author | Andrew G. Morgan <morgan@kernel.org> | 2000-06-20 22:10:38 +0000 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2000-06-20 22:10:38 +0000 |
commit | ea488580c42e8918445a945484de3c8a5addc761 (patch) | |
tree | c992f3ba699caafedfadc16af38e6359c3c24698 /modules/pam_securetty | |
download | pam-ea488580c42e8918445a945484de3c8a5addc761.tar.gz pam-ea488580c42e8918445a945484de3c8a5addc761.tar.bz2 pam-ea488580c42e8918445a945484de3c8a5addc761.zip |
Initial revision
Diffstat (limited to 'modules/pam_securetty')
-rw-r--r-- | modules/pam_securetty/.cvsignore | 1 | ||||
-rw-r--r-- | modules/pam_securetty/Makefile | 83 | ||||
-rw-r--r-- | modules/pam_securetty/README | 9 | ||||
-rw-r--r-- | modules/pam_securetty/pam_securetty.c | 191 |
4 files changed, 284 insertions, 0 deletions
diff --git a/modules/pam_securetty/.cvsignore b/modules/pam_securetty/.cvsignore
new file mode 100644
index 00000000..380a834a
--- /dev/null
+++ b/modules/pam_securetty/.cvsignore
@@ -0,0 +1 @@
+dynamic
diff --git a/modules/pam_securetty/Makefile b/modules/pam_securetty/Makefile
new file mode 100644
index 00000000..d8a09ea1
--- /dev/null
+++ b/modules/pam_securetty/Makefile
@@ -0,0 +1,83 @@
+#
+# This Makefile controls a build process of $(TITLE) module for
+# Linux-PAM. You should not modify this Makefile (unless you know
+# what you are doing!).
+#
+
+TITLE=pam_securetty
+
+#
+
+LIBSRC = $(TITLE).c
+LIBOBJ = $(TITLE).o
+LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
+LIBOBJS = $(addprefix static/,$(LIBOBJ))
+
+dynamic/%.o : %.c
+ $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
+
+static/%.o : %.c
+ $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
+
+
+ifdef DYNAMIC
+LIBSHARED = $(TITLE).so
+endif
+
+ifdef STATIC
+LIBSTATIC = lib$(TITLE).o
+endif
+
+####################### don't edit below #######################
+
+dummy:
+
+ @echo "**** This is not a top-level Makefile "
+ exit
+
+all: dirs $(LIBSHARED) $(LIBSTATIC) register
+
+dirs:
+ifdef DYNAMIC
+ $(MKDIR) ./dynamic
+endif
+ifdef STATIC
+ $(MKDIR) ./static
+endif
+
+register:
+ifdef STATIC
+ ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
+endif
+
+ifdef DYNAMIC
+$(LIBOBJD): $(LIBSRC)
+
+$(LIBSHARED): $(LIBOBJD)
+ $(LD_D) -o $@ $(LIBOBJD)
+endif
+
+ifdef STATIC
+$(LIBOBJS): $(LIBSRC)
+
+$(LIBSTATIC): $(LIBOBJS)
+ $(LD) -r -o $@ $(LIBOBJS)
+endif
+
+install: all
+ $(MKDIR) $(FAKEROOT)$(SECUREDIR)
+ifdef DYNAMIC
+ $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
+endif
+
+remove:
+ rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
+
+clean:
+ rm -f $(LIBOBJD) $(LIBOBJS) core *~
+
+extraclean: clean
+ rm -f *.a *.o *.so *.bak dynamic/* static/*
+
+.c.o:
+ $(CC) $(CFLAGS) -c $<
diff --git a/modules/pam_securetty/README b/modules/pam_securetty/README
new file mode 100644
index 00000000..1df095c9
--- /dev/null
+++ b/modules/pam_securetty/README
@@ -0,0 +1,9 @@
+pam_securetty:
+ Allows root logins only if the user is logging in on a
+ "secure" tty, as defined by the listing in /etc/securetty
+
+ Also checks to make sure that /etc/securetty is a plain
+ file and not world writable.
+
+ - Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+ July 25, 1996.
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
new file mode 100644
index 00000000..9e6121e8
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.c
@@ -0,0 +1,191 @@
+/* pam_securetty module */
+
+#define SECURETTY_FILE "/etc/securetty"
+#define TTY_PREFIX "/dev/"
+
+/*
+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+ * July 25, 1996.
+ * This code shamelessly ripped from the pam_rootok module.
+ * Slight modifications AGM. 1996/12/3
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <string.h>
+
+#define PAM_SM_AUTH
+
+/*
+ * here, we make a definition for the externally accessible function
+ * in this file (this definition is required for static a module
+ * but strongly encouraged generally) it is used to instruct the
+ * modules include file to define the function prototypes.
+ */
+
+#define PAM_SM_AUTH
+
+#include <security/pam_modules.h>
+
+/* some syslogging */
+
+static void _pam_log(int err, const char *format, ...)
+{
+ va_list args;
+
+ va_start(args, format);
+ openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH);
+ vsyslog(err, format, args);
+ va_end(args);
+ closelog();
+}
+
+/* argument parsing */
+
+#define PAM_DEBUG_ARG 0x0001
+
+static int _pam_parse(int argc, const char **argv)
+{
+ int ctrl=0;
+
+ /* step through arguments */
+ for (ctrl=0; argc-- > 0; ++argv) {
+
+ /* generic options */
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+ else {
+ _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
+ }
+ }
+
+ return ctrl;
+}
+
+/* --- authentication management functions (only) --- */
+
+PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ int retval = PAM_AUTH_ERR;
+ const char *username;
+ char *uttyname;
+ char ttyfileline[256];
+ struct stat ttyfileinfo;
+ struct passwd *user_pwd;
+ FILE *ttyfile;
+ int ctrl;
+
+ /* parse the arguments */
+ ctrl = _pam_parse(argc, argv);
+
+ retval = pam_get_user(pamh, &username, NULL);
+ if (retval != PAM_SUCCESS || username == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_WARNING, "cannot determine username");
+ }
+ return (retval == PAM_CONV_AGAIN
+ ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
+ }
+
+ retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname);
+ if (retval != PAM_SUCCESS || uttyname == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_WARNING, "cannot determine user's tty");
+ }
+ return PAM_SERVICE_ERR;
+ }
+
+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
+ uttyname += sizeof(TTY_PREFIX)-1;
+
+ user_pwd = getpwnam(username);
+ if (user_pwd == NULL) {
+ return PAM_IGNORE;
+ } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
+ securetty's does not apply
+ to them */
+ return PAM_SUCCESS;
+ }
+
+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+ _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE);
+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
+ this needs to succeed. But we still log the
+ error. */
+ }
+
+ if ((ttyfileinfo.st_mode & S_IWOTH)
+ || !S_ISREG(ttyfileinfo.st_mode)) {
+ /* If the file is world writable or is not a
+ normal file, return error */
+ _pam_log(LOG_ERR, SECURETTY_FILE
+ " is either world writable or not a normal file");
+ return PAM_AUTH_ERR;
+ }
+
+ ttyfile = fopen(SECURETTY_FILE,"r");
+ if(ttyfile == NULL) { /* Check that we opened it successfully */
+ _pam_log(LOG_ERR,
+ "Error opening " SECURETTY_FILE);
+ return PAM_SERVICE_ERR;
+ }
+ /* There should be no more errors from here on */
+ retval=PAM_AUTH_ERR;
+ /* This loop assumes that PAM_SUCCESS == 0
+ and PAM_AUTH_ERR != 0 */
+ while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
+ && retval) {
+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
+ retval = strcmp(ttyfileline,uttyname);
+ }
+ fclose(ttyfile);
+ if(retval) {
+ if (ctrl & PAM_DEBUG_ARG)
+ _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !",
+ uttyname);
+ retval = PAM_AUTH_ERR;
+ }
+ if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG))
+ _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'",
+ username, uttyname);
+ return retval;
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_securetty_modstruct = {
+ "pam_securetty",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif
+
+/* end of module definition */
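Review bot: The stat() failure branch in pam_sm_authenticate returns PAM_SUCCESS for every error, so a root login on any tty is allowed not only when /etc/securetty is absent (the compatibility case the comment describes) but also on EACCES, ELOOP or an I/O error; fail open only on ENOENT by adding `if (errno != ENOENT) return PAM_AUTH_ERR;` before the compatibility return, with `#include <errno.h>` added to the header list. The mode and type check is also performed on a stat() taken before fopen(), so the inode checked and the inode read need not be the same; opening first and checking with `fstat(fileno(ttyfile), &ttyfileinfo)` removes that window, though on a root-owned /etc the practical exposure is small. Separately, `ttyfileline[strlen(ttyfileline) - 1]` indexes one byte before the buffer when a line begins with a NUL byte; guard it with `size_t len = strlen(ttyfileline); if (len && ttyfileline[len - 1] == '\n')` and reuse `len` for the store. The 254-byte fgets() window also means an over-long line is compared as several fragments, which is worth a comment on the loop if that is intended.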