1 /*- 2 * Copyright (c) 2001 Mark R V Murray 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/types.h> 31 #include <sys/stat.h> 32 #include <pwd.h> 33 #include <ttyent.h> 34 #include <string.h> 35 36 #define PAM_SM_AUTH 37 #include <security/pam_modules.h> 38 #include <pam_mod_misc.h> 39 40 #define TTY_PREFIX "/dev/" 41 42 PAM_EXTERN int 43 pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) 44 { 45 struct options options; 46 struct ttyent *ttyfileinfo; 47 struct passwd *pwd; 48 int retval; 49 const char *user, *ttyname; 50 51 pam_std_option(&options, NULL, argc, argv); 52 53 PAM_LOG("Options processed"); 54 55 retval = pam_get_user(pamh, &user, NULL); 56 if (retval != PAM_SUCCESS) 57 PAM_RETURN(retval); 58 59 PAM_LOG("Got user: %s", user); 60 61 retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname); 62 if (retval != PAM_SUCCESS) 63 PAM_RETURN(retval); 64 65 PAM_LOG("Got TTY: %s", ttyname); 66 67 /* Ignore any "/dev/" on the PAM_TTY item */ 68 if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0) 69 ttyname += sizeof(TTY_PREFIX) - 1; 70 71 /* If the user is not root, secure ttys do not apply */ 72 pwd = getpwnam(user); 73 if (pwd == NULL) 74 PAM_RETURN(PAM_IGNORE); 75 else if (pwd->pw_uid != 0) 76 PAM_RETURN(PAM_SUCCESS); 77 78 PAM_LOG("User is not root"); 79 80 ttyfileinfo = getttynam(ttyname); 81 if (ttyfileinfo == NULL) 82 PAM_RETURN(PAM_SERVICE_ERR); 83 84 PAM_LOG("Got ttyfileinfo"); 85 86 if (ttyfileinfo->ty_status & TTY_SECURE) 87 PAM_RETURN(PAM_SUCCESS); 88 else { 89 PAM_VERBOSE_ERROR("Not on secure TTY"); 90 PAM_RETURN(PAM_PERM_DENIED); 91 } 92 } 93 94 PAM_EXTERN 95 int 96 pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) 97 { 98 struct options options; 99 100 pam_std_option(&options, NULL, argc, argv); 101 102 PAM_LOG("Options processed"); 103 104 PAM_RETURN(PAM_SUCCESS); 105 } 106 107 PAM_MODULE_ENTRY("pam_securetty"); 108