author | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-21 14:00:36 +0300 |
---|---|---|
committer | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-21 14:00:36 +0300 |
commit | 0280555a431021f2f5164cba09ad86efcdeddde2 (patch) | |
tree | 10676aac175eee800716508128da185610a43070 /modules/pam_unix | |
parent | Completed update_passwd function for pam_unix (diff) | |
Completed pam_rootok and pam_securetty
Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- | modules/pam_unix/pam_unix.c | 83 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix.c~ | 88 |
2 files changed, 147 insertions, 24 deletions
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c index a14dbe6..ea1b75d 100644 --- a/modules/pam_unix/pam_unix.c +++ b/modules/pam_unix/pam_unix.c @@ -15,7 +15,8 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT -#define PAM_PASSWORD +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION #ifndef __linux__ #include <login_cap.h> /* for BSD login classes */ @@ -32,6 +33,7 @@ #include <security/pam_modules.h> #include <security/pam_appl.h> +#include <security/openpam.h> #include <security/pam_mod_misc.h> @@ -56,7 +58,7 @@ void makesalt(char salt[SALTSIZE]); PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { + int argc , const char *argv[] ) { #ifndef __linux__ login_cap_t *lc; @@ -78,7 +80,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, pwd = getpwnam(user); } - + puts("authenticating as user:"); + puts(user); PAM_LOG("Authenticating user: [%s]", user); /* get password */ @@ -227,17 +230,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif /* Check if pw_lstchg or sp_expire is set */ - +/* if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); + puts("before all"); if (pwd->sp_expire) { + puts(ctime(&(pwd->sp_expire))); + puts(ctime(&curtime)); if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { #ifndef __linux__ login_close(lc); -#endif +#endif + puts("expire 1"); PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { + puts("expire 2"); PAM_ERROR("Warning: your account expires on %s", ctime(&pwd->sp_expire)); } 
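Review bot: The two `puts()` calls added before the PAM_LOG in the @@ -78 hunk of pam_sm_authenticate write the username to the calling application's stdout, which a PAM module does not own — for login, sshd or su that stream is the user's terminal or a protocol channel, not a log. The `PAM_LOG("Authenticating user: [%s]", user);` line immediately after already records the same fact, so `puts("authenticating as user:");` and `puts(user);` should be dropped rather than kept as debugging output. pam_sm_authenticate's body continues outside the hunk.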
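Review bot: The `/*` inserted after the `Check if pw_lstchg or sp_expire is set` comment in the @@ -227 hunk, closed by `+*/ pam_err = (PAM_SUCCESS);` in the @@ -270 hunk, comments out every account-aging check in pam_sm_acct_mgmt: the `sp_expire` test, the `sp_lstchg == 0` return of PAM_NEW_AUTHTOK_REQD, and the three pam_tcb-derived expiry tests in the @@ -246 and @@ -255 hunks. As merged, acct_mgmt therefore answers PAM_SUCCESS for expired accounts and for accounts whose password change is required; the inner comment was even rewritten as `* check all other possibilities (mostly stolen from pam_tcb) *` so the outer block does not close early, which suggests the disabling is deliberate debugging rather than an accident. If it is temporary it should not be committed, and if the checks are believed broken the fix is to keep and correct them, since this is the only place the module enforces shadow aging. Separately, the added `puts(ctime(&(pwd->sp_expire)));` and `puts(ctime(&curtime));` — like the pre-existing warning's `ctime(&pwd->sp_expire)` — hand day counts to a function that expects seconds since the epoch (`curtime = time(NULL) / (60 * 60 * 24)` in the same hunk), so they would print dates in early 1970 once re-enabled. pam_sm_acct_mgmt starts before this hunk.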
@@ -246,8 +254,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pwd->sp_lstchg == 0 ) { return (PAM_NEW_AUTHTOK_REQD); } - - /* check all other possibilities (mostly stolen from pam_tcb) */ + puts("before tcb OK!"); + * check all other possibilities (mostly stolen from pam_tcb) * if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && (pwd->sp_max != -1) && (pwd->sp_inact != -1) && @@ -255,12 +263,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 1"); if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1)) { PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 2"); if ((curtime - pwd->sp_lstchg > pwd->sp_max) && (curtime - pwd->sp_lstchg > pwd->sp_inact) @@ -270,7 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , return (PAM_ACCT_EXPIRED); } - pam_err = (PAM_SUCCESS); + puts("after 3"); +*/ pam_err = (PAM_SUCCESS); #ifndef __linux__ 
@@ -485,6 +496,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, } +PAM_EXTERN int +pam_sm_open_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Open session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Open session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(), + (unsigned long) getuid()); + + return PAM_SUCCESS; + +} + +PAM_EXTERN int +pam_sm_close_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Close session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Close session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Closed session for user [%s]", user); + + return PAM_SUCCESS; +} #ifdef __linux__ @@ -493,7 +554,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, * Update shadow with new user password */ -static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_shadow( pam_handle_t * pamh , const char * user, + const char * newhashedpwd ) { FILE *oldshadow, *newshadow; struct spwd *pwd,*cur_pwd; struct stat filestat; 
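Review bot: `getlogin()` in the `PAM_LOG` call of pam_sm_open_session can return NULL — there is no controlling terminal or utmp entry under callers such as sshd, cron or su — and passing NULL for `%s` is undefined behaviour, so fetch it first and default it: `const char *login = getlogin();` and then `user, login != NULL ? login : "(unknown)", (unsigned long) getuid());`. In both session functions `service` is retrieved and never used, so either include it in the log line or drop the second `pam_get_item` call and its failure path; likewise `user` should be `const char *` and passed as `(const void **) &user`, since `pam_get_item` hands back read-only items and the `(void *)` cast hides that. A header comment such as `/* Session hooks: pam_unix only logs session open/close; nothing is allocated or torn down. */` would make the no-op nature explicit, since neither function does anything beyond the two item lookups and the log call.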
@@ -592,7 +654,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char * #define NEW_PASSWD "/etc/.passwd" -static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_passwd( pam_handle_t * pamh, const char * user, + const char * newhashedpwd ) { FILE *oldpasswd, *newpasswd; struct passwd *pwd,*cur_pwd; struct stat filestat; diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ index d1410c9..9a504d0 100644 --- a/modules/pam_unix/pam_unix.c~ +++ b/modules/pam_unix/pam_unix.c~ @@ -15,7 +15,8 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT -#define PAM_PASSWORD +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION #ifndef __linux__ #include <login_cap.h> /* for BSD login classes */ @@ -56,7 +57,7 @@ void makesalt(char salt[SALTSIZE]); PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { + int argc , const char *argv[] ) { #ifndef __linux__ login_cap_t *lc; @@ -78,7 +79,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, pwd = getpwnam(user); } - + puts("authenticating as user:"); + puts(user); PAM_LOG("Authenticating user: [%s]", user); /* get password */ @@ -227,17 +229,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif /* Check if pw_lstchg or sp_expire is set */ - +/* if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); + puts("before all"); if (pwd->sp_expire) { + puts(ctime(&(pwd->sp_expire))); + puts(ctime(&curtime)); if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { #ifndef __linux__ login_close(lc); -#endif +#endif + puts("expire 1"); PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { + puts("expire 2"); PAM_ERROR("Warning: your account expires on %s", ctime(&pwd->sp_expire)); } 
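Review bot: `modules/pam_unix/pam_unix.c~` is an editor backup copy of `pam_unix.c` (the trailing `~`) and should not be under version control; its hunks here and on the following lines repeat the `puts()` debug output, the `/* ... */` around the aging checks and the new session functions already reviewed for `pam_unix.c`, and additionally drop the `tmpflags` local in pam_sm_chauthtok in favour of testing `flags` directly. Remove the file from the tree and add `*~` to the ignore list so it is not re-added on the next edit. The differing hunk offsets (`@@ -485` for `pam_unix.c` versus `@@ -487` for the backup) suggest `pam_unix.c` already carries the `tmpflags` removal, but that cannot be confirmed from this diff; if it does not, that change belongs in `pam_unix.c`, not in the backup.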
@@ -246,8 +253,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pwd->sp_lstchg == 0 ) { return (PAM_NEW_AUTHTOK_REQD); } - - /* check all other possibilities (mostly stolen from pam_tcb) */ + puts("before tcb OK!"); + * check all other possibilities (mostly stolen from pam_tcb) * if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && (pwd->sp_max != -1) && (pwd->sp_inact != -1) && @@ -255,12 +262,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 1"); if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1)) { PAM_ERROR("Account has expired!"); return (PAM_ACCT_EXPIRED); } + puts("after 2"); if ((curtime - pwd->sp_lstchg > pwd->sp_max) && (curtime - pwd->sp_lstchg > pwd->sp_inact) @@ -270,7 +279,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , return (PAM_ACCT_EXPIRED); } - pam_err = (PAM_SUCCESS); + puts("after 3"); +*/ pam_err = (PAM_SUCCESS); #ifndef __linux__ @@ -313,8 +323,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, #endif int pam_err, retries; - int tmpflags = flags | PAM_UPDATE_AUTHTOK; - /* identify user */ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { @@ -355,7 +363,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, - if (tmpflags & PAM_PRELIM_CHECK) { + if (flags & PAM_PRELIM_CHECK) { puts("DOING PRELIM"); PAM_LOG("Doing preliminary actions."); @@ -390,7 +398,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (strcmp(hashedpwd, old_pwd->pw_passwd) != 0) return (PAM_PERM_DENIED); - } else if ( tmpflags & PAM_UPDATE_AUTHTOK ) { + } else if ( flags & PAM_UPDATE_AUTHTOK ) { puts("DOING UPDATE"); PAM_LOG("Doing actual update."); 
@@ -487,6 +495,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, } +PAM_EXTERN int +pam_sm_open_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Open session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Open session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(), + (unsigned long) getuid()); + + return PAM_SUCCESS; + +} + +PAM_EXTERN int +pam_sm_close_session( pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + char *user, *service; + int pam_err; + + pam_err = pam_get_item(pamh, PAM_USER, (void *) &user); + if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') { + PAM_ERROR("Close session - Error recovering username"); + return (PAM_SESSION_ERR); + } + + pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service); + if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') { + PAM_ERROR("Close session - Error recovering service"); + return (PAM_SESSION_ERR); + } + + PAM_LOG("Closed session for user [%s]", user); + + return PAM_SUCCESS; +} #ifdef __linux__ @@ -495,7 +553,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, * Update shadow with new user password */ -static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_shadow( pam_handle_t * pamh , const char * user, + const char * newhashedpwd ) { FILE *oldshadow, *newshadow; struct spwd *pwd,*cur_pwd; struct stat filestat; 
@@ -594,7 +653,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char * #define NEW_PASSWD "/etc/.passwd" -static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) { +static int update_passwd( pam_handle_t * pamh, const char * user, + const char * newhashedpwd ) { FILE *oldpasswd, *newpasswd; struct passwd *pwd,*cur_pwd; struct stat filestat; |