xref: /illumos-gate/usr/src/lib/pam_modules/unix_account/unix_acct.c (revision cbea7aca3fd7787405cbdbd93752998f03dfc25f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
26  */
27 
28 
29 #include <sys/types.h>
30 #include <sys/wait.h>
31 #include <sys/stat.h>
32 #include <fcntl.h>
33 #include <stdlib.h>
34 #include <security/pam_appl.h>
35 #include <security/pam_modules.h>
36 #include <security/pam_impl.h>
37 #include <syslog.h>
38 #include <pwd.h>
39 #include <shadow.h>
40 #include <lastlog.h>
41 #include <ctype.h>
42 #include <unistd.h>
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <libintl.h>
46 #include <signal.h>
47 #include <thread.h>
48 #include <synch.h>
49 #include <errno.h>
50 #include <time.h>
51 #include <string.h>
52 #include <crypt.h>
53 #include <assert.h>
54 #include <deflt.h>
55 #include <libintl.h>
56 #include <passwdutil.h>
57 
58 #define	LASTLOG		"/var/adm/lastlog"
59 #define	LOGINADMIN	"/etc/default/login"
60 #define	UNIX_AUTH_DATA		"SUNW-UNIX-AUTH-DATA"
61 #define	UNIX_AUTHTOK_DATA	"SUNW-UNIX-AUTHTOK-DATA"
62 
63 /*
64  * Function Declarations
65  */
66 extern void		setusershell();
67 extern int		_nfssys(int, void *);
68 
69 typedef struct _unix_authtok_data_ {
70 	int age_status;
71 }unix_authtok_data;
72 
73 /*ARGSUSED*/
74 static void
unix_cleanup(pam_handle_t * pamh,void * data,int pam_status)75 unix_cleanup(
76 	pam_handle_t *pamh,
77 	void *data,
78 	int pam_status)
79 {
80 	free((unix_authtok_data *)data);
81 }
82 
83 /*
84  * check_for_login_inactivity	- Check for login inactivity
85  *
86  */
87 
88 static int
check_for_login_inactivity(uid_t pw_uid,struct spwd * shpwd)89 check_for_login_inactivity(
90 	uid_t		pw_uid,
91 	struct 	spwd 	*shpwd)
92 {
93 	int		fdl;
94 	struct lastlog	ll;
95 	int		retval;
96 	offset_t	offset;
97 
98 	offset = (offset_t)pw_uid * (offset_t)sizeof (struct lastlog);
99 
100 	if ((fdl = open(LASTLOG, O_RDWR|O_CREAT, 0444)) >= 0) {
101 		/*
102 		 * Read the last login (ll) time
103 		 */
104 		if (llseek(fdl, offset, SEEK_SET) != offset) {
105 			__pam_log(LOG_AUTH | LOG_ERR,
106 			    "pam_unix_acct: pam_sm_acct_mgmt: "
107 			    "can't obtain last login info on uid %d "
108 			    "(uid too large)", pw_uid);
109 			(void) close(fdl);
110 			return (0);
111 		}
112 
113 		retval = read(fdl, (char *)&ll, sizeof (ll));
114 
115 		/* Check for login inactivity */
116 
117 		if ((shpwd->sp_inact > 0) && (retval == sizeof (ll)) &&
118 		    ll.ll_time) {
119 			/*
120 			 * account inactive too long.
121 			 * and no update password set
122 			 * and no last pwd change date in shadow file
123 			 * and last pwd change more than inactive time
124 			 * then account inactive too long and no access.
