1 /* $NetBSD: pam_lastlog.c,v 1.15 2014/01/07 02:07:43 joerg Exp $ */
2
3 /*-
4 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 * Copyright (c) 2001 Mark R V Murray
7 * All rights reserved.
8 * Copyright (c) 2001 Networks Associates Technology, Inc.
9 * All rights reserved.
10 * Copyright (c) 2004 Joe R. Doupnik
11 * All rights reserved.
12 *
13 * Portions of this software were developed for the FreeBSD Project by
14 * ThinkSec AS and NAI Labs, the Security Research Division of Network
15 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
16 * ("CBOSS"), as part of the DARPA CHATS research program.
17 *
18 * Redistribution and use in source and binary forms, with or without
19 * modification, are permitted provided that the following conditions
20 * are met:
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
26 * 3. The name of the author may not be used to endorse or promote
27 * products derived from this software without specific prior written
28 * permission.
29 * 4. Neither the name of the University nor the names of its contributors
30 * may be used to endorse or promote products derived from this software
31 * without specific prior written permission.
32 *
33 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
34 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
35 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
36 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
37 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
38 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
39 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
40 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
41 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
42 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43 * SUCH DAMAGE.
44 */
45
46 #include <sys/cdefs.h>
47 #ifdef __FreeBSD__
48 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_lastlog/pam_lastlog.c,v 1.20 2004/01/26 19:28:37 des Exp $");
49 #else
50 __RCSID("$NetBSD: pam_lastlog.c,v 1.15 2014/01/07 02:07:43 joerg Exp $");
51 #endif
52
53 #include <sys/param.h>
54
55 #include <fcntl.h>
56 #include <util.h>
57 #include <paths.h>
58 #include <pwd.h>
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 #include <syslog.h>
63 #include <errno.h>
64 #include <time.h>
65 #include <unistd.h>
66 #include <stdarg.h>
67 #ifdef LOGIN_CAP
68 #include <login_cap.h>
69 #endif
70
71 #define PAM_SM_SESSION
72
73 #include <security/pam_appl.h>
74 #include <security/pam_modules.h>
75 #include <security/pam_mod_misc.h>
76
77 #ifdef SUPPORT_UTMP
78 #include <utmp.h>
79 static void doutmp(const char *, const char *, const char *,
80 const struct timeval *);
81 static void dolastlog(pam_handle_t *, int, const struct passwd *, const char *,
82 const char *, const struct timeval *);
83 #endif
84
85 #ifdef SUPPORT_UTMPX
86 #include <utmpx.h>
87 static void doutmpx(const char *, const char *, const char *,
88 const struct sockaddr_storage *ss, const struct timeval *);
89 static void dolastlogx(pam_handle_t *, int, const struct passwd *, const char *,
90 const char *, const struct sockaddr_storage *ss, const struct timeval *);
91 #endif
92
93 #if defined(SUPPORT_UTMPX) || defined(SUPPORT_UTMP)
94 static void domsg(pam_handle_t *, time_t, const char *, size_t, const char *,
95 size_t);
96 #endif
97
98 __printflike(2, 3)
99 static void
logit(int level,const char * fmt,...)100 logit(int level, const char *fmt, ...)
