pam_timestamp.c revision 45405cce0657d01714b3d014a0facf3bdce45736
/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
*/
/*
* Copyright 2014 Nexenta Systems, Inc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <fcntl.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <syslog.h>
#include <unistd.h>
#include <libgen.h>
#include <errno.h>
#define TIMESTAMP_DIR "/var/run/tty_timestamps"
#define ROOT_UID 0 /* root uid */
#define ROOT_GID 0 /* root gid */
/*
 * Per-request identity gathered from the PAM handle.
 * NOTE(review): the member declarations are absent from this listing; the
 * helper below works with a user, an authenticating user (auser) and a tty
 * name, so those are presumably the fields — confirm against the full file.
 */
struct user_info {
};
int debug = 0;
/*
 * Fetch PAM_USER, PAM_AUSER and PAM_TTY for the current request, validate
 * the tty name and build the timestamp file path.
 *
 * NOTE(review): the function name, its first parameter (presumably the
 * pam_handle_t) and the item-retrieval/condition lines are missing from
 * this listing; only the failure paths survive.
 *
 * user_tty      - out: the validated tty name (buffer sized by the caller)
 * timestampfile - out: full path of the per-tty timestamp file
 *
 * Returns PAM_IGNORE when any of the three items is NULL or empty, or when
 * the tty name is rejected; PAM_SUCCESS once the file name is formatted.
 */
int
char *user_tty,
char *timestampfile)
{
char *user;
char *auser;
char *ttyn;
/* get user, auser and the user's tty */
"PAM_USER NULL or empty");
return (PAM_IGNORE);
}
"PAM_AUSER NULL or empty");
return (PAM_IGNORE);
}
"PAM_TTY NULL or empty");
return (PAM_IGNORE);
}
if (debug)
} else {
/*
 * NOTE(review): if ttyn becomes a path component of timestampfile, this
 * rejection is what keeps a crafted PAM_TTY from escaping TIMESTAMP_DIR —
 * confirm that the (missing) check refuses '/' and ".." segments.
 */
"invalid tty: %s", ttyn);
return (PAM_IGNORE);
}
/* format timestamp file name */
return (PAM_SUCCESS);
}
/*
 * validate_dir
 *
 * Verify that the timestamp directory is safe to trust: it must exist, be
 * a directory, not be a symbolic link, be owned by root and carry the
 * expected permissions.  Each failure is logged and reported as PAM_IGNORE
 * so the caller falls through to the next module.
 *
 * dir - path of the directory to check
 *
 * Returns PAM_SUCCESS when every check passes, PAM_IGNORE otherwise.
 *
 * NOTE(review): the stat call and the comparison expressions are missing
 * from this listing.  The symbolic-link check below is only meaningful if
 * the directory is examined with lstat() rather than stat() — confirm.
 */
int
validate_dir(const char *dir)
{
/*
 * check that the directory exists and has
 * the right owner and permissions.
 */
"directory %s does not exist", dir);
return (PAM_IGNORE);
}
"%s is not a directory", dir);
return (PAM_IGNORE);
}
"%s is a symbolic link", dir);
return (PAM_IGNORE);
}
/* presumably compared against ROOT_UID defined above — confirm */
"%s is not owned by root", dir);
return (PAM_IGNORE);
}
"%s has wrong permissions", dir);
return (PAM_IGNORE);
}
return (PAM_SUCCESS);
}
<<<<<<< HEAD
=======
/*
 * create_dir
 *
 * Create the timestamp directory when it is absent and then adjust it so
 * that it passes validate_dir().
 *
 * dir - path of the directory to create
 *
 * Returns PAM_SUCCESS on success, PAM_IGNORE when the directory cannot be
 * created or its permissions cannot be set.
 *
 * NOTE(review): the block comment says the owner is set to root, but the
 * only failure logged is about permissions; the mkdir/chown/chmod calls
 * are missing from this listing, so confirm which attributes are actually
 * set.  A freshly created directory should still be passed through
 * validate_dir() before it is used.
 */
>>>>>>> 
int
create_dir(char *dir)
{
/*
 * create directory if it doesn't exist and attempt to set
 * the owner to root.
 */
"can't create directory %s", dir);
return (PAM_IGNORE);
}
"can't set permissions on directory %s", dir);
return (PAM_IGNORE);
}
return (PAM_SUCCESS);
}
/*
 * pam_sm_authenticate
 *
 * Read authentication from user, using cached successful authentication
 * attempts.
 *
 * Returns PAM_SUCCESS on success; otherwise always returns PAM_IGNORE.
 * Because this module is stacked with the "sufficient" control value,
 * any failure falls through to authentication by the pam_unix_auth module.
