Add the pam_alreadyloggedin(8) module, which allows for authentication

based on information that the user is already logged in.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

4 files changed, 366 insertions, 0 deletions

diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc
index c61ec16..d74808e 100644
--- a/lib/libpam/modules/modules.inc
+++ b/lib/libpam/modules/modules.inc
@@ -1,6 +1,7 @@
 # $FreeBSD$
 
 MODULES		 =
+MODULES		+= pam_alreadyloggedin
 MODULES		+= pam_deny
 MODULES		+= pam_ftp
 .if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
diff --git a/lib/libpam/modules/pam_alreadyloggedin/Makefile b/lib/libpam/modules/pam_alreadyloggedin/Makefile
new file mode 100644
index 0000000..0f1797c
--- /dev/null
+++ b/lib/libpam/modules/pam_alreadyloggedin/Makefile
@@ -0,0 +1,32 @@
+# Copyright 1999 Max Khon.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#	$FreeBSD$
+
+LIB=		pam_alreadyloggedin
+SHLIB_NAME=	pam_alreadyloggedin.so
+SRCS=		pam_alreadyloggedin.c
+MAN=		pam_alreadyloggedin.8
+
+.include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8
new file mode 100644
index 0000000..8ade00a
--- /dev/null
+++ b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8
@@ -0,0 +1,99 @@
+.\" Copyright (c) 2002 Brian Fundakowski Feldman
+.\" All rights reserved.
+.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
+.\" All rights reserved.
+.\"
+.\" Portions of this software were developed for the FreeBSD Project by
+.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
+.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd March 6, 2002
+.Dt PAM_ALREADYLOGGEDIN 8
+.Os
+.Sh NAME
+.Nm pam_alreadyloggedin
+.Nd Already-logged-in PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_alreadyloggedin
+.Op Ar options
+.Sh DESCRIPTION
+The Already-logged-in authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dq Li auth
+feature.
+It also provides null functions for other PAM categories.
+.Ss Already-logged-in Authentication Module
+The Already-logged-in authentication component
+.Pq Fn pam_sm_authenticate ,
+returns success if and only if the target user's ID is identical to a current login specified in the
+.Xr utmp 5
+database and verified with matching permissions on that login's respective terminal in
+.Pa /dev .
+If a user shows up in
+.Xr w 8
+output, they will generally be allowed to authenticate using this method.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -width ".Cm restrict_tty Ns = Ns Ar ttyfoo*"
+.It Cm no_root
+Never allow login with a target user ID of zero.
+.It Cm restrict_tty Ns = Ns Ar ttyglob*
+Only allow login if the terminal device currently being authenticated on matches
+.Ar ttyglob* .
+The
+.Ar ttyglob*
+argument is specified as a shell glob, and checked using the
+.Xr fnmatch 3 
+function.
+.El
+.Sh SEE ALSO
+.Xr fnmatch 3 ,
+.Xr getuid 2 ,
+.Xr stat 2 ,
+.Xr utmp 5 ,
+.Xr w 8 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
+.Sh AUTHORS
+The
+.Nm
+module and this manual page were developed for the FreeBSD Project by
+NAI Labs and ThinkSec AS, the Security Research Division of Network
+Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+.Pq Dq CBOSS ,
+as part of the DARPA CHATS research program.
diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c
new file mode 100644
index 0000000..e40bb74
--- /dev/null
+++ b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c
@@ -0,0 +1,234 @@
+/*-
+ * Copyright (c) 2002 Brian Fundakowski Feldman
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson and Ilmar Habibulin for the
+ * TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Implement a PAM module which will, given restrictions upon whether the
+ * user to be authenticated is root or logging in on a given terminal,
+ * will allow the user to be authenticated successfully if the user
