author | des <des@FreeBSD.org> | 2002-01-24 12:47:42 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-01-24 12:47:42 +0000 |
commit | 305ac9f47f258cc0f350f28c1b02a88e0782d654 (patch) | |
tree | 66d5b0595ab4d761f52df81514742aea122e49ab /lib | |
parent | 33776f88dc7a21766cda77b39d94c1b57a18ddc2 (diff) | |
download | FreeBSD-src-305ac9f47f258cc0f350f28c1b02a88e0782d654.zip FreeBSD-src-305ac9f47f258cc0f350f28c1b02a88e0782d654.tar.gz |
Don't let root through unless the "even_root" option was specified.
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_self/pam_self.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c
index 1cbc832..5b6ff31 100644
--- a/lib/libpam/modules/pam_self/pam_self.c
+++ b/lib/libpam/modules/pam_self/pam_self.c
@@ -51,6 +51,15 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_modules.h>
 #include <pam_mod_misc.h>
 
+enum {
+ PAM_OPT_EVEN_ROOT = PAM_OPT_STD_MAX,
+};
+
+static struct opttab other_options[] = {
+ { "even_root", PAM_OPT_EVEN_ROOT },
+ { NULL, 0 }
+};
+
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
@@ -58,8 +67,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 struct passwd *pwd;
 const char *luser;
 int pam_err;
+ uid_t uid;
 
- pam_std_option(&options, NULL, argc, argv);
+ pam_std_option(&options, other_options, argc, argv);
 
 PAM_LOG("Options processed");
 
@@ -69,7 +79,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
 PAM_RETURN(PAM_AUTH_ERR);
 
- if (getuid() == (uid_t)pwd->pw_uid)
+ uid = getuid();
+ if (uid == 0 && !pam_test_option(&options, PAM_OPT_EVEN_ROOT, NULL))
+ PAM_RETURN(PAM_AUTH_ERR);
+
+ if (uid == (uid_t)pwd->pw_uid)
 PAM_RETURN(PAM_SUCCESS);
 
 PAM_VERBOSE_ERROR("Refused; source and target users differ");
|
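Review bot: The new `other_options` table introduces a security-relevant module option with no comment saying what it changes, so a reader of pam_self.c has to find this commit to learn that root is refused by default. I would put a short comment above the table, e.g. `/* even_root: also accept a caller with real uid 0; by default root is refused. */`, and a one-liner on the enum noting that `PAM_OPT_STD_MAX` is presumably the first value past the standard options (worth confirming against pam_mod_misc.h). The manual page for the module is not part of this diff; if it lists options, it should gain the same entry.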
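Review bot: The new root refusal in the third hunk returns `PAM_AUTH_ERR` without any diagnostic, while the existing mismatch path below it logs `PAM_VERBOSE_ERROR("Refused; source and target users differ")`; an administrator debugging a refused root login therefore gets no hint that `even_root` is the missing option. I would log before returning, in the same style as the existing path: `if (uid == 0 && !pam_test_option(&options, PAM_OPT_EVEN_ROOT, NULL)) { PAM_VERBOSE_ERROR("Refused; root needs the even_root option"); PAM_RETURN(PAM_AUTH_ERR); }` (braces needed once the body has two statements). The check uses `getuid()`, i.e. the real uid, so under a set-uid program it tests the invoking user rather than the process's effective identity — this looks intended, and a short comment stating that would help. pam_sm_authenticate's body starts and ends outside this hunk.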