1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <syslog.h> 29 #include <pwd.h> 30 #include <unistd.h> 31 #include <strings.h> 32 #include <security/pam_appl.h> 33 #include <security/pam_modules.h> 34 #include <libintl.h> 35 #include <pwd.h> 36 #include <user_attr.h> 37 #include <secdb.h> 38 #include <nss_dbdefs.h> 39 #include <security/pam_impl.h> 40 41 static int roleinlist(); 42 43 /* 44 * pam_sm_acct_mgmt(): 45 * Account management module 46 * This module disallows roles for primary logins and adds special 47 * checks to allow roles for secondary logins. 48 */ 49 50 /*ARGSUSED*/ 51 int 52 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) 53 { 54 uid_t uid; 55 userattr_t *user_entry; 56 char *kva_value; 57 char *username; 58 char *auser; 59 char *ruser; 60 char *rhost; 61 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 62 struct passwd *pw_entry, pwd; 63 char buf[NSS_BUFLEN_PASSWD]; 64 65 int i; 66 int debug = 0; 67 int allow_remote = 0; 68 69 (void) pam_get_item(pamh, PAM_USER, (void **)&username); 70 71 (void) pam_get_item(pamh, PAM_AUSER, (void **)&auser); 72 73 (void) pam_get_item(pamh, PAM_RUSER, (void **)&ruser); 74 75 (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost); 76 77 for (i = 0; i < argc; i++) { 78 if (strcmp(argv[i], "allow_remote") == 0) { 79 allow_remote = 1; 80 } else if (strcmp(argv[i], "debug") == 0) { 81 debug = 1; 82 } else { 83 __pam_log(LOG_AUTH | LOG_ERR, 84 "pam_roles:pam_sm_acct_mgmt: illegal module " 85 "option %s", argv[i]); 86 } 87 } 88 89 if (debug) { 90 char *service; 91 92 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service); 93 __pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: " 94 "service = %s, allow_remote = %d, user = %s auser = %s " 95 "ruser = %s rhost = %s\n", 96 (service) ? service : "not set", 97 allow_remote, 98 (username) ? username : "not set", 99 (auser) ? auser: "not set", 100 (ruser) ? ruser: "not set", 101 (rhost) ? rhost: "not set"); 102 } 103 104 if (username == NULL) 105 return (PAM_USER_UNKNOWN); 106 107 /* stop masquerades by mapping username to uid to username */ 108 109 if ((pw_entry = getpwnam_r(username, &pwd, buf, sizeof (buf))) == NULL) 110 return (PAM_USER_UNKNOWN); 111 if ((pw_entry = getpwuid_r(pw_entry->pw_uid, &pwd, buf, 112 sizeof (buf))) == NULL) 113 return (PAM_USER_UNKNOWN); 114 /* 115 * If there's no user_attr entry for the primary user or it's not a 116 * role, no further checks are needed. 117 */ 118 119 if (((user_entry = getusernam(pw_entry->pw_name)) == NULL) || 120 ((kva_value = kva_match((kva_t *)user_entry->attr, 121 USERATTR_TYPE_KW)) == NULL) || 122 ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) != 0) && 123 (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) != 0))) { 124 free_userattr(user_entry); 125 return (PAM_IGNORE); 126 } 127 free_userattr(user_entry); 128 129 /* username is a role */ 130 131 if (strcmp(username, pw_entry->pw_name) != 0) { 132 __pam_log(LOG_AUTH | LOG_ALERT, 133 "pam_roles:pam_sm_acct_mgmt: user name %s " 134 "maps to user id %d which is user name %s", 135 username, pw_entry->pw_uid, pw_entry->pw_name); 136 137 } 138 139 /* Who's the user requesting the role? */ 140 141 if (auser != NULL && *auser != '\0') { 142 /* authenticated requesting user */ 143 144 user_entry = getusernam(auser); 145 } else if ((ruser != NULL && *ruser != '\0') && 146 (rhost == NULL || *rhost == '\0')) { 147 /* 148 * PAM_RUSER is set but PAM_RHOST is not; this is 149 * used by SMC and is a temporary solution until SMC 150 * is converted to use the proper PAM_AUSER to specify 151 * the "come-from" username. 152 */ 153 if (strcmp(username, ruser) == 0) { 154 return (PAM_IGNORE); 155 } 156 user_entry = getusernam(ruser); 157 } else { 158 /* user is implied by real UID */ 159 160 if ((uid = getuid()) == 0) { 161 /* 162 * Root user_attr entry cannot have roles. 163 * Force error and deny access. 164 */ 165 user_entry = NULL; 166 } else { 167 if ((pw_entry = getpwuid_r(uid, &pwd, buf, 168 sizeof (buf))) == NULL) { 169 return (PAM_USER_UNKNOWN); 170 } 171 user_entry = getusernam(pw_entry->pw_name); 172 } 173 } 174 175 if ((rhost != NULL && *rhost != '\0') && 176 allow_remote == 0) { 177 /* don't allow remote roles for this service */ 178 179 free_userattr(user_entry); 180 return (PAM_PERM_DENIED); 181 } 182 183 /* 184 * If the original user does not have a user_attr entry or isn't 185 * assigned the role being assumed, fail. 186 */ 187 188 if ((user_entry == NULL) || 189 ((kva_value = kva_match((kva_t *)user_entry->attr, 190 USERATTR_ROLES_KW)) == NULL) || 191 (roleinlist(kva_value, username) == 0)) { 192 free_userattr(user_entry); 193 (void) strlcpy(messages[0], dgettext(TEXT_DOMAIN, 194 "Roles can only be assumed by authorized users"), 195 sizeof (messages[0])); 196 (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, 197 NULL); 198 return (PAM_PERM_DENIED); 199 } 200 201 free_userattr(user_entry); 202 return (PAM_IGNORE); 203 } 204 205 int 206 roleinlist(char *list, char *role) 207 { 208 char *lasts = (char *)NULL; 209 char *rolename = (char *)strtok_r(list, ",", &lasts); 210 211 while (rolename) { 212 if (strcmp(rolename, role) == 0) 213 return (1); 214 else 215 rolename = (char *)strtok_r(NULL, ",", &lasts); 216 } 217 return (0); 218 } 219