/*-
 * Copyright (c) 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/lib/libpam/modules/pam_group/pam_group.c 123448 2003-12-11 13:55:16Z des $");

#include <sys/types.h>

#include <grp.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define PAM_SM_AUTH

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/openpam.h>

/*
 * Membership test: pwd belongs to grp either through its primary group
 * id or through an explicit entry in the group's member list.  The
 * caller guarantees that grp->gr_mem is a valid, NULL-terminated list.
 *
 * Returns non-zero when pwd is a member, zero otherwise.
 */
static int
pam_group_is_member(const struct passwd *pwd, const struct group *grp)
{
	char *const *member;

	if (pwd->pw_gid == grp->gr_gid)
		return (1);
	for (member = grp->gr_mem; *member != NULL; ++member)
		if (strcmp(*member, pwd->pw_name) == 0)
			return (1);
	return (0);
}

/*
 * Authenticate by group membership.
 *
 * The *applicant* is the account named by the PAM_RUSER item, i.e.
 * whatever name the calling application stored there; this module
 * performs no independent check of that identity, so the application
 * is responsible for deriving PAM_RUSER from credentials it actually
 * verified (for instance the real uid of the process).  The *target*
 * account (pam_get_user) is only consulted for the "root_only" option.
 *
 * Options:
 *   group=NAME   regulating group, "wheel" if absent
 *   root_only    return PAM_IGNORE unless the target account is uid 0
 *   fail_safe    treat a missing or empty group as "member"
 *   deny         invert the result: members are rejected, others pass
 *
 * Returns PAM_SUCCESS, PAM_AUTH_ERR, or PAM_IGNORE (root_only only).
 * Any failure to resolve the target or applicant account yields
 * PAM_AUTH_ERR regardless of "deny" or "fail_safe".
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	const char *group, *user;
	const void *ruser;
	struct passwd *pwd;
	struct group *grp;
	int member;

	/* target account: only needed for the root_only decision */
	if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
		return (PAM_AUTH_ERR);
	pwd = getpwnam(user);
	if (pwd == NULL)
		return (PAM_AUTH_ERR);
	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
		return (PAM_IGNORE);

	/*
	 * applicant: taken verbatim from PAM_RUSER.  This overwrites pwd;
	 * getpwnam() returns static storage, so the target's entry is
	 * not available from here on (and is not needed).
	 */
	if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
	    ruser == NULL)
		return (PAM_AUTH_ERR);
	pwd = getpwnam(ruser);
	if (pwd == NULL)
		return (PAM_AUTH_ERR);

	/* regulating group, defaulting to wheel */
	group = openpam_get_option(pamh, "group");
	if (group == NULL)
		group = "wheel";
	grp = getgrnam(group);

	if (grp == NULL || grp->gr_mem == NULL || *grp->gr_mem == NULL) {
		/*
		 * Missing or empty group: fail_safe decides whether that
		 * counts as membership.  Note that the primary-gid test is
		 * deliberately not applied in this case.
		 */
		member = openpam_get_option(pamh, "fail_safe") != NULL;
	} else {
		member = pam_group_is_member(pwd, grp);
	}

	/* "deny" flips the verdict */
	if (openpam_get_option(pamh, "deny") != NULL)
		member = !member;
	return (member ? PAM_SUCCESS : PAM_AUTH_ERR);
}

/*
 * No credentials are established by this module; always succeeds.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}

PAM_MODULE_ENTRY("pam_group");