list.c revision ce0ce47a28e767d5bf7dec161e16b4f621aa39a1
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER START
fa9e4066f08beec538e775443c5be79dd423fcabahrens * The contents of this file are subject to the terms of the
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * Common Development and Distribution License (the "License").
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * You may not use this file except in compliance with the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fa9e4066f08beec538e775443c5be79dd423fcabahrens * See the License for the specific language governing permissions
fa9e4066f08beec538e775443c5be79dd423fcabahrens * and limitations under the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * When distributing Covered Code, include this CDDL HEADER in each
fa9e4066f08beec538e775443c5be79dd423fcabahrens * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * If applicable, add the following below this CDDL HEADER, with the
fa9e4066f08beec538e775443c5be79dd423fcabahrens * fields enclosed by brackets "[]" replaced with your own identifying
fa9e4066f08beec538e775443c5be79dd423fcabahrens * information: Portions Copyright [yyyy] [name of copyright owner]
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER END
fa9e4066f08beec538e775443c5be79dd423fcabahrens * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * Use is subject to license terms.
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick#define ILLEGAL_COMBINATION "pam_list: illegal combination of options"
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilsontypedef enum {
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilsonstatic const char *
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilsonstring_mode_type(pam_list_mode_t op_mode, boolean_t allow)
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson return ((op_mode == LIST_COMPAT_MODE) ? "compat" :
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilsonlog_illegal_combination(const char *s1, const char *s2)
fa9e4066f08beec538e775443c5be79dd423fcabahrens/*ARGSUSED*/
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilsonpam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
fa9e4066f08beec538e775443c5be79dd423fcabahrens for (i = 0; i < argc; ++i) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens if (strncasecmp(argv[i], "debug", sizeof ("debug")) == 0) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens } else if (strncasecmp(argv[i], "user", sizeof ("user")) == 0) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens sizeof ("nouser")) == 0) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens } else if (strncasecmp(argv[i], "host", sizeof ("host")) == 0) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens sizeof ("nohost")) == 0) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens sizeof ("user_host_exact")) == 0) {
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilson if (((check_user || check_host || check_exact) == B_FALSE) ||
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilson __pam_log(LOG_AUTH | LOG_ERR, ILLEGAL_COMBINATION);
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilson if ((op_mode == LIST_COMPAT_MODE) && (check_user == B_FALSE)) {
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilson "pam_list: check_user = %d, check_host = %d,"
88ecc943b4eb72f7c4fbbd8435997b85ef171fc3George Wilson "check_exact = %d\n",
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "pam_list: auth_file: %s, %s\n", allowdeny_filename,
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick (op_mode == LIST_COMPAT_MODE) ? "compat mode" :
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick (void) pam_get_item(pamh, PAM_USER, (void**)&username);
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick if ((check_user || check_exact) && ((username == NULL) ||
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "pam_list: username not supplied, critical error");
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick (void) pam_get_item(pamh, PAM_RHOST, (void**)&rhost);
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick if ((check_host || check_exact) && ((rhost == NULL) ||
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick if (gethostname(hostname, MAXHOSTNAMELEN) == 0) {
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "pam_list: error by gethostname - %m");
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "pam_list: pam_sm_acct_mgmt for (%s,%s,)",
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "pam_list: file name not specified");
fa9e4066f08beec538e775443c5be79dd423fcabahrens if ((fd = fopen(allowdeny_filename, "rF")) == NULL) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens __pam_log(LOG_AUTH | LOG_ERR, "pam_list: fopen of %s: %s",
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* lines longer than BUFSIZ-1 */
fa9e4066f08beec538e775443c5be79dd423fcabahrens "pam_list: long line in file,"
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* remove unneeded colons if necessary */
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* ignore free values */
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* test for interesting lines = +/- in /etc/passwd */
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* simple + matches all */
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* simple - is not defined */
fa9e4066f08beec538e775443c5be79dd423fcabahrens "pam_list: simple minus unknown, "
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* @ is not allowed on the first position */
fa9e4066f08beec538e775443c5be79dd423fcabahrens "pam_list: @ is not allowed on the first "
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* -user or -@netgroup */
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* +user or +@netgroup */
fa9e4066f08beec538e775443c5be79dd423fcabahrens * if -> netgroup line
fa9e4066f08beec538e775443c5be79dd423fcabahrens * else -> user line
ecc2d604e885a75cc75e647b5641af99d5a6f4a6bonwick * No match found in /etc/passwd yet. For compat mode
ecc2d604e885a75cc75e647b5641af99d5a6f4a6bonwick * a failure to match should result in a return of
ecc2d604e885a75cc75e647b5641af99d5a6f4a6bonwick * PAM_PERM_DENIED which is achieved below if 'matched'
ecc2d604e885a75cc75e647b5641af99d5a6f4a6bonwick * is false and 'allow' is true.
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson "pam_list: %s for %s", matched ? "matched" : "no match",
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson return (allow ? PAM_SUCCESS : PAM_PERM_DENIED);
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson * For compatibility with passwd_compat mode to prevent root access