Diffstat (limited to 'modules/pam_localuser')
-rw-r--r--modules/pam_localuser/Makefile14
-rw-r--r--modules/pam_localuser/README17
-rw-r--r--modules/pam_localuser/pam_localuser.836
-rw-r--r--modules/pam_localuser/pam_localuser.c159
4 files changed, 0 insertions, 226 deletions
diff --git a/modules/pam_localuser/Makefile b/modules/pam_localuser/Makefile
deleted file mode 100644
index 13946eb4..00000000
--- a/modules/pam_localuser/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-# $Id$
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-#
-
-include ../../Make.Rules
-
-TITLE=pam_localuser
-MAN8=pam_localuser.8
-
-include ../Simple.Rules
diff --git a/modules/pam_localuser/README b/modules/pam_localuser/README
deleted file mode 100644
index b8cdf524..00000000
--- a/modules/pam_localuser/README
+++ /dev/null
@@ -1,17 +0,0 @@
-pam_localuser:
- Succeeds iff the PAM_USER is listed in /etc/passwd. This seems to be a
- common policy need (allowing only a subset of network-wide users, and
- any locally-defined users, to access services). Simpler than using
- awk to generate a file for use with pam_listfile (-F: '{print $1}'),
- I guess.
-
-RECOGNIZED ARGUMENTS:
- debug write debugging messages to syslog
- file=FILE scan FILE instead of /etc/passwd
-
-MODULE SERVICES PROVIDED:
- auth,account scan the FILE (/etc/passwd by default) and return
- a success code if an entry is found for the user
-
-AUTHOR:
- Nalin Dahyabhai <nalin@redhat.com>
diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8
deleted file mode 100644
index ce0a9465..00000000
--- a/modules/pam_localuser/pam_localuser.8
+++ /dev/null
@@ -1,36 +0,0 @@
-.\" Copyright 2000 Red Hat, Inc.
-.TH pam_localuser 8 2000/7/21 "Red Hat" "System Administrator's Manual"
-
-.SH NAME
-pam_localuser \- require users to be listed in /etc/passwd
-
-.SH SYNOPSIS
-.B account sufficient /lib/security/pam_localuser.so \fIargs\fP
-.br
-.B account required /lib/security/pam_wheel.so group=devel
-
-.SH DESCRIPTION
-pam_localuser.so exists to help implement site-wide login policies, where
-they typically include a subset of the network's users and a few accounts
-that are local to a particular workstation. Using pam_localuser.so and
-pam_wheel.so or pam_listfile.so is an effective way to restrict access to
-either local users and/or a subset of the network's users.
-
-This could also be implemented using pam_listfile.so and a very short awk
-script invoked by cron, but it's common enough to have been separated out.
-
-.SH ARGUMENTS
-.IP debug
-turns on debugging
-.IP file=\fBFILE\fP
-uses a file other than \fB/etc/passwd\fP.
-
-.SH FILES
-/etc/passwd
-
-.SH BUGS
-Let's hope not, but if you find any, please report them via the "Bug Track"
-link at http://bugzilla.redhat.com/bugzilla/
-
-.SH AUTHOR
-Nalin Dahyabhai <nalin@redhat.com>
diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c
deleted file mode 100644
index e5496089..00000000
--- a/modules/pam_localuser/pam_localuser.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright 2001, 2004 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "../../_pam_aconf.h"
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <time.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#include "../../libpam/include/security/pam_modules.h"
-#include "../../libpam/include/security/_pam_macros.h"
-
-#define MODULE_NAME "pam_localuser"
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- int i, ret = PAM_SUCCESS;
- FILE *fp;
- int debug = 0;
- const char *filename = "/etc/passwd";
- char line[LINE_MAX], name[LINE_MAX];
- const char* user;
-
- /* process arguments */
- for(i = 0; i < argc; i++) {
- if(strcmp("debug", argv[i]) == 0) {
- debug = 1;
- }
- }
- for(i = 0; i < argc; i++) {
- if(strncmp("file=", argv[i], 5) == 0) {
- filename = argv[i] + 5;
- if(debug) {
- openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV);
- syslog(LOG_DEBUG, "set filename to \"%s\"",
- filename);
- closelog();
- }
- }
- }
-
- /* open the file */
- fp = fopen(filename, "r");
- if(fp == NULL) {
- openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV);
- syslog(LOG_ERR, "error opening \"%s\": %s", filename,
- strerror(errno));
- closelog();
- return PAM_SYSTEM_ERR;
- }
-
- if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
- openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV);
- syslog(LOG_ERR, "user name not specified yet");
- closelog();
- fclose(fp);
- return PAM_SYSTEM_ERR;
- }
-
- if ((user == NULL) || (strlen(user) == 0)) {
- openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV);
- syslog(LOG_ERR, "user name not valid");
- closelog();
- fclose(fp);
- return PAM_SYSTEM_ERR;
- }
-
- /* scan the file, using fgets() instead of fgetpwent() because i
- * don't want to mess with applications which call fgetpwent() */
- ret = PAM_PERM_DENIED;
- snprintf(name, sizeof(name), "%s:", user);
- i = strlen(name);
- while(fgets(line, sizeof(line), fp) != NULL) {
- if(debug) {
- openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV);
- syslog(LOG_DEBUG, "checking \"%s\"", line);
- closelog();
- }
- if(strncmp(name, line, i) == 0) {
- ret = PAM_SUCCESS;
- break;
- }
- }
-
- /* okay, we're done */
- fclose(fp);
- return ret;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_localuser_modstruct = {
- "pam_localuser",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- NULL,
- NULL,
- NULL,
-};
-
-#endif