Andrew Geissler | 87ddd3e | 2021-01-28 18:27:13 -0600 | [diff] [blame] | 1 | Description: extract the securetty logic for use with the "nullok_secure" option |
| 2 | introduced in the "055_pam_unix_nullok_secure" patch. |
| 3 | |
| 4 | Upstream-Status: Pending |
| 5 | |
| 6 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
| 7 | =================================================================== |
| 8 | Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am |
| 9 | =================================================================== |
| 10 | --- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am |
| 11 | +++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am |
| 12 | @@ -24,6 +24,10 @@ endif |
| 13 | securelib_LTLIBRARIES = pam_securetty.la |
| 14 | pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la |
| 15 | |
| 16 | +pam_securetty_la_SOURCES = \ |
| 17 | + pam_securetty.c \ |
| 18 | + tty_secure.c |
| 19 | + |
| 20 | if ENABLE_REGENERATE_MAN |
| 21 | noinst_DATA = README |
| 22 | README: pam_securetty.8.xml |
| 23 | Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c |
| 24 | =================================================================== |
| 25 | --- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c |
| 26 | +++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c |
| 27 | @@ -1,7 +1,5 @@ |
| 28 | /* pam_securetty module */ |
| 29 | |
| 30 | -#define SECURETTY_FILE "/etc/securetty" |
| 31 | -#define TTY_PREFIX "/dev/" |
| 32 | #define CMDLINE_FILE "/proc/cmdline" |
| 33 | #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" |
| 34 | |
| 35 | @@ -40,6 +38,9 @@ |
| 36 | #include <security/pam_modutil.h> |
| 37 | #include <security/pam_ext.h> |
| 38 | |
| 39 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, |
| 40 | + const char *uttyname); |
| 41 | + |
| 42 | #define PAM_DEBUG_ARG 0x0001 |
| 43 | #define PAM_NOCONSOLE_ARG 0x0002 |
| 44 | |
| 45 | @@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p |
| 46 | const char *username; |
| 47 | const char *uttyname; |
| 48 | const void *void_uttyname; |
| 49 | - char ttyfileline[256]; |
| 50 | - char ptname[256]; |
| 51 | - struct stat ttyfileinfo; |
| 52 | struct passwd *user_pwd; |
| 53 | - FILE *ttyfile; |
| 54 | |
| 55 | /* log a trail for debugging */ |
| 56 | if (ctrl & PAM_DEBUG_ARG) { |
| 57 | @@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p |
| 58 | return PAM_SERVICE_ERR; |
| 59 | } |
| 60 | |
| 61 | - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ |
| 62 | - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { |
| 63 | - uttyname += sizeof(TTY_PREFIX)-1; |
| 64 | - } |
| 65 | - |
| 66 | - if (stat(SECURETTY_FILE, &ttyfileinfo)) { |
| 67 | - pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); |
| 68 | - return PAM_SUCCESS; /* for compatibility with old securetty handling, |
| 69 | - this needs to succeed. But we still log the |
| 70 | - error. */ |
| 71 | - } |
| 72 | - |
| 73 | - if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { |
| 74 | - /* If the file is world writable or is not a |
| 75 | - normal file, return error */ |
| 76 | - pam_syslog(pamh, LOG_ERR, |
| 77 | - "%s is either world writable or not a normal file", |
| 78 | - SECURETTY_FILE); |
| 79 | - return PAM_AUTH_ERR; |
| 80 | - } |
| 81 | - |
| 82 | - ttyfile = fopen(SECURETTY_FILE,"r"); |
| 83 | - if (ttyfile == NULL) { /* Check that we opened it successfully */ |
| 84 | - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); |
| 85 | - return PAM_SERVICE_ERR; |
| 86 | - } |
| 87 | - |
| 88 | - if (isdigit(uttyname[0])) { |
| 89 | - snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); |
| 90 | - } else { |
| 91 | - ptname[0] = '\0'; |
| 92 | - } |
| 93 | - |
| 94 | - retval = 1; |
| 95 | - |
| 96 | - while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) |
| 97 | - && retval) { |
| 98 | - if (ttyfileline[strlen(ttyfileline) - 1] == '\n') |