125 			 */
126 			if (((time_t)((ll.ll_time / DAY) + shpwd->sp_inact)
127 			    < DAY_NOW) &&
128 			    (shpwd->sp_lstchg != 0) &&
129 			    (shpwd->sp_lstchg != -1) &&
130 			    ((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
131 				/*
132 				 * Account inactive for too long
133 				 */
134 				(void) close(fdl);
135 				return (1);
136 			}
137 		}
138 
139 		(void) close(fdl);
140 	}
141 	return (0);
142 }
143 
144 /*
145  * new_password_check()
146  *
147  * check to see if the user needs to change their password
148  */
149 
150 static int
new_password_check(shpwd,flags)151 new_password_check(shpwd, flags)
152 	struct 	spwd 	*shpwd;
153 	int 		flags;
154 {
155 	time_t	now  = DAY_NOW;
156 
157 	/*
158 	 * We want to make sure that we change the password only if
159 	 * passwords are required for the system, the user does not
160 	 * have a password, AND the user's NULL password can be changed
161 	 * according to its password aging information
162 	 */
163 
164 	if ((flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
165 		if (shpwd->sp_pwdp[0] == '\0') {
166 			if (((shpwd->sp_max == -1) ||
167 				((time_t)shpwd->sp_lstchg > now) ||
168 				((now >= (time_t)(shpwd->sp_lstchg +
169 							shpwd->sp_min)) &&
170 				(shpwd->sp_max >= shpwd->sp_min)))) {
171 					return (PAM_NEW_AUTHTOK_REQD);
172 			}
173 		}
174 	}
175 	return (PAM_SUCCESS);
176 }
177 
178 /*
179  * perform_passwd_aging_check
180  *		- Check for password exipration.
181  */
182 static	int
perform_passwd_aging_check(pam_handle_t * pamh,struct spwd * shpwd,int flags)183 perform_passwd_aging_check(
184 	pam_handle_t *pamh,
185 	struct 	spwd 	*shpwd,
186 	int	flags)
187 {
188 	time_t 	now = DAY_NOW;
189 	int	idledays = -1;
190 	char	*ptr;
191 	char	messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
192 	void	*defp;
193 
194 
195 	if ((defp = defopen_r(LOGINADMIN)) != NULL) {
196 		if ((ptr = defread_r("IDLEWEEKS=", defp)) != NULL)
197 			idledays = 7 * atoi(ptr);
198 		defclose_r(defp);
199 	}
200 
201 	/*
202 	 * if (sp_lstchg == 0), the administrator has forced the
203 	 * user to change their passwd
204 	 */
205 	if (shpwd->sp_lstchg == 0)
206 		return (PAM_NEW_AUTHTOK_REQD);
207 
208 	/* If password aging is disabled (or min>max), all is well */
209 	if (shpwd->sp_max < 0 || shpwd->sp_max < shpwd->sp_min)
210 		return (PAM_SUCCESS);
211 
212 	/* Password aging is enabled. See if the password has aged */
213 	if (now < (time_t)(shpwd->sp_lstchg + shpwd->sp_max))
214 		return (PAM_SUCCESS);
215 
216 	/* Password has aged. Has it aged more than idledays ? */
217 	if (idledays < 0)			/* IDLEWEEKS not configured */
218 		return (PAM_NEW_AUTHTOK_REQD);
219 
220 	/* idledays is configured */
221 	if (idledays > 0 && (now < (time_t)(shpwd->sp_lstchg + idledays)))
222 		return (PAM_NEW_AUTHTOK_REQD);
223 
224 	/* password has aged more that allowed for by IDLEWEEKS */
225 	if (!(flags & PAM_SILENT)) {
226 		(void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
227 		    "Your password has been expired for too long."),
228 		    sizeof (messages[0]));
229 		(void) strlcpy(messages[1], dgettext(TEXT_DOMAIN,
230 		    "Please contact the system administrator."),
231 		    sizeof (messages[0]));
232 		(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 2, messages,
233 		    NULL);
234 	}
235 	return (PAM_AUTHTOK_EXPIRED);
236 }
237 
238 /*
239  * warn_user_passwd_will_expire	- warn the user when the password will
240  *					  expire.
