From e54218e455d4c76d72d1315dfbc8d55538c3039c Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Mon, 16 Jun 2008 22:57:28 +0300
Subject: Added logging/debug msgs in pam_unix
---
modules/pam_nologin/pam_nologin.c~ | 20 ++++++++++
modules/pam_rootok/Makefile | 41 +++++++++++++++++++
modules/pam_rootok/Makefile~ | 41 +++++++++++++++++++
modules/pam_rootok/pam_rootok.c~ | 31 +++++++++++++++
modules/pam_rootok/pam_rootok.o | Bin 0 -> 5364 bytes
modules/pam_rootok/pam_rootok.so | Bin 0 -> 9484 bytes
modules/pam_securetty/Makefile | 41 +++++++++++++++++++
modules/pam_securetty/Makefile~ | 41 +++++++++++++++++++
modules/pam_securetty/pam_securetty.c~ | 70 +++++++++++++++++++++++++++++++++
modules/pam_securetty/pam_securetty.o | Bin 0 -> 5372 bytes
modules/pam_securetty/pam_securetty.so | Bin 0 -> 9074 bytes
modules/pam_unix/pam_unix.c~ | 1 +
modules/pam_unix/pam_unix.o | Bin 0 -> 25212 bytes
modules/pam_unix/pam_unix.so | Bin 0 -> 26156 bytes
14 files changed, 286 insertions(+)
create mode 100644 modules/pam_nologin/pam_nologin.c~
create mode 100644 modules/pam_rootok/Makefile
create mode 100644 modules/pam_rootok/Makefile~
create mode 100644 modules/pam_rootok/pam_rootok.c~
create mode 100644 modules/pam_rootok/pam_rootok.o
create mode 100755 modules/pam_rootok/pam_rootok.so
create mode 100644 modules/pam_securetty/Makefile
create mode 100644 modules/pam_securetty/Makefile~
create mode 100644 modules/pam_securetty/pam_securetty.c~
create mode 100644 modules/pam_securetty/pam_securetty.o
create mode 100755 modules/pam_securetty/pam_securetty.so
create mode 100644 modules/pam_unix/pam_unix.o
create mode 100755 modules/pam_unix/pam_unix.so
(limited to 'modules')
diff --git a/modules/pam_nologin/pam_nologin.c~ b/modules/pam_nologin/pam_nologin.c~
new file mode 100644
index 0000000..db95fbe
--- /dev/null
+++ b/modules/pam_nologin/pam_nologin.c~
@@ -0,0 +1,20 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifndef __linux__
+#include
+#endif
+
+#define PAM_SM_AUTH
+
+#include
+#include
+#include
+
+#define NOLOGIN_FILE "/etc/nologin"
+
diff --git a/modules/pam_rootok/Makefile b/modules/pam_rootok/Makefile
new file mode 100644
index 0000000..6115401
--- /dev/null
+++ b/modules/pam_rootok/Makefile
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_rootok.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_rootok/Makefile~ b/modules/pam_rootok/Makefile~
new file mode 100644
index 0000000..4285e98
--- /dev/null
+++ b/modules/pam_rootok/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_rootok/pam_rootok.c~ b/modules/pam_rootok/pam_rootok.c~
new file mode 100644
index 0000000..9adec8c
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.c~
@@ -0,0 +1,31 @@
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH
+
+#include
+#include
+#include
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags ,
+ int argc , const char *argv[] )
+{
+
+ if (getuid() == 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("User is not superuser");
+
+ return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc , const char *argv[] )
+{
+
+ return (PAM_SUCCESS);
+}
diff --git a/modules/pam_rootok/pam_rootok.o b/modules/pam_rootok/pam_rootok.o
new file mode 100644
index 0000000..fbe51db
Binary files /dev/null and b/modules/pam_rootok/pam_rootok.o differ
diff --git a/modules/pam_rootok/pam_rootok.so b/modules/pam_rootok/pam_rootok.so
new file mode 100755
index 0000000..271d34a
Binary files /dev/null and b/modules/pam_rootok/pam_rootok.so differ
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
new file mode 100644
index 0000000..f382e4c
--- /dev/null
+++ b/modules/pam_securetty/Makefile
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_securetty
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_securetty.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
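Review bot: In `pam_sm_authenticate` of modules/pam_rootok/pam_rootok.c~ the whole decision is `getuid() == 0`, which tests the real UID of the process that called into PAM rather than the user being authenticated, and the file carries no comment saying so; I would add `/* real uid of the calling process, not PAM_USER */` above the test so the module is not stacked where the caller always runs as root. The failure branch logs `PAM_ERROR("User is not superuser")` for what is the ordinary negative outcome of this check, so `PAM_LOG`, which pam_securetty.c~ in this commit already uses, looks like the better level. This file also has no `PAM_MODULE_ENTRY("pam_rootok");` line, unlike pam_securetty.c~; whether that is required depends on headers not visible here. Separately, this diff adds only the editor backup `pam_rootok.c~` alongside prebuilt `pam_rootok.o` and `pam_rootok.so`, while the Makefile builds `OBJS = pam_rootok.o`; committed binaries for an authentication module cannot be checked against reviewed source and are better left out of the tree.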
diff --git a/modules/pam_securetty/Makefile~ b/modules/pam_securetty/Makefile~
new file mode 100644
index 0000000..6115401
--- /dev/null
+++ b/modules/pam_securetty/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_rootok
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_rootok.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_securetty/pam_securetty.c~ b/modules/pam_securetty/pam_securetty.c~
new file mode 100644
index 0000000..d0979de
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.c~
@@ -0,0 +1,70 @@
+#include
+#include
+#include
+#include
+#include
+
+
+#define PAM_SM_ACCOUNT
+
+#include
+#include
+#include
+
+#define TTY_PREFIX "/dev/"
+
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *pwd;
+ struct ttyent *ttyinfo;
+ const char *user;
+ const char *tty;
+ int pam_err;
+
+ if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
+ || ( user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (pwd = getpwnam(user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ if ( pwd->pw_uid != 0 ) {
+ /* secure tty applies only to root */
+ return (PAM_SUCCESS);
+ }
+
+ if ( (pam_err = pam_get_item(pamh, PAM_TTY,(void *) &tty) ) != PAM_SUCCESS ) {
+ return (pam_err);
+ }
+
+ if (tty != NULL && strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX)) == 0) {
+ PAM_LOG("tty starts with " TTY_PREFIX);
+ /* skip prefix */
+ tty = (const char *)tty + sizeof(TTY_PREFIX) - 1;
+ }
+
+ /*
+ * Linux-PAM, before checking the actual tty,
+ * opens /etc/securettys to check if it's world
+ * writable or not a normal file and only continues
+ * if neither is correct. Sounds like a good idea -
+ * maybe it should be done here as well...
+ */
+
+
+ if ( tty != NULL && (ttyinfo = getttynam(tty)) != NULL &&
+ (ttyinfo->ty_status & TTY_SECURE) != 0)
+ return (PAM_SUCCESS);
+
+ PAM_ERROR("Access denied: tty%s is not secure", tty);
+ return (PAM_AUTH_ERR);
+}
+
+PAM_MODULE_ENTRY("pam_securetty");
diff --git a/modules/pam_securetty/pam_securetty.o b/modules/pam_securetty/pam_securetty.o
new file mode 100644
index 0000000..442e249
Binary files /dev/null and b/modules/pam_securetty/pam_securetty.o differ
diff --git a/modules/pam_securetty/pam_securetty.so b/modules/pam_securetty/pam_securetty.so
new file mode 100755
index 0000000..071e877
Binary files /dev/null and b/modules/pam_securetty/pam_securetty.so differ
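Review bot: `pam_sm_acct_mgmt` in modules/pam_securetty/pam_securetty.c~ fails open when `pam_get_user` returns PAM_SUCCESS but leaves `user == NULL`: the first guard then runs `return (pam_err);`, which is PAM_SUCCESS, so the tty check never happens; return an error on that path, e.g. `return (pam_err != PAM_SUCCESS ? pam_err : PAM_SERVICE_ERR);`. The prefix test `strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX))` compares six bytes including the terminating NUL, so it matches only when PAM_TTY is exactly "/dev/" and a value such as "/dev/tty1" (constructed example) is never stripped before `getttynam`; the length should be `sizeof(TTY_PREFIX) - 1`. The final `PAM_ERROR("Access denied: tty%s is not secure", tty)` is also reached when `tty == NULL`, which hands a null pointer to `%s`; pass `tty != NULL ? tty : "(unknown)"` instead. The block comment about checking the securetty file's type and permissions describes a check this function still lacks, and it would be worth turning into an explicit TODO.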
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ index 9a504d0..ea1b75d 100644 --- a/modules/pam_unix/pam_unix.c~ +++ b/modules/pam_unix/pam_unix.c~ @@ -33,6 +33,7 @@ #include #include +#include #include diff --git a/modules/pam_unix/pam_unix.o b/modules/pam_unix/pam_unix.o new file mode 100644 index 0000000..b463d1b Binary files /dev/null and b/modules/pam_unix/pam_unix.o differ diff --git a/modules/pam_unix/pam_unix.so b/modules/pam_unix/pam_unix.so new file mode 100755 index 0000000..a77c352 Binary files /dev/null and b/modules/pam_unix/pam_unix.so differ -- cgit v1.2.3-65-gdbad