xref: /illumos-gate/usr/src/lib/pam_modules/sample/sample_acct_mgmt.c (revision 30165b7f6753bc3d48c52319bed7ec7b3ea36b3c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  */
26 
27 #include <syslog.h>
28 #include <pwd.h>
29 #include <unistd.h>
30 #include <strings.h>
31 #include <security/pam_appl.h>
32 #include <security/pam_modules.h>
33 #include <libintl.h>
34 
35 static int parse_allow_name(char *, char *);
36 
37 /*
38  * pam_sm_acct_mgmt	main account managment routine.
39  *			XXX: The routine just prints out a warning message.
40  *			     It may need to force the user to change their
41  *			     passwd.
42  */
43 
44 int
45 pam_sm_acct_mgmt(
46 	pam_handle_t *pamh,
47 	int	flags,
48 	int	argc,
49 	const char **argv)
50 {
51 	char	*user;
52 	char	*pg;
53 	int	i;
54 	/*LINTED - set but not used. Would be used in a real module. */
55 	int	debug __unused = 0;
56 	/*LINTED - set but not used. Would be used in a real module. */
57 	int	nowarn __unused = 0;
58 	int	error = 0;
59 
60 	if (argc == 0)
61 		return (PAM_SUCCESS);
62 
63 	if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS)
64 		return (PAM_SERVICE_ERR);
65 
66 	if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS)
67 		return (PAM_SERVICE_ERR);
68 
69 	/*
70 	 * kludge alert. su needs to be handled specially for allow policy.
71 	 * we want to use the policy of the current user not the "destination"
72 	 * user. This will enable us to prevent su to root but not to rlogin,
73 	 * telnet, rsh, ftp to root.
74 	 *
75 	 * description of problem: user name is the "destination" name. not
76 	 * the current name. The allow policy needs to be applied to the
77 	 * current name in the case of su. user is "root" in this case and
78 	 * we will be getting the root policy instead of the user policy.
79 	 */
80 	if (strcmp(pg, "su") == 0) {
81 		struct passwd *pw;
82 		uid_t uid;
83 		uid = getuid();
84 		pw = getpwuid(uid);
85 		if (pw == NULL)
86 			return (PAM_SYSTEM_ERR);
87 		user = pw->pw_name;
88 	}
89 
90 	if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0))
91 		return (PAM_SUCCESS);
92 
93 	for (i = 0; i < argc; i++) {
94 		if (strcasecmp(argv[i], "debug") == 0)
95 			debug = 1;
96 		else if (strcasecmp(argv[i], "nowarn") == 0) {
97 			nowarn = 1;
98 			flags = flags | PAM_SILENT;
99 		} else if (strncmp(argv[i], "allow=", 6) == 0)
100 			error |= parse_allow_name(user, (char *)(argv[i]+6));
101 		else
102 			syslog(LOG_DEBUG, "illegal option %s", argv[i]);
103 	}
104 	return (error?PAM_SUCCESS:PAM_AUTH_ERR);
105 }
106 
107 static char *getname();
108 
109 static int
110 parse_allow_name(char *who, char *cp)
111 {
112 	char name[256];
113 
114 	/* catch "allow=" */
115 	if (*cp == '\0')
116 		return (0);
117 	while (cp) {
118 		cp = getname(cp, name);
119 		/* catch things such as =, and ,, */
120 		if (*name == '\0')
121 			continue;
122 		if (strcmp(who, name) == 0)
123 			return (1);
124 	}
125 	return (0);
126 }
127 
128 static char *
129 getname(char *cp, char *name)
130 {
131 	/* force name to be initially null string */
132 	*name = '\0';
133 
134 	/* end of string? */
135 	if (*cp == '\0')
136 		return ((char *)0);
137 	while (*cp) {
138 		/* end of name? */
139 		if (*cp == ',' || *cp == '\0')
140 			break;
141 		*name++ = *cp++;
142 	}
143 	/* make name into string */
144 	*name++ = '\0';
145 	return ((*cp == '\0')? (char *)0 : ++cp);
146 }
147