From 775cc18c70f9aa3fd81b76a0f2fc6eaa03a16bab Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Mon, 21 Jul 2008 14:56:25 +0300
Subject: Redesigned pam_securetty
---
 modules/pam_securetty/pam_securetty.c | 54 +++++++++++++++++++++++++++--------
 1 file changed, 42 insertions(+), 12 deletions(-)
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index f6d7bc2..98e01bc 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -2,7 +2,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #define PAM_SM_AUTH
@@ -12,15 +12,18 @@
 #include
 #define TTY_PREFIX "/dev/"
+#define SECURETTY "/etc/securetty"
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t * pamh, int flags,
 	int argc, const char * argv[])
 {
 	struct passwd *pwd;
-	struct ttyent *ttyinfo;
+	struct stat ttyfileinfo;
 	const char *user;
 	const char *tty;
+	char ttyfileline[256];
+	FILE *ttyfile;
 	int pam_err;
 	if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
@@ -48,18 +51,45 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, /* get rid of prefix */ tty = (const char *)tty + sizeof(TTY_PREFIX) - 1; } - /* - * Linux-PAM, before checking the actual tty, - * opens /etc/securettys to check if it's world - * writable or not a normal file and only continues - * if neither is correct. Sounds like a good idea - - * maybe it should be done here as well... - */ - - if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL && - (ttyinfo->ty_status & TTY_SECURE) != 0) + + if ( stat(SECURETTY, &ttyfileinfo) ) { + PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY); + /* From LinuxPAM, they say that for compatibility issues, + * this needs to succeed. Who am I to judge... */ return (PAM_SUCCESS); + } + + if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { + /* File is either world writable or not a regural file */ + PAM_ERROR("SECURETTY file cannot be trusted!"); + return (PAM_AUTH_ERR); + } + /* Open read-only file with securettys */ + if ( (ttyfile = fopen(SECURETTY,"r")) == NULL ) { + PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY); + return (PAM_AUTH_ERR); + } + + pam_err = 1; + /* Search in SECURETTY for tty */ + while (fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL + && pam_err) { + if (ttyfileline[strlen(ttyfileline) - 1] == '\n') + ttyfileline[strlen(ttyfileline) - 1] = '\0'; + + pam_err = strcmp(ttyfileline, tty); + + } + + fclose(ttyfile); + + if (!pam_err) { + /* tty found in SECURETTY. Allow access */ + PAM_LOG("Access granted for %s on tty %s.", user, tty); + return (PAM_SUCCESS); + } + PAM_ERROR("Access denied: tty %s is not secure", tty); return (PAM_AUTH_ERR); } -- cgit v1.2.3-65-gdbad From 6f11cc854bfc894c52bcdc40ac51603d2079aeca Mon Sep 17 00:00:00 2001 From: Seraphim Mellos Date: Mon, 21 Jul 2008 18:40:17 +0300 Subject: Started pam_shells --- modules/pam_shells/pam_shells.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
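Review bot: The trust checks run on the path with stat() and the file is then reopened by name with fopen(), so the S_IWOTH/S_ISREG verdict applies to whatever was at SECURETTY a moment earlier rather than to the stream that is actually read; open first and apply the mode checks to fstat(fileno(ttyfile)), keeping the Linux-PAM fail-open only for fopen() failing with ENOENT, and the same applies to the pam_shells.c hunk later in this series. The matching loop has two edge cases worth closing: an empty line in the file compares equal to an empty tty name (PAM_TTY arriving as just the prefix), and a line longer than the buffer is split by fgets() into fragments that are each compared on their own, while `ttyfileline[strlen(ttyfileline) - 1]` reads before the buffer if the chunk read begins with a NUL byte. The removed condition guarded `tty != NULL` and the new `strcmp(ttyfileline, tty)` does not — if tty can still be NULL on this path (the prefix-stripping block above the hunk cannot be seen in full), a NULL check before the loop is needed. The stat() failure path logs `"Could not open SECURETTY file :%s"` although nothing was opened yet; `"Could not stat SECURETTY file :%s"` describes what failed. pam_sm_authenticate begins outside the hunk.
```c
	/* … unchanged: tty lookup and TTY_PREFIX stripping … */

	if ((ttyfile = fopen(SECURETTY, "r")) == NULL) {
		if (errno == ENOENT) {
			/* Linux-PAM compatibility: a missing file imposes no restriction. */
			PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
			return (PAM_SUCCESS);
		}
		PAM_ERROR("Could not open SECURETTY file :%s", SECURETTY);
		return (PAM_AUTH_ERR);
	}

	/* Check the descriptor we read from, not the path, so the verdict
	 * cannot be separated from the stream by a rename in between. */
	if (fstat(fileno(ttyfile), &ttyfileinfo) != 0 ||
	    (ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
		PAM_ERROR("SECURETTY file cannot be trusted!");
		fclose(ttyfile);
		return (PAM_AUTH_ERR);
	}

	pam_err = 1;
	/* Search in SECURETTY for tty, one complete line at a time */
	while (pam_err && fgets(ttyfileline, sizeof(ttyfileline), ttyfile) != NULL) {
		size_t len = strlen(ttyfileline);

		/* A line that does not fit the buffer is not a tty name:
		 * discard its remainder instead of comparing the fragments. */
		if (len > 0 && ttyfileline[len - 1] != '\n' && !feof(ttyfile)) {
			int c;
			while ((c = fgetc(ttyfile)) != EOF && c != '\n')
				;
			continue;
		}
		if (len > 0 && ttyfileline[len - 1] == '\n')
			ttyfileline[--len] = '\0';
		if (len == 0)
			continue;	/* an empty line must never match */

		pam_err = strcmp(ttyfileline, tty);
	}

	/* … unchanged: fclose, grant or deny … */
```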
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index e69de29..8b1397c 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -0,0 +1,18 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH
+
+#include
+#include
+#include
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags,
+	int argc, const char * argv[])
+{
+
--
cgit v1.2.3-65-gdbad
From 556854e001ca9babd96d6cbe322594057acd7889 Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Wed, 23 Jul 2008 12:37:57 +0300
Subject: pam_shells completed
---
 modules/Makefile | 2 +-
 modules/pam_deny/Makefile | 1 -
 modules/pam_nologin/Makefile | 1 -
 modules/pam_permit/Makefile | 1 -
 modules/pam_rootok/Makefile | 1 -
 modules/pam_securetty/Makefile | 1 -
 modules/pam_shells/pam_shells.c | 74 ++++++++++++++++++++++++++++++++++++++++-
 modules/pam_unix/Makefile | 1 -
 8 files changed, 74 insertions(+), 8 deletions(-)
diff --git a/modules/Makefile b/modules/Makefile
index 3b5ace0..d985659 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -2,7 +2,7 @@ all install clean:
 	$(MAKE) -C pam_unix $@
 	$(MAKE) -C pam_securetty $@
 	$(MAKE) -C pam_nologin $@
-#	$(MAKE) -C pam_shells $@
+	$(MAKE) -C pam_shells $@
 #	$(MAKE) -C pam_wheel $@
 	$(MAKE) -C pam_rootok $@
 	$(MAKE) -C pam_permit $@
diff --git a/modules/pam_deny/Makefile b/modules/pam_deny/Makefile
index 4ebffb1..4fa5c5f 100644
--- a/modules/pam_deny/Makefile
+++ b/modules/pam_deny/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
diff --git a/modules/pam_nologin/Makefile b/modules/pam_nologin/Makefile
index 981d3ae..2324da2 100644
--- a/modules/pam_nologin/Makefile
+++ b/modules/pam_nologin/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
diff --git a/modules/pam_permit/Makefile b/modules/pam_permit/Makefile
index 793e176..1d8b0bb 100644
--- a/modules/pam_permit/Makefile
+++ b/modules/pam_permit/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
diff --git a/modules/pam_rootok/Makefile b/modules/pam_rootok/Makefile
index 6115401..986dea7 100644
--- a/modules/pam_rootok/Makefile
+++ b/modules/pam_rootok/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
index f382e4c..e2b85f7 100644
--- a/modules/pam_securetty/Makefile
+++ b/modules/pam_securetty/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 8b1397c..cce6824 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -11,8 +11,80 @@ #include #include +#define SHELLS "/etc/shells" + PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, - int argc, const char * argv[]) + int argc, const char * argv[]) +{ + struct passwd *pwd; + struct stat shellfileinfo; + const char *user; + const char *shell; + char shellfileline[256]; + FILE *shellfile; + int pam_err; + + if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS ) + || ( user == NULL ) ) { + PAM_ERROR("Error recovering username."); + return (pam_err); + } + + if ( (pwd = getpwnam(user)) == NULL ) { + PAM_ERROR("Could not get passwd entry for user [%s]",user); + return (PAM_SERVICE_ERR); + } + + shell = pwd->pw_shell; + + if ( stat(SHELLS, &shellfileinfo) ) { + PAM_ERROR("Could not open SHELLS file :%s", SHELLS); + return (PAM_AUTH_ERR); + } + + if ((shellfileinfo.st_mode & S_IWOTH) || !S_ISREG(shellfileinfo.st_mode)) { + /* File is either world writable or not a regural file */ + PAM_ERROR("SHELLS file cannot be trusted!"); + return (PAM_AUTH_ERR); + } + + /* Open read-only file with shells */ + if ( (shellfile = fopen(SHELLS,"r")) == NULL ) { + PAM_ERROR("Could not open SHELLS file :%s", SHELLS); + return (PAM_SERVICE_ERR); + } + + pam_err = 1; + + /* Search in SHELLS for user shell */ + while (fgets(shellfileline, sizeof(shellfileline)-1, shellfile) != NULL + && pam_err) { + if (shellfileline[strlen(shellfileline) - 1] == '\n') + shellfileline[strlen(shellfileline) - 1] = '\0'; + + pam_err = strcmp(shellfileline, shell); + + } + + fclose(shellfile); + + if (!pam_err) { + /* user shell found in SHELLS. Allow access */ + PAM_LOG("Access granted for %s with shell %s.", user, shell); + return (PAM_SUCCESS); + } + + return (PAM_AUTH_ERR); +} + + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[]) { + return (PAM_SUCCESS); +} + +PAM_MODULE_ENTRY("pam_shells"); diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile index ae80af4..34ed3f0 100644 
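Review bot: `pwd->pw_shell` is not validated before it is compared, and an account whose passwd shell field is empty (a legitimate configuration that relies on the system default shell) is then denied unless /etc/shells happens to contain a blank line, in which case the empty line compares equal to "" and the user is admitted by accident. Make the policy explicit before the file is read, e.g. `if (shell == NULL || *shell == '\0') return (PAM_AUTH_ERR);` with a PAM_ERROR naming the user, or substitute the system default shell if that is what the module is meant to accept. The path-then-reopen stat()/fopen() check and the line-matching edge cases raised on the pam_securetty hunk (`shellfileline[strlen(shellfileline) - 1]` on a chunk that starts with NUL, fragments of over-long lines compared separately, empty lines matching) apply here verbatim and the same fstat()-on-the-open-stream rewrite fits. The stat() failure message `"Could not open SHELLS file :%s"` reports a failed stat; `"Could not stat SHELLS file :%s"` matches what was attempted.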
--- a/modules/pam_unix/Makefile
+++ b/modules/pam_unix/Makefile
@@ -23,7 +23,6 @@ all:
 	case "`uname -s`" in \
 	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
 	LDLIBS="$(LDLIBS)" $(PROJ);;\
-	FreeBSD) echo "Not yet supported.";;\
 	*) echo "OS not supported.";;\
 	esac
--
cgit v1.2.3-65-gdbad
From fefa5a6cf8a6b8bf3199969956e3a604a59e5795 Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Wed, 23 Jul 2008 12:53:11 +0300
Subject: Makefile corrections
---
 modules/pam_shells/Makefile | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 modules/pam_shells/Makefile
diff --git a/modules/pam_shells/Makefile b/modules/pam_shells/Makefile
new file mode 100644
index 0000000..0d736a5
--- /dev/null
+++ b/modules/pam_shells/Makefile
@@ -0,0 +1,40 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_shells
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_shells.o
+
+all:
+	case "`uname -s`" in \
+	Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+	LDLIBS="$(LDLIBS)" $(PROJ);;\
+	*) echo "OS not supported.";;\
+	esac
+
+$(LIBSHARED): $(OBJS)
+	$(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+	$(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+	$(RM) $(PROJ) *.o
+
+
+
--
cgit v1.2.3-65-gdbad
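Review bot: The new pam_shells Makefile defines only `all`, `clean` and the build rules, while the parent `modules/Makefile` (uncommented earlier in this series) runs `$(MAKE) -C pam_shells $@` for the `all install clean` targets, so a top-level `make install` will stop in this directory with a missing-target error — unless the other module Makefiles lack `install` as well, which cannot be confirmed from the hunks visible here. SHLIBMODE, MAN8 and MANMODE are assigned but never consumed, which suggests an install rule was intended; an `install:` target that copies $(LIBSHARED) with mode $(SHLIBMODE) into $(DESTDIR)$(SECUREDIR) would give those variables a use, with the commented-out SECUREDIR/MANDIR/DESTDIR values presumably supplied by Make.defs. Minor: the three-blank-line runs after `#DESTDIR =` and after `clean` are noise a `.PHONY: all clean` declaration would be a better use of.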