Главная   Изменения   Спек   Патчи   Исходники   Загрузить   Gear   Bugs and FR  Repocop 

modules/000075500000000000000000000000001100137636100125225ustar00rootroot00000000000000modules/pam_listfile/000075500000000000000000000000001100137636100151725ustar00rootroot00000000000000modules/pam_listfile/pam_listfile.c000064400000000000000000000343111100137636100200100ustar00rootroot00000000000000/*
 * Pam_listfile written by Michael Tokarev <mjt at corpit.ru> Dec, 2000
 * based on ideas and original work
 * by Elliot Lee <sopwith at redhat.com>, Red Hat Software. July 25, 1996.
 * log refused access error
 * christopher mccrory <chrismcc at netus.com> 1998/7/11
 *
 * This code began life as the pam_rootok module.
 */

#include "config.h"

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <syslog.h>
#include <stdarg.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION

#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>

#ifdef HAVE_FNMATCH
# ifdef HAVE_FNMATCH_H
#  include <fnmatch.h>
# else
   extern int fnmatch(const char *, const char *, int);
# endif
# define match(pattern, string) (fnmatch(pattern, string, 0) == 0)
#else
  /* we can implement simple matcher here */
# define match(pattern, string) (strcmp(pattern, string) == 0)
#endif

static int
in_list(const char *member, const char * const *list)
{
  while (*list)
    if (strcmp(*list++, member) == 0)
      return 1;
  return 0;
}

static int
match_list(const char *pattern, const char *const *list)
{
  while(*list)
    if (match(pattern, *list++))
      return 1;
  return 0;
}

/* Extended Items that are not directly available via pam_get_item() */
#define EI_GROUP 1
#define EI_SHELL 2
#define EI_HOME  3

static int
pam_list(pam_handle_t *pamh, int argc, const char **argv)
{
  /* defaults */
  int item = 0; /* item to get from PAM */
  int eitem = 0; /* for "extended" (EI_*) items from struct passwd */
  int onerr = PAM_SERVICE_ERR; /* what to do in case of error */
  int sense = -1; /* what to do: allow(0)/deny(1)/unknown(-1) */
  const char *list = NULL; /* file or direct list */
  const char *apply = NULL; /* for apply= */
  const void *void_item; /* for pam_get_item */
  int r;

  const char *user = NULL; /* PAM_USER */

#define MAXITEMS 128 /* max. 256 items to check */
  const char *items[MAXITEMS+1];

  /* process arguments */
  r = 1; /* 0 means error */
  while(argc--) {
    const char *a = *argv++;

    if (!strcmp(a, "onerr=succeed") || !strcmp(a, "errsucceed") || !strcmp(a, "errok"))
      onerr = PAM_SUCCESS;
    else if (!strcmp(a, "onerr=fail") || !strcmp(a, "errfail"))
      onerr = PAM_SERVICE_ERR;

    else if (sense < 0 && (!strcmp(a, "sense=allow") || !strcmp(a, "allow")))
      sense = 0;
    else if (sense < 0 && (!strcmp(a, "sense=deny") || !strcmp(a, "deny")))
      sense = 1;

    else if (!list && (!strncmp(a, "file=", 5) || !strncmp(a, "list=", 5)))
      list = a + 5;

    else if (!list && sense < 0 && !strncmp(a, "allow=", 6))
      list = a + 6, sense = 0;
    else if (!list && sense < 0 && !strncmp(a, "deny=", 5))
      list = a + 5, sense = 1;

    else if (!item && (!strcmp(a, "item=user") || !strcmp(a, "user")))
      item = PAM_USER;
    else if (!item && (!strcmp(a, "item=tty") || !strcmp(a, "tty")))
      item = PAM_TTY;
    else if (!item && (!strcmp(a, "item=rhost") || !strcmp(a, "rhost")))
      item = PAM_RHOST;
    else if (!item && (!strcmp(a, "item=ruser") || !strcmp(a, "ruser")))
      item = PAM_RUSER;
    else if (!item && (!strcmp(a, "item=group") || !strcmp(a, "group")))
      item = PAM_USER, eitem = EI_GROUP;
    else if (!item && (!strcmp(a, "item=shell") || !strcmp(a, "shell")))
      item = PAM_USER, eitem = EI_SHELL;
    else if (!item && (!strcmp(a, "item=home") || !strcmp(a, "home")))
      item = PAM_USER, eitem = EI_HOME;

