Access granted for %s on tty %s.", user, tty);
+ return (PAM_SUCCESS);
+ }
+
PAM_ERROR("Access denied: tty %s is not secure", tty);
return (PAM_AUTH_ERR);
}
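Review bot: `pam_err = strcmp(ttyfileline, tty);` is reached with `tty` unchecked for NULL — the removed code tested `tty != NULL` before using it, and unless a test earlier in pam_sm_authenticate (outside this hunk, before the prefix strip) already rejects a missing PAM_TTY item, an unset tty now dereferences NULL. The `stat(SECURETTY, ...)` mode check followed by a separate `fopen(SECURETTY, "r")` is a check-then-use race; the world-writable/regular-file test should be made with `fstat(fileno(ttyfile), &ttyfileinfo)` on the stream that is actually read, and the same sequence appears in pam_shells.c. `ttyfileline[strlen(ttyfileline) - 1]` indexes before the array when a line yields an empty string, and `sizeof(ttyfileline)-1` can be plain `sizeof ttyfileline` because fgets already reserves the terminator byte. Returning PAM_SUCCESS when stat() fails is fail-open; the comment says this mirrors Linux-PAM, but pam_shells.c returns PAM_AUTH_ERR in the same situation, so the two modules should agree or the comment should say why they differ. pam_sm_authenticate begins outside this hunk.
```c
	if ( tty == NULL ) {
		PAM_ERROR("No tty available for user %s", user);
		return (PAM_AUTH_ERR);
	}
	/* … unchanged: stat(SECURETTY) with its compatibility PAM_SUCCESS return … */
	if ( (ttyfile = fopen(SECURETTY,"r")) == NULL ) {
		PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
		return (PAM_AUTH_ERR);
	}
	/* Check the mode of the stream actually read, not of a path that
	 * may have been replaced between stat() and fopen() */
	if (fstat(fileno(ttyfile), &ttyfileinfo) != 0
	    || (ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
		PAM_ERROR("SECURETTY file cannot be trusted!");
		fclose(ttyfile);
		return (PAM_AUTH_ERR);
	}
	pam_err = 1;
	/* Search in SECURETTY for tty */
	while (fgets(ttyfileline, sizeof ttyfileline, ttyfile) != NULL && pam_err) {
		size_t len = strlen(ttyfileline);
		if (len > 0 && ttyfileline[len - 1] == '\n')
			ttyfileline[len - 1] = '\0';
		pam_err = strcmp(ttyfileline, tty);
	}
	/* … unchanged: fclose, tty-found check, final deny … */
```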
diff --git a/modules/pam_shells/Makefile b/modules/pam_shells/Makefile
new file mode 100644
index 0000000..0d736a5
--- /dev/null
+++ b/modules/pam_shells/Makefile
@@ -0,0 +1,40 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_shells
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_shells.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index e69de29..cce6824 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -0,0 +1,90 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <pwd.h>
+
+#define PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define SHELLS "/etc/shells"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *pwd;
+ struct stat shellfileinfo;
+ const char *user;
+ const char *shell;
+ char shellfileline[256];
+ FILE *shellfile;
+ int pam_err;
+
+ if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
+ || ( user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (pwd = getpwnam(user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ shell = pwd->pw_shell;
+
+ if ( stat(SHELLS, &shellfileinfo) ) {
+ PAM_ERROR("Could not open SHELLS file :%s", SHELLS);
+ return (PAM_AUTH_ERR);
+ }
+
+ if ((shellfileinfo.st_mode & S_IWOTH) || !S_ISREG(shellfileinfo.st_mode)) {
+ /* File is either world writable or not a regural file */
+ PAM_ERROR("SHELLS file cannot be trusted!");
+ return (PAM_AUTH_ERR);
+ }
+
+ /* Open read-only file with shells */
+ if ( (shellfile = fopen(SHELLS,"r")) == NULL ) {
+ PAM_ERROR("Could not open SHELLS file :%s", SHELLS);
+ return (PAM_SERVICE_ERR);
+ }
+
+ pam_err = 1;
+
+ /* Search in SHELLS for user shell */
+ while (fgets(shellfileline, sizeof(shellfileline)-1, shellfile) != NULL
+ && pam_err) {
+ if (shellfileline[strlen(shellfileline) - 1] == '\n')
+ shellfileline[strlen(shellfileline) - 1] = '\0';
+
+ pam_err = strcmp(shellfileline, shell);
+
+ }
+
+ fclose(shellfile);
+
+ if (!pam_err) {
+ /* user shell found in SHELLS. Allow access */
+ PAM_LOG("Access granted for %s with shell %s.", user, shell);
+ return (PAM_SUCCESS);
+ }
+
+ return (PAM_AUTH_ERR);
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh , int flags ,
+ int argc , const char *argv[])
+{
+
+ return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_shells");
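Review bot: An empty line in /etc/shells compares equal to an empty `pw_shell` in the `strcmp(shellfileline, shell)` loop, so a user whose passwd entry has a blank shell field would be accepted by a blank line; skip blank and `#`-comment lines before comparing, e.g. `if (shellfileline[0] == '\0' || shellfileline[0] == '#') continue;` placed right after the newline strip. The stat()/fopen() check-then-use sequence, the `strlen(shellfileline) - 1` index on an empty line and the `sizeof(shellfileline)-1` are the same points raised on pam_securetty.c in this commit, and the second `#include <sys/stat.h>` in the header block is a duplicate. The function returns PAM_AUTH_ERR when stat() fails but PAM_SERVICE_ERR when fopen() of the same path fails; the two branches should use one code. The file has no header comment; a one-line contract such as `/* Deny unless the user's login shell (pw_shell) is listed verbatim in /etc/shells. */` above pam_sm_authenticate would state what the module enforces.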
diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
index ae80af4..34ed3f0 100644
--- a/modules/pam_unix/Makefile
+++ b/modules/pam_unix/Makefile
@@ -23,7 +23,6 @@ all:
case "`uname -s`" in \
Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
*) echo "OS not supported.";;\
esac