aboutsummaryrefslogtreecommitdiff
blob: c22b0ce8af854c60f4f387797a26203e7f810000 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <pwd.h>

#define PAM_SM_AUTH

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

#define TTY_PREFIX      "/dev/"
#define SECURETTY 	"/etc/securetty"

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags,
		int argc, const char * argv[]) 
{
	struct passwd *pwd;
	struct stat ttyfileinfo;
	const char *user;
	const char *tty; 
	char ttyfileline[256];
	FILE *ttyfile;
	int pam_err;

	if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS ) 
			|| ( user == NULL ) )  {
		PAM_ERROR("Error recovering username.");
		return (pam_err);
	}

	if ( (pwd = getpwnam(user)) == NULL ) { 
		PAM_ERROR("Could not get passwd entry for user [%s]",user);
		return (PAM_SERVICE_ERR);
	}

	if ( pwd->pw_uid  != 0 ) { 
		/* secure tty applies only to root */
		return (PAM_SUCCESS);
	}

	if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) { 
		return (pam_err);
	}	

	if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
		PAM_LOG("tty starts with " TTY_PREFIX);
		/* get rid of prefix */
		tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
	}
	
	if ( stat(SECURETTY, &ttyfileinfo) ) { 
		PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
		/* From LinuxPAM, they say that for compatibility issues, 
		 * this needs to succeed. Who am I to judge... */
		return (PAM_SUCCESS);
	}

	if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
		/* File is either world writable or not a regural file */
		PAM_ERROR("SECURETTY file cannot be trusted!");
		return (PAM_AUTH_ERR);
	}
	
	/* Open read-only file with securettys */
	if ( (ttyfile = fopen(SECURETTY,"r")) ==  NULL ) { 
		PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
		return (PAM_AUTH_ERR);
	}

	pam_err = 1;
	/* Search in SECURETTY for tty */
	while (fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL 
		&& pam_err) { 
	        if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
	        	ttyfileline[strlen(ttyfileline) - 1] = '\0';

		pam_err = strcmp(ttyfileline, tty);

	}

	fclose(ttyfile);

	if (!pam_err) { 
		/* tty found in SECURETTY. Allow access */
		PAM_LOG("Access granted for %s on tty %s.", user, tty);
		return (PAM_SUCCESS); 
	}

	PAM_ERROR("Access denied: tty %s is not secure", tty);
	return (PAM_AUTH_ERR);
}


PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh , int flags ,
		int argc , const char *argv[])
{
	                return (PAM_SUCCESS);
}

PAM_MODULE_ENTRY("pam_securetty");