1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2016 by Delphix. All rights reserved. 25 */ 26 27 #include <syslog.h> 28 #include <pwd.h> 29 #include <unistd.h> 30 #include <strings.h> 31 #include <security/pam_appl.h> 32 #include <security/pam_modules.h> 33 #include <libintl.h> 34 35 static int parse_allow_name(char *, char *); 36 37 /* 38 * pam_sm_acct_mgmt main account managment routine. 39 * XXX: The routine just prints out a warning message. 40 * It may need to force the user to change their 41 * passwd. 42 */ 43 44 int 45 pam_sm_acct_mgmt( 46 pam_handle_t *pamh, 47 int flags, 48 int argc, 49 const char **argv) 50 { 51 char *user; 52 char *pg; 53 int i; 54 /*LINTED - set but not used. Would be used in a real module. */ 55 int debug = 0; 56 /*LINTED - set but not used. Would be used in a real module. */ 57 int nowarn = 0; 58 int error = 0; 59 60 if (argc == 0) 61 return (PAM_SUCCESS); 62 63 if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS) 64 return (PAM_SERVICE_ERR); 65 66 if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS) 67 return (PAM_SERVICE_ERR); 68 69 /* 70 * kludge alert. su needs to be handled specially for allow policy. 71 * we want to use the policy of the current user not the "destination" 72 * user. This will enable us to prevent su to root but not to rlogin, 73 * telnet, rsh, ftp to root. 74 * 75 * description of problem: user name is the "destination" name. not 76 * the current name. The allow policy needs to be applied to the 77 * current name in the case of su. user is "root" in this case and 78 * we will be getting the root policy instead of the user policy. 79 */ 80 if (strcmp(pg, "su") == 0) { 81 struct passwd *pw; 82 uid_t uid; 83 uid = getuid(); 84 pw = getpwuid(uid); 85 if (pw == NULL) 86 return (PAM_SYSTEM_ERR); 87 user = pw->pw_name; 88 } 89 90 if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0)) 91 return (PAM_SUCCESS); 92 93 for (i = 0; i < argc; i++) { 94 if (strcasecmp(argv[i], "debug") == 0) 95 debug = 1; 96 else if (strcasecmp(argv[i], "nowarn") == 0) { 97 nowarn = 1; 98 flags = flags | PAM_SILENT; 99 } else if (strncmp(argv[i], "allow=", 6) == 0) 100 error |= parse_allow_name(user, (char *)(argv[i]+6)); 101 else 102 syslog(LOG_DEBUG, "illegal option %s", argv[i]); 103 } 104 return (error?PAM_SUCCESS:PAM_AUTH_ERR); 105 } 106 107 static char *getname(); 108 109 static int 110 parse_allow_name(char *who, char *cp) 111 { 112 char name[256]; 113 114 /* catch "allow=" */ 115 if (*cp == '\0') 116 return (0); 117 while (cp) { 118 cp = getname(cp, name); 119 /* catch things such as =, and ,, */ 120 if (*name == '\0') 121 continue; 122 if (strcmp(who, name) == 0) 123 return (1); 124 } 125 return (0); 126 } 127 128 static char * 129 getname(char *cp, char *name) 130 { 131 /* force name to be initially null string */ 132 *name = '\0'; 133 134 /* end of string? */ 135 if (*cp == '\0') 136 return ((char *)0); 137 while (*cp) { 138 /* end of name? */ 139 if (*cp == ',' || *cp == '\0') 140 break; 141 *name++ = *cp++; 142 } 143 /* make name into string */ 144 *name++ = '\0'; 145 return ((*cp == '\0')? (char *)0 : ++cp); 146 } 147