179476Smarkm/*- 279476Smarkm * Copyright 2001 Mark R V Murray 379476Smarkm * All rights reserved. 492297Sdes * Copyright (c) 2001 Networks Associates Technology, Inc. 587398Sdes * All rights reserved. 679476Smarkm * 787398Sdes * Portions of this software were developed for the FreeBSD Project by 887398Sdes * ThinkSec AS and NAI Labs, the Security Research Division of Network 987398Sdes * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 1087398Sdes * ("CBOSS"), as part of the DARPA CHATS research program. 1187398Sdes * 1279476Smarkm * Redistribution and use in source and binary forms, with or without 1379476Smarkm * modification, are permitted provided that the following conditions 1479476Smarkm * are met: 1579476Smarkm * 1. Redistributions of source code must retain the above copyright 1679476Smarkm * notice, this list of conditions and the following disclaimer. 1779476Smarkm * 2. Redistributions in binary form must reproduce the above copyright 1879476Smarkm * notice, this list of conditions and the following disclaimer in the 1979476Smarkm * documentation and/or other materials provided with the distribution. 2087398Sdes * 3. The name of the author may not be used to endorse or promote 2187398Sdes * products derived from this software without specific prior written 2287398Sdes * permission. 2379476Smarkm * 2479476Smarkm * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2579476Smarkm * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2679476Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2779476Smarkm * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2879476Smarkm * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2979476Smarkm * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 3079476Smarkm * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3179476Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3279476Smarkm * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3379476Smarkm * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3479476Smarkm * SUCH DAMAGE. 3579476Smarkm */ 3679476Smarkm 3784218Sdillon#include <sys/cdefs.h> 3884218Sdillon__FBSDID("$FreeBSD$"); 3984218Sdillon 4082359Smarkm#include <sys/types.h> 4182359Smarkm#include <sys/stat.h> 4282359Smarkm#include <fcntl.h> 4382359Smarkm#include <login_cap.h> 4482359Smarkm#include <pwd.h> 4579476Smarkm#include <stdio.h> 4679476Smarkm#include <stdlib.h> 4779476Smarkm#include <unistd.h> 4879476Smarkm 49170510Syar#define PAM_SM_ACCOUNT 5087398Sdes 5190229Sdes#include <security/pam_appl.h> 5279476Smarkm#include <security/pam_modules.h> 5390229Sdes#include <security/pam_mod_misc.h> 5479476Smarkm 55170725Syar#define _PATH_NOLOGIN "/var/run/nologin" 5679476Smarkm 57170725Syarstatic char nologin_def[] = _PATH_NOLOGIN; 5889760Smarkm 5979476SmarkmPAM_EXTERN int 60170725Syarpam_sm_acct_mgmt(pam_handle_t *pamh, int flags, 6194564Sdes int argc __unused, const char *argv[] __unused) 6279476Smarkm{ 6382359Smarkm login_cap_t *lc; 6481472Smarkm struct passwd *pwd; 6579476Smarkm struct stat st; 6679476Smarkm int retval, fd; 67170725Syar ssize_t ss; 6882359Smarkm const char *user, *nologin; 6979476Smarkm char *mtmp; 7079476Smarkm 7179476Smarkm retval = pam_get_user(pamh, &user, NULL); 7279476Smarkm if (retval != PAM_SUCCESS) 7394564Sdes return (retval); 7479476Smarkm 7579476Smarkm PAM_LOG("Got user: %s", user); 7679476Smarkm 77170725Syar pwd = getpwnam(user); 78170725Syar if (pwd == NULL) 79170725Syar return (PAM_USER_UNKNOWN); 80170725Syar 81170725Syar /* 82170725Syar * login_getpwclass(3) will select the "root" class by default 83170725Syar * if pwd->pw_uid is 0. That class should have "ignorenologin" 84170725Syar * capability so that super-user can bypass nologin. 85170725Syar */ 86170725Syar lc = login_getpwclass(pwd); 87170725Syar if (lc == NULL) { 88170725Syar PAM_LOG("Unable to get login class for user %s", user); 89170725Syar return (PAM_SERVICE_ERR); 90170725Syar } 91170725Syar 92170725Syar if (login_getcapbool(lc, "ignorenologin", 0)) { 93170725Syar login_close(lc); 94170725Syar return (PAM_SUCCESS); 95170725Syar } 96170725Syar 9789760Smarkm nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def); 9882359Smarkm 9982359Smarkm fd = open(nologin, O_RDONLY, 0); 100170725Syar if (fd < 0) { 101170725Syar login_close(lc); 10294564Sdes return (PAM_SUCCESS); 103170725Syar } 10479476Smarkm 105170725Syar PAM_LOG("Opened %s file", nologin); 10679476Smarkm 107170725Syar if (fstat(fd, &st) == 0) { 108170725Syar mtmp = malloc(st.st_size + 1); 109170725Syar if (mtmp != NULL) { 110170725Syar ss = read(fd, mtmp, st.st_size); 111170725Syar if (ss > 0) { 112170725Syar mtmp[ss] = '\0'; 113170725Syar pam_error(pamh, "%s", mtmp); 114170725Syar } 115170725Syar free(mtmp); 116170725Syar } 11779476Smarkm } 11894564Sdes 119170725Syar PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin); 12079476Smarkm 121170725Syar close(fd); 122170725Syar login_close(lc); 12394564Sdes 124170725Syar return (PAM_AUTH_ERR); 12579476Smarkm} 12679476Smarkm 12779476SmarkmPAM_MODULE_ENTRY("pam_nologin"); 128