diff options
author | green <green@FreeBSD.org> | 2002-03-07 02:23:19 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2002-03-07 02:23:19 +0000 |
commit | ccf626b89e93465c236c4eeb75bc85c3642ebc37 (patch) | |
tree | 335ae1f235cf402b0f8d59259e0f8efb54ea5fa4 /lib/libpam | |
parent | 981c5de6f7ec93d2bcd65035ba94b79f995e09df (diff) | |
download | FreeBSD-src-ccf626b89e93465c236c4eeb75bc85c3642ebc37.zip FreeBSD-src-ccf626b89e93465c236c4eeb75bc85c3642ebc37.tar.gz |
Now pam_alreadyloggedin lives in the ports.
Diffstat (limited to 'lib/libpam')
-rw-r--r-- | lib/libpam/modules/modules.inc | 1 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/Makefile | 32 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 | 99 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c | 234 |
4 files changed, 0 insertions, 366 deletions
diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc index d74808e..c61ec16 100644 --- a/lib/libpam/modules/modules.inc +++ b/lib/libpam/modules/modules.inc @@ -1,7 +1,6 @@ # $FreeBSD$ MODULES = -MODULES += pam_alreadyloggedin MODULES += pam_deny MODULES += pam_ftp .if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL) diff --git a/lib/libpam/modules/pam_alreadyloggedin/Makefile b/lib/libpam/modules/pam_alreadyloggedin/Makefile deleted file mode 100644 index 0f1797c..0000000 --- a/lib/libpam/modules/pam_alreadyloggedin/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 1999 Max Khon. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ - -LIB= pam_alreadyloggedin -SHLIB_NAME= pam_alreadyloggedin.so -SRCS= pam_alreadyloggedin.c -MAN= pam_alreadyloggedin.8 - -.include <bsd.lib.mk> diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 deleted file mode 100644 index 8ade00a..0000000 --- a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 +++ /dev/null @@ -1,99 +0,0 @@ -.\" Copyright (c) 2002 Brian Fundakowski Feldman -.\" All rights reserved. -.\" Copyright (c) 2002 Networks Associates Technologies, Inc. -.\" All rights reserved. -.\" -.\" Portions of this software were developed for the FreeBSD Project by -.\" ThinkSec AS and NAI Labs, the Security Research Division of Network -.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 -.\" ("CBOSS"), as part of the DARPA CHATS research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote -.\" products derived from this software without specific prior written -.\" permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd March 6, 2002 -.Dt PAM_ALREADYLOGGEDIN 8 -.Os -.Sh NAME -.Nm pam_alreadyloggedin -.Nd Already-logged-in PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_alreadyloggedin -.Op Ar options -.Sh DESCRIPTION -The Already-logged-in authentication service module for PAM, -.Nm -provides functionality for only one PAM category: -authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -It also provides null functions for other PAM categories. -.Ss Already-logged-in Authentication Module -The Already-logged-in authentication component -.Pq Fn pam_sm_authenticate , -returns success if and only if the target user's ID is identical to a current login specified in the -.Xr utmp 5 -database and verified with matching permissions on that login's respective terminal in -.Pa /dev . -If a user shows up in -.Xr w 8 -output, they will generally be allowed to authenticate using this method. -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm restrict_tty Ns = Ns Ar ttyfoo*" -.It Cm no_root -Never allow login with a target user ID of zero. -.It Cm restrict_tty Ns = Ns Ar ttyglob* -Only allow login if the terminal device currently being authenticated on matches -.Ar ttyglob* . -The -.Ar ttyglob* -argument is specified as a shell glob, and checked using the -.Xr fnmatch 3 -function. -.El -.Sh SEE ALSO -.Xr fnmatch 3 , -.Xr getuid 2 , -.Xr stat 2 , -.Xr utmp 5 , -.Xr w 8 , -.Xr pam.conf 5 , -.Xr pam 8 -.Sh AUTHORS -The -.Nm -module and this manual page were developed for the FreeBSD Project by -NAI Labs and ThinkSec AS, the Security Research Division of Network -Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c deleted file mode 100644 index e40bb74..0000000 --- a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c +++ /dev/null @@ -1,234 +0,0 @@ -/*- - * Copyright (c) 2002 Brian Fundakowski Feldman - * Copyright (c) 