1 /******************************************************************************
2 * A simple user-attribute based module for PAM.
4 * Copyright (c) 2003 Red Hat, Inc.
5 * Written by Nalin Dahyabhai <nalin@redhat.com>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, and the entire permission notice in its entirety,
12 * including the disclaimer of warranties.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote
17 * products derived from this software without specific prior
20 * ALTERNATIVELY, this product may be distributed under the terms of
21 * the GNU Public License, in which case the provisions of the GPL are
22 * required INSTEAD OF the above restrictions. (This clause is
23 * necessary due to a potential bad interaction between the GPL and
24 * the restrictions contained in a BSD-style copyright.)
26 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
29 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
30 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
31 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
32 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
34 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
36 * OF THE POSSIBILITY OF SUCH DAMAGE.
40 #include <sys/types.h>
53 #include <security/pam_modules.h>
54 #include <security/_pam_modutil.h>
56 #define MODULE "pam_succeed_if"
59 log_error(int priority, const char *fmt, ...)
63 fmt2 = malloc(strlen(fmt) + strlen(MODULE) + 3);
66 vsyslog(LOG_AUTHPRIV | priority, fmt, va);
68 snprintf(fmt2, strlen(fmt) + strlen(MODULE) + 3,
69 "%s: %s", MODULE, fmt);
70 vsyslog(LOG_AUTHPRIV | priority, fmt2, va);
76 /* Basically, run cmp(atol(left), atol(right)), returning PAM_SUCCESS if
77 * the function returns non-zero, PAM_AUTH_ERR if it returns zero, and
78 * PAM_SYSTEM_ERR if the arguments can't be parsed as numbers. */
80 evaluate_num(const char *left, const char *right, int (*cmp)(int, int))
84 int ret = PAM_SUCCESS;
87 l = strtol(left, &p, 0);
88 if ((p == NULL) || (*p != '\0') || errno) {
89 log_error(LOG_INFO, "\"%s\" is not a number", left);
90 ret = PAM_SERVICE_ERR;
93 r = strtol(right, &p, 0);
94 if ((p == NULL) || (*p != '\0') || errno) {
95 log_error(LOG_INFO, "\"%s\" is not a number", right);
96 ret = PAM_SERVICE_ERR;
99 if (ret != PAM_SUCCESS) {
103 return cmp(l, r) ? PAM_SUCCESS : PAM_AUTH_ERR;
106 /* Simple numeric comparison callbacks. */
125 return lt(i, j) || eq(i, j);
135 return gt(i, j) || eq(i, j);
138 /* Test for numeric equality. */
140 evaluate_eqn(const char *left, const char *right)
142 return evaluate_num(left, right, eq);
144 /* Test for string equality. */
146 evaluate_eqs(const char *left, const char *right)
148 return (strcmp(left, right) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
150 /* Test for numeric inequality. */
152 evaluate_nen(const char *left, const char *right)
154 return evaluate_num(left, right, ne);
156 /* Test for string inequality. */
158 evaluate_nes(const char *left, const char *right)
160 return (strcmp(left, right) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
162 /* Test for numeric less-than-ness(?) */
164 evaluate_lt(const char *left, const char *right)
166 return evaluate_num(left, right, lt);
168 /* Test for numeric less-than-or-equal-ness(?) */
170 evaluate_le(const char *left, const char *right)
172 return evaluate_num(left, right, le);
174 /* Test for numeric greater-than-ness(?) */
176 evaluate_gt(const char *left, const char *right)
178 return evaluate_num(left, right, gt);
180 /* Test for numeric greater-than-or-equal-ness(?) */
182 evaluate_ge(const char *left, const char *right)
184 return evaluate_num(left, right, ge);
186 /* Check for file glob match. */
188 evaluate_glob(const char *left, const char *right)
190 return (fnmatch(right, left, 0) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
192 /* Check for file glob mismatch. */
194 evaluate_noglob(const char *left, const char *right)
196 return (fnmatch(right, left, 0) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
198 /* Return PAM_SUCCESS if the user is in the group. */
200 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
203 ret = _pammodutil_user_in_group_nam_nam(pamh, user, group);
213 /* Return PAM_SUCCESS if the user is NOT in the group. */
215 evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
218 ret = _pammodutil_user_in_group_nam_nam(pamh, user, group);
229 /* Match a triple. */
231 evaluate(pam_handle_t *pamh, int debug,
232 const char *left, const char *qual, const char *right,
235 char buf[LINE_MAX] = "";
236 const char *attribute = left;
237 /* Figure out what we're evaluating here, and convert it to a string.*/
238 if ((strcasecmp(left, "login") == 0) ||
239 (strcasecmp(left, "name") == 0) ||
240 (strcasecmp(left, "user") == 0)) {
241 snprintf(buf, sizeof(buf), "%s", pwd->pw_name);
244 if (strcasecmp(left, "uid") == 0) {
245 snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_uid);
248 if (strcasecmp(left, "gid") == 0) {
249 snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_gid);
252 if (strcasecmp(left, "shell") == 0) {
253 snprintf(buf, sizeof(buf), "%s", pwd->pw_shell);
256 if ((strcasecmp(left, "home") == 0) ||
257 (strcasecmp(left, "dir") == 0) ||
258 (strcasecmp(left, "homedir") == 0)) {
259 snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
262 /* If we have no idea what's going on, return an error. */
264 log_error(LOG_CRIT, "unknown attribute \"%s\"", left);
265 return PAM_SERVICE_ERR;
268 log_error(LOG_DEBUG, "'%s' resolves to '%s'", attribute, left);
271 /* Attribute value < some threshold. */
272 if ((strcasecmp(qual, "<") == 0) ||
273 (strcasecmp(qual, "lt") == 0)) {
274 return evaluate_lt(left, right);
276 /* Attribute value <= some threshold. */
277 if ((strcasecmp(qual, "<=") == 0) ||
278 (strcasecmp(qual, "le") == 0)) {
279 return evaluate_le(left, right);
281 /* Attribute value > some threshold. */
282 if ((strcasecmp(qual, ">") == 0) ||
283 (strcasecmp(qual, "gt") == 0)) {
284 return evaluate_gt(left, right);
286 /* Attribute value >= some threshold. */
287 if ((strcasecmp(qual, ">=") == 0) ||
288 (strcasecmp(qual, "ge") == 0)) {
289 return evaluate_ge(left, right);
291 /* Attribute value == some threshold. */
292 if (strcasecmp(qual, "eq") == 0) {
293 return evaluate_eqn(left, right);
295 /* Attribute value = some string. */
296 if (strcasecmp(qual, "=") == 0) {
297 return evaluate_eqs(left, right);
299 /* Attribute value != some threshold. */
300 if (strcasecmp(qual, "ne") == 0) {
301 return evaluate_nen(left, right);
303 /* Attribute value != some string. */
304 if (strcasecmp(qual, "!=") == 0) {
305 return evaluate_nes(left, right);
307 /* Attribute value matches some pattern. */
308 if ((strcasecmp(qual, "=~") == 0) ||
309 (strcasecmp(qual, "glob") == 0)) {
310 return evaluate_glob(left, right);
312 if ((strcasecmp(qual, "!~") == 0) ||
313 (strcasecmp(qual, "noglob") == 0)) {
314 return evaluate_noglob(left, right);
316 /* User is in this group. */
317 if (strcasecmp(qual, "ingroup") == 0) {
318 return evaluate_ingroup(pamh, pwd->pw_name, right);
320 /* User is not in this group. */
321 if (strcasecmp(qual, "notingroup") == 0) {
322 return evaluate_notingroup(pamh, pwd->pw_name, right);
325 return PAM_SERVICE_ERR;
329 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
334 int ret, i, count, use_uid, debug;
335 const char *left, *right, *qual;
336 int quiet_fail, quiet_succ;
338 /* Get the user prompt. */
339 ret = pam_get_item(pamh, PAM_USER_PROMPT, (const void**) &prompt);
340 if ((ret != PAM_SUCCESS) || (prompt == NULL) || (strlen(prompt) == 0)) {
346 for (use_uid = 0, debug = 0, i = 0; i < argc; i++) {
347 if (strcmp(argv[i], "debug") == 0) {
350 if (strcmp(argv[i], "use_uid") == 0) {
353 if (strcmp(argv[i], "quiet") == 0) {
357 if (strcmp(argv[i], "quiet_fail") == 0) {
360 if (strcmp(argv[i], "quiet_success") == 0) {
366 /* Get information about the user. */
367 pwd = _pammodutil_getpwuid(pamh, getuid());
370 "error retrieving information about user %ld",
372 return PAM_SERVICE_ERR;
375 /* Get the user's name. */
376 ret = pam_get_user(pamh, &user, prompt);
377 if ((ret != PAM_SUCCESS) || (user == NULL)) {
378 log_error(LOG_CRIT, "error retrieving user name: %s",
379 pam_strerror(pamh, ret));
383 /* Get information about the user. */
384 pwd = _pammodutil_getpwnam(pamh, user);
387 "error retrieving information about user %s",
389 return PAM_SERVICE_ERR;
393 /* Walk the argument list. */
395 left = qual = right = NULL;
397 if ((left != NULL) && (qual != NULL) && (right != NULL)) {
398 ret = evaluate(pamh, debug,
401 if (ret != PAM_SUCCESS) {
404 "requirement \"%s %s %s\" "
405 "not met by user \"%s\"",
406 left, qual, right, user);
412 "requirement \"%s %s %s\" "
413 "was met by user \"%s\"",
414 left, qual, right, user);
415 left = qual = right = NULL;
417 if ((i < argc) && (strcmp(argv[i], "debug") == 0)) {
421 if ((i < argc) && (strcmp(argv[i], "use_uid") == 0)) {
425 if ((i < argc) && (strcmp(argv[i], "quiet") == 0)) {
429 if ((i < argc) && (strcmp(argv[i], "quiet_fail") == 0)) {
433 if ((i < argc) && (strcmp(argv[i], "quiet_success") == 0)) {
437 if ((i < argc) && (left == NULL)) {
442 if ((i < argc) && (qual == NULL)) {
447 if ((i < argc) && (right == NULL)) {
459 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
465 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
467 return pam_sm_authenticate(pamh, flags, argc, argv);