Home | History | Annotate | Download | only in sample
      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 #include <syslog.h>
     27 #include <pwd.h>
     28 #include <unistd.h>
     29 #include <strings.h>
     30 #include <security/pam_appl.h>
     31 #include <security/pam_modules.h>
     32 #include <libintl.h>
     33 
     34 static int parse_allow_name(char *, char *);
     35 
     36 /*
     37  * pam_sm_acct_mgmt	main account managment routine.
     38  *			XXX: The routine just prints out a warning message.
     39  *			     It may need to force the user to change his/her
     40  *			     passwd.
     41  */
     42 
     43 int
     44 pam_sm_acct_mgmt(
     45 	pam_handle_t *pamh,
     46 	int	flags,
     47 	int	argc,
     48 	const char **argv)
     49 {
     50 	char	*user;
     51 	char	*pg;
     52 	int	i;
     53 	/*LINTED - set but not used. Would be used in a real module. */
     54 	int	debug = 0;
     55 	/*LINTED - set but not used. Would be used in a real module. */
     56 	int	nowarn = 0;
     57 	int	error = 0;
     58 
     59 	if (argc == 0)
     60 		return (PAM_SUCCESS);
     61 
     62 	if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS)
     63 		return (PAM_SERVICE_ERR);
     64 
     65 	if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS)
     66 		return (PAM_SERVICE_ERR);
     67 
     68 	/*
     69 	 * kludge alert. su needs to be handled specially for allow policy.
     70 	 * we want to use the policy of the current user not the "destination"
     71 	 * user. This will enable us to prevent su to root but not to rlogin,
     72 	 * telnet, rsh, ftp to root.
     73 	 *
     74 	 * description of problem: user name is the "destination" name. not
     75 	 * the current name. The allow policy needs to be applied to the
     76 	 * current name in the case of su. user is "root" in this case and
     77 	 * we will be getting the root policy instead of the user policy.
     78 	 */
     79 	if (strcmp(pg, "su") == 0) {
     80 		struct passwd *pw;
     81 		uid_t uid;
     82 		uid = getuid();
     83 		pw = getpwuid(uid);
     84 		if (pw == NULL)
     85 			return (PAM_SYSTEM_ERR);
     86 		user = pw->pw_name;
     87 	}
     88 
     89 	if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0))
     90 		return (PAM_SUCCESS);
     91 
     92 	for (i = 0; i < argc; i++) {
     93 		if (strcasecmp(argv[i], "debug") == 0)
     94 			debug = 1;
     95 		else if (strcasecmp(argv[i], "nowarn") == 0) {
     96 			nowarn = 1;
     97 			flags = flags | PAM_SILENT;
     98 		} else if (strncmp(argv[i], "allow=", 6) == 0)
     99 			error |= parse_allow_name(user, (char *)(argv[i]+6));
    100 		else
    101 			syslog(LOG_DEBUG, "illegal option %s", argv[i]);
    102 	}
    103 	return (error?PAM_SUCCESS:PAM_AUTH_ERR);
    104 }
    105 
    106 static char *getname();
    107 
    108 static int
    109 parse_allow_name(char *who, char *cp)
    110 {
    111 	char name[256];
    112 
    113 	/* catch "allow=" */
    114 	if (*cp == '\0')
    115 		return (0);
    116 	while (cp) {
    117 		cp = getname(cp, name);
    118 		/* catch things such as =, and ,, */
    119 		if (*name == '\0')
    120 			continue;
    121 		if (strcmp(who, name) == 0)
    122 			return (1);
    123 	}
    124 	return (0);
    125 }
    126 
    127 static char *
    128 getname(char *cp, char *name)
    129 {
    130 	/* force name to be initially null string */
    131 	*name = '\0';
    132 
    133 	/* end of string? */
    134 	if (*cp == '\0')
    135 		return ((char *)0);
    136 	while (*cp) {
    137 		/* end of name? */
    138 		if (*cp == ',' || *cp == '\0')
    139 			break;
    140 		*name++ = *cp++;
    141 	}
    142 	/* make name into string */
    143 	*name++ = '\0';
    144 	return ((*cp == '\0')? (char *)0 : ++cp);
    145 }
    146