241  */
242 
243 static void
warn_user_passwd_will_expire(pam_handle_t * pamh,struct spwd shpwd)244 warn_user_passwd_will_expire(
245 	pam_handle_t *pamh,
246 	struct 	spwd shpwd)
247 {
248 	time_t 	now	= DAY_NOW;
249 	char	messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
250 	time_t	days;
251 
252 
253 	if ((shpwd.sp_warn > 0) && (shpwd.sp_max > 0) &&
254 	    (now + shpwd.sp_warn) >= (time_t)(shpwd.sp_lstchg + shpwd.sp_max)) {
255 		days = (time_t)(shpwd.sp_lstchg + shpwd.sp_max) - now;
256 		if (days <= 0)
257 			(void) snprintf(messages[0],
258 			    sizeof (messages[0]),
259 			    dgettext(TEXT_DOMAIN,
260 			    "Your password will expire within 24 hours."));
261 		else if (days == 1)
262 			(void) snprintf(messages[0],
263 			    sizeof (messages[0]),
264 			    dgettext(TEXT_DOMAIN,
265 			    "Your password will expire in 1 day."));
266 		else
267 			(void) snprintf(messages[0],
268 			    sizeof (messages[0]),
269 			    dgettext(TEXT_DOMAIN,
270 			    "Your password will expire in %d days."),
271 			    (int)days);
272 
273 		(void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages,
274 		    NULL);
275 	}
276 }
277 
278 /*
279  * pam_sm_acct_mgmt	- 	main account managment routine.
280  *			  Returns: module error or specific error on failure
281  */
282 
283 int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags,int argc,const char ** argv)284 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
285 {
286 	uid_t pw_uid;
287 	char *repository_name = NULL;
288 	char *user;
289 	attrlist attr_pw[3];
290 	attrlist attr_spw[7];
291 	pwu_repository_t *pwu_rep = PWU_DEFAULT_REP;
292 	const pwu_repository_t *auth_rep = NULL;
293 	int error = PAM_ACCT_EXPIRED;
294 	int result;
295 	int i;
296 	int debug = 0;
297 	int server_policy = 0;
298 	unix_authtok_data *status;
299 	struct spwd shpwd = {NULL, NULL, -1, -1, -1, -1, -1, -1, 0};
300 
301 	for (i = 0; i < argc; i++) {
302 		if (strcasecmp(argv[i], "debug") == 0)
303 			debug = 1;
304 		else if (strcasecmp(argv[i], "server_policy") == 0)
305 			server_policy = 1;
306 		else if (strcasecmp(argv[i], "nowarn") == 0) {
307 			flags = flags | PAM_SILENT;
308 		} else {
309 			__pam_log(LOG_AUTH | LOG_ERR,
310 			    "ACCOUNT:pam_sm_acct_mgmt: illegal option %s",
311 			    argv[i]);
312 		}
313 	}
314 
315 	if (debug)
316 		__pam_log(LOG_AUTH | LOG_DEBUG,
317 		    "pam_unix_account: entering pam_sm_acct_mgmt()");
318 
319 	if ((error = pam_get_item(pamh, PAM_USER, (const void **)&user))
320 	    != PAM_SUCCESS)
321 		goto out;
322 
323 	if (user == NULL) {
324 		error = PAM_USER_UNKNOWN;
325 		goto out;
326 	} else
327 		shpwd.sp_namp = user;
328 
329 	if ((error = pam_get_item(pamh, PAM_REPOSITORY,
330 	    (const void **)&auth_rep)) != PAM_SUCCESS) {
331 		goto out;
332 	}
333 
334 	if (auth_rep == NULL) {
335 		pwu_rep = PWU_DEFAULT_REP;
336 	} else {
337 		if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) {
338 			error = PAM_BUF_ERR;
339 			goto out;
340 		}
341 		pwu_rep->type = auth_rep->type;
342 		pwu_rep->scope = auth_rep->scope;
343 		pwu_rep->scope_len = auth_rep->scope_len;
344 	}
345 
346 	/*
347 	 * First get the password information
348 	 */
349 	attr_pw[0].type =  ATTR_REP_NAME;	attr_pw[0].next = &attr_pw[1];
350 	attr_pw[1].type =  ATTR_UID;		attr_pw[1].next = &attr_pw[2];