    else if (!item && !list && !strncmp(a, "user=", 5))
      item = PAM_USER, list = a + 5;
    else if (!item && !list && !strncmp(a, "tty=", 4))
      item = PAM_TTY, list = a + 4;
    else if (!item && !list && !strncmp(a, "rhost=", 6))
      item = PAM_RHOST, list = a + 6;
    else if (!item && !list && !strncmp(a, "ruser=", 6))
      item = PAM_RUSER, list = a + 6;
    else if (!item && !list && !strncmp(a, "group=", 6))
      item = PAM_USER, eitem = EI_GROUP, list = a + 6;
    else if (!item && !list && !strncmp(a, "shell=", 6))
      item = PAM_USER, eitem = EI_SHELL, list = a + 6;
    else if (!item && !list && !strncmp(a, "home=", 5))
      item = PAM_USER, eitem = EI_HOME, list = a + 5;

    else if (!apply && !strncmp(a, "apply=", 6) && a[6])
      apply = a + 6;

    else {
      pam_syslog(pamh, LOG_ERR, "Unknown, invalid, or duplicate option: %s", a);
      r = 0;
    }
  }

  if (!item)
    pam_syslog(pamh, LOG_ERR, "Item not specified"), r = 0;
  if (!list)
    pam_syslog(pamh, LOG_ERR, "List not specified"), r = 0;
  if (sense < 0)
    pam_syslog(pamh, LOG_ERR, "Sense not specified"), r = 0;

  /* if any command-line processing fails, we also fail, ignoring onerr= value.
     Command line should be fixed. */
  if (!r)
    return PAM_SERVICE_ERR;

  /* Check if it makes sense to use the apply= parameter */
  if (apply) {
    if (item == PAM_USER || item == PAM_RUSER || eitem == EI_GROUP) {
      /*XXX FIXME: why deny=user,... apply=@group is non-sense? */
      pam_syslog(pamh, LOG_WARNING, "Non-sense use for apply= parameter");
      //apply = NULL; /*XXX FIXME -- above */
    }
  }

  /* Note: fragile logic here -- be careful! */
  if (item == PAM_USER || apply) {
    /* for PAM_USER (ext)item and for apply= -- get user info */

    r = pam_get_user(pamh, &user, NULL); /* retrieve username from PAM */
    if (r != PAM_SUCCESS) {
      pam_syslog(pamh, LOG_WARNING, "unable to obtain user: %s", pam_strerror(pamh, r));
      return onerr;
    }
    if (!user || !*user) { /* empty user?! */
      pam_syslog(pamh, LOG_WARNING, "no user specified");
      if (apply)
        return PAM_IGNORE; /* assume "not apply" */
      else /* assume "not listed" */
        return sense ? PAM_SUCCESS : PAM_AUTH_ERR;
    }

    /* user is ok.  But it may not exist... */

    if (apply && *apply != '@') /* check apply=user */
      if (strcmp(user, apply)) /* applies */
        apply = NULL; /* apply done */
      else /* not applies */
        return PAM_IGNORE;

    if (apply) { /* apply to group */
      const struct group *gr = pam_modutil_getgrnam(pamh, ++apply); /* skip @ and get group name */
      if (!gr)
        pam_syslog(pamh, LOG_WARNING, "apply group %s does not exist", apply);
        /*XXXX FIXME: error or warning? Maybe command-line error... */
      else if (in_list(user, (const char **)gr->gr_mem))
	/* applies, found in group */
        apply = NULL; /* apply done */
      /* else for apply we need to check primary group also */
    }

