<tag><bf>Author:</bf></tag>
Written by Michael K. Johnson <johnsonm@redhat.com><newline>
-(based on code taken from a module written by Andrew G. Morgan
-<morgan@kernel.org>).
<tag><bf>Maintainer:</bf></tag>
-Michael K. Johnson <johnsonm@redhat.com>
<tag><bf>Management groups provided:</bf></tag>
-authentication
+account; authentication
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
-1 warning about dropping const
<tag><bf>System dependencies:</bf></tag>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
+successok, file=<<em/filename/>
<tag><bf>Description:</bf></tag>
Provides standard Unix <em/nologin/ authentication. If the file
<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
-users are turned away with an error message. All users (root or
+users are turned away with an error message (and the module returns
+<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/). All users (root or
otherwise) are shown the contents of <tt>/etc/nologin</tt>.
<p>
-If the file <tt>/etc/nologin</tt> does not exist, this module succeeds
-silently.
+If the file <tt>/etc/nologin</tt> does not exist, this module defaults
+to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument
+causes it to return <tt/PAM_SUCCESS/ in this case.
+
+<p>
+The administrator can override the default nologin file with the
+<tt/file=/<em/pathname/ module argument.
<tag><bf>Examples/suggested usage:</bf></tag>
-In order to make this module effective, all login methods should
-be secured by it. It should be used as a <tt>required</tt>
-method listed before any <tt>sufficient</tt> methods in order to
-get standard Unix nologin semantics.
+In order to make this module effective, all login methods should be
+secured by it. It should be used as a <tt>required</tt> method listed
+before any <tt>sufficient</tt> methods in order to get standard Unix
+nologin semantics. Note, the use of <tt/successok/ module argument
+causes the module to return <tt/PAM_SUCCESS/ and as such would break
+such a configuration - failing <tt/sufficient/ modules would lead to a
+successful login because the nologin module <em/succeeded/.
</descrip>
#include <security/pam_modules.h>
-/* --- authentication management functions (only) --- */
+#include <security/_pam_modutil.h>
+
+/*
+ * parse some command line options
+ */
+struct opt_s {
+ int retval_when_nofile;
+ const char *nologin_file;
+};
+
+static void parse_args(pam_handle_t *pamh, int argc, const char **argv,
+ struct opt_s *opts)
+{
+ int i;
+
+ memset(opts, 0, sizeof(*opts));
+
+ opts->retval_when_nofile = PAM_IGNORE;
+ opts->nologin_file = "/etc/nologin";
+
+ for (i=0; i<argc; ++i) {
+ if (!strcmp("successok", argv[i])) {
+ opts->retval_when_nofile = PAM_SUCCESS;
+ } else if (!memcmp("file=", argv[i], 5)) {
+ opts->nologin_file = argv[i] + 5;
+ } else {
+ /* XXX - ignore for now. Later, we'll use the logging
+ function in pammodutils */
+ }
+ }
+}
+
+/*
+ * do the meat of the work for this module
+ */
+
+static int perform_check(pam_handle_t *pamh, struct opt_s *opts)
+{
+ const char *username;
+ int retval = PAM_SUCCESS;
+ int fd;
+
+ retval = opts->retval_when_nofile;
+
+ if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) {
+ return PAM_USER_UNKNOWN;
+ }
+
+ if ((fd = open(opts->nologin_file, O_RDONLY, 0)) >= 0) {
+
+ char *mtmp=NULL;
+ struct passwd *user_pwd;
+ struct pam_conv *conversation;
+ struct pam_message message;
+ struct pam_message *pmessage = &message;
+ struct pam_response *resp = NULL;
+ struct stat st;
+
+ user_pwd = _pammodutil_getpwnam(pamh, username);
+ if (user_pwd == NULL) {
+
+ retval = PAM_USER_UNKNOWN;
+ message.msg_style = PAM_ERROR_MSG;
+
+ } else if (user_pwd->pw_uid) {
+
+ retval = PAM_AUTH_ERR;
+ message.msg_style = PAM_ERROR_MSG;
+
+ } else {
+
+ /* root can still log in; lusers cannot */
+ message.msg_style = PAM_TEXT_INFO;
+
+ }
+
+ /* fill in message buffer with contents of /etc/nologin */
+ if (fstat(fd, &st) < 0) {
+ /* give up trying to display message */
+ goto clean_up_fd;
+ }
+
+ message.msg = mtmp = malloc(st.st_size+1);
+ if (!message.msg) {
+ /* if malloc failed... */
+ retval = PAM_BUF_ERR;
+ goto clean_up_fd;
+ }
+
+ read(fd, mtmp, st.st_size);
+ mtmp[st.st_size] = '\000';
+
+ /*
+ * Use conversation function to give user contents of /etc/nologin
+ */
+
+ pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
+ (void) conversation->conv(1, (const struct pam_message **)&pmessage,
+ &resp, conversation->appdata_ptr);
+ free(mtmp);
+
+ if (resp) {
+ _pam_drop_reply(resp, 1);
+ }
+
+ clean_up_fd:
+
+ close(fd);
+ }
+
+ return retval;
+}
+
+/* --- authentication management functions --- */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
- int retval = PAM_SUCCESS;
- int fd;
- const char *username;
- char *mtmp=NULL;
- struct passwd *user_pwd;
- struct pam_conv *conversation;
- struct pam_message message;
- struct pam_message *pmessage = &message;
- struct pam_response *resp = NULL;
- struct stat st;
-
- if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) {
- /* root can still log in; lusers cannot */
- if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)
- || !username) {
- return PAM_SERVICE_ERR;
- }
- user_pwd = getpwnam(username);
- if (user_pwd && user_pwd->pw_uid == 0) {
- message.msg_style = PAM_TEXT_INFO;
- } else {
- if (!user_pwd) {
- retval = PAM_USER_UNKNOWN;
- } else {
- retval = PAM_AUTH_ERR;
- }
- message.msg_style = PAM_ERROR_MSG;
- }
-
- /* fill in message buffer with contents of /etc/nologin */
- if (fstat(fd, &st) < 0) /* give up trying to display message */
- return retval;
- message.msg = mtmp = malloc(st.st_size+1);
- /* if malloc failed... */
- if (!message.msg) return retval;
- read(fd, mtmp, st.st_size);
- mtmp[st.st_size] = '\000';
-
- /* Use conversation function to give user contents of /etc/nologin */
- pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
- conversation->conv(1, (const struct pam_message **)&pmessage,
- &resp, conversation->appdata_ptr);
- free(mtmp);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
-
- return retval;
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return perform_check(pamh, &opts);
}
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
- return PAM_SUCCESS;
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return opts.retval_when_nofile;
+}
+
+/* --- account management function --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ struct opt_s opts;
+
+ parse_args(pamh, argc, argv, &opts);
+
+ return perform_check(pamh, &opts);
}
"pam_nologin",
pam_sm_authenticate,
pam_sm_setcred,
- NULL,
+ pam_sm_acct_mgmt,
NULL,
NULL,
NULL,
projects / linux-pam / commitdiff