351 	attr_pw[2].type =  ATTR_PASSWD;		attr_pw[2].next = NULL;
352 	result = __get_authtoken_attr(user, pwu_rep, attr_pw);
353 
354 	if (result == PWU_NOT_FOUND) {
355 		error = PAM_USER_UNKNOWN;
356 		goto out;
357 	} else if (result == PWU_DENIED) {
358 		error = PAM_PERM_DENIED;
359 		goto out;
360 	} else if (result == PWU_NOMEM) {
361 		error = PAM_BUF_ERR;
362 		goto out;
363 	} else if (result != PWU_SUCCESS) {
364 		error = PAM_SERVICE_ERR;
365 		goto out;
366 	} else {
367 		repository_name = attr_pw[0].data.val_s;
368 		pw_uid = attr_pw[1].data.val_i;
369 		shpwd.sp_pwdp = attr_pw[2].data.val_s;
370 	}
371 
372 	/*
373 	 * if repository is not files|nis, and user wants server_policy,
374 	 * we don't care about aging and hence return PAM_IGNORE
375 	 */
376 	if (server_policy &&
377 	    strcmp(repository_name, "files") != 0 &&
378 	    strcmp(repository_name, "nis") != 0) {
379 		error = PAM_IGNORE;
380 		goto out;
381 	}
382 
383 	/*
384 	 * Now get the aging information
385 	 */
386 	attr_spw[0].type =  ATTR_LSTCHG;	attr_spw[0].next = &attr_spw[1];
387 	attr_spw[1].type =  ATTR_MIN;		attr_spw[1].next = &attr_spw[2];
388 	attr_spw[2].type =  ATTR_MAX;		attr_spw[2].next = &attr_spw[3];
389 	attr_spw[3].type =  ATTR_WARN;		attr_spw[3].next = &attr_spw[4];
390 	attr_spw[4].type =  ATTR_INACT;		attr_spw[4].next = &attr_spw[5];
391 	attr_spw[5].type =  ATTR_EXPIRE;	attr_spw[5].next = &attr_spw[6];
392 	attr_spw[6].type =  ATTR_FLAG;		attr_spw[6].next = NULL;
393 
394 	result = __get_authtoken_attr(user, pwu_rep, attr_spw);
395 	if (result == PWU_SUCCESS) {
396 		shpwd.sp_lstchg = attr_spw[0].data.val_i;
397 		shpwd.sp_min = attr_spw[1].data.val_i;
398 		shpwd.sp_max = attr_spw[2].data.val_i;
399 		shpwd.sp_warn = attr_spw[3].data.val_i;
400 		shpwd.sp_inact = attr_spw[4].data.val_i;
401 		shpwd.sp_expire = attr_spw[5].data.val_i;
402 		shpwd.sp_flag = attr_spw[6].data.val_i;
403 	}
404 
405 	if (debug) {
406 		char *pw = "Unix PW";
407 
408 		if (shpwd.sp_pwdp == NULL)
409 			pw = "NULL";
410 		else if (strncmp(shpwd.sp_pwdp, LOCKSTRING,
411 		    sizeof (LOCKSTRING) - 1) == 0)
412 			pw = LOCKSTRING;
413 		else if (strcmp(shpwd.sp_pwdp, NOPWDRTR) == 0)
414 			pw = NOPWDRTR;
415 
416 		if (result ==  PWU_DENIED) {
417 			__pam_log(LOG_AUTH | LOG_DEBUG,
418 			    "pam_unix_account: %s: permission denied "
419 			    "to access password aging information. "
420 			    "Using defaults.", user);
421 		}
422 
423 		__pam_log(LOG_AUTH | LOG_DEBUG,
424 		    "%s Policy:Unix, pw=%s, lstchg=%d, min=%d, max=%d, "
425 		    "warn=%d, inact=%d, expire=%d",
426 		    user, pw, shpwd.sp_lstchg, shpwd.sp_min, shpwd.sp_max,
427 		    shpwd.sp_warn, shpwd.sp_inact, shpwd.sp_expire);
428 	}
429 
430 	if (pwu_rep != PWU_DEFAULT_REP) {
431 		free(pwu_rep);
432 		pwu_rep = PWU_DEFAULT_REP;
433 	}
434 
435 	if (result == PWU_NOT_FOUND) {
436 		error = PAM_USER_UNKNOWN;
437 		goto out;
438 	} else if (result == PWU_NOMEM) {
439 		error = PAM_BUF_ERR;
440 		goto out;
441 	} else if (result != PWU_SUCCESS && result != PWU_DENIED) {
442 		error = PAM_SERVICE_ERR;
443 		goto out;
444 	}
445 
446 	/*
447 	 * Check for locked account
448 	 */
449 	if (shpwd.sp_pwdp != NULL &&
450 	    strncmp(shpwd.sp_pwdp, LOCKSTRING, sizeof (LOCKSTRING) - 1) == 0) {