    if (apply || eitem) { /* for that, we need primary group */
      struct passwd *pw = pam_modutil_getpwnam(pamh, user);
      if (!pw) {
        if (apply) {
          pam_syslog(pamh, LOG_ERR, "user not found, can't apply group");
          return PAM_IGNORE;
        }
        if (eitem) /* assume "not listed" */
          return sense ? PAM_SUCCESS : PAM_AUTH_ERR;
        /* for item=user it is ok to continue without having passwd entry.
           If it is (eitem == 0), we will not look to here at all... */
      }

      if (apply || eitem == EI_GROUP) { /* need primary group */
        const struct group *gr = pam_modutil_getgrgid(pamh, pw->pw_gid);
        if (!gr) {
          pam_syslog(pamh, LOG_WARNING, "unable to find primary group %d for %s",
                   (int)pw->pw_gid, user);
          if (apply) /* not applies */
            return PAM_IGNORE;
          /* for EI_GROUP, supplement groups still can be matched */
          /*XXX FIXME: should we complain here? Log?  sense=group but no
            primary group? */
        }
        else if (apply && strcmp(apply, gr->gr_name)) /* last apply=, done */
          return PAM_IGNORE; /* does not apply */

        if (eitem == EI_GROUP) { /* init group list */
          int n = 0; /* count of group items */
          if (gr) { /* add primary group */
            if ((items[n++] = strdup(gr->gr_name)) == NULL) {
              pam_syslog(pamh, LOG_ERR, "no memory for primary group");
              return onerr;
            }
          }
          setgrent();
          while((gr = getgrent()) != NULL) {
            if (!in_list(user, (const char **)gr->gr_mem))
              continue;
            if (n == MAXITEMS) { /* items[] has additional entry for NULL */
              pam_syslog(pamh, LOG_WARNING, "too many groups for %s", user);
              break; /*XXX maybe return onerr here? */
            }
            if ((items[n++] = strdup(gr->gr_name)) == NULL) {
              while(n--) free((void*)items[n]);
              pam_syslog(pamh, LOG_ERR, "no memory for group list");
              return onerr;
            }
          }
          items[n] = NULL;
        } /* end of EI_GROUP */

      } /* end of apply || EI_GROUP */

      if (eitem == EI_SHELL)
        items[0] = pw->pw_shell && (pw->pw_shell)[0] ?
          pw->pw_shell : "/bin/sh"; /*XXX FIXME: should be _PATH_BSHELL */
      else if (eitem == EI_HOME)
        items[0] = pw->pw_dir;
      /* for eitem == 0 it is just user, eitem == EI_GROUP already done */

    } /* end of apply || eitem */

    if (item == PAM_USER && !eitem)
      items[0] = user;

  } /* end of item == PAM_USER || apply */

  if (item != PAM_USER) {
    /* get any PAM item */
    const char *val;
    void_item = NULL;
    r = pam_get_item(pamh, item, &void_item);
    val = void_item;
    if (r != PAM_SUCCESS) {
      pam_syslog(pamh, LOG_ERR, "unable to get pam item: %s", pam_strerror(pamh, r));
      return onerr;
    }
    if (!val || !*val)
      /* The item was NULL - we are sure not to match */
      return sense ? PAM_SUCCESS : PAM_AUTH_ERR;
    items[0] = val;
  }

  if (eitem != EI_GROUP)
    items[1] = NULL; /* NULL-terminate */

  /* fragile logic ends */

  /* here, we have NULL-terminated list of items[] to match for */

  if (*list != '/') { /* this is not a file, but direct list */

    char *next; /* pointer to next comma */

    r = 0; /* not found */
    do {
      int not = *list == '!' ? ++list, 1 : 0; /* negation? skip to next char */
      if ((next = strchr(list, ',')) != NULL)
        *next = '\0'; /* temporarily turn comma to zero inside argv[i] */
      r = *list && match_list(list, items);
      if (next)
        *next++ = ','; /* restore comma */
      if (r) {
        if (not) r = 0;
        break;
      }
    } while ((list = next) != NULL);

