pam_group.c revision 110453
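/*-
 * Copyright (c) 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/lib/libpam/modules/pam_group/pam_group.c 110453 2003-02-06 14:24:14Z des $");

#include <sys/types.h>

#include <grp.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define PAM_SM_AUTH

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/openpam.h>

/*
 * Return non-zero if the account described by pwd is a member of grp,
 * either because grp is the account's primary group or because the
 * account name appears in grp's member list.  grp->gr_mem must not be
 * NULL; the caller checks that.
 */
static int
pam_group_is_member(const struct passwd *pwd, const struct group *grp)
{
	char *const *member;

	if (pwd->pw_gid == grp->gr_gid)
		return (1);
	for (member = grp->gr_mem; *member != NULL; ++member)
		if (strcmp(*member, pwd->pw_name) == 0)
			return (1);
	return (0);
}

/*
 * Decide whether the applicant (PAM_RUSER) may authenticate to the target
 * account (PAM_USER) based on membership in a regulating group.
 *
 * Module options:
 *   group=NAME  group whose membership is required; defaults to "wheel"
 *   root_only   only regulate access when the target account is uid 0;
 *               otherwise return PAM_IGNORE
 *   deny        invert the decision: members are refused, non-members pass
 *   fail_safe   if the group does not exist or has no members, treat the
 *               applicant as a member instead of as a non-member
 *
 * Returns PAM_SUCCESS or PAM_AUTH_ERR according to the decision,
 * PAM_IGNORE when root_only applies, and PAM_AUTH_ERR when either the
 * target or the applicant cannot be resolved to an account.
 *
 * Diagnostics go through openpam_log() at debug level rather than to the
 * application's stderr: a PAM module runs inside an arbitrary host process
 * (su, login, sshd, ...) whose stderr may be a user's terminal or closed,
 * and the membership decision should not be echoed there.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
	int argc __unused, const char *argv[] __unused)
{
	const char *group, *user, *ruser;
	struct passwd *pwd;
	struct group *grp;
	int is_member;

	/* get target account */
	if (pam_get_item(pamh, PAM_USER, (const void **)&user) != PAM_SUCCESS
	    || user == NULL || (pwd = getpwnam(user)) == NULL)
		return (PAM_AUTH_ERR);
	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
		return (PAM_IGNORE);

	/* get applicant; pwd now describes the applicant, not the target */
	if (pam_get_item(pamh, PAM_RUSER, (const void **)&ruser) != PAM_SUCCESS
	    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
		return (PAM_AUTH_ERR);

	/* get regulating group */
	if ((group = openpam_get_option(pamh, "group")) == NULL)
		group = "wheel";

	/*
	 * A missing group, a group without a member list, or an empty group
	 * cannot be checked; "fail_safe" decides which way that case falls.
	 */
	if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL
	    || *grp->gr_mem == NULL)
		is_member = openpam_get_option(pamh, "fail_safe") != NULL;
	else
		is_member = pam_group_is_member(pwd, grp);

	openpam_log(PAM_LOG_DEBUG, "%s %s in %s",
	    is_member ? "found" : "couldn't find", ruser, group);

	/* "deny" inverts the decision */
	if (openpam_get_option(pamh, "deny"))
		is_member = !is_member;

	return (is_member ? PAM_SUCCESS : PAM_AUTH_ERR);
}

/*
 * This module establishes no credentials; always succeed so that a
 * "setcred" pass through the stack does not fail on account of it.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
	int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}

PAM_MODULE_ENTRY("pam_group");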