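/*-
 * Copyright (c) 2001 Mark R V Murray
 * All rights reserved.
 * Copyright (c) 2001 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: releng/10.3/lib/libpam/modules/pam_securetty/pam_securetty.c 125650 2004-02-10 10:13:21Z des $");

#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <ttyent.h>
#include <string.h>

#define PAM_SM_ACCOUNT

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

#define TTY_PREFIX "/dev/"

/*
 * Account-management hook: root may only proceed when the PAM_TTY item
 * names a terminal flagged "secure" in /etc/ttys (TTY_SECURE); any other
 * user passes unconditionally.
 *
 * Returns PAM_SUCCESS when the policy is satisfied, PAM_SERVICE_ERR when
 * the user cannot be resolved via getpwnam(), PAM_AUTH_ERR when root is
 * not on a secure TTY, or the error code from pam_get_user() /
 * pam_get_item().  A NULL, empty or unknown PAM_TTY item denies root
 * (fail closed).  flags/argc/argv are unused by this module.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	struct passwd *pwd;
	struct ttyent *ty;
	const char *user;
	const void *item;
	const char *tty;
	int pam_err;

	pam_err = pam_get_user(pamh, &user, NULL);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);
	if (user == NULL || (pwd = getpwnam(user)) == NULL)
		return (PAM_SERVICE_ERR);

	PAM_LOG("Got user: %s", user);

	/* If the user is not root, secure ttys do not apply */
	if (pwd->pw_uid != 0)
		return (PAM_SUCCESS);

	pam_err = pam_get_item(pamh, PAM_TTY, &item);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);
	tty = item;

	/* Passing a NULL pointer to "%s" is undefined behaviour. */
	PAM_LOG("Got TTY: %s", tty != NULL ? tty : "(none)");

	/*
	 * Ignore any "/dev/" on the PAM_TTY item.  Compare only the
	 * prefix's characters, not its terminating NUL: a length of
	 * sizeof(TTY_PREFIX) matched only the literal string "/dev/",
	 * so a value such as "/dev/ttyv0" reached getttynam() unstripped
	 * and could never match an /etc/ttys entry.
	 */
	if (tty != NULL &&
	    strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX) - 1) == 0) {
		PAM_LOG("WARNING: PAM_TTY starts with " TTY_PREFIX);
		tty += sizeof(TTY_PREFIX) - 1;
	}

	/*
	 * Fail closed: no TTY item, a TTY absent from /etc/ttys, or one
	 * without the "secure" flag all deny root.
	 */
	if (tty != NULL && (ty = getttynam(tty)) != NULL &&
	    (ty->ty_status & TTY_SECURE) != 0)
		return (PAM_SUCCESS);

	PAM_VERBOSE_ERROR("Not on secure TTY");
	return (PAM_AUTH_ERR);
}

PAM_MODULE_ENTRY("pam_securetty");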