Diffstat (limited to 'lib/libpam/modules/pam_securetty')
-rw-r--r-- | lib/libpam/modules/pam_securetty/Makefile | 1 | ||||
-rw-r--r-- | lib/libpam/modules/pam_securetty/pam_securetty.8 | 82 | ||||
-rw-r--r-- | lib/libpam/modules/pam_securetty/pam_securetty.c | 43 |
3 files changed, 108 insertions, 18 deletions
diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile
index 1bf77db..764dfb0 100644
--- a/lib/libpam/modules/pam_securetty/Makefile
+++ b/lib/libpam/modules/pam_securetty/Makefile
@@ -27,5 +27,6 @@
 LIB= pam_securetty
 SHLIB_NAME= pam_securetty.so
 SRCS= pam_securetty.c
+MAN= pam_securetty.8
 
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.8 b/lib/libpam/modules/pam_securetty/pam_securetty.8
new file mode 100644
index 0000000..33267a3
--- /dev/null
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.8
@@ -0,0 +1,82 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_SECURETTY 8
+.Os
+.Sh NAME
+.Nm pam_securetty
+.Nd SecureTTY PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_securetty
+.Op Ar options
+.Sh DESCRIPTION
+The SecureTTY authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss SecureTTY Authentication Module
+The SecureTTY authentication component
+.Pq Fn pam_sm_authenticate ,
+returns success if the user is attempting to authenticate as superuser,
+and the process is attached to a secure TTY.
+Alternatively,
+if the user is not authenticating as superuser,
+the module always returns success.
+.Pp
+A TTY is defined as secure if its entry is fetchable from
+.Pa /etc/ttys
+by
+.Xr getttynam 3
+(see
+.Xr ttys 5 ) ,
+and the entry (a struct ttyent) has the
+.Dv TTY_SECURE
+flag set.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh SEE ALSO
+.Xr getttyynam 3 ,
+.Xr syslog 3 ,
+.Xr ttys 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.c b/lib/libpam/modules/pam_securetty/pam_securetty.c
index fe04b3c..aecabce 100644
--- a/lib/libpam/modules/pam_securetty/pam_securetty.c
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.c
@@ -41,42 +41,51 @@
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
-	struct ttyent *ttyfileinfo;
-	struct passwd *user_pwd;
-	int i, options, retval;
-	const char *username, *ttyname;
+	struct options options;
+	struct ttyent *ttyfileinfo;
+	struct passwd *user_pwd;
+	int retval;
+	const char *user, *ttyname;
 
-	options = 0;
-	for (i = 0; i < argc; i++)
-		pam_std_option(&options, argv[i]);
+	pam_std_option(&options, NULL, argc, argv);
 
-	retval = pam_get_user(pamh, &username, NULL);
+	PAM_LOG("Options processed");
+
+	retval = pam_get_user(pamh, &user, NULL);
 	if (retval != PAM_SUCCESS)
-		return retval;
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got user: %s", user);
 
 	retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname);
 	if (retval != PAM_SUCCESS)
-		return retval;
+		PAM_RETURN(retval);
+
+	PAM_LOG("Got TTY: %s", ttyname);
 
 	/* Ignore any "/dev/" on the PAM_TTY item */
 	if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0)
 		ttyname += sizeof(TTY_PREFIX) - 1;
 
 	/* If the user is not root, secure ttys do not apply */
-	user_pwd = getpwnam(username);
+	user_pwd = getpwnam(user);
 	if (user_pwd == NULL)
-		return PAM_IGNORE;
+		PAM_RETURN(PAM_IGNORE);
 	else if (user_pwd->pw_uid != 0)
-		return PAM_SUCCESS;
+		PAM_RETURN(PAM_SUCCESS);
+
+	PAM_LOG("User is not root");
 
 	ttyfileinfo = getttynam(ttyname);
 	if (ttyfileinfo == NULL)
-		return PAM_SERVICE_ERR;
+		PAM_RETURN(PAM_SERVICE_ERR);
+
+	PAM_LOG("Got ttyfileinfo");
 
 	if (ttyfileinfo->ty_status & TTY_SECURE)
-		return PAM_SUCCESS;
+		PAM_RETURN(PAM_SUCCESS);
 	else
-		return PAM_PERM_DENIED;
+		PAM_RETURN(PAM_PERM_DENIED);
 }
 
 PAM_EXTERN
@@ -86,6 +95,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
 	return PAM_SUCCESS;
 }
 
-/* end of module definition */
-
 PAM_MODULE_ENTRY("pam_securetty"); |
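Review bot: The new debug line `PAM_LOG("User is not root");` in pam_sm_authenticate is reached only after the `pw_uid != 0` branch has already returned PAM_SUCCESS, so it is emitted exactly when the user is root; change it to `PAM_LOG("User is root");` so the debug trail does not invert the decision the module is about to make on the tty. Separately, the added `PAM_LOG("Got TTY: %s", ttyname);` and the strncmp() context line below it both assume ttyname is non-NULL, yet pam_get_item() reports PAM_SUCCESS with a NULL item when PAM_TTY was never set by the application; inserting `if (ttyname == NULL) PAM_RETURN(PAM_SERVICE_ERR);` right after the item is fetched returns the error the module already uses for an unknown tty instead of dereferencing NULL. The second hunk in this file only drops a trailing comment and blank line and needs nothing further.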