/*-
 * Copyright (c) 2001 Mark R V Murray
 * All rights reserved.
 * Copyright (c) 2001 Networks Associates Technologies, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
36397fa725SMark Murray 
37ceaf33f5SMatthew Dillon #include <sys/cdefs.h>
38ceaf33f5SMatthew Dillon __FBSDID("$FreeBSD$");
39ceaf33f5SMatthew Dillon 
40397fa725SMark Murray #include <sys/types.h>
41397fa725SMark Murray #include <sys/stat.h>
42397fa725SMark Murray #include <pwd.h>
43397fa725SMark Murray #include <ttyent.h>
44397fa725SMark Murray #include <string.h>
45397fa725SMark Murray 
46397fa725SMark Murray #define PAM_SM_AUTH
478d3978c1SDag-Erling Smørgrav #define PAM_SM_ACCOUNT
488d3978c1SDag-Erling Smørgrav #define PAM_SM_SESSION
498d3978c1SDag-Erling Smørgrav #define PAM_SM_PASSWORD
508d3978c1SDag-Erling Smørgrav 
51397fa725SMark Murray #include <security/pam_modules.h>
52397fa725SMark Murray #include <pam_mod_misc.h>
53397fa725SMark Murray 
54397fa725SMark Murray #define TTY_PREFIX	"/dev/"
55397fa725SMark Murray 
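/*
 * Authentication entry point: root may authenticate only from a tty whose
 * entry in the ttys database (getttynam) carries the TTY_SECURE flag.
 * Users other than root are not restricted by this module.
 *
 * pamh      PAM handle; the PAM_TTY item is read from it.
 * flags     PAM flags (consumed by the PAM_VERBOSE_ERROR helper).
 * argc/argv module options, parsed by pam_std_option().
 *
 * Returns PAM_SUCCESS for non-root users and for root on a secure tty;
 * PAM_PERM_DENIED for root on a tty that is not marked secure;
 * PAM_IGNORE when the user is unknown to getpwnam(); PAM_SERVICE_ERR when
 * PAM_TTY is unset or the tty has no ttys entry; or whatever error
 * pam_get_user()/pam_get_item() reported.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
	/*
	 * Keep the name `options`: the PAM_LOG/PAM_RETURN helpers from
	 * pam_mod_misc.h presumably refer to this local by name — verify
	 * against the header before renaming.
	 */
	struct options options;
	struct ttyent *ttyfileinfo;
	struct passwd *pwd;
	const void *item;
	const char *user, *ttyname;
	int retval;

	pam_std_option(&options, NULL, argc, argv);

	PAM_LOG("Options processed");

	retval = pam_get_user(pamh, &user, NULL);
	if (retval != PAM_SUCCESS)
		PAM_RETURN(retval);

	PAM_LOG("Got user: %s", user);

	/* Fetch as void* and convert, rather than punning &ttyname. */
	retval = pam_get_item(pamh, PAM_TTY, &item);
	if (retval != PAM_SUCCESS)
		PAM_RETURN(retval);
	ttyname = item;

	/* If the user is not root, secure ttys do not apply */
	pwd = getpwnam(user);
	if (pwd == NULL)
		PAM_RETURN(PAM_IGNORE);
	if (pwd->pw_uid != 0)
		PAM_RETURN(PAM_SUCCESS);

	PAM_LOG("User is root");

	/*
	 * pam_get_item() can succeed with a NULL item when PAM_TTY was never
	 * set.  strncmp()/getttynam() must not see NULL, and with no tty to
	 * check there is nothing to prove the root login secure, so fail
	 * closed instead of dereferencing it.
	 */
	if (ttyname == NULL) {
		PAM_LOG("No PAM_TTY item set");
		PAM_RETURN(PAM_SERVICE_ERR);
	}

	PAM_LOG("Got TTY: %s", ttyname);

	/* Ignore any "/dev/" on the PAM_TTY item */
	if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0)
		ttyname += sizeof(TTY_PREFIX) - 1;

	ttyfileinfo = getttynam(ttyname);
	if (ttyfileinfo == NULL)
		PAM_RETURN(PAM_SERVICE_ERR);

	PAM_LOG("Got ttyfileinfo");

	if (ttyfileinfo->ty_status & TTY_SECURE)
		PAM_RETURN(PAM_SUCCESS);

	PAM_VERBOSE_ERROR("Not on secure TTY");
	PAM_RETURN(PAM_PERM_DENIED);
}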
107397fa725SMark Murray 
/*
 * Credential entry point.  This module has no credentials to establish
 * or revoke: the standard options are parsed (so logging works) and
 * PAM_SUCCESS is returned unconditionally.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
	/* `options` is presumably referenced by name inside PAM_LOG/PAM_RETURN. */
	struct options options;

	(void)pamh;
	(void)flags;
	pam_std_option(&options, NULL, argc, argv);
	PAM_LOG("Options processed");
	PAM_RETURN(PAM_SUCCESS);
}
120397fa725SMark Murray 
/*
 * Account-management entry point.  Not implemented by this module; the
 * standard options are parsed and PAM_IGNORE is returned so the stack
 * proceeds as if this module were absent.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	/* `options` is presumably referenced by name inside PAM_LOG/PAM_RETURN. */
	struct options options;

	(void)pamh;
	(void)flags;
	pam_std_option(&options, NULL, argc, argv);
	PAM_LOG("Options processed");
	PAM_RETURN(PAM_IGNORE);
}
1328d3978c1SDag-Erling Smørgrav 
/*
 * Password-change entry point.  Not implemented by this module; the
 * standard options are parsed and PAM_IGNORE is returned.
 */
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	/* `options` is presumably referenced by name inside PAM_LOG/PAM_RETURN. */
	struct options options;

	(void)pamh;
	(void)flags;
	pam_std_option(&options, NULL, argc, argv);
	PAM_LOG("Options processed");
	PAM_RETURN(PAM_IGNORE);
}
1448d3978c1SDag-Erling Smørgrav 
/*
 * Session-open entry point.  Not implemented by this module; the
 * standard options are parsed and PAM_IGNORE is returned.
 */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	/* `options` is presumably referenced by name inside PAM_LOG/PAM_RETURN. */
	struct options options;

	(void)pamh;
	(void)flags;
	pam_std_option(&options, NULL, argc, argv);
	PAM_LOG("Options processed");
	PAM_RETURN(PAM_IGNORE);
}
1568d3978c1SDag-Erling Smørgrav 
/*
 * Session-close entry point.  Not implemented by this module; the
 * standard options are parsed and PAM_IGNORE is returned.
 */
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	/* `options` is presumably referenced by name inside PAM_LOG/PAM_RETURN. */
	struct options options;

	(void)pamh;
	(void)flags;
	pam_std_option(&options, NULL, argc, argv);
	PAM_LOG("Options processed");
	PAM_RETURN(PAM_IGNORE);
}
1688d3978c1SDag-Erling Smørgrav 
/* Module name for the PAM framework; the macro comes from one of the PAM headers included above. */
PAM_MODULE_ENTRY("pam_securetty");