diff options
-rw-r--r-- | lib/libpam/modules/modules.inc | 1 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/Makefile | 32 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 | 99 | ||||
-rw-r--r-- | lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c | 234 |
4 files changed, 366 insertions, 0 deletions
diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc index c61ec16..d74808e 100644 --- a/lib/libpam/modules/modules.inc +++ b/lib/libpam/modules/modules.inc @@ -1,6 +1,7 @@ # $FreeBSD$ MODULES = +MODULES += pam_alreadyloggedin MODULES += pam_deny MODULES += pam_ftp .if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL) diff --git a/lib/libpam/modules/pam_alreadyloggedin/Makefile b/lib/libpam/modules/pam_alreadyloggedin/Makefile new file mode 100644 index 0000000..0f1797c --- /dev/null +++ b/lib/libpam/modules/pam_alreadyloggedin/Makefile @@ -0,0 +1,32 @@ +# Copyright 1999 Max Khon. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ + +LIB= pam_alreadyloggedin +SHLIB_NAME= pam_alreadyloggedin.so +SRCS= pam_alreadyloggedin.c +MAN= pam_alreadyloggedin.8 + +.include <bsd.lib.mk> diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 new file mode 100644 index 0000000..8ade00a --- /dev/null +++ b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.8 @@ -0,0 +1,99 @@ +.\" Copyright (c) 2002 Brian Fundakowski Feldman +.\" All rights reserved. +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" Portions of this software were developed for the FreeBSD Project by +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.\" ("CBOSS"), as part of the DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd March 6, 2002 +.Dt PAM_ALREADYLOGGEDIN 8 +.Os +.Sh NAME +.Nm pam_alreadyloggedin +.Nd Already-logged-in PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_alreadyloggedin +.Op Ar options +.Sh DESCRIPTION +The Already-logged-in authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dq Li auth +feature. +It also provides null functions for other PAM categories. +.Ss Already-logged-in Authentication Module +The Already-logged-in authentication component +.Pq Fn pam_sm_authenticate , +returns success if and only if the target user's ID is identical to a current login specified in the +.Xr utmp 5 +database and verified with matching permissions on that login's respective terminal in +.Pa /dev . +If a user shows up in +.Xr w 8 +output, they will generally be allowed to authenticate using this method. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -width ".Cm restrict_tty Ns = Ns Ar ttyfoo*" +.It Cm no_root +Never allow login with a target user ID of zero. +.It Cm restrict_tty Ns = Ns Ar ttyglob* +Only allow login if the terminal device currently being authenticated on matches +.Ar ttyglob* . +The +.Ar ttyglob* +argument is specified as a shell glob, and checked using the +.Xr fnmatch 3 +function. +.El +.Sh SEE ALSO +.Xr fnmatch 3 , +.Xr getuid 2 , +.Xr stat 2 , +.Xr utmp 5 , +.Xr w 8 , +.Xr pam.conf 5 , +.Xr pam 8 +.Sh AUTHORS +The +.Nm +module and this manual page were developed for the FreeBSD Project by +NAI Labs and ThinkSec AS, the Security Research Division of Network +Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.Pq Dq CBOSS , +as part of the DARPA CHATS research program. diff --git a/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c new file mode 100644 index 0000000..e40bb74 --- /dev/null +++ b/lib/libpam/modules/pam_alreadyloggedin/pam_alreadyloggedin.c @@ -0,0 +1,234 @@ +/*- + * Copyright (c) 2002 Brian Fundakowski Feldman + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed by Robert Watson and Ilmar Habibulin for the + * TrustedBSD Project. + * + * This software was developed for the FreeBSD Project in part by NAI Labs, + * the Security Research Division of Network Associates, Inc. under + * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA + * CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The names of the authors may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * Implement a PAM module which will, given restrictions upon whether the + * user to be authenticated is root or logging in on a given terminal, + * will allow the user to be authenticated successfully if the user + * is currently already logged in on another terminal. + */ + +#include <sys/types.h> +#include <sys/param.h> +#include <sys/stat.h> + +#include <err.h> +#include <fcntl.h> +#include <fnmatch.h> +#include <pwd.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <utmp.h> + +#include <security/pam_appl.h> +#include <security/pam_modules.h> +#include <security/pam_mod_misc.h> + +enum { PAM_OPT_NO_ROOT = PAM_OPT_STD_MAX, PAM_OPT_RESTRICT_TTY }; +static struct opttab other_options[] = { + { "no_root", PAM_OPT_NO_ROOT }, + { "restrict_tty", PAM_OPT_RESTRICT_TTY }, + { NULL, 0 } +}; + +int getutmp(int *fd, struct utmp *utmp); +int inutmp(struct utmp *utmp, const char *username, uid_t uid); + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, + const char **argv) +{ + struct utmp utmp; + struct options options; + struct passwd *pw; + const char *logname; + char *lineglob = NULL; + unsigned int matched = 0; + int retval, fd = -1; + + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); + + retval = pam_get_user(pamh, &logname, NULL); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + if (pam_test_option(&options, PAM_OPT_RESTRICT_TTY, &lineglob) && + lineglob != NULL) { + const char *pam_tty; + + PAM_LOG("Using a restrict_tty glob of `%s'", lineglob); + retval = pam_get_item(pamh, PAM_TTY, (const void **)&pam_tty); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + if (fnmatch(lineglob, pam_tty, 0) != 0) + PAM_RETURN(PAM_AUTH_ERR); + } + pw = getpwnam(logname); + if (pw == NULL) { + warn("Can't look up user `%s'", logname); + PAM_RETURN(PAM_AUTH_ERR); + } + if (pw->pw_uid == 0 && + pam_test_option(&options, PAM_OPT_NO_ROOT, NULL)) + PAM_RETURN(PAM_AUTH_ERR); + while (getutmp(&fd, &utmp) == 1) { + if (inutmp(&utmp, logname, pw->pw_uid) == 1) + matched++; + } + if (matched) + PAM_RETURN(PAM_SUCCESS); + PAM_RETURN(PAM_AUTH_ERR); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, + const char **argv) +{ + struct options options; + + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc, + const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, + const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, + const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, + const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_MODULE_ENTRY("pam_alreadyloggedin"); + +int +getutmp(int *fd, struct utmp *utmp) +{ + + if (*fd == -1) { + *fd = open(_PATH_UTMP, O_RDONLY); + if (*fd == -1) { + warn("Failure opening %s", _PATH_UTMP); + return (-1); + } + } + if (read(*fd, utmp, sizeof(*utmp)) == sizeof(*utmp)) + return (1); + (void)close(*fd); + return (0); +} + +int +inutmp(struct utmp *utmp, const char *username, uid_t uid) +{ + char ttypath[MAXPATHLEN]; + struct stat sb; + + if (utmp->ut_name[0] == '\0' || utmp->ut_line[0] == '\0') + return (0); + utmp->ut_line[sizeof(utmp->ut_line) - 1] = '\0'; + utmp->ut_name[sizeof(utmp->ut_name) - 1] = '\0'; + if (utmp->ut_line[strcspn(utmp->ut_line, "./")] != '\0') { + warnx("Evil utmp line: `%s'", utmp->ut_line); + return (-1); + } + if (*username && strcmp(username, utmp->ut_name) != 0) + return (0); + /* can't fail */ + (void)snprintf(ttypath, sizeof(ttypath), "/dev/%s", utmp->ut_line); + if (stat(ttypath, &sb) == -1) { + warn("Can't stat line `%s'", ttypath); + return (-1); + } + if (sb.st_uid != uid) { + warnx("Line's uid %d does not match %d", sb.st_uid, + uid); + return (-1); + } + return (1); +} |