| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | Description: extract the securetty logic for use with the "nullok_secure" option |
| 2 | introduced in the "055_pam_unix_nullok_secure" patch. |
| 3 | |
| 4 | Upstream-Status: Pending |
| 5 | |
| 6 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
| 7 | =================================================================== |
| 8 | diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am |
| 9 | --- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800 |
| 10 | +++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800 |
| 11 | @@ -24,6 +24,10 @@ endif |
| 12 | securelib_LTLIBRARIES = pam_securetty.la |
| 13 | pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam |
| 14 | |
| 15 | +pam_securetty_la_SOURCES = \ |
| 16 | + pam_securetty.c \ |
| 17 | + tty_secure.c |
| 18 | + |
| 19 | if ENABLE_REGENERATE_MAN |
| 20 | noinst_DATA = README |
| 21 | README: pam_securetty.8.xml |
| 22 | diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c |
| 23 | --- a/modules/pam_securetty/pam_securetty.c 2013-07-05 11:07:50.064483568 +0800 |
| 24 | +++ b/modules/pam_securetty/pam_securetty.c 2013-07-05 11:12:23.994483344 +0800 |
| 25 | @@ -1,7 +1,5 @@ |
| 26 | /* pam_securetty module */ |
| 27 | |
| 28 | -#define SECURETTY_FILE "/etc/securetty" |
| 29 | -#define TTY_PREFIX "/dev/" |
| 30 | #define CMDLINE_FILE "/proc/cmdline" |
| 31 | #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" |
| 32 | |
| 33 | @@ -40,6 +38,9 @@ |
| 34 | #include <security/pam_modutil.h> |
| 35 | #include <security/pam_ext.h> |
| 36 | |
| 37 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, |
| 38 | + const char *uttyname); |
| 39 | + |
| 40 | #define PAM_DEBUG_ARG 0x0001 |
| 41 | #define PAM_NOCONSOLE_ARG 0x0002 |
| 42 | |
| 43 | @@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p |
| 44 | const char *username; |
| 45 | const char *uttyname; |
| 46 | const void *void_uttyname; |
| 47 | - char ttyfileline[256]; |
| 48 | - char ptname[256]; |
| 49 | - struct stat ttyfileinfo; |
| 50 | struct passwd *user_pwd; |
| 51 | - FILE *ttyfile; |
| 52 | |
| 53 | /* log a trail for debugging */ |
| 54 | if (ctrl & PAM_DEBUG_ARG) { |
| 55 | @@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p |
| 56 | return PAM_SERVICE_ERR; |
| 57 | } |
| 58 | |
| 59 | - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ |
| 60 | - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { |
| 61 | - uttyname += sizeof(TTY_PREFIX)-1; |
| 62 | - } |
| 63 | - |
| 64 | - if (stat(SECURETTY_FILE, &ttyfileinfo)) { |
| 65 | - pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); |
| 66 | - return PAM_SUCCESS; /* for compatibility with old securetty handling, |
| 67 | - this needs to succeed. But we still log the |
| 68 | - error. */ |
| 69 | - } |
| 70 | - |
| 71 | - if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { |
| 72 | - /* If the file is world writable or is not a |
| 73 | - normal file, return error */ |
| 74 | - pam_syslog(pamh, LOG_ERR, |
| 75 | - "%s is either world writable or not a normal file", |
| 76 | - SECURETTY_FILE); |
| 77 | - return PAM_AUTH_ERR; |
| 78 | - } |
| 79 | - |
| 80 | - ttyfile = fopen(SECURETTY_FILE,"r"); |
| 81 | - if (ttyfile == NULL) { /* Check that we opened it successfully */ |
| 82 | - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); |
| 83 | - return PAM_SERVICE_ERR; |
| 84 | - } |
| 85 | - |
| 86 | - if (isdigit(uttyname[0])) { |
| 87 | - snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); |
| 88 | - } else { |
| 89 | - ptname[0] = '\0'; |
| 90 | - } |
| 91 | - |
| 92 | - retval = 1; |
| 93 | - |
| 94 | - while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) |
| 95 | - && retval) { |
| 96 | - if (ttyfileline[strlen(ttyfileline) - 1] == '\n') |
| 97 | - ttyfileline[strlen(ttyfileline) - 1] = '\0'; |
