Diffstat (limited to 'modules/pam_securetty/pam_securetty.c')
-rw-r--r--modules/pam_securetty/pam_securetty.c54
1 files changed, 42 insertions, 12 deletions
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index f6d7bc2..98e01bc 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -2,7 +2,7 @@
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
-#include <ttyent.h>
+#include <sys/stat.h>
#include <pwd.h>
#define PAM_SM_AUTH
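Review bot: The added `#include <sys/stat.h>` duplicates the one already on the first line of this hunk, so the replacement for `<ttyent.h>` is a no-op; the header is indeed needed for stat()/S_ISREG, but one copy suffices and the added line should be dropped. If the new lookup code distinguishes a missing file from an unreadable one via `errno`, `<errno.h>` is the include this hunk would need instead, and it is not among the headers visible here.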
@@ -12,15 +12,18 @@
#include <security/pam_mod_misc.h>
#define TTY_PREFIX "/dev/"
+#define SECURETTY "/etc/securetty"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags,
int argc, const char * argv[])
{
struct passwd *pwd;
- struct ttyent *ttyinfo;
+ struct stat ttyfileinfo;
const char *user;
const char *tty;
+ char ttyfileline[256];
+ FILE *ttyfile;
int pam_err;
if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
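Review bot: `char ttyfileline[256];` introduces an undocumented magic size with no statement of what happens to an /etc/securetty line longer than that, which is exactly the property a reader of the lookup loop needs to know. A named constant with a one-line contract would make it reviewable: `#define SECURETTY_LINE_MAX 256 /* longest entry read per fgets(); longer lines are split, see the lookup loop */` next to the `SECURETTY` define, and `char ttyfileline[SECURETTY_LINE_MAX];` here. `SECURETTY` itself would benefit from a comment stating it is the Linux-PAM compatible path, since the hunk below relies on Linux-PAM semantics for the missing-file case. pam_sm_authenticate continues past the end of this hunk.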
@@ -48,18 +51,45 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags,
/* get rid of prefix */
tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
}
- /*
- * Linux-PAM, before checking the actual tty,
- * opens /etc/securettys to check if it's world
- * writable or not a normal file and only continues
- * if neither is correct. Sounds like a good idea -
- * maybe it should be done here as well...
- */
-
- if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
- (ttyinfo->ty_status & TTY_SECURE) != 0)
+
+ if ( stat(SECURETTY, &ttyfileinfo) ) {
+ PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
+ /* From LinuxPAM, they say that for compatibility issues,
+ * this needs to succeed. Who am I to judge... */
return (PAM_SUCCESS);
+ }
+
+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+ /* File is either world writable or not a regural file */
+ PAM_ERROR("SECURETTY file cannot be trusted!");
+ return (PAM_AUTH_ERR);
+ }
+ /* Open read-only file with securettys */
+ if ( (ttyfile = fopen(SECURETTY,"r")) == NULL ) {
+ PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
+ return (PAM_AUTH_ERR);
+ }
+
+ pam_err = 1;
+ /* Search in SECURETTY for tty */
+ while (fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL
+ && pam_err) {
+ if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
+
+ pam_err = strcmp(ttyfileline, tty);
+
+ }
+
+ fclose(ttyfile);
+
+ if (!pam_err) {
+ /* tty found in SECURETTY. Allow access */
+ PAM_LOG("Access granted for %s on tty %s.", user, tty);
+ return (PAM_SUCCESS);
+ }
+
PAM_ERROR("Access denied: tty %s is not secure", tty);
return (PAM_AUTH_ERR);
}
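Review bot: The new lookup loop dereferences `tty` unconditionally in `pam_err = strcmp(ttyfileline, tty);` and in the log calls, whereas the removed code guarded with `tty != NULL`; unless the prefix-stripping code above this hunk (which starts outside it) already rejects a NULL tty, an unset PAM_TTY item now becomes a NULL dereference, so `if (tty == NULL) return (PAM_AUTH_ERR);` should precede the file access. The stat()-then-fopen() sequence is a check-before-use race on the path — the trust check (`S_IWOTH`, `S_ISREG`) should be done with fstat() on the descriptor actually read — and the Linux-PAM "missing file means success" path currently triggers on any stat failure (EACCES, ELOOP, ...), so it should be limited to `errno == ENOENT`, which needs `<errno.h>`. The newline strip `ttyfileline[strlen(ttyfileline) - 1]` indexes before the buffer when the line read is an empty string (a NUL byte at line start), the `sizeof(ttyfileline)-1` passed to fgets() is one smaller than needed since fgets() already reserves the terminator, and a line longer than the buffer is split so that its tail is compared as if it were a whole entry; `strcspn` plus discarding over-long lines fixes all three. The enclosing pam_sm_authenticate begins outside the hunk.
```c
	if (tty == NULL) {
		PAM_ERROR("No tty to check against %s", SECURETTY);
		return (PAM_AUTH_ERR);
	}

	if ((ttyfile = fopen(SECURETTY, "r")) == NULL) {
		PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
		/* Linux-PAM compatibility: only a truly absent file grants access */
		return (errno == ENOENT ? PAM_SUCCESS : PAM_AUTH_ERR);
	}

	/* Check the descriptor we will read, not a path that may have changed */
	if (fstat(fileno(ttyfile), &ttyfileinfo) != 0 ||
	    (ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
		PAM_ERROR("SECURETTY file cannot be trusted!");
		fclose(ttyfile);
		return (PAM_AUTH_ERR);
	}

	pam_err = 1;
	while (pam_err && fgets(ttyfileline, sizeof(ttyfileline), ttyfile) != NULL) {
		size_t len = strcspn(ttyfileline, "\n");

		if (ttyfileline[len] != '\n' && !feof(ttyfile)) {
			/* line did not fit: drain it rather than compare a fragment */
			int c;
			while ((c = fgetc(ttyfile)) != EOF && c != '\n')
				;
			continue;
		}
		ttyfileline[len] = '\0';
		pam_err = strcmp(ttyfileline, tty);
	}

	fclose(ttyfile);
	/* … unchanged: grant on match, deny otherwise … */
```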