1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
* Copyright (c) 2016 by Delphix. All rights reserved.
*/
#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
#include <strings.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <libintl.h>
static int parse_allow_name(char *, char *);
/*
* pam_sm_acct_mgmt main account managment routine.
* XXX: The routine just prints out a warning message.
* It may need to force the user to change their
* passwd.
*/
int
pam_sm_acct_mgmt(
pam_handle_t *pamh,
int flags,
int argc,
const char **argv)
{
char *user;
char *pg;
int i;
/*LINTED - set but not used. Would be used in a real module. */
int debug __unused = 0;
/*LINTED - set but not used. Would be used in a real module. */
int nowarn __unused = 0;
int error = 0;
if (argc == 0)
return (PAM_SUCCESS);
if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS)
return (PAM_SERVICE_ERR);
if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS)
return (PAM_SERVICE_ERR);
/*
* kludge alert. su needs to be handled specially for allow policy.
* we want to use the policy of the current user not the "destination"
* user. This will enable us to prevent su to root but not to rlogin,
* telnet, rsh, ftp to root.
*
* description of problem: user name is the "destination" name. not
* the current name. The allow policy needs to be applied to the
* current name in the case of su. user is "root" in this case and
* we will be getting the root policy instead of the user policy.
*/
if (strcmp(pg, "su") == 0) {
struct passwd *pw;
uid_t uid;
uid = getuid();
pw = getpwuid(uid);
if (pw == NULL)
return (PAM_SYSTEM_ERR);
user = pw->pw_name;
}
if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0))
return (PAM_SUCCESS);
for (i = 0; i < argc; i++) {
if (strcasecmp(argv[i], "debug") == 0)
debug = 1;
else if (strcasecmp(argv[i], "nowarn") == 0) {
nowarn = 1;
flags = flags | PAM_SILENT;
} else if (strncmp(argv[i], "allow=", 6) == 0)
error |= parse_allow_name(user, (char *)(argv[i]+6));
else
syslog(LOG_DEBUG, "illegal option %s", argv[i]);
}
return (error?PAM_SUCCESS:PAM_AUTH_ERR);
}
static char *getname();
static int
parse_allow_name(char *who, char *cp)
{
char name[256];
/* catch "allow=" */
if (*cp == '\0')
return (0);
while (cp) {
cp = getname(cp, name);
/* catch things such as =, and ,, */
if (*name == '\0')
continue;
if (strcmp(who, name) == 0)
return (1);
}
return (0);
}
static char *
getname(char *cp, char *name)
{
/* force name to be initially null string */
*name = '\0';
/* end of string? */
if (*cp == '\0')
return ((char *)0);
while (*cp) {
/* end of name? */
if (*cp == ',' || *cp == '\0')
break;
*name++ = *cp++;
}
/* make name into string */
*name++ = '\0';
return ((*cp == '\0')? (char *)0 : ++cp);
}
|
