Relevant BUGIDs:
authorThorsten Kukuk <kukuk@thkukuk.de>
Wed, 24 Nov 2010 12:28:01 +0000 (12:28 +0000)
committerThorsten Kukuk <kukuk@thkukuk.de>
Wed, 24 Nov 2010 12:28:01 +0000 (12:28 +0000)
Purpose of commit: new feature

Commit summary:
---------------

2010-11-24  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_securetty/pam_securetty.c: Parse console= kernel
        option, add noconsole option.
        * modules/pam_securetty/pam_securetty.8.xml: Document new behavior
        for serial console.
        Patch from Lennart Poettering.

ChangeLog
modules/pam_securetty/pam_securetty.8.xml
modules/pam_securetty/pam_securetty.c

index 87610bab12bcdd2aa59aff8b1cb29e9751f84a07..c42e20efb96c1b27066fb2e687ef36b1da16b5a7 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-11-24  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+       * modules/pam_securetty/pam_securetty.c: Parse console= kernel
+       option, add noconsole option.
+       * modules/pam_securetty/pam_securetty.8.xml: Document new behavior
+       for serial console.
+       Patch from Lennart Poettering.
+
 2010-11-24  Tomas Mraz  <tm@t8m.info>
 
        * modules/pam_limits/limits.conf.5.xml: Document the %group syntax.
index dd57705b74c8d11d6a6934861234d40606709c08..90d99a3d4e426ac1fe0eb2a1d11da9ae3bcd9a4b 100644 (file)
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <option>noconsole</option>
+        </term>
+        <listitem>
+          <para>
+            By default pam_securetty will allow root logins on the
+            kernel console device, as specified with the console=
+            switch on the kernel command line. Use this switch to turn
+            of this behaviour.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
index a3c2010d806eca12e2643e2af9db2749a3b177ee..99c6371fddeaca10d6b8ca298b092c1a13b6264a 100644 (file)
@@ -2,6 +2,7 @@
 
 #define SECURETTY_FILE "/etc/securetty"
 #define TTY_PREFIX     "/dev/"
+#define CMDLINE_FILE   "/proc/cmdline"
 
 /*
  * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
@@ -22,6 +23,7 @@
 #include <pwd.h>
 #include <string.h>
 #include <ctype.h>
+#include <limits.h>
 
 /*
  * here, we make a definition for the externally accessible function
@@ -38,6 +40,7 @@
 #include <security/pam_ext.h>
 
 #define PAM_DEBUG_ARG       0x0001
+#define PAM_NOCONSOLE_ARG   0x0002
 
 static int
 _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
 
        if (!strcmp(*argv,"debug"))
            ctrl |= PAM_DEBUG_ARG;
+        else if (!strcmp(*argv, "noconsole"))
+            ctrl |= PAM_NOCONSOLE_ARG;
        else {
            pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
        }
@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
     }
     fclose(ttyfile);
 
+    if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+        FILE *cmdlinefile;
+
+        /* Allow access from the kernel console, if enabled */
+        cmdlinefile = fopen(CMDLINE_FILE, "r");
+
+        if (cmdlinefile != NULL) {
+            char line[LINE_MAX], *p;
+
+            line[0] = 0;
+            fgets(line, sizeof(line), cmdlinefile);
+            fclose(cmdlinefile);
+
+            for (p = line; p; p = strstr(p+1, "console=")) {
+                char *e;
+
+                /* Test whether this is a beginning of a word? */
+                if (p > line && p[-1] != ' ')
+                    continue;
+
+                /* Ist this our console? */
+                if (strncmp(p + 8, uttyname, strlen(uttyname)))
+                    continue;
+
+                /* Is there any garbage after the TTY name? */
+                e = p + 8 + strlen(uttyname);
+                if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
+                    retval = 0;
+                    break;
+                }
+            }
+        }
+    }
+
     if (retval) {
            pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
                     uttyname);
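Review bot: The first iteration of the new `for` loop never verifies that `line` actually begins with `console=`: `p` starts at `line`, the word-boundary test is skipped because `p > line` is false, and `strncmp(p + 8, uttyname, strlen(uttyname))` then compares whatever follows the first eight characters of the command line against the tty name. A command line whose ninth character onward happens to spell the tty name followed by a delimiter would therefore clear `retval` without any `console=` switch being present; initialising the loop as `for (p = strstr(line, "console="); p; p = strstr(p + 1, "console="))` restricts the match to genuine `console=` occurrences. The `fgets` return value is also unchecked, which is benign only because `line[0] = 0` is set beforehand, so a comment such as `/* line stays empty if the read fails */` would make that intent explicit. `securetty_perform_check` begins before this hunk.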