Diffstat (limited to 'lib/libpam/modules/pam_wheel')
-rw-r--r-- | lib/libpam/modules/pam_wheel/Makefile | 3 | ||||
-rw-r--r-- | lib/libpam/modules/pam_wheel/pam_wheel.8 | 94 | ||||
-rw-r--r-- | lib/libpam/modules/pam_wheel/pam_wheel.c | 145 |
3 files changed, 240 insertions, 2 deletions
diff --git a/lib/libpam/modules/pam_wheel/Makefile b/lib/libpam/modules/pam_wheel/Makefile
index d211df6..b889a18 100644
--- a/lib/libpam/modules/pam_wheel/Makefile
+++ b/lib/libpam/modules/pam_wheel/Makefile
@@ -27,7 +27,6 @@ LIB= pam_wheel SHLIB_NAME= pam_wheel.so SRCS= pam_wheel.c +MAN= pam_wheel.8 .include <bsd.lib.mk> - -.PATH: ${PAMDIR}/modules/pam_wheel
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.8 b/lib/libpam/modules/pam_wheel/pam_wheel.8
new file mode 100644
index 0000000..c493f89
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.8
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_WHEEL 8
+.Os
+.Sh NAME
+.Nm pam_wheel
+.Nd Wheel PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_wheel
+.Op Ar options
+.Sh DESCRIPTION
+The Wheel authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss Wheel Authentication Module
+The Wheel authentication component
+.Pq Fn pam_sm_authenticate ,
+permit authentication to members of a group,
+which defaults to
+.Dv wheel.
+.Em ie,
+if
+.Xr getuid 2
+returns 0.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_uid
+check for wheel membership against
+the current uid
+.Pq given by Fn getuid .
+.It Cm trust
+return
+.Dv PAM_SUCCESS
+instead of
+.Dv PAM_IGNORE
+if the user is a member of the group (default is
+.Dv wheel ).
+.It Cm deny
+invert the operation
+if is a member of the
+.Pq default Dv wheel )
+group.
+.Pq return failure instead of success.
+mainly of use with the ``group=foo'' option.
+.It Cm group=foo
+checking for membership of group ``foo''
+instead of the default group
+.Dv wheel.
+.El
+.Sh SEE ALSO
+.Xr group 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
new file mode 100644
index 0000000..e5005e3
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -0,0 +1,145 @@
+/*-
+ * Copyright (c) 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define _BSD_SOURCE
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+
+#define PAM_SM_AUTH
+#include <security/pam_modules.h>
+#include <pam_mod_misc.h>
+
+enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
+ PAM_OPT_USE_UID };
+
+static struct opttab other_options[] = {
+ { "deny", PAM_OPT_DENY },
+ { "group", PAM_OPT_GROUP },
+ { "trust", PAM_OPT_TRUST },
+ { "use_uid", PAM_OPT_USE_UID },
+ { NULL, 0 }
+};
+
+/* Is member in list? */
+static int
+in_list(char *const *list, const char *member)
+{
+ for (; *list; list++)
+ if (strcmp(*list, member) == 0)
+ return 1;
+ return 0;
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+ struct passwd *pwd, *temppwd;
+ struct group *grp;
+ int retval;
+ const char *user;
+ char *fromsu, *use_group;
+
+ pam_std_option(&options, other_options, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS)
+ PAM_RETURN(retval);
+
+ pwd = getpwnam(user);
+ if (!pwd)
+ PAM_RETURN(PAM_USER_UNKNOWN);
+
+ PAM_LOG("Got user: %s", user);
+
+ /* Ignore if already uid 0 */
+ if (pwd->pw_uid)
+ PAM_RETURN(PAM_IGNORE);
+
+ PAM_LOG("Not superuser");
+
+ if (pam_test_option(&options, PAM_OPT_USE_UID, NULL)) {
+ temppwd = getpwuid(getuid());
+ if (temppwd == NULL)
+ PAM_RETURN(PAM_SERVICE_ERR);
+ fromsu = temppwd->pw_name;
+ }
+ else {
+ fromsu = getlogin();
+ if (!fromsu)
+ PAM_RETURN(PAM_SERVICE_ERR);
+ }
+
+ PAM_LOG("Got fromsu: %s", fromsu);
+
+ if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) {
+ if ((grp = getgrnam("wheel")) == NULL)
+ grp = getgrgid(0);
+ }
+ else
+ grp = getgrnam(use_group);
+
+ if (grp == NULL || grp->gr_mem == NULL) {
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_IGNORE);
+ else
+ PAM_RETURN(PAM_AUTH_ERR);
+ }
+
+ PAM_LOG("Got group: %s", grp->gr_name);
+
+ if (in_list(grp->gr_mem, fromsu)) {
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_PERM_DENIED);
+ if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
+ PAM_RETURN(PAM_SUCCESS);
+ PAM_RETURN(PAM_IGNORE);
+ }
+
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_SUCCESS);
+
+ PAM_RETURN(PAM_PERM_DENIED);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_wheel");
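Review bot: The membership decision in pam_sm_authenticate rests on `in_list(grp->gr_mem, fromsu)` alone, so a caller whose passwd entry carries the target group's gid as primary group but who is absent from the group's member list is treated as a non-member, and the `temppwd` entry fetched in the use_uid branch is never consulted for `pw_gid`; if primary-group membership is meant to count, resolving the caller with `getpwnam(fromsu)` in the `getlogin()` branch as well and adding `temppwd->pw_gid == grp->gr_gid` to the test would make the two identity paths agree. The comment `/* Ignore if already uid 0 */` and the following `PAM_LOG("Not superuser")` state the inverse of the condition they annotate: `if (pwd->pw_uid)` returns PAM_IGNORE for every target except uid 0, so only a request to become the superuser reaches the group check, and `/* Only applies when the target user is uid 0 */` with `PAM_LOG("Target is superuser")` would match the code. The default identity source `getlogin()` reports the session's login name rather than the real uid of the calling process, which is the distinction the `use_uid` option exists for; the man page entry for `use_uid` should say that it is the form to prefer where the two can differ. If pam_test_option can report `group` as present without a `=value`, `use_group` reaches `getgrnam(use_group)` as NULL, which `if (use_group == NULL) PAM_RETURN(PAM_SERVICE_ERR);` before the lookup would prevent.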