1112857Sdes/*- 2112857Sdes * Copyright (c) 2003 Networks Associates Technology, Inc. 3112857Sdes * All rights reserved. 4112857Sdes * 5112857Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and 6112857Sdes * NAI Labs, the Security Research Division of Network Associates, Inc. 7112857Sdes * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8112857Sdes * DARPA CHATS research program. 9112857Sdes * 10112857Sdes * Redistribution and use in source and binary forms, with or without 11112857Sdes * modification, are permitted provided that the following conditions 12112857Sdes * are met: 13112857Sdes * 1. Redistributions of source code must retain the above copyright 14112857Sdes * notice, this list of conditions and the following disclaimer. 15112857Sdes * 2. Redistributions in binary form must reproduce the above copyright 16112857Sdes * notice, this list of conditions and the following disclaimer in the 17112857Sdes * documentation and/or other materials provided with the distribution. 18112857Sdes * 3. The name of the author may not be used to endorse or promote 19112857Sdes * products derived from this software without specific prior written 20112857Sdes * permission. 21112857Sdes * 22112857Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23112857Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24112857Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25112857Sdes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26112857Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27112857Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28112857Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29112857Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30112857Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31112857Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32112857Sdes * SUCH DAMAGE. 33112857Sdes */ 34112857Sdes 35112857Sdes#include <sys/cdefs.h> 36112857Sdes__FBSDID("$FreeBSD: releng/10.3/lib/libpam/modules/pam_chroot/pam_chroot.c 114262 2003-04-30 00:40:24Z des $"); 37112857Sdes 38112857Sdes#include <sys/param.h> 39112857Sdes 40112857Sdes#include <pwd.h> 41112857Sdes#include <stdio.h> 42112857Sdes#include <string.h> 43112857Sdes#include <unistd.h> 44112857Sdes 45112857Sdes#define PAM_SM_SESSION 46112857Sdes 47112857Sdes#include <security/pam_appl.h> 48112857Sdes#include <security/pam_modules.h> 49112857Sdes#include <security/openpam.h> 50112857Sdes 51112857SdesPAM_EXTERN int 52112857Sdespam_sm_open_session(pam_handle_t *pamh, int flags __unused, 53112857Sdes int argc __unused, const char *argv[] __unused) 54112857Sdes{ 55113260Sdes const char *dir, *end, *cwd, *user; 56112857Sdes struct passwd *pwd; 57112857Sdes char buf[PATH_MAX]; 58112857Sdes 59112857Sdes if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || 60112857Sdes user == NULL || (pwd = getpwnam(user)) == NULL) 61112857Sdes return (PAM_SESSION_ERR); 62112857Sdes if (pwd->pw_uid == 0 && !openpam_get_option(pamh, "also_root")) 63112857Sdes return (PAM_SUCCESS); 64112857Sdes if (pwd->pw_dir == NULL) 65112857Sdes return (PAM_SESSION_ERR); 66112857Sdes if ((end = strstr(pwd->pw_dir, "/./")) != NULL) { 67112857Sdes if (snprintf(buf, sizeof(buf), "%.*s", 68112857Sdes (int)(end - pwd->pw_dir), pwd->pw_dir) > (int)sizeof(buf)) { 69112857Sdes openpam_log(PAM_LOG_ERROR, 70112857Sdes "%s's home directory is too long", user); 71112857Sdes return (PAM_SESSION_ERR); 72112857Sdes } 73112857Sdes dir = buf; 74113260Sdes cwd = end + 2; 75113260Sdes } else if ((dir = openpam_get_option(pamh, "dir")) != NULL) { 76113260Sdes if ((cwd = openpam_get_option(pamh, "cwd")) == NULL) 77113260Sdes cwd = "/"; 78113260Sdes } else { 79112857Sdes if (openpam_get_option(pamh, "always")) { 80112857Sdes openpam_log(PAM_LOG_ERROR, 81112857Sdes "%s has no chroot directory", user); 82112857Sdes return (PAM_SESSION_ERR); 83112857Sdes } 84112857Sdes return (PAM_SUCCESS); 85112857Sdes } 86112857Sdes 87112857Sdes openpam_log(PAM_LOG_DEBUG, "chrooting %s to %s", dir, user); 88112857Sdes 89112857Sdes if (chroot(dir) == -1) { 90112857Sdes openpam_log(PAM_LOG_ERROR, "chroot(): %m"); 91112857Sdes return (PAM_SESSION_ERR); 92112857Sdes } 93113260Sdes if (chdir(cwd) == -1) { 94113260Sdes openpam_log(PAM_LOG_ERROR, "chdir(): %m"); 95113260Sdes return (PAM_SESSION_ERR); 96113260Sdes } 97114262Sdes pam_setenv(pamh, "HOME", cwd, 1); 98112857Sdes return (PAM_SUCCESS); 99112857Sdes} 100112857Sdes 101112857SdesPAM_EXTERN int 102112857Sdespam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, 103112857Sdes int argc __unused, const char *argv[] __unused) 104112857Sdes{ 105112857Sdes 106112857Sdes return (PAM_SUCCESS); 107112857Sdes} 108112857Sdes 109112857SdesPAM_MODULE_ENTRY("pam_chroot"); 110