From d65d8b10b0fdf3244a9e5a610d6620992b3bd725 Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Fri, 1 Aug 2008 12:46:33 +0300
Subject: Completed pam_wheel
---
 modules/pam_wheel/Makefile | 40 ++++++++++++++++++
 modules/pam_wheel/pam_wheel.c | 97 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 modules/pam_wheel/Makefile
diff --git a/modules/pam_wheel/Makefile b/modules/pam_wheel/Makefile
new file mode 100644
index 0000000..fa4f8e4
--- /dev/null
+++ b/modules/pam_wheel/Makefile
@@ -0,0 +1,40 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_wheel
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_wheel.o
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ LDLIBS="$(LDLIBS)" $(PROJ);;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index e69de29..e39d106 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
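Review bot: In the Makefile hunk, the `*)` arm of the `case` in the `all` target only echoes "OS not supported." and then lets make exit 0, so a build on an unsupported platform reports success while producing no `$(PROJ)`; `*) echo "OS not supported."; exit 1;;\` makes the failure visible to callers and CI. The `$(LIBSHARED)` recipe passes `$(LD) $(LDFLAGS)` without an explicit shared-object flag, so it presumably relies on `Make.defs` (not in this diff) to supply one; worth confirming, since a plain `$(LD)` link would not yield a loadable `.so` otherwise.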
@@ -0,0 +1,97 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH
+
+#define PAM_OPT_ROOT_ONLY "root_only"
+
+#include
+#include
+#include
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ struct passwd *opwd,*tpwd;
+ struct group *group;
+ const char *orig_user, *target_user;
+ char **user_list;
+ int pam_err, member;
+
+ /* Get info for target user. Who do you want to su to ? */
+
+ if ( ( (pam_err = pam_get_user(pamh, &target_user, NULL)) != PAM_SUCCESS )
+ || ( orig_user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (tpwd = getpwnam(target_user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",target_user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ if ( openpam_get_option(pamh, PAM_OPT_ROOT_ONLY) ) {
+ /* if su to non-root -> ignore */
+ if (tpwd->pw_uid != 0)
+ return (PAM_AUTH_ERR);
+ }
+
+ /* Get info for originating user. Who called su? */
+
+ if ( ( (pam_err = pam_get_user(pamh, &orig_user, NULL)) != PAM_SUCCESS )
+ || ( orig_user == NULL ) ) {
+ PAM_ERROR("Error recovering username.");
+ return (pam_err);
+ }
+
+ if ( (opwd = getpwnam(orig_user)) == NULL ) {
+ PAM_ERROR("Could not get passwd entry for user [%s]",orig_user);
+ return (PAM_SERVICE_ERR);
+ }
+
+ /* We now have all user info we need */
+
+ if ( (group = getgrnam("wheel")) == NULL ) {
+ group = getgrgid(0);
+ }
+
+ /* Check wheel or group with GID 0 have any members */
+
+ if (!group || (!group->gr_mem && (opwd->pw_gid != group->gr_gid))) {
+ PAM_LOG("Group wheel or with GID 0 has no members");
+ return (PAM_AUTH_ERR);
+ }
+ /* Check user's membership to the interested groups */
+ member=0;
+ user_list = group->gr_mem;
+ while ( !member && user_list && *(user_list) ) {
+ if (strncmp(*user_list, orig_user, strlen(orig_user)-1 ) == 0)
+ member=1;
+
+ user_list++;
+ }
+
+ if ( member || ( opwd->pw_gid == group->gr_gid ) ) {
+ PAM_LOG("Access granted for user '%s' to user '%s'", orig_user, target_user);
+ return (PAM_SUCCESS);
+ } else {
+ PAM_ERROR("Access denied for user '%s' to user '%s'", orig_user, target_user);
+ return (PAM_PERM_DENIED);
+ }
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh , int flags ,
+ int argc , const char *argv[])
+{
+ return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_wheel");
-- 
cgit v1.2.3-65-gdbad
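Review bot: The originating user is fetched with the same `pam_get_user(pamh, &orig_user, NULL)` call that already produced `target_user`, so `orig_user` is always the account being switched to and the wheel check is evaluated against that account rather than against the caller, which makes the authorization decision independent of who invoked su. In the first check, `|| ( orig_user == NULL )` reads `orig_user` before anything has assigned it (undefined behaviour) and should be `|| ( target_user == NULL )`. The membership loop's `strncmp(*user_list, orig_user, strlen(orig_user)-1 )` is a prefix comparison one character short of the name (and a length of 0 for a one-character name matches every entry), so an exact `strcmp(*user_list, orig_user) == 0` is needed. The caller should instead be taken from the real uid via `getpwuid(getuid())` (which needs `<unistd.h>`; the include names are not visible in this hunk) or from the `PAM_RUSER` item, as sketched below. Separately, the `root_only` branch's comment says "ignore" while the code returns `PAM_AUTH_ERR`; if the intent is to skip the module for non-root targets, `PAM_IGNORE` matches the comment.
```c
    /* Get info for originating user: the caller's real uid, not PAM_USER. */
    if ( (opwd = getpwuid(getuid())) == NULL ) {
        PAM_ERROR("Could not get passwd entry for uid %lu", (unsigned long)getuid());
        return (PAM_SERVICE_ERR);
    }
    orig_user = opwd->pw_name;
    /* … unchanged: wheel / GID 0 group lookup and empty-group check … */
    member = 0;
    for (user_list = group->gr_mem; !member && user_list && *user_list; user_list++) {
        if (strcmp(*user_list, orig_user) == 0)
            member = 1;
    }
```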