 *
 * options -
 * debug
 * timeout= timeout in min, default is 5
 *
 * NOTE(review): the function name, the pamh parameter and most of the
 * condition lines are missing from this listing; the comments in the body
 * describe only what the surviving lines show.
 */
/*ARGSUSED*/
int
int flags,
int argc,
const char **argv)
{
long tmp = 0; /* presumably the parsed timeout= value — confirm */
int result = PAM_IGNORE; /* every early return below hands off to the next module */
int i;
int fd = -1; /* timestamp file, opened for reading further down */
char *p;
char user_tty[MAXPATHLEN];
char timestampdir[MAXPATHLEN];
char timestampfile[MAXPATHLEN];
char *sudir;
/* check options passed to this module */
for (i = 0; i < argc; i++) {
debug = 1; /* the "debug" option; the matching string compare is not in this listing */
}
}
}
/* the three returns below presumably propagate failures of the helpers above (user/tty lookup, validate_dir) — confirm */
return (result);
return (result);
return (result);
/*
 * check that the timestamp file exists and has the right owner
 * and permissions.  Any file that fails a check is removed so a
 * tampered-with or stray file cannot be retried.
 */
(void) unlink(timestampfile);
"timestamp file %s is not a regular file",
return (result);
}
(void) unlink(timestampfile);
"timestamp file %s is not owned by root",
return (result);
}
(void) unlink(timestampfile);
"timestamp file %s is a symbolic link",
return (result);
}
(void) unlink(timestampfile);
"timestamp file %s has wrong permissions",
return (result);
}
} else {
/* no cached authentication yet: nothing to do, fall through to the next module */
if (debug)
"timestamp file %s does not exist: %m",
return (result);
}
"can't stat tty: %m");
return (result);
}
/*
 * NOTE(review): the checks above appear to be path-based (each failure
 * unlinks the path).  Re-verifying owner/mode with fstat() on fd after
 * this open would close the check-then-open window — confirm against
 * the missing lines, and make sure fd is closed on the error returns
 * that follow.
 */
"can't open timestamp file %s for reading: %m",
return (result);
}
/* short or failed read: discard the file rather than trust it */
(void) unlink(timestampfile);
"timestamp file '%s' is corrupt: %m", timestampfile);
return (result);
}
/* content failed validation: discard */
(void) unlink(timestampfile);
"the content of the timestamp file '%s' is not valid",
return (result);
}
/* older than the timeout: discard and require a real authentication */
(void) unlink(timestampfile);
"timestamp file '%s' has expired, disallowing access",
return (result);
} else {
if (debug)
"timestamp file %s is not expired, "
"allowing access ", timestampfile);
}
return (result);
}
/*
 * pam_sm_setcred
 *
 * Creates the timestamp directory and writes the
 * timestamp file if it doesn't exist.
 *
 * Returns PAM_SUCCESS on success, otherwise PAM_IGNORE.
 *
 * NOTE(review): the function name, the pamh parameter and most condition
 * lines are missing from this listing; comments in the body describe only
 * what the surviving lines show.
 */
/*ARGSUSED*/
int
int flags,
int argc,
const char **argv)
{
int result = PAM_IGNORE;
int fd = -1; /* timestamp file, opened for writing further down */
char user_tty[MAXPATHLEN];
char timestampdir[MAXPATHLEN];
char timestampfile[MAXPATHLEN];
/*
 * validate flags: return PAM_IGNORE when none of the recognised flags is
 * set (the first operand of the condition is missing from this listing).
 */
!(flags & PAM_REINITIALIZE_CRED) &&
!(flags & PAM_REFRESH_CRED) &&
!(flags & PAM_DELETE_CRED) &&
!(flags & PAM_SILENT)) {
return (result);
}
/* presumably a failed user/tty lookup — confirm */
return (result);
/*
 * user doesn't need to authenticate for PAM_DELETE_CRED:
 * just drop the cached authentication.
 */
if (flags & PAM_DELETE_CRED) {
(void) unlink(timestampfile);
return (result);
}
/* if the timestamp file exists, there is nothing to do */
if (debug)
"timestamp file %s is not expired", timestampfile);
return (result);
}
/* presumably create_dir()/validate_dir() failures — confirm */
return (result);
return (result);
"can't stat tty: %m");
return (result);
}
/*
 * NOTE(review): the open for writing should refuse to follow a symlink
 * planted at timestampfile between the checks above and this call (for
 * example O_NOFOLLOW with O_EXCL); the open flags are not visible here —
 * confirm.  fd should also be closed on the error returns that follow.
 */
"can't open timestamp file %s for writing: %m",
return (result);
"can't set permissions on timestamp file %s: %m",
return (result);
}
"can't write timestamp file %s: %m", timestampfile);
return (result);
}
return (PAM_SUCCESS);
}