pam_nologin_dfly.diff

schmidtm, 12/12/2007 11:45 AM



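--- a/pam_module/Makefile
+++ b/pam_module/Makefile
@@ -1,7 +1,8 @@
 # $DragonFly: src/lib/pam_module/Makefile,v 1.3 2005/09/06 18:55:22 dillon Exp $
 
-SUBDIR=		pam_cleartext_pass_ok pam_deny pam_opie pam_opieaccess
-SUBDIR+=	pam_permit pam_radius pam_ssh pam_tacplus pam_unix
+SUBDIR=		pam_cleartext_pass_ok pam_deny pam_nologin pam_opie
+SUBDIR+=	pam_opieaccess pam_permit pam_radius pam_ssh pam_tacplus
+SUBDIR+=	pam_unix
 .if defined(WANT_KERBEROS) && !defined(NO_CRYPT) && !defined(NO_OPENSSL)
 SUBDIR+=	pam_krb5
 .endif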
pam_module/pam_nologin/Makefile 2007-12-12 13:30:58.000000000 +0100
1
# Copyright 2001 Mark R V Murray
2
# All rights reserved.
3
#
4
# Redistribution and use in source and binary forms, with or without
5
# modification, are permitted provided that the following conditions
6
# are met:
7
# 1. Redistributions of source code must retain the above copyright
8
#    notice, this list of conditions and the following disclaimer.
9
# 2. Redistributions in binary form must reproduce the above copyright
10
#    notice, this list of conditions and the following disclaimer in the
11
#    documentation and/or other materials provided with the distribution.
12
#
13
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23
# SUCH DAMAGE.
24
#
25
# $FreeBSD: src/lib/libpam/modules/pam_nologin/Makefile,v 1.7 2003/03/09 20:06:36 obrien Exp $
26

  
27
LIB=	pam_nologin
28
SRCS=	pam_nologin.c
29
WARNS?= 6
30
MAN=	pam_nologin.8
31

  
32
DPADD=	${LIBUTIL}
33
LDADD=	-lutil
34

  
35
.include <bsd.lib.mk>
36

  
37
.PATH: ${OPENPAM_DIR}/modules/pam_unix
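Review bot: The trailing `.PATH: ${OPENPAM_DIR}/modules/pam_unix` in pam_module/pam_nologin/Makefile looks carried over from the pam_unix Makefile rather than intended for this module: the only source listed, pam_nologin.c, is added in this same directory by the patch, so the extra search path is at best unused and, depending on make's search order, could resolve a same-named file from the pam_unix contrib directory instead of the local copy. If pam_nologin.c is meant to build from the local file the line should be dropped; if it is meant to come from the contrib tree, the path should name pam_nologin, not pam_unix. Either way a one-line comment stating where the source is expected to live, e.g. `# pam_nologin.c is kept in this directory`, would stop the next reader from re-adding it.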
pam_module/pam_nologin/pam_nologin.8 2007-12-12 12:56:38.000000000 +0100
1
.\" Copyright (c) 2001 Mark R V Murray
2
.\" All rights reserved.
3
.\"
4
.\" Redistribution and use in source and binary forms, with or without
5
.\" modification, are permitted provided that the following conditions
6
.\" are met:
7
.\" 1. Redistributions of source code must retain the above copyright
8
.\"    notice, this list of conditions and the following disclaimer.
9
.\" 2. Redistributions in binary form must reproduce the above copyright
10
.\"    notice, this list of conditions and the following disclaimer in the
11
.\"    documentation and/or other materials provided with the distribution.
12
.\"
13
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23
.\" SUCH DAMAGE.
24
.\"
25
.\" $FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.8,v 1.7 2007/06/14 13:07:06 yar Exp $
26
.\"
27
.Dd June 10, 2007
28
.Dt PAM_NOLOGIN 8
29
.Os
30
.Sh NAME
31
.Nm pam_nologin
32
.Nd NoLogin PAM module
33
.Sh SYNOPSIS
34
.Op Ar service-name
35
.Ar module-type
36
.Ar control-flag
37
.Pa pam_nologin
38
.Op Ar options
39
.Sh DESCRIPTION
40
The NoLogin service module for PAM,
41
.Nm
42
provides functionality for only one PAM category:
43
account management.
44
In terms of the
45
.Ar module-type
46
parameter, this is the
47
.Dq Li account
48
feature.
49
.Ss NoLogin Account Management Module
50
The NoLogin account management component,
51
.Fn pam_sm_acct_mgmt , 
52
verifies whether logins are administratively disabled via
53
.Xr nologin 5 .
54
It returns success if the user's login class has an "ignorenologin"
55
capability specified in
56
.Xr login.conf 5
57
or the
58
.Xr nologin 5
59
file does not exist.
60
If neither condition is met,
61
then the contents of
62
.Xr nologin 5
63
are echoed
64
before failure is returned.
65
The location of
66
.Xr nologin 5
67
is specified by a "nologin" capability in
68
.Xr login.conf 5 ,
69
which defaults to
70
.Pa /var/run/nologin .
71
.Pp
72
The following options may be passed to the module:
73
.Bl -tag -width ".Cm no_warn"
74
.It Cm debug
75
.Xr syslog 3
76
debugging information at
77
.Dv LOG_DEBUG
78
level.
79
.It Cm no_warn
80
suppress warning messages to the user.
81
These messages include
82
reasons why the user's
83
login attempt was declined.
84
.El
85
.Sh SEE ALSO
86
.Xr syslog 3 ,
87
.Xr login.conf 5 ,
88
.Xr nologin 5 ,
89
.Xr pam.conf 5 ,
90
.Xr pam 8
pam_module/pam_nologin/pam_nologin.c 2007-12-12 12:57:27.000000000 +0100
1
/*-
2
 * Copyright 2001 Mark R V Murray
3
 * All rights reserved.
4
 * Copyright (c) 2001 Networks Associates Technology, Inc.
5
 * All rights reserved.
6
 *
7
 * Portions of this software were developed for the FreeBSD Project by
8
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
9
 * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
10
 * ("CBOSS"), as part of the DARPA CHATS research program.
11
 *
12
 * Redistribution and use in source and binary forms, with or without
13
 * modification, are permitted provided that the following conditions
14
 * are met:
15
 * 1. Redistributions of source code must retain the above copyright
16
 *    notice, this list of conditions and the following disclaimer.
17
 * 2. Redistributions in binary form must reproduce the above copyright
18
 *    notice, this list of conditions and the following disclaimer in the
19
 *    documentation and/or other materials provided with the distribution.
20
 * 3. The name of the author may not be used to endorse or promote
21
 *    products derived from this software without specific prior written
22
 *    permission.
23
 *
24
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34
 * SUCH DAMAGE.
35
 *
36
 * $FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.13 2007/06/14 13:07:06 yar Exp $
37
 */
38

  
39
#include <sys/cdefs.h>
40

  
41
#include <sys/types.h>
42
#include <sys/stat.h>
43
#include <fcntl.h>
44
#include <login_cap.h>
45
#include <pwd.h>
46
#include <stdio.h>
47
#include <stdlib.h>
48
#include <unistd.h>
49

  
50
#define PAM_SM_ACCOUNT
51

  
52
#include <security/pam_appl.h>
53
#include <security/pam_modules.h>
54
#include <security/pam_mod_misc.h>
55

  
56
#define	_PATH_NOLOGIN	"/var/run/nologin"
57

  
58
static char nologin_def[] = _PATH_NOLOGIN;
59

  
60
PAM_EXTERN int
61
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
62
    int argc __unused, const char *argv[] __unused)
63
{
64
	login_cap_t *lc;
65
	struct passwd *pwd;
66
	struct stat st;
67
	int retval, fd;
68
	ssize_t ss;
69
	const char *user, *nologin;
70
	char *mtmp;
71

  
72
	retval = pam_get_user(pamh, &user, NULL);
73
	if (retval != PAM_SUCCESS)
74
		return (retval);
75

  
76
	PAM_LOG("Got user: %s", user);
77

  
78
	pwd = getpwnam(user);
79
	if (pwd == NULL)
80
		return (PAM_USER_UNKNOWN);
81

  
82
	/*
83
	 * login_getpwclass(3) will select the "root" class by default
84
	 * if pwd->pw_uid is 0.  That class should have "ignorenologin"
85
	 * capability so that super-user can bypass nologin.
86
	 */
87
	lc = login_getpwclass(pwd);
88
	if (lc == NULL) {
89
		PAM_LOG("Unable to get login class for user %s", user);
90
		return (PAM_SERVICE_ERR);
91
	}
92

  
93
	if (login_getcapbool(lc, "ignorenologin", 0)) {
94
		login_close(lc);
95
		return (PAM_SUCCESS);
96
	}
97

  
98
	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
99

  
100
	fd = open(nologin, O_RDONLY, 0);
101
	if (fd < 0) {
102
		login_close(lc);
103
		return (PAM_SUCCESS);
104
	}
105

  
106
	PAM_LOG("Opened %s file", nologin);
107

  
108
	if (fstat(fd, &st) == 0) {
109
		mtmp = malloc(st.st_size + 1);
110
		if (mtmp != NULL) {
111
			ss = read(fd, mtmp, st.st_size);
112
			if (ss > 0) {
113
				mtmp[ss] = '\0';
114
				pam_error(pamh, "%s", mtmp);
115
			}
116
			free(mtmp);
117
		}
118
	}
119

  
120
	PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
121

  
122
	close(fd);
123
	login_close(lc);
124

  
125
	return (PAM_AUTH_ERR);
126
}
127

  
128
PAM_MODULE_ENTRY("pam_nologin");
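Review bot: The `if (fd < 0)` branch in pam_sm_acct_mgmt returns PAM_SUCCESS for every open(2) failure, not only for a missing file, so a permission or path problem on the nologin file (EACCES, ENAMETOOLONG, a broken symlink) silently fails open with no log line, which is more permissive than the "file does not exist" condition the manual page documents. At minimum the non-ENOENT case should be visible to the administrator, e.g. `if (errno != ENOENT) PAM_LOG("Unable to open %s: %s", nologin, strerror(errno));` ahead of the existing `login_close(lc); return (PAM_SUCCESS);`, which would also need `<errno.h>` and `<string.h>` added to the include list at the top of the file. Whether a non-ENOENT failure should instead deny access is a policy choice worth recording in a comment on that branch, since the current code makes it implicitly. The allocation `malloc(st.st_size + 1)` is bounded only by the size of an administrator-controlled file, which is acceptable here but worth a brief comment stating that assumption.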