| 98 | - |
| 99 | - retval = ( strcmp(ttyfileline, uttyname) |
| 100 | - && (!ptname[0] || strcmp(ptname, uttyname)) ); |
| 101 | - } |
| 102 | - fclose(ttyfile); |
| 103 | + retval = _pammodutil_tty_secure(pamh, uttyname); |
| 104 | |
| 105 | if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { |
| 106 | FILE *cmdlinefile; |
| 107 | diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c |
| 108 | --- a/modules/pam_securetty/tty_secure.c 1970-01-01 08:30:00.000000000 +0830 |
| 109 | +++ b/modules/pam_securetty/tty_secure.c 2013-07-05 11:14:21.534482900 +0800 |
| 110 | @@ -0,0 +1,90 @@ |
| 111 | +/* |
| 112 | + * A function to determine if a particular line is in /etc/securetty |
| 113 | + */ |
| 114 | + |
| 115 | + |
| 116 | +#define SECURETTY_FILE "/etc/securetty" |
| 117 | +#define TTY_PREFIX "/dev/" |
| 118 | + |
| 119 | +/* This function taken out of pam_securetty by Sam Hartman |
| 120 | + * <hartmans@debian.org>*/ |
| 121 | +/* |
| 122 | + * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. |
| 123 | + * July 25, 1996. |
| 124 | + * Slight modifications AGM. 1996/12/3 |
| 125 | + */ |
| 126 | + |
| 127 | +#include <unistd.h> |
| 128 | +#include <sys/types.h> |
| 129 | +#include <sys/stat.h> |
| 130 | +#include <security/pam_modules.h> |
| 131 | +#include <stdarg.h> |
| 132 | +#include <syslog.h> |
| 133 | +#include <sys/syslog.h> |
| 134 | +#include <stdio.h> |
| 135 | +#include <string.h> |
| 136 | +#include <stdlib.h> |
| 137 | +#include <ctype.h> |
| 138 | +#include <security/pam_modutil.h> |
| 139 | +#include <security/pam_ext.h> |
| 140 | + |
| 141 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, |
| 142 | + const char *uttyname); |
| 143 | + |
| 144 | +int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) |
| 145 | +{ |
| 146 | + int retval = PAM_AUTH_ERR; |
| 147 | + char ttyfileline[256]; |
| 148 | + char ptname[256]; |
| 149 | + struct stat ttyfileinfo; |
| 150 | + FILE *ttyfile; |
| 151 | + /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ |
| 152 | + if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) |
| 153 | + uttyname += sizeof(TTY_PREFIX)-1; |
| 154 | + |
| 155 | + if (stat(SECURETTY_FILE, &ttyfileinfo)) { |
| 156 | + pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", |
| 157 | + SECURETTY_FILE); |
| 158 | + return PAM_SUCCESS; /* for compatibility with old securetty handling, |
| 159 | + this needs to succeed. But we still log the |
| 160 | + error. */ |
| 161 | + } |
| 162 | + |
| 163 | + if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { |
| 164 | + /* If the file is world writable or is not a |
| 165 | + normal file, return error */ |
| 166 | + pam_syslog(pamh, LOG_ERR, |
| 167 | + "%s is either world writable or not a normal file", |
| 168 | + SECURETTY_FILE); |
| 169 | + return PAM_AUTH_ERR; |
| 170 | + } |
| 171 | + |
| 172 | + ttyfile = fopen(SECURETTY_FILE,"r"); |
| 173 | + if(ttyfile == NULL) { /* Check that we opened it successfully */ |
| 174 | + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); |
| 175 | + return PAM_SERVICE_ERR; |
| 176 | + } |
| 177 | + |
| 178 | + if (isdigit(uttyname[0])) { |
| 179 | + snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); |
| 180 | + } else { |
| 181 | + ptname[0] = '\0'; |
| 182 | + } |
| 183 | + |
| 184 | + retval = 1; |
| 185 | + |
| 186 | + while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) |
| 187 | + && retval) { |
| 188 | + if(ttyfileline[strlen(ttyfileline) - 1] == '\n') |
| 189 | + ttyfileline[strlen(ttyfileline) - 1] = '\0'; |
| 190 | + retval = ( strcmp(ttyfileline,uttyname) |
| 191 | + && (!ptname[0] || strcmp(ptname, uttyname)) ); |
| 192 | + } |
| 193 | + fclose(ttyfile); |
| 194 | + |
| 195 | + if(retval) { |
| 196 | + retval = PAM_AUTH_ERR; |
| 197 | + } |
| 198 | + |
| 199 | + return retval; |
| 200 | +} |