2002 Networks Associates Technologies, Inc. - * All rights reserved. - * - * This software was developed by Robert Watson and Ilmar Habibulin for the - * TrustedBSD Project. - * - * This software was developed for the FreeBSD Project in part by NAI Labs, - * the Security Research Division of Network Associates, Inc. under - * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA - * CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The names of the authors may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD$ - */ - -/* - * Implement a PAM module which will, given restrictions upon whether the - * user to be authenticated is root or logging in on a given terminal, - * will allow the user to be authenticated successfully if the user - * is currently already logged in on another terminal. - */ - -#include <sys/types.h> -#include <sys/param.h> -#include <sys/stat.h> - -#include <err.h> -#include <fcntl.h> -#include <fnmatch.h> -#include <pwd.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <utmp.h> - -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#include <security/pam_mod_misc.h> - -enum { PAM_OPT_NO_ROOT = PAM_OPT_STD_MAX, PAM_OPT_RESTRICT_TTY }; -static struct opttab other_options[] = { - { "no_root", PAM_OPT_NO_ROOT }, - { "restrict_tty", PAM_OPT_RESTRICT_TTY }, - { NULL, 0 } -}; - -int getutmp(int *fd, struct utmp *utmp); -int inutmp(struct utmp *utmp, const char *username, uid_t uid); - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, - const char **argv) -{ - struct utmp utmp; - struct options options; - struct passwd *pw; - const char *logname; - char *lineglob = NULL; - unsigned int matched = 0; - int retval, fd = -1; - - pam_std_option(&options, other_options, argc, argv); - - PAM_LOG("Options processed"); - - retval = pam_get_user(pamh, &logname, NULL); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - if (pam_test_option(&options, PAM_OPT_RESTRICT_TTY, &lineglob) && - lineglob != NULL) { - const char *pam_tty; - - PAM_LOG("Using a restrict_tty glob of `%s'", lineglob); - retval = pam_get_item(pamh, PAM_TTY, (const void **)&pam_tty); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - if (fnmatch(lineglob, pam_tty, 0) != 0) - PAM_RETURN(PAM_AUTH_ERR); - } - pw = getpwnam(logname); - if (pw == NULL) { - warn("Can't look up user `%s'", logname); - PAM_RETURN(PAM_AUTH_ERR); - } - if (pw->pw_uid == 0 && - pam_test_option(&options, PAM_OPT_NO_ROOT, NULL)) - PAM_RETURN(PAM_AUTH_ERR); - while (getutmp(&fd, &utmp) == 1) { - if (inutmp(&utmp, logname, pw->pw_uid) == 1) - matched++; - } - if (matched) - PAM_RETURN(PAM_SUCCESS); - PAM_RETURN(PAM_AUTH_ERR); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, - const char **argv) -{ - struct options options; - - pam_std_option(&options, other_options, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_SUCCESS); -} - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc, - const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, - const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, - const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, - const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_MODULE_ENTRY("pam_alreadyloggedin"); - -int -getutmp(int *fd, struct utmp *utmp) -{ - - if (*fd == -1) { - *fd = open(_PATH_UTMP, O_RDONLY); - if (*fd == -1) { - warn("Failure opening %s", _PATH_UTMP); - return (-1); - } - } - if (read(*fd, utmp, sizeof(*utmp)) == sizeof(*utmp)) - return (1); - (void)close(*fd); - return (0); -} - -int -inutmp(struct utmp *utmp, const char *username, uid_t uid) -{ - char ttypath[MAXPATHLEN]; - struct stat sb; - - if (utmp->ut_name[0] == '\0' || utmp->ut_line[0] == '\0') - return (0); - utmp->ut_line[sizeof(utmp->ut_line) - 1] = '\0'; - utmp->ut_name[sizeof(utmp->ut_name) - 1] = '\0'; - if (utmp->ut_line[strcspn(utmp->ut_line, "./")] != '\0') { - warnx("Evil utmp line: `%s'", utmp->ut_line); - return (-1); - } - if (*username && strcmp(username, utmp->ut_name) != 0) - return (0); - /* can't fail */ - (void)snprintf(ttypath, sizeof(ttypath), "/dev/%s", utmp->ut_line); - if (stat(ttypath, &sb) == -1) { - warn("Can't stat line `%s'", ttypath); - return (-1); - } - if (sb.st_uid != uid) { - warnx("Line's uid %d does not match %d", sb.st_uid, - uid); - return (-1); - } - return (1); -} |