authormarkm <markm@FreeBSD.org>2001-08-26 18:09:00 +0000
committermarkm <markm@FreeBSD.org>2001-08-26 18:09:00 +0000
commit9e62e18a5938abcb9c07141a6359226377886a05 (patch)
tree639ab1ec2a32f0b581079779236ddb37c3402949 /lib/libpam
parentc98dbe0779203037f1326ffdc3932cec3bd10d6f (diff)
Introduce a "noroot_ok" option to make this module ignore authentications
to a non-superuser if required.
Diffstat (limited to 'lib/libpam')
-rw-r--r--lib/libpam/modules/pam_wheel/pam_wheel.88
-rw-r--r--lib/libpam/modules/pam_wheel/pam_wheel.c30
2 files changed, 33 insertions, 5 deletions
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.8 b/lib/libpam/modules/pam_wheel/pam_wheel.8
index a25b1a2..bd412c8 100644
--- a/lib/libpam/modules/pam_wheel/pam_wheel.8
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.8
@@ -95,6 +95,14 @@ checking for membership of group
.Ar foo
instead of the default group
.Dq Li wheel .
+.It Cm noroot_ok
+return
+.Dv PAM_SUCCESS
+instead of
+.Dv PAM_IGNORE
+if the user is authenticating
+to a user
+that is not the superuser.
.El
.Sh SEE ALSO
.Xr getlogin 2 ,
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
index 6635c94..559d890 100644
--- a/lib/libpam/modules/pam_wheel/pam_wheel.c
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -42,13 +42,14 @@
#include <pam_mod_misc.h>
enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
- PAM_OPT_AUTH_AS_SELF };
+ PAM_OPT_AUTH_AS_SELF, PAM_OPT_NOROOT_OK };
static struct opttab other_options[] = {
{ "deny", PAM_OPT_DENY },
{ "group", PAM_OPT_GROUP },
{ "trust", PAM_OPT_TRUST },
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
+ { "noroot_ok", PAM_OPT_NOROOT_OK },
{ NULL, 0 }
};
@@ -69,23 +70,35 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
struct passwd *pwd;
struct group *grp;
int retval;
- const char *user;
+ uid_t tuid;
+ const char *user, *targetuser;
char *use_group;
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
+ retval = pam_get_user(pamh, &targetuser, NULL);
+ if (retval != PAM_SUCCESS)
+ PAM_RETURN(retval);
+ pwd = getpwnam(targetuser);
+ if (pwd != NULL)
+ tuid = pwd->pw_uid;
+ else
+ PAM_RETURN(PAM_AUTH_ERR);
+
+ PAM_LOG("Got target user: %s uid: %d", targetuser, tuid);
+
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
pwd = getpwnam(getlogin());
user = strdup(pwd->pw_name);
}
else {
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ user = targetuser;
pwd = getpwnam(user);
}
+ if (pwd == NULL)
+ PAM_RETURN(PAM_AUTH_ERR);
PAM_LOG("Got user: %s", user);
PAM_LOG("User's primary uid, gid: %d, %d", pwd->pw_uid, pwd->pw_gid);
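Review bot: The new `if (pwd == NULL)` guard after the if/else comes too late for the auth_as_self branch, where `pwd = getpwnam(getlogin())` is dereferenced on the very next line by `strdup(pwd->pw_name)`; getlogin() can return NULL on a session with no login name and getpwnam() returns NULL for a user missing from the password database, so that path still crashes before the added check is reached. The check belongs inside that branch before the strdup, and the strdup result should be checked as well. Note also that `user` is now heap-owned in one branch and borrowed (`user = targetuser`) in the other, so any later free of `user` would be wrong on one of the two paths, and the `%d` for a `uid_t` in the new "Got target user" PAM_LOG is a minor format mismatch. pam_sm_authenticate continues past the end of this hunk.
```c
	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
		const char *login = getlogin();
		if (login == NULL || (pwd = getpwnam(login)) == NULL)
			PAM_RETURN(PAM_AUTH_ERR);
		if ((user = strdup(pwd->pw_name)) == NULL)
			PAM_RETURN(PAM_BUF_ERR);
	}
	/* … unchanged: else branch and the rest of the function … */
```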
@@ -96,6 +109,13 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
PAM_LOG("Not superuser");
+ /* If authenticating as something non-superuser, return OK */
+ if (pam_test_option(&options, PAM_OPT_NOROOT_OK, NULL))
+ if (tuid != 0)
+ PAM_RETURN(PAM_SUCCESS);
+
+ PAM_LOG("Checking group");
+
if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) {
if ((grp = getgrnam("wheel")) == NULL)
grp = getgrgid(0);
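Review bot: The noroot_ok path returns PAM_SUCCESS, which is a positive authentication result, while the commit message says the module should "ignore" authentications to a non-superuser; under a `sufficient` control flag this single return would let any caller authenticate to any non-root account with no credentials checked by this module. If the intent is to step aside and leave the decision to the remaining modules in the stack, `PAM_RETURN(PAM_IGNORE);` is the safer return and matches the message; if PAM_SUCCESS is deliberate, the pam_wheel.8 entry should say explicitly that this grants access without a group check. The nested unbraced ifs also read better as one condition: `if (pam_test_option(&options, PAM_OPT_NOROOT_OK, NULL) && tuid != 0)`. pam_sm_authenticate starts before and ends after this hunk.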