+ * is currently already logged in on another terminal.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+
+#include <err.h>
+#include <fcntl.h>
+#include <fnmatch.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <utmp.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+enum { PAM_OPT_NO_ROOT = PAM_OPT_STD_MAX, PAM_OPT_RESTRICT_TTY };
+static struct opttab other_options[] = {
+	{ "no_root", PAM_OPT_NO_ROOT },
+	{ "restrict_tty", PAM_OPT_RESTRICT_TTY },
+	{ NULL, 0 }
+};
+
+int getutmp(int *fd, struct utmp *utmp);
+int inutmp(struct utmp *utmp, const char *username, uid_t uid);
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
+    const char **argv)
+{
+	struct utmp utmp;
+	struct options options;
+	struct passwd *pw;
+	const char *logname;
+	char *lineglob = NULL;
+	unsigned int matched = 0;
+	int retval, fd = -1;
+	
+        pam_std_option(&options, other_options, argc, argv);
+
+        PAM_LOG("Options processed");
+
+        retval = pam_get_user(pamh, &logname, NULL);
+        if (retval != PAM_SUCCESS)
+                PAM_RETURN(retval);
+        if (pam_test_option(&options, PAM_OPT_RESTRICT_TTY, &lineglob) &&
+	    lineglob != NULL) {
+		const char *pam_tty;
+
+		PAM_LOG("Using a restrict_tty glob of `%s'", lineglob);
+		retval = pam_get_item(pamh, PAM_TTY, (const void **)&pam_tty);
+		if (retval != PAM_SUCCESS)
+			PAM_RETURN(retval);
+		if (fnmatch(lineglob, pam_tty, 0) != 0)
+			PAM_RETURN(PAM_AUTH_ERR);
+	}
+	pw = getpwnam(logname);
+	if (pw == NULL) {
+		warn("Can't look up user `%s'", logname);
+		PAM_RETURN(PAM_AUTH_ERR);
+	}
+	if (pw->pw_uid == 0 &&
+	    pam_test_option(&options, PAM_OPT_NO_ROOT, NULL))
+		PAM_RETURN(PAM_AUTH_ERR);
+	while (getutmp(&fd, &utmp) == 1) {
+		if (inutmp(&utmp, logname, pw->pw_uid) == 1)
+			matched++;
+	}
+	if (matched)
+		PAM_RETURN(PAM_SUCCESS);
+	PAM_RETURN(PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int 
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc,
+    const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, other_options, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc,
+    const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_IGNORE);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc,
+    const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_IGNORE);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc,
+    const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_IGNORE);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc,
+    const char **argv)
+{
+	struct options options;
+
+	pam_std_option(&options, NULL, argc, argv);
+
+	PAM_LOG("Options processed");
+
+	PAM_RETURN(PAM_IGNORE);
+}
+
+PAM_MODULE_ENTRY("pam_alreadyloggedin");
+
+int
+getutmp(int *fd, struct utmp *utmp)
+{
+
+	if (*fd == -1) {
+		*fd = open(_PATH_UTMP, O_RDONLY);
+		if (*fd == -1) {
+			warn("Failure opening %s", _PATH_UTMP);
+			return (-1);
+		}
+	}
+	if (read(*fd, utmp, sizeof(*utmp)) == sizeof(*utmp))
+		return (1);
+	(void)close(*fd);
+	return (0);
+}
+
+int
+inutmp(struct utmp *utmp, const char *username, uid_t uid)
+{
+	char ttypath[MAXPATHLEN];
+	struct stat sb;
+
+	if (utmp->ut_name[0] == '\0' || utmp->ut_line[0] == '\0')
+		return (0);
+	utmp->ut_line[sizeof(utmp->ut_line) - 1] = '\0';
+	utmp->ut_name[sizeof(utmp->ut_name) - 1] = '\0';
+	if (utmp->ut_line[strcspn(utmp->ut_line, "./")] != '\0') {
+		warnx("Evil utmp line: `%s'", utmp->ut_line);
+		return (-1);
+	}
+	if (*username && strcmp(username, utmp->ut_name) != 0)
+		return (0);
+	/* can't fail */
+	(void)snprintf(ttypath, sizeof(ttypath), "/dev/%s", utmp->ut_line);
+	if (stat(ttypath, &sb) == -1) {
+		warn("Can't stat line `%s'", ttypath);
+		return (-1);
+	}
+	if (sb.st_uid != uid) {
+		warnx("Line's uid %d does not match %d", sb.st_uid,
+		    uid);
+		return (-1);
+	}
+	return (1);
+}