1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <pwd.h>
#define PAM_SM_AUTH
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
#define SHELLS "/etc/shells"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags,
int argc, const char * argv[])
{
struct passwd *pwd;
struct stat shellfileinfo;
const char *user;
const char *shell;
char shellfileline[256];
FILE *shellfile;
int pam_err;
if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS )
|| ( user == NULL ) ) {
PAM_ERROR("Error recovering username.");
return (pam_err);
}
if ( (pwd = getpwnam(user)) == NULL ) {
PAM_ERROR("Could not get passwd entry for user [%s]",user);
return (PAM_SERVICE_ERR);
}
shell = pwd->pw_shell;
if ( stat(SHELLS, &shellfileinfo) ) {
PAM_ERROR("Could not open SHELLS file :%s", SHELLS);
return (PAM_AUTH_ERR);
}
if ((shellfileinfo.st_mode & S_IWOTH) || !S_ISREG(shellfileinfo.st_mode)) {
/* File is either world writable or not a regural file */
PAM_ERROR("SHELLS file cannot be trusted!");
return (PAM_AUTH_ERR);
}
/* Open read-only file with shells */
if ( (shellfile = fopen(SHELLS,"r")) == NULL ) {
PAM_ERROR("Could not open SHELLS file :%s", SHELLS);
return (PAM_SERVICE_ERR);
}
pam_err = 1;
/* Search in SHELLS for user shell */
while (fgets(shellfileline, sizeof(shellfileline)-1, shellfile) != NULL
&& pam_err) {
if (shellfileline[strlen(shellfileline) - 1] == '\n')
shellfileline[strlen(shellfileline) - 1] = '\0';
pam_err = strcmp(shellfileline, shell);
}
fclose(shellfile);
if (!pam_err) {
/* user shell found in SHELLS. Allow access */
PAM_LOG("Access granted for %s with shell %s.", user, shell);
return (PAM_SUCCESS);
}
return (PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh , int flags ,
int argc , const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_shells");
|