1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <syslog.h> 27 #include <pwd.h> 28 #include <unistd.h> 29 #include <strings.h> 30 #include <security/pam_appl.h> 31 #include <security/pam_modules.h> 32 #include <libintl.h> 33 34 static int parse_allow_name(char *, char *); 35 36 /* 37 * pam_sm_acct_mgmt main account managment routine. 38 * XXX: The routine just prints out a warning message. 39 * It may need to force the user to change his/her 40 * passwd. 41 */ 42 43 int 44 pam_sm_acct_mgmt( 45 pam_handle_t *pamh, 46 int flags, 47 int argc, 48 const char **argv) 49 { 50 char *user; 51 char *pg; 52 int i; 53 /*LINTED - set but not used. Would be used in a real module. */ 54 int debug = 0; 55 /*LINTED - set but not used. Would be used in a real module. */ 56 int nowarn = 0; 57 int error = 0; 58 59 if (argc == 0) 60 return (PAM_SUCCESS); 61 62 if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS) 63 return (PAM_SERVICE_ERR); 64 65 if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS) 66 return (PAM_SERVICE_ERR); 67 68 /* 69 * kludge alert. su needs to be handled specially for allow policy. 70 * we want to use the policy of the current user not the "destination" 71 * user. This will enable us to prevent su to root but not to rlogin, 72 * telnet, rsh, ftp to root. 73 * 74 * description of problem: user name is the "destination" name. not 75 * the current name. The allow policy needs to be applied to the 76 * current name in the case of su. user is "root" in this case and 77 * we will be getting the root policy instead of the user policy. 78 */ 79 if (strcmp(pg, "su") == 0) { 80 struct passwd *pw; 81 uid_t uid; 82 uid = getuid(); 83 pw = getpwuid(uid); 84 if (pw == NULL) 85 return (PAM_SYSTEM_ERR); 86 user = pw->pw_name; 87 } 88 89 if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0)) 90 return (PAM_SUCCESS); 91 92 for (i = 0; i < argc; i++) { 93 if (strcasecmp(argv[i], "debug") == 0) 94 debug = 1; 95 else if (strcasecmp(argv[i], "nowarn") == 0) { 96 nowarn = 1; 97 flags = flags | PAM_SILENT; 98 } else if (strncmp(argv[i], "allow=", 6) == 0) 99 error |= parse_allow_name(user, (char *)(argv[i]+6)); 100 else 101 syslog(LOG_DEBUG, "illegal option %s", argv[i]); 102 } 103 return (error?PAM_SUCCESS:PAM_AUTH_ERR); 104 } 105 106 static char *getname(); 107 108 static int 109 parse_allow_name(char *who, char *cp) 110 { 111 char name[256]; 112 113 /* catch "allow=" */ 114 if (*cp == '\0') 115 return (0); 116 while (cp) { 117 cp = getname(cp, name); 118 /* catch things such as =, and ,, */ 119 if (*name == '\0') 120 continue; 121 if (strcmp(who, name) == 0) 122 return (1); 123 } 124 return (0); 125 } 126 127 static char * 128 getname(char *cp, char *name) 129 { 130 /* force name to be initially null string */ 131 *name = '\0'; 132 133 /* end of string? */ 134 if (*cp == '\0') 135 return ((char *)0); 136 while (*cp) { 137 /* end of name? */ 138 if (*cp == ',' || *cp == '\0') 139 break; 140 *name++ = *cp++; 141 } 142 /* make name into string */ 143 *name++ = '\0'; 144 return ((*cp == '\0')? (char *)0 : ++cp); 145 } 146