Home | History | Annotate | Line # | Download | only in pam_securetty 
      1 /*	$NetBSD: pam_securetty.c,v 1.7 2006/11/03 18:55:40 christos Exp $	*/
      2 
      3 /*-
      4  * Copyright (c) 2001 Mark R V Murray
      5  * All rights reserved.
      6  * Copyright (c) 2001 Networks Associates Technology, Inc.
      7  * All rights reserved.
      8  *
      9  * Portions of this software were developed for the FreeBSD Project by
     10  * ThinkSec AS and NAI Labs, the Security Research Division of Network
     11  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
     12  * ("CBOSS"), as part of the DARPA CHATS research program.
     13  *
     14  * Redistribution and use in source and binary forms, with or without
     15  * modification, are permitted provided that the following conditions
     16  * are met:
     17  * 1. Redistributions of source code must retain the above copyright
     18  *    notice, this list of conditions and the following disclaimer.
     19  * 2. Redistributions in binary form must reproduce the above copyright
     20  *    notice, this list of conditions and the following disclaimer in the
     21  *    documentation and/or other materials provided with the distribution.
     22  * 3. The name of the author may not be used to endorse or promote
     23  *    products derived from this software without specific prior written
     24  *    permission.
     25  *
     26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
     27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     36  * SUCH DAMAGE.
     37  */
     38 
     39 #include <sys/cdefs.h>
     40 #ifdef __FreeBSD__
     41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_securetty/pam_securetty.c,v 1.13 2004/02/10 10:13:21 des Exp $");
     42 #else
     43 __RCSID("$NetBSD: pam_securetty.c,v 1.7 2006/11/03 18:55:40 christos Exp $");
     44 #endif
     45 
     46 #include <sys/types.h>
     47 #include <sys/stat.h>
     48 #include <pwd.h>
     49 #include <ttyent.h>
     50 #include <string.h>
     51 #include <syslog.h>
     52 
     53 #define PAM_SM_ACCOUNT
     54 
     55 #include <security/pam_appl.h>
     56 #include <security/pam_modules.h>
     57 #include <security/pam_mod_misc.h>
     58 
     59 #define TTY_PREFIX	"/dev/"
     60 
     61 PAM_EXTERN int
     62 pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
     63     int argc __unused, const char *argv[] __unused)
     64 {
     65 	struct passwd *pwd, pwres;
     66 	struct ttyent *ty;
     67 	const char *user;
     68 	const void *tty;
     69 	const void *hostname;
     70 	int pam_err;
     71 	char pwbuf[1024];
     72 	struct syslog_data data = SYSLOG_DATA_INIT;
     73 
     74 	pam_err = pam_get_user(pamh, &user, NULL);
     75 	if (pam_err != PAM_SUCCESS)
     76 		return (pam_err);
     77 	if (user == NULL ||
     78 	    getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
     79 	    pwd == NULL)
     80 		return (PAM_SERVICE_ERR);
     81 
     82 	PAM_LOG("Got user: %s", user);
     83 
     84 	/* If the user is not root, secure ttys do not apply */
     85 	if (pwd->pw_uid != 0)
     86 		return (PAM_SUCCESS);
     87 
     88 	pam_err = pam_get_item(pamh, PAM_TTY, &tty);
     89 	if (pam_err != PAM_SUCCESS)
     90 		return (pam_err);
     91 
     92 	PAM_LOG("Got TTY: %s", (const char *)tty);
     93 
     94 	/* Ignore any "/dev/" on the PAM_TTY item */
     95 	if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
     96 		PAM_LOG("WARNING: PAM_TTY starts with " TTY_PREFIX);
     97 		tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
     98 	}
     99 
    100 	if (tty != NULL && (ty = getttynam(tty)) != NULL &&
    101 	    (ty->ty_status & TTY_SECURE) != 0)
    102 		return (PAM_SUCCESS);
    103 
    104 	pam_err = pam_get_item(pamh, PAM_RHOST, &hostname);
    105 	if (pam_err != PAM_SUCCESS)
    106 		hostname = NULL;
    107 
    108 	openlog_r("pam_securetty", LOG_PID, LOG_AUTHPRIV, &data);
    109 	if (hostname)
    110 		syslog_r(LOG_NOTICE, &data,
    111 		    "LOGIN %s REFUSED FROM %s ON TTY %s",
    112 		     pwd->pw_name, (const char *)hostname,
    113 		     (const char *)tty);
    114 	else
    115 		syslog_r(LOG_NOTICE, &data,
    116 		    "LOGIN %s REFUSED ON TTY %s",
    117 		     pwd->pw_name, (const char *)tty);
    118 	closelog_r(&data);
    119 
    120 
    121 	PAM_VERBOSE_ERROR("Not on secure TTY");
    122 	return (PAM_AUTH_ERR);
    123 }
    124 
    125 PAM_MODULE_ENTRY("pam_securetty");
    126