1 /* pam_securetty module */
3 #define SECURETTY_FILE "/etc/securetty"
4 #define TTY_PREFIX "/dev/"
7 * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
9 * This code shamelessly ripped from the pam_rootok module.
10 * Slight modifications AGM. 1996/12/3
17 #include <sys/types.h>
27 * here, we make a definition for the externally accessible function
28 * in this file (this definition is required for static a module
29 * but strongly encouraged generally) it is used to instruct the
30 * modules include file to define the function prototypes.
34 #define PAM_SM_ACCOUNT
36 #include <security/pam_modules.h>
37 #include <security/_pam_modutil.h>
41 static void _pam_log(int err, const char *format, ...)
45 va_start(args, format);
46 openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH);
47 vsyslog(err, format, args);
52 /* argument parsing */
54 #define PAM_DEBUG_ARG 0x0001
56 static int _pam_parse(int argc, const char **argv)
60 /* step through arguments */
61 for (ctrl=0; argc-- > 0; ++argv) {
65 if (!strcmp(*argv,"debug"))
66 ctrl |= PAM_DEBUG_ARG;
68 _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
75 static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl,
76 const char *function_name)
78 int retval = PAM_AUTH_ERR;
81 char ttyfileline[256];
83 struct stat ttyfileinfo;
84 struct passwd *user_pwd;
87 /* log a trail for debugging */
88 if (ctrl & PAM_DEBUG_ARG) {
89 _pam_log(LOG_DEBUG, "pam_securetty called via %s function",
93 retval = pam_get_user(pamh, &username, NULL);
94 if (retval != PAM_SUCCESS || username == NULL) {
95 if (ctrl & PAM_DEBUG_ARG) {
96 _pam_log(LOG_WARNING, "cannot determine username");
98 return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
101 user_pwd = _pammodutil_getpwnam(pamh, username);
102 if (user_pwd == NULL) {
104 } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
105 securetty's does not apply
110 retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname);
111 if (retval != PAM_SUCCESS || uttyname == NULL) {
112 if (ctrl & PAM_DEBUG_ARG) {
113 _pam_log(LOG_WARNING, "cannot determine user's tty");
115 return PAM_SERVICE_ERR;
118 /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
119 if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
120 uttyname += sizeof(TTY_PREFIX)-1;
123 if (stat(SECURETTY_FILE, &ttyfileinfo)) {
124 _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE);
125 return PAM_SUCCESS; /* for compatibility with old securetty handling,
126 this needs to succeed. But we still log the
130 if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
131 /* If the file is world writable or is not a
132 normal file, return error */
133 _pam_log(LOG_ERR, SECURETTY_FILE
134 " is either world writable or not a normal file");
138 ttyfile = fopen(SECURETTY_FILE,"r");
139 if (ttyfile == NULL) { /* Check that we opened it successfully */
141 "Error opening " SECURETTY_FILE);
142 return PAM_SERVICE_ERR;
145 if (isdigit(uttyname[0])) {
146 snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
153 while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
155 if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
156 ttyfileline[strlen(ttyfileline) - 1] = '\0';
158 retval = ( strcmp(ttyfileline, uttyname)
159 && (!ptname[0] || strcmp(ptname, uttyname)) );
164 if (ctrl & PAM_DEBUG_ARG) {
165 _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !",
168 retval = PAM_AUTH_ERR;
171 if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
172 _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
175 retval = PAM_SUCCESS;
182 /* --- authentication management functions --- */
185 int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
190 /* parse the arguments */
191 ctrl = _pam_parse(argc, argv);
193 return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__);
197 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
202 /* --- account management functions --- */
205 int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
210 /* parse the arguments */
211 ctrl = _pam_parse(argc, argv);
213 /* take the easy route */
214 return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__);
220 /* static module data */
222 struct pam_module _pam_securetty_modstruct = {
232 #endif /* PAM_STATIC */
234 /* end of module definition */