451 		const char *service;
452 		const char *rhost = NULL;
453 
454 		(void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
455 		(void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
456 		__pam_log(LOG_AUTH | LOG_NOTICE,
457 		    "pam_unix_account: %s attempting to validate locked "
458 		    "account %s from %s",
459 		    service, user,
460 		    (rhost != NULL && *rhost != '\0') ? rhost : "local host");
461 		error = PAM_PERM_DENIED;
462 		goto out;
463 	}
464 
465 	/*
466 	 * Check for NULL password and, if so, see if such is allowed
467 	 */
468 	if (shpwd.sp_pwdp[0] == '\0' &&
469 	    (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
470 		const char *service;
471 		const char *rhost = NULL;
472 
473 		(void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
474 		(void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
475 
476 		__pam_log(LOG_AUTH | LOG_NOTICE,
477 		    "pam_unix_account: %s: empty password not allowed for "
478 		    "account %s from %s", service, user,
479 		    (rhost != NULL && *rhost != '\0') ? rhost : "local host");
480 		error = PAM_PERM_DENIED;
481 		goto out;
482 	}
483 
484 	/*
485 	 * Check for account expiration
486 	 */
487 	if (shpwd.sp_expire > 0 &&
488 	    (time_t)shpwd.sp_expire < DAY_NOW) {
489 		error = PAM_ACCT_EXPIRED;
490 		goto out;
491 	}
492 
493 	/*
494 	 * Check for excessive login account inactivity
495 	 */
496 	if (check_for_login_inactivity(pw_uid, &shpwd)) {
497 		error = PAM_PERM_DENIED;
498 		goto out;
499 	}
500 
501 	/*
502 	 * Check to see if the user needs to change their password
503 	 */
504 	if (error = new_password_check(&shpwd, flags)) {
505 		goto out;
506 	}
507 
508 	/*
509 	 * Check to make sure password aging information is okay
510 	 */
511 	if ((error = perform_passwd_aging_check(pamh, &shpwd, flags))
512 	    != PAM_SUCCESS) {
513 		goto out;
514 	}
515 
516 	/*
517 	 * Finally, warn the user if their password is about to expire.
518 	 */
519 	if (!(flags & PAM_SILENT)) {
520 		warn_user_passwd_will_expire(pamh, shpwd);
521 	}
522 
523 	/*
524 	 * All done, return Success
525 	 */
526 	error = PAM_SUCCESS;
527 
528 out:
529 
530 	{
531 		int pam_res;
532 		unix_authtok_data *authtok_data;
533 
534 		if (debug) {
535 			__pam_log(LOG_AUTH | LOG_DEBUG,
536 			    "pam_unix_account: %s: %s",
537 			    (user == NULL)?"NULL":user,
538 			    pam_strerror(pamh, error));
539 		}
540 
541 		if (repository_name)
542 			free(repository_name);
543 		if (pwu_rep != PWU_DEFAULT_REP)
544 			free(pwu_rep);
545 		if (shpwd.sp_pwdp) {
546 			(void) memset(shpwd.sp_pwdp, 0, strlen(shpwd.sp_pwdp));
547 			free(shpwd.sp_pwdp);
548 		}
549 
550 		/* store the password aging status in the pam handle */
551 		pam_res = pam_get_data(pamh, UNIX_AUTHTOK_DATA,
552 		    (const void **)&authtok_data);
553 
554 		if ((status = (unix_authtok_data *)calloc(1,
555 		    sizeof (unix_authtok_data))) == NULL) {
556 			return (PAM_BUF_ERR);
557 		}
558 
559 		if (pam_res == PAM_SUCCESS)
560 			(void) memcpy(status, authtok_data,
561 			    sizeof (unix_authtok_data));
562 
563 		status->age_status = error;
564 		if (pam_set_data(pamh, UNIX_AUTHTOK_DATA, status, unix_cleanup)
565 		    != PAM_SUCCESS) {
566 			free(status);
567 			return (PAM_SERVICE_ERR);
568 		}
569 	}
570 
571 	return (error);
572 }
573