diff options
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:13:04 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:13:04 -0800 |
| commit | c55c14c5c6762139ec6695d84ea0e2e917da5264 (patch) | |
| tree | 9e6119760c93841b2bc3e05680ac9e4e15ae9c25 /modules/pam_securetty/pam_securetty.c | |
| parent | f3c0273b7bd2d7fdcac3fe3604cedd82afc57f49 (diff) | |
| parent | fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (diff) | |
| download | pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.gz pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.bz2 pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.zip | |
New upstream version 1.1.5
Diffstat (limited to 'modules/pam_securetty/pam_securetty.c')
| -rw-r--r-- | modules/pam_securetty/pam_securetty.c | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index a3c2010d..4e97ef59 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -2,6 +2,8 @@ #define SECURETTY_FILE "/etc/securetty" #define TTY_PREFIX "/dev/" +#define CMDLINE_FILE "/proc/cmdline" +#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" /* * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. @@ -22,6 +24,7 @@ #include <pwd.h> #include <string.h> #include <ctype.h> +#include <limits.h> /* * here, we make a definition for the externally accessible function @@ -38,6 +41,7 @@ #include <security/pam_ext.h> #define PAM_DEBUG_ARG 0x0001 +#define PAM_NOCONSOLE_ARG 0x0002 static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) @@ -51,6 +55,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; + else if (!strcmp(*argv, "noconsole")) + ctrl |= PAM_NOCONSOLE_ARG; else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -144,6 +150,70 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } fclose(ttyfile); + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *cmdlinefile; + + /* Allow access from the kernel console, if enabled */ + cmdlinefile = fopen(CMDLINE_FILE, "r"); + + if (cmdlinefile != NULL) { + char line[LINE_MAX], *p; + + line[0] = 0; + fgets(line, sizeof(line), cmdlinefile); + fclose(cmdlinefile); + + for (p = line; p; p = strstr(p+1, "console=")) { + char *e; + + /* Test whether this is a beginning of a word? */ + if (p > line && p[-1] != ' ') + continue; + + /* Is this our console? */ + if (strncmp(p + 8, uttyname, strlen(uttyname))) + continue; + + /* Is there any garbage after the TTY name? */ + e = p + 8 + strlen(uttyname); + if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { + retval = 0; + break; + } + } + } + } + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *consoleactivefile; + + /* Allow access from the active console */ + consoleactivefile = fopen(CONSOLEACTIVE_FILE, "r"); + + if (consoleactivefile != NULL) { + char line[LINE_MAX], *p, *n; + + line[0] = 0; + p = fgets(line, sizeof(line), consoleactivefile); + fclose(consoleactivefile); + + if (p) { + /* remove the newline character at end */ + if (line[strlen(line)-1] == '\n') + line[strlen(line)-1] = 0; + + for (n = p; n != NULL; p = n+1) { + if ((n = strchr(p, ' ')) != NULL) + *n = '\0'; + + if (strcmp(p, uttyname) == 0) { + retval = 0; + break; + } + } + } + } + } + if (retval) { pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", uttyname); |