| 99 | - ttyfileline[strlen(ttyfileline) - 1] = '\0'; |
| 100 | - |
| 101 | - retval = ( strcmp(ttyfileline, uttyname) |
| 102 | - && (!ptname[0] || strcmp(ptname, uttyname)) ); |
| 103 | - } |
| 104 | - fclose(ttyfile); |
| 105 | + retval = _pammodutil_tty_secure(pamh, uttyname); |
| 106 | |
| 107 | if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { |
| 108 | FILE *cmdlinefile; |
| 109 | Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c |
| 110 | =================================================================== |
| 111 | --- /dev/null |
| 112 | +++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c |
| 113 | @@ -0,0 +1,90 @@ |
| 114 | +/* |
| 115 | + * A function to determine if a particular line is in /etc/securetty |
| 116 | + */ |
| 117 | + |
| 118 | + |
| 119 | +#define SECURETTY_FILE "/etc/securetty" |
| 120 | +#define TTY_PREFIX "/dev/" |
| 121 | + |
| 122 | +/* This function taken out of pam_securetty by Sam Hartman |
| 123 | + * <hartmans@debian.org>*/ |
| 124 | +/* |
| 125 | + * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. |
| 126 | + * July 25, 1996. |
| 127 | + * Slight modifications AGM. 1996/12/3 |
| 128 | + */ |
| 129 | + |
| 130 | +#include <unistd.h> |
| 131 | +#include <sys/types.h> |
| 132 | +#include <sys/stat.h> |
| 133 | +#include <security/pam_modules.h> |
| 134 | +#include <stdarg.h> |
| 135 | +#include <syslog.h> |
| 136 | +#include <sys/syslog.h> |
| 137 | +#include <stdio.h> |
| 138 | +#include <string.h> |
| 139 | +#include <stdlib.h> |
| 140 | +#include <ctype.h> |
| 141 | +#include <security/pam_modutil.h> |
| 142 | +#include <security/pam_ext.h> |
| 143 | + |
| 144 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, |
| 145 | + const char *uttyname); |
| 146 | + |
| 147 | +int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) |
| 148 | +{ |
| 149 | + int retval = PAM_AUTH_ERR; |
| 150 | + char ttyfileline[256]; |
| 151 | + char ptname[256]; |
| 152 | + struct stat ttyfileinfo; |
| 153 | + FILE *ttyfile; |
| 154 | + /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ |
| 155 | + if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) |
| 156 | + uttyname += sizeof(TTY_PREFIX)-1; |
| 157 | + |
| 158 | + if (stat(SECURETTY_FILE, &ttyfileinfo)) { |
| 159 | + pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", |
| 160 | + SECURETTY_FILE); |
| 161 | + return PAM_SUCCESS; /* for compatibility with old securetty handling, |
| 162 | + this needs to succeed. But we still log the |
| 163 | + error. */ |
| 164 | + } |
| 165 | + |
| 166 | + if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { |
| 167 | + /* If the file is world writable or is not a |
| 168 | + normal file, return error */ |
| 169 | + pam_syslog(pamh, LOG_ERR, |
| 170 | + "%s is either world writable or not a normal file", |
| 171 | + SECURETTY_FILE); |
| 172 | + return PAM_AUTH_ERR; |
| 173 | + } |
| 174 | + |
| 175 | + ttyfile = fopen(SECURETTY_FILE,"r"); |
| 176 | + if(ttyfile == NULL) { /* Check that we opened it successfully */ |
| 177 | + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); |
| 178 | + return PAM_SERVICE_ERR; |
| 179 | + } |
| 180 | + |
| 181 | + if (isdigit(uttyname[0])) { |
| 182 | + snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); |
| 183 | + } else { |
| 184 | + ptname[0] = '\0'; |
| 185 | + } |
| 186 | + |
| 187 | + retval = 1; |
| 188 | + |
| 189 | + while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) |
| 190 | + && retval) { |
| 191 | + if(ttyfileline[strlen(ttyfileline) - 1] == '\n') |
| 192 | + ttyfileline[strlen(ttyfileline) - 1] = '\0'; |
| 193 | + retval = ( strcmp(ttyfileline,uttyname) |
| 194 | + && (!ptname[0] || strcmp(ptname, uttyname)) ); |
| 195 | + } |
| 196 | + fclose(ttyfile); |
| 197 | + |
| 198 | + if(retval) { |
| 199 | + retval = PAM_AUTH_ERR; |
| 200 | + } |
| 201 | + |
| 202 | + return retval; |
| 203 | +} |