1Description: extract the securetty logic for use with the "nullok_secure" option
2 introduced in the "055_pam_unix_nullok_secure" patch.
3
4Upstream-Status: Pending
5
6Signed-off-by: Ming Liu <ming.liu@windriver.com>
7===================================================================
8Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
9===================================================================
10--- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am
11+++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
12@@ -24,6 +24,10 @@ endif
13 securelib_LTLIBRARIES = pam_securetty.la
14 pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
15
16+pam_securetty_la_SOURCES = \
17+ pam_securetty.c \
18+ tty_secure.c
19+
20 if ENABLE_REGENERATE_MAN
21 noinst_DATA = README
22 README: pam_securetty.8.xml
23Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
24===================================================================
25--- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c
26+++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
27@@ -1,7 +1,5 @@
28 /* pam_securetty module */
29
30-#define SECURETTY_FILE "/etc/securetty"
31-#define TTY_PREFIX "/dev/"
32 #define CMDLINE_FILE "/proc/cmdline"
33 #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
34
35@@ -40,6 +38,9 @@
36 #include <security/pam_modutil.h>
37 #include <security/pam_ext.h>
38
39+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
40+ const char *uttyname);
41+
42 #define PAM_DEBUG_ARG 0x0001
43 #define PAM_NOCONSOLE_ARG 0x0002
44
45@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
46 const char *username;
47 const char *uttyname;
48 const void *void_uttyname;
49- char ttyfileline[256];
50- char ptname[256];
51- struct stat ttyfileinfo;
52 struct passwd *user_pwd;
53- FILE *ttyfile;
54
55 /* log a trail for debugging */
56 if (ctrl & PAM_DEBUG_ARG) {
57@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
58 return PAM_SERVICE_ERR;
59 }
60
61- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
62- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
63- uttyname += sizeof(TTY_PREFIX)-1;
64- }
65-
66- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
67- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
68- return PAM_SUCCESS; /* for compatibility with old securetty handling,
69- this needs to succeed. But we still log the
70- error. */
71- }
72-
73- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
74- /* If the file is world writable or is not a
75- normal file, return error */
76- pam_syslog(pamh, LOG_ERR,
77- "%s is either world writable or not a normal file",
78- SECURETTY_FILE);
79- return PAM_AUTH_ERR;
80- }
81-
82- ttyfile = fopen(SECURETTY_FILE,"r");
83- if (ttyfile == NULL) { /* Check that we opened it successfully */
84- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
85- return PAM_SERVICE_ERR;
86- }
87-
88- if (isdigit(uttyname[0])) {
89- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
90- } else {
91- ptname[0] = '\0';
92- }
93-
94- retval = 1;
95-
96- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
97- && retval) {
98- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
99- ttyfileline[strlen(ttyfileline) - 1] = '\0';
100-
101- retval = ( strcmp(ttyfileline, uttyname)
102- && (!ptname[0] || strcmp(ptname, uttyname)) );
103- }
104- fclose(ttyfile);
105+ retval = _pammodutil_tty_secure(pamh, uttyname);
106
107 if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
108 FILE *cmdlinefile;
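Review bot: The three early returns that the removed lines performed — PAM_SUCCESS when /etc/securetty is missing, PAM_AUTH_ERR when it is world writable or not a regular file, PAM_SERVICE_ERR when it cannot be opened — are now all folded into retval, and because the following `if (retval && !(ctrl & PAM_NOCONSOLE_ARG))` treats any non-zero value as "tty not listed", the world-writable and open-failure cases now continue into the kernel-console fallback that can still grant access, whereas before they denied unconditionally. At minimum the open failure should stay fatal, `if (retval == PAM_SERVICE_ERR) return retval;` before the fallback; the unsafe-file case cannot currently be told apart because the helper returns PAM_AUTH_ERR for both "not listed" and "world writable", so it would need a distinct return code to preserve the old hard denial. Separately, the removed lines show the `/dev/` prefix used to be stripped from uttyname in this function, and the helper now strips it only on its own copy of the pointer; if the remaining console checks (outside the hunk) compare uttyname against bare device names, a /dev/-prefixed PAM_TTY no longer matches there. securetty_perform_check continues past the end of the hunk.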
109Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
110===================================================================
111--- /dev/null
112+++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
113@@ -0,0 +1,90 @@
114+/*
115+ * A function to determine if a particular line is in /etc/securetty
116+ */
117+
118+
119+#define SECURETTY_FILE "/etc/securetty"
120+#define TTY_PREFIX "/dev/"
121+
122+/* This function taken out of pam_securetty by Sam Hartman
123+ * <hartmans@debian.org>*/
124+/*
125+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
126+ * July 25, 1996.
127+ * Slight modifications AGM. 1996/12/3
128+ */
129+
130+#include <unistd.h>
131+#include <sys/types.h>
132+#include <sys/stat.h>
133+#include <security/pam_modules.h>
134+#include <stdarg.h>
135+#include <syslog.h>
136+#include <sys/syslog.h>
137+#include <stdio.h>
138+#include <string.h>
139+#include <stdlib.h>
140+#include <ctype.h>
141+#include <security/pam_modutil.h>
142+#include <security/pam_ext.h>
143+
144+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
145+ const char *uttyname);
146+
147+int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
148+{
149+ int retval = PAM_AUTH_ERR;
150+ char ttyfileline[256];
151+ char ptname[256];
152+ struct stat ttyfileinfo;
153+ FILE *ttyfile;
154+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
155+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
156+ uttyname += sizeof(TTY_PREFIX)-1;
157+
158+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
159+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
160+ SECURETTY_FILE);
161+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
162+ this needs to succeed. But we still log the
163+ error. */
164+ }
165+
166+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
167+ /* If the file is world writable or is not a
168+ normal file, return error */
169+ pam_syslog(pamh, LOG_ERR,
170+ "%s is either world writable or not a normal file",
171+ SECURETTY_FILE);
172+ return PAM_AUTH_ERR;
173+ }
174+
175+ ttyfile = fopen(SECURETTY_FILE,"r");
176+ if(ttyfile == NULL) { /* Check that we opened it successfully */
177+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
178+ return PAM_SERVICE_ERR;
179+ }
180+
181+ if (isdigit(uttyname[0])) {
182+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
183+ } else {
184+ ptname[0] = '\0';
185+ }
186+
187+ retval = 1;
188+
189+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
190+ && retval) {
191+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
192+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
193+ retval = ( strcmp(ttyfileline,uttyname)
194+ && (!ptname[0] || strcmp(ptname, uttyname)) );
195+ }
196+ fclose(ttyfile);
197+
198+ if(retval) {
199+ retval = PAM_AUTH_ERR;
200+ }
201+
202+ return retval;
203+}