  }
  else { /* else it is a filename */

    struct stat st;
    FILE *f;

    /* check file */
    if (lstat(list, &st) != 0) {
      if (onerr == PAM_SERVICE_ERR) /* Only report if it's an error... */
        pam_syslog(pamh, LOG_ERR, "unable to stat %s", list);
      r = -1;
    }
    else if ((st.st_mode & S_IWOTH) || !S_ISREG(st.st_mode)) {
      /* If the file is world writable or is not a normal file, return error */
      pam_syslog(pamh, LOG_ERR,
         "%s is either world writable or not a normal file", list);
      r = -1;
    }
    else if ((f = fopen(list, "r")) == NULL) {
      if (onerr == PAM_SERVICE_ERR) /* Only report if it's an error... */
        pam_syslog(pamh, LOG_ERR, "unable to open %s", list);
      r = -1;
    }
    else {
      char line[256];
      int not = 0;
      r = 0; /* not found */
      while (fgets(line, sizeof(line), f) != NULL) {
        int l = strlen(line);
        char *p = line + l;
        if (!l) continue; /* should never happen? */
        if (p[-1] == '\n') /* line is terminated good */
          --p;
        else if ((l = getc(f)) != EOF) { /* oops, not terminated and !eof */
          pam_syslog(pamh, LOG_ERR, "line in %s is too long", list);
          while (l != '\n') /*XXX FIXME: skip this line completely? Or error? */
            if ((l = getc(f)) == EOF)
              break;
          continue;
        }
        /* strip trailing spaces */
        while(p > line && (p[-1] == ' ' || p[-1] == '\t')) --p;
        *p = '\0'; /* terminate */
        p = line;
        while(*p == ' ' || *p == '\t') ++p; /* skip leading spaces */
        if (*p == '!') { /* negation */
          not = 1;
          ++p;
          while(*p == ' ' || *p == '\t') ++p; /* skip further spaces */
        }
        else
          not = 0;
        if (*p && *p != '#' /* ignore empty line and comment(s) */
            && match_list(p, items)) {
          r = 1;
          break;
        }
      }
      if (!r && ferror(f)) {
        /* if not found but error */
        pam_syslog(pamh, LOG_ERR, "error reading %s", list);
        r = -1;
      }
      fclose(f);
      if (r == 1 && not) /* negate it */
        r = 0;
    }

  } /* list is file */

  if (eitem == EI_GROUP) { /* for EI_GROUP only -- free group list */
    char **ii = (char**)items;
    while(*ii)
      free(*(ii++));
  }

  if (r < 0) /* error of some kind, should be reported already */
    return onerr;

  if (r != sense)
    return PAM_SUCCESS;

  /* no, should deny either by deny= and !found or the opposite */
  void_item = ""; /* just temporary: service name */
  pam_get_item(pamh, PAM_SERVICE, &void_item);
  list = void_item;
  if (!user) { /* if user still unknown */
    void_item = NULL;
    pam_get_item(pamh, PAM_USER, &void_item);
    user = void_item;
  }
  pam_syslog(pamh, LOG_ERR, "Refused user %s for service %s", user, list);
  return PAM_AUTH_ERR;
}

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
		    int argc, const char **argv)
{
  return pam_list(pamh, argc, argv);
}

PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
	       int argc UNUSED, const char **argv UNUSED)
{
  return PAM_SUCCESS;
}

PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
		 int argc, const char **argv)
{
  return pam_list(pamh, argc, argv);
}

PAM_EXTERN int
pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
		     int argc, const char **argv)
{
  return pam_list(pamh, argc, argv);
}

PAM_EXTERN int
pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED,
		      int argc, const char **argv)
{
  return pam_list(pamh, argc, argv);
}

PAM_EXTERN int
pam_sm_chauthtok (pam_handle_t *pamh, int flags UNUSED,
		  int argc, const char **argv)
{
  return pam_list(pamh, argc, argv);
}

