login_access.c revision 1.4
1 /* $NetBSD: login_access.c,v 1.4 2006/11/03 18:03:23 christos Exp $ */ 2 3 /* 4 * This module implements a simple but effective form of login access 5 * control based on login names and on host (or domain) names, internet 6 * addresses (or network numbers), or on terminal line names in case of 7 * non-networked logins. Diagnostics are reported through syslog(3). 8 * 9 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 10 */ 11 12 #if 0 13 #ifndef lint 14 static char sccsid[] = "%Z% %M% %I% %E% %U%"; 15 #endif 16 #endif 17 18 #include <sys/cdefs.h> 19 #ifdef __FreeBSD__ 20 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_login_access/login_access.c,v 1.12 2004/03/05 08:10:18 markm Exp $"); 21 #else 22 __RCSID("$NetBSD: login_access.c,v 1.4 2006/11/03 18:03:23 christos Exp $"); 23 #endif 24 25 #include <sys/types.h> 26 #include <ctype.h> 27 #include <errno.h> 28 #include <grp.h> 29 #include <stdio.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <syslog.h> 33 #include <unistd.h> 34 #include <stdarg.h> 35 36 #include "pam_login_access.h" 37 38 #define _PATH_LOGACCESS "/etc/login.access" 39 40 /* Delimiters for fields and for lists of users, ttys or hosts. */ 41 42 static char fs[] = ":"; /* field separator */ 43 static char sep[] = ", \t"; /* list-element separator */ 44 45 /* Constants to be used in assignments only, not in comparisons... */ 46 47 #define YES 1 48 #define NO 0 49 50 static int from_match(const char *, const char *); 51 static int list_match(char *, const char *, 52 int (*)(const char *, const char *)); 53 static int netgroup_match(const char *, const char *, const char *); 54 static int string_match(const char *, const char *); 55 static int user_match(const char *, const char *); 56 57 /* login_access - match username/group and host/tty with access control file */ 58 59 static void 60 logit(int level, const char *fmt, ...) 61 { 62 va_list ap; 63 struct syslog_data data; 64 65 openlog_r("pam_login_access", LOG_PID, LOG_AUTHPRIV, &data); 66 va_start(ap, fmt); 67 vsyslog_r(level, &data, fmt, ap); 68 va_end(ap); 69 closelog_r(&data); 70 } 71 72 int 73 login_access(const char *user, const char *from) 74 { 75 FILE *fp; 76 char line[BUFSIZ]; 77 char *perm; /* becomes permission field */ 78 char *users; /* becomes list of login names */ 79 char *froms; /* becomes list of terminals or hosts */ 80 int match = NO; 81 int end; 82 int lineno = 0; /* for diagnostics */ 83 84 /* 85 * Process the table one line at a time and stop at the first match. 86 * Blank lines and lines that begin with a '#' character are ignored. 87 * Non-comment lines are broken at the ':' character. All fields are 88 * mandatory. The first field should be a "+" or "-" character. A 89 * non-existing table means no access control. 90 */ 91 92 if ((fp = fopen(_PATH_LOGACCESS, "r")) != NULL) { 93 while (!match && fgets(line, sizeof(line), fp)) { 94 lineno++; 95 if (line[end = strlen(line) - 1] != '\n') { 96 logit(LOG_ERR, "%s: line %d: missing newline or line too long", 97 _PATH_LOGACCESS, lineno); 98 continue; 99 } 100 if (line[0] == '#') 101 continue; /* comment line */ 102 while (end > 0 && isspace((unsigned char)line[end - 1])) 103 end--; 104 line[end] = 0; /* strip trailing whitespace */ 105 if (line[0] == 0) /* skip blank lines */ 106 continue; 107 if (!(perm = strtok(line, fs)) 108 || !(users = strtok((char *) 0, fs)) 109 || !(froms = strtok((char *) 0, fs)) 110 || strtok((char *) 0, fs)) { 111 logit(LOG_ERR, "%s: line %d: bad field count", _PATH_LOGACCESS, 112 lineno); 113 continue; 114 } 115 if (perm[0] != '+' && perm[0] != '-') { 116 logit(LOG_ERR, "%s: line %d: bad first field", _PATH_LOGACCESS, 117 lineno); 118 continue; 119 } 120 match = (list_match(froms, from, from_match) 121 && list_match(users, user, user_match)); 122 } 123 (void) fclose(fp); 124 } else if (errno != ENOENT) { 125 logit(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS); 126 } 127 return (match == 0 || (line[0] == '+')); 128 } 129 130 /* list_match - match an item against a list of tokens with exceptions */ 131 132 static int 133 list_match(char *list, const char *item, 134 int (*match_fn)(const char *, const char *)) 135 { 136 char *tok; 137 int match = NO; 138 139 /* 140 * Process tokens one at a time. We have exhausted all possible matches 141 * when we reach an "EXCEPT" token or the end of the list. If we do find 142 * a match, look for an "EXCEPT" list and recurse to determine whether 143 * the match is affected by any exceptions. 144 */ 145 146 for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { 147 if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ 148 break; 149 if ((match = (*match_fn)(tok, item)) != 0) /* YES */ 150 break; 151 } 152 /* Process exceptions to matches. */ 153 154 if (match != NO) { 155 while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT")) 156 /* VOID */ ; 157 if (tok == 0 || list_match((char *) 0, item, match_fn) == NO) 158 return (match); 159 } 160 return (NO); 161 } 162 163 /* netgroup_match - match group against machine or user */ 164 165 static int 166 netgroup_match(const char *group __unused, 167 const char *machine __unused, const char *user __unused) 168 { 169 logit(LOG_ERR, "NIS netgroup support not configured"); 170 return 0; 171 } 172 173 /* user_match - match a username against one token */ 174 175 static int 176 user_match(const char *tok, const char *string) 177 { 178 struct group grres, *group; 179 char grbuf[1024]; 180 int i; 181 182 /* 183 * If a token has the magic value "ALL" the match always succeeds. 184 * Otherwise, return YES if the token fully matches the username, or if 185 * the token is a group that contains the username. 186 */ 187 188 if (tok[0] == '@') { /* netgroup */ 189 return (netgroup_match(tok + 1, (char *) 0, string)); 190 } else if (string_match(tok, string)) { /* ALL or exact match */ 191 return (YES); 192 } else if (getgrnam_r(tok, &grres, grbuf, sizeof(grbuf), &group) == 0 && 193 group != NULL) {/* try group membership */ 194 for (i = 0; group->gr_mem[i]; i++) 195 if (strcasecmp(string, group->gr_mem[i]) == 0) 196 return (YES); 197 } 198 return (NO); 199 } 200 201 /* from_match - match a host or tty against a list of tokens */ 202 203 static int 204 from_match(const char *tok, const char *string) 205 { 206 int tok_len; 207 int str_len; 208 209 /* 210 * If a token has the magic value "ALL" the match always succeeds. Return 211 * YES if the token fully matches the string. If the token is a domain 212 * name, return YES if it matches the last fields of the string. If the 213 * token has the magic value "LOCAL", return YES if the string does not 214 * contain a "." character. If the token is a network number, return YES 215 * if it matches the head of the string. 216 */ 217 218 if (tok[0] == '@') { /* netgroup */ 219 return (netgroup_match(tok + 1, string, (char *) 0)); 220 } else if (string_match(tok, string)) { /* ALL or exact match */ 221 return (YES); 222 } else if (tok[0] == '.') { /* domain: match last fields */ 223 if ((str_len = strlen(string)) > (tok_len = strlen(tok)) 224 && strcasecmp(tok, string + str_len - tok_len) == 0) 225 return (YES); 226 } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ 227 if (strchr(string, '.') == 0) 228 return (YES); 229 } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */ 230 && strncmp(tok, string, tok_len) == 0) { 231 return (YES); 232 } 233 return (NO); 234 } 235 236 /* string_match - match a string against one token */ 237 238 static int 239 string_match(const char *tok, const char *string) 240 { 241 242 /* 243 * If the token has the magic value "ALL" the match always succeeds. 244 * Otherwise, return YES if the token fully matches the string. 245 */ 246 247 if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ 248 return (YES); 249 } else if (strcasecmp(tok, string) == 0) { /* try exact match */ 250 return (YES); 251 } 252 return (NO); 253 } 254
Indexes created Tue Sep 23 07:09:52 GMT 2025