From 554a5def9a2eddc643cf157208ddfe7fee444240 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 24 Sep 2004 11:49:37 +0000 Subject: [PATCH] Relevant BUGIDs: Purpose of commit: Commit summary: --------------- new feature: Bug 436444: Add pam_localuser module --- modules/pam_localuser/Makefile | 14 +++ modules/pam_localuser/README | 17 +++ modules/pam_localuser/pam_localuser.8 | 36 ++++++ modules/pam_localuser/pam_localuser.c | 160 ++++++++++++++++++++++++++ 4 files changed, 227 insertions(+) create mode 100644 modules/pam_localuser/Makefile create mode 100644 modules/pam_localuser/README create mode 100644 modules/pam_localuser/pam_localuser.8 create mode 100644 modules/pam_localuser/pam_localuser.c diff --git a/modules/pam_localuser/Makefile b/modules/pam_localuser/Makefile new file mode 100644 index 00000000..13946eb4 --- /dev/null +++ b/modules/pam_localuser/Makefile @@ -0,0 +1,14 @@ +# $Id$ +# +# This Makefile controls a build process of $(TITLE) module for +# Linux-PAM. You should not modify this Makefile (unless you know +# what you are doing!). +# +# + +include ../../Make.Rules + +TITLE=pam_localuser +MAN8=pam_localuser.8 + +include ../Simple.Rules diff --git a/modules/pam_localuser/README b/modules/pam_localuser/README new file mode 100644 index 00000000..88aa7763 --- /dev/null +++ b/modules/pam_localuser/README @@ -0,0 +1,17 @@ +pam_localuser: + Succeeds iff the PAM_USER is listed in /etc/passwd. This seems to be a + common policy need (allowing only a subset of network-wide users, and + any locally-defined users, to access services). Simpler than using + awk to generate a file for use with pam_listfile (-F: '{print $1}'), + I guess. + +RECOGNIZED ARGUMENTS: + debug write debugging messages to syslog + passwd=FILE scan FILE instead of /etc/passwd + +MODULE SERVICES PROVIDED: + auth,account scan the FILE (/etc/passwd by default) and return + a success code if an entry is found for the user + +AUTHOR: + Nalin Dahyabhai diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8 new file mode 100644 index 00000000..ce0a9465 --- /dev/null +++ b/modules/pam_localuser/pam_localuser.8 @@ -0,0 +1,36 @@ +.\" Copyright 2000 Red Hat, Inc. +.TH pam_localuser 8 2000/7/21 "Red Hat" "System Administrator's Manual" + +.SH NAME +pam_localuser \- require users to be listed in /etc/passwd + +.SH SYNOPSIS +.B account sufficient /lib/security/pam_localuser.so \fIargs\fP +.br +.B account required /lib/security/pam_wheel.so group=devel + +.SH DESCRIPTION +pam_localuser.so exists to help implement site-wide login policies, where +they typically include a subset of the network's users and a few accounts +that are local to a particular workstation. Using pam_localuser.so and +pam_wheel.so or pam_listfile.so is an effective way to restrict access to +either local users and/or a subset of the network's users. + +This could also be implemented using pam_listfile.so and a very short awk +script invoked by cron, but it's common enough to have been separated out. + +.SH ARGUMENTS +.IP debug +turns on debugging +.IP file=\fBFILE\fP +uses a file other than \fB/etc/passwd\fP. + +.SH FILES +/etc/passwd + +.SH BUGS +Let's hope not, but if you find any, please report them via the "Bug Track" +link at http://bugzilla.redhat.com/bugzilla/ + +.SH AUTHOR +Nalin Dahyabhai diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c new file mode 100644 index 00000000..f16e81d5 --- /dev/null +++ b/modules/pam_localuser/pam_localuser.c @@ -0,0 +1,160 @@ +/* + * Copyright 2001 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "../../_pam_aconf.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#include "../../libpam/include/security/pam_modules.h" +#include "../../libpam/include/security/_pam_macros.h" + +#define MODULE_NAME "pam_localuser" + +PAM_EXTERN +int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + int i, ret = PAM_SUCCESS; + FILE *fp; + int debug = 0; + char filename[PATH_MAX] = "/etc/passwd"; + char line[LINE_MAX], name[LINE_MAX]; + const char* user; + + /* process arguments */ + for(i = 0; i < argc; i++) { + if(strcmp("debug", argv[i]) == 0) { + debug = 1; + } + } + for(i = 0; i < argc; i++) { + if(strncmp("file=", argv[i], 5) == 0) { + strncpy(filename, argv[i] + 5, sizeof(filename) - 1); + filename[sizeof(filename) - 1] = '\0'; + if(debug) { + openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); + syslog(LOG_DEBUG, "set filename to \"%s\"", + filename); + closelog(); + } + } + } + + /* open the file */ + fp = fopen(filename, "r"); + if(fp == NULL) { + openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); + syslog(LOG_ERR, "error opening \"%s\": %s", filename, + strerror(errno)); + closelog(); + return PAM_SYSTEM_ERR; + } + + if(pam_get_item(pamh, PAM_USER, (const void**) &user) != PAM_SUCCESS) { + openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); + syslog(LOG_ERR, "user name not specified yet"); + closelog(); + fclose(fp); + return PAM_SYSTEM_ERR; + } + + if ((user == NULL) || (strlen(user) == 0)) { + openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); + syslog(LOG_ERR, "user name not valid"); + closelog(); + fclose(fp); + return PAM_SYSTEM_ERR; + } + + /* scan the file, using fgets() instead of fgetpwent() because i + * don't want to mess with applications which call fgetpwent() */ + ret = PAM_PERM_DENIED; + snprintf(name, sizeof(name), "%s:", user); + i = strlen(name); + while(fgets(line, sizeof(line), fp) != NULL) { + if(debug) { + openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); + syslog(LOG_DEBUG, "checking \"%s\"", line); + closelog(); + } + if(strncmp(name, line, i) == 0) { + ret = PAM_SUCCESS; + break; + } + } + + /* okay, we're done */ + fclose(fp); + return ret; +} + +PAM_EXTERN +int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_localuser_modstruct = { + "pam_localuser", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + NULL, + NULL, + NULL, +}; + +#endif -- 2.40.0