#ifdef PAM_STATIC

struct pam_module _pam_listfile_modstruct = {
  "pam_listfile",
  pam_sm_authenticate,
  pam_sm_setcred,
  pam_sm_acct_mgmt,
  pam_sm_open_session,
  pam_sm_close_session,
  pam_sm_chauthtok,
};

#endif /* PAM_STATIC */

/* end of module definition */
modules/pam_sameuid/000075500000000000000000000000001100137636100150065ustar00rootroot00000000000000modules/pam_sameuid/Makefile.am000064400000000000000000000006561100137636100170510ustar00rootroot00000000000000CLEANFILES = *~

EXTRA_DIST = README

securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)

AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
	-I$(top_srcdir)/modules/pammodutil/include/
AM_LDFLAGS = -no-undefined -avoid-version -module \
	-L$(top_builddir)/libpam -lpam
if HAVE_VERSIONING
  AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif

securelib_LTLIBRARIES = pam_sameuid.la
modules/pam_sameuid/README000064400000000000000000000004411100137636100156650ustar00rootroot00000000000000pam_sameuid:
	PAM_SUCCESS, if PAM_USER is same as current user.
	PAM_IGNORE, otherwise.

RECOGNIZED ARGUMENTS:
	debug	write a message to syslog indicating success or	failure.

MODULE SERVICES PROVIDED:
	auth	_authetication and _setcred (blank)

AUTHOR:
	Dmitry V. Levin <ldv@altlinux.org>
modules/pam_sameuid/pam_sameuid.c000064400000000000000000000075371100137636100174520ustar00rootroot00000000000000/* pam_sameuid module */

#include "config.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>
#include <stdarg.h>
#include <pwd.h>
#include <grp.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT

#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>

static int	debug = 0;

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
		    int argc, const char **argv)
{
	const char *username = NULL;
	struct passwd *pwd;
	uid_t   from_uid, to_uid;

	for (; argc-- > 0; ++argv)
	{
		if (!strcmp(*argv, "debug"))
			debug = 1;
		else
			pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
	}

	if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username)
	{
		pam_syslog(pamh, LOG_ERR, "username undefined");
		return PAM_SERVICE_ERR;
	}

	pwd = pam_modutil_getpwnam(pamh, username);
	if (!pwd)
	{
		if (debug)
			pam_syslog(pamh, LOG_WARNING,
				   "unknown user: %s", username);
		return PAM_USER_UNKNOWN;
	}

	to_uid = pwd->pw_uid;

	from_uid = getuid();
	pwd = pam_modutil_getpwuid(pamh, from_uid);
	if (!pwd)
	{
		pam_syslog(pamh, LOG_WARNING, "unknown uid: %u", from_uid);
		return PAM_SERVICE_ERR;
	}

	if (from_uid != to_uid)
	{
#if 0
		if (debug)
			pam_syslog(pamh, LOG_DEBUG,
				 "Access not yet granted to '%s' for '%s'",
				 username, pwd->pw_name);
#endif
		return PAM_IGNORE;
	} else
	{
		if (debug)
			pam_syslog(pamh, LOG_NOTICE,
				 "Access granted to '%s' for '%s'", username,
				 pwd->pw_name);
		return PAM_SUCCESS;
	}
}

PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
	       int argc UNUSED, const char **argv UNUSED)
{
	return PAM_SUCCESS;
}

PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
	return pam_sm_authenticate(pamh, flags, argc, argv);
}

#ifdef PAM_STATIC

/* static module data */

struct pam_module _pam_sameuid_modstruct = {
	"pam_sameuid",
	pam_sm_authenticate,
	pam_sm_setcred,
	pam_sm_acct_mgmt,
	NULL,
	NULL,
	NULL,
};

#endif

/*
 * Copyright (c) Dmitry V. Levin <ldv@altlinux.org>, 2000, 2005.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU Public License, in which case the provisions of the GPL are
 * required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */