diff options
Diffstat (limited to 'modules/pam_nologin/pam_nologin.c')
-rw-r--r-- | modules/pam_nologin/pam_nologin.c | 173 |
1 files changed, 173 insertions, 0 deletions
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c new file mode 100644 index 0000000..5689767 --- /dev/null +++ b/modules/pam_nologin/pam_nologin.c @@ -0,0 +1,173 @@ +/* pam_nologin module */ + +/* + * $Id$ + * + * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 + * + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <syslog.h> +#include <pwd.h> + +#include <security/_pam_macros.h> +/* + * here, we make a definition for the externally accessible function + * in this file (this definition is required for static a module + * but strongly encouraged generally) it is used to instruct the + * modules include file to define the function prototypes. + */ + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#define DEFAULT_NOLOGIN_PATH "/var/run/nologin" +#define COMPAT_NOLOGIN_PATH "/etc/nologin" + +/* + * parse some command line options + */ +struct opt_s { + int retval_when_nofile; + const char *nologin_file; +}; + +static void +parse_args(pam_handle_t *pamh, int argc, const char **argv, struct opt_s *opts) +{ + int i; + + memset(opts, 0, sizeof(*opts)); + + opts->retval_when_nofile = PAM_IGNORE; + + for (i=0; i<argc; ++i) { + if (!strcmp("successok", argv[i])) { + opts->retval_when_nofile = PAM_SUCCESS; + } else if (!strncmp("file=", argv[i], 5)) { + opts->nologin_file = argv[i] + 5; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]); + } + } +} + +/* + * do the meat of the work for this module + */ + +static int perform_check(pam_handle_t *pamh, struct opt_s *opts) +{ + const char *username; + int retval = opts->retval_when_nofile; + int fd = -1; + + if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { + pam_syslog(pamh, LOG_ERR, "cannot determine username"); + return PAM_USER_UNKNOWN; + } + + if (opts->nologin_file == NULL) { + if ((fd = open(DEFAULT_NOLOGIN_PATH, O_RDONLY, 0)) < 0) { + fd = open(COMPAT_NOLOGIN_PATH, O_RDONLY, 0); + } + } else { + fd = open(opts->nologin_file, O_RDONLY, 0); + } + + if (fd >= 0) { + + char *mtmp=NULL; + int msg_style = PAM_TEXT_INFO; + struct passwd *user_pwd; + struct stat st; + + user_pwd = pam_modutil_getpwnam(pamh, username); + if (user_pwd == NULL) { + retval = PAM_USER_UNKNOWN; + msg_style = PAM_ERROR_MSG; + } else if (user_pwd->pw_uid) { + retval = PAM_AUTH_ERR; + msg_style = PAM_ERROR_MSG; + } + + /* fill in message buffer with contents of /etc/nologin */ + if (fstat(fd, &st) < 0) { + /* give up trying to display message */ + goto clean_up_fd; + } + + mtmp = malloc(st.st_size+1); + if (!mtmp) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + retval = PAM_BUF_ERR; + goto clean_up_fd; + } + + if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { + mtmp[st.st_size] = '\0'; + (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); + } + else + retval = PAM_SYSTEM_ERR; + + free(mtmp); + + clean_up_fd: + + close(fd); + } + + return retval; +} + +/* --- authentication management functions --- */ + +int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct opt_s opts; + + parse_args(pamh, argc, argv, &opts); + + return perform_check(pamh, &opts); +} + +int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc, const char **argv) +{ + struct opt_s opts; + + parse_args(pamh, argc, argv, &opts); + + return opts.retval_when_nofile; +} + +/* --- account management function --- */ + +int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct opt_s opts; + + parse_args(pamh, argc, argv, &opts); + + return perform_check(pamh, &opts); +} + +/* end of module definition */ |