author | Steve Langasek <steve.langasek@canonical.com> | 2020-08-11 14:54:29 -0700 |
---|---|---|
committer | Steve Langasek <steve.langasek@canonical.com> | 2020-08-11 14:54:29 -0700 |
commit | f6d08ed47a3da3c08345bce2ca366e961c52ad7c (patch) | |
tree | dcbd0efb229b17f696f7195671f05b354b4f70fc /modules/pam_securetty/pam_securetty.c | |
parent | 668b13da8f830c38388cecac45539972e80cb246 (diff) | |
parent | 9e5bea9e146dee574796259ca464ad2435be3590 (diff) | |
download | pam-f6d08ed47a3da3c08345bce2ca366e961c52ad7c.tar.gz pam-f6d08ed47a3da3c08345bce2ca366e961c52ad7c.tar.bz2 pam-f6d08ed47a3da3c08345bce2ca366e961c52ad7c.zip |
New upstream version 1.4.0
Diffstat (limited to 'modules/pam_securetty/pam_securetty.c')
-rw-r--r-- | modules/pam_securetty/pam_securetty.c | 71 |
1 files changed, 42 insertions, 29 deletions
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index cb1da252..b4d71751 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -1,11 +1,6 @@
-/* pam_securetty module */
-
-#define SECURETTY_FILE "/etc/securetty"
-#define TTY_PREFIX "/dev/"
-#define CMDLINE_FILE "/proc/cmdline"
-#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
-
 /*
+ * pam_securetty module
+ *
 * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
 * July 25, 1996.
 * This code shamelessly ripped from the pam_rootok module.
@@ -25,24 +20,24 @@ #include <string.h> #include <ctype.h> #include <limits.h> - -/* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module * but strongly encouraged generally) it is used to instruct the * modules include file to define the function prototypes. */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT +#include <errno.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" #define PAM_DEBUG_ARG 0x0001 #define PAM_NOCONSOLE_ARG 0x0002 +#define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif +#define TTY_PREFIX "/dev/" +#define CMDLINE_FILE "/proc/cmdline" +#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) {
@@ -70,8 +65,10 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
 const char *function_name)
 {
 int retval = PAM_AUTH_ERR;
+ const char *securettyfile;
 const char *username;
 const char *uttyname;
+ const char *str;
 const void *void_uttyname;
 char ttyfileline[256];
 char ptname[256];
@@ -86,9 +83,10 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } retval = pam_get_user(pamh, &username, NULL); - if (retval != PAM_SUCCESS || username == NULL) { - pam_syslog(pamh, LOG_WARNING, "cannot determine username"); - return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); + return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE : retval); } user_pwd = pam_modutil_getpwnam(pamh, username);
@@ -106,15 +104,31 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { - uttyname += sizeof(TTY_PREFIX)-1; - } + if ((str = pam_str_skip_prefix(uttyname, TTY_PREFIX)) != NULL) + uttyname = str; if (stat(SECURETTY_FILE, &ttyfileinfo)) { +#ifdef VENDORDIR + if (errno == ENOENT) { + if (stat(SECURETTY2_FILE, &ttyfileinfo)) { + pam_syslog(pamh, LOG_NOTICE, + "Couldn't open %s: %m", SECURETTY2_FILE); + return PAM_SUCCESS; /* for compatibility with old securetty handling, + this needs to succeed. But we still log the + error. */ + } + securettyfile = SECURETTY2_FILE; + } else { +#endif pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ +#ifdef VENDORDIR + } +#endif + } else { + securettyfile = SECURETTY_FILE; } if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
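Review bot: The VENDORDIR fallback in the stat() block changes what an absent /etc/securetty means: before this hunk a missing file skipped the check (return PAM_SUCCESS), now it switches enforcement to SECURETTY2_FILE, so an administrator who removed /etc/securetty to turn the restriction off gets the vendor policy instead, and neither the code nor the "for compatibility" comment says so. Suggest a comment above the errno == ENOENT test such as `/* /etc/securetty absent: enforce the vendor file instead; both must be absent to disable the check */`. Only ENOENT triggers the fallback, so any other stat() failure (permissions, a dangling symlink) still returns PAM_SUCCESS with only a log line, which this commit leaves as before; the three-line compatibility comment is now duplicated in both branches and could be hoisted to a single comment above the stat() call. securetty_perform_check continues outside the hunk.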
@@ -122,13 +136,13 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, normal file, return error */ pam_syslog(pamh, LOG_ERR, "%s is either world writable or not a normal file", - SECURETTY_FILE); + securettyfile); return PAM_AUTH_ERR; } - ttyfile = fopen(SECURETTY_FILE,"r"); + ttyfile = fopen(securettyfile,"r"); if (ttyfile == NULL) { /* Check that we opened it successfully */ - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile); return PAM_SERVICE_ERR; }
@@ -163,18 +177,17 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, fclose(cmdlinefile); for (; p; p = strstr(p+1, "console=")) { - char *e; + const char *e; /* Test whether this is a beginning of a word? */ if (p > line && p[-1] != ' ') continue; /* Is this our console? */ - if (strncmp(p + 8, uttyname, strlen(uttyname))) + if ((e = pam_str_skip_prefix_len(p + 8, uttyname, strlen(uttyname))) == NULL) continue; /* Is there any garbage after the TTY name? */ - e = p + 8 + strlen(uttyname); if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { retval = 0; break; |
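Review bot: The world-writable / regular-file test is still evaluated on a stat() of the path while the data is read through a separate `fopen(securettyfile,"r")`, so the object that was checked and the object that is read are not guaranteed to be the same one; the commit switches both calls to the new variable but keeps that ordering. Opening first and then checking `fstat(fileno(ttyfile), &ttyfileinfo)` ties the permission check to the descriptor that is actually parsed, and the fopen() failure path would then also cover the "couldn't open" log that the stat() block emits today. The stat() this depends on is in the preceding hunk, and securetty_perform_check continues outside this one.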
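Review bot: `p + 8` in the new pam_str_skip_prefix_len() call is a magic number standing for the length of "console=", the literal the enclosing for loop searches for with strstr(), and the two stay in sync only by inspection. Deriving the offset from the literal, e.g. `p + (sizeof("console=") - 1)`, or naming it once as `static const char console_opt[] = "console=";` and using it in both places removes the coupling. If uttyname can be empty here, a zero-length prefix presumably matches at every "console=" occurrence and only the garbage test on *e decides, so it is worth confirming that an empty PAM_TTY is rejected before this loop. The function continues outside the hunk.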