101 {
102 va_list ap;
103 struct syslog_data data = SYSLOG_DATA_INIT;
104
105 openlog_r("pam_lastlog", LOG_PID, LOG_AUTHPRIV, &data);
106 va_start(ap, fmt);
107 vsyslog_r(level, &data, fmt, ap);
108 va_end(ap);
109 closelog_r(&data);
110 }
111
112
113 PAM_EXTERN int
pam_sm_open_session(pam_handle_t * pamh,int flags,int argc __unused,const char * argv[]__unused)114 pam_sm_open_session(pam_handle_t *pamh, int flags,
115 int argc __unused, const char *argv[] __unused)
116 {
117 struct passwd *pwd, pwres;
118 struct timeval now;
119 const char *user, *rhost, *tty, *nuser;
120 const void *vrhost, *vtty, *vss, *vnuser;
121 const struct sockaddr_storage *ss;
122 int pam_err;
123 char pwbuf[1024];
124 #ifdef LOGIN_CAP
125 login_cap_t *lc;
126 #endif
127
128 pam_err = pam_get_user(pamh, &user, NULL);
129 if (pam_err != PAM_SUCCESS)
130 return pam_err;
131
132 if (user == NULL ||
133 getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
134 pwd == NULL)
135 return PAM_SERVICE_ERR;
136
137 PAM_LOG("Got user: %s", user);
138
139 pam_err = pam_get_item(pamh, PAM_RHOST, &vrhost);
140 if (pam_err != PAM_SUCCESS)
141 goto err;
142 rhost = (const char *)vrhost;
143
144 pam_err = pam_get_item(pamh, PAM_SOCKADDR, &vss);
145 if (pam_err != PAM_SUCCESS)
146 goto err;
147 ss = (const struct sockaddr_storage *)vss;
148
149 pam_err = pam_get_item(pamh, PAM_TTY, &vtty);
150 if (pam_err != PAM_SUCCESS)
151 goto err;
152 tty = (const char *)vtty;
153
154 if (tty == NULL) {
155 pam_err = PAM_SERVICE_ERR;
156 goto err;
157 }
158
159 if (pam_get_item(pamh, PAM_NUSER, &vnuser) != PAM_SUCCESS)
160 nuser = NULL;
161 else
162 nuser = (const char *)vnuser;
163
164 if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
165 tty = tty + strlen(_PATH_DEV);
166
167 if (*tty == '\0') {
168 pam_err = PAM_SERVICE_ERR;
169 goto err;
170 }
171
172 (void)gettimeofday(&now, NULL);
173
174 if (openpam_get_option(pamh, "no_nested") == NULL || nuser == NULL) {
175 int quiet;
176 if ((flags & PAM_SILENT) != 0)
177 quiet = 1;
178 else {
179 #ifdef LOGIN_CAP
180 lc = login_getpwclass(pwd);
181 quiet = login_getcapbool(lc, "hushlogin", 0);
182 login_close(lc);
183 #else
184 quiet = 0;
185 #endif
186 }
187 #ifdef SUPPORT_UTMPX
188 doutmpx(user, rhost, tty, ss, &now);
189 dolastlogx(pamh, quiet, pwd, rhost, tty, ss, &now);
190 quiet = 1;
191 #endif
192 #ifdef SUPPORT_UTMP
193 doutmp(user, rhost, tty, &now);
194 dolastlog(pamh, quiet, pwd, rhost, tty, &now);
195 #endif
196 }
197 err:
198 if (openpam_get_option(pamh, "no_fail"))
199 return PAM_SUCCESS;
200 return pam_err;
201 }
202
203 PAM_EXTERN int
pam_sm_close_session(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)204 pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
205 int argc __unused, const char *argv[] __unused)
206 {
207 const void *vtty, *vnuser;
208 const char *tty, *nuser;
209
210 if (pam_get_item(pamh, PAM_NUSER, &vnuser) != PAM_SUCCESS)
211 nuser = NULL;
212 else
213 nuser = (const char *)vnuser;
214
215 pam_get_item(pamh, PAM_TTY, &vtty);
216 if (vtty == NULL)
217 return PAM_SERVICE_ERR;
218 tty = (const char *)vtty;
219
220 if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
221 tty = tty + strlen(_PATH_DEV);
222
223 if (*tty == '\0')
224 return PAM_SERVICE_ERR;
225
226 if (openpam_get_option(pamh, "no_nested") == NULL || nuser == NULL) {
227
228 #ifdef SUPPORT_UTMPX
229 if (logoutx(tty, 0, DEAD_PROCESS))
230 logwtmpx(tty, "", "", 0, DEAD_PROCESS);
231 else
232 logit(LOG_NOTICE, "%s(): no utmpx record for %s",
233 __func__, tty);
234 #endif
235
236 #ifdef SUPPORT_UTMP
237 if (logout(tty))
238 logwtmp(tty, "", "");
239 else
240 logit(LOG_NOTICE, "%s(): no utmp record for %s",
241 __func__, tty);
242 #endif
243 }
244 return PAM_SUCCESS;
245 }
246
247 #if defined(SUPPORT_UTMPX) || defined(SUPPORT_UTMP)
248 static void
domsg(pam_handle_t * pamh,time_t t,const char * host,size_t hsize,const char * line,size_t lsize)249 domsg(pam_handle_t *pamh, time_t t, const char *host, size_t hsize,
250 const char *line, size_t lsize)
251 {
252 char buf[MAXHOSTNAMELEN + 32], *promptresp = NULL;
253 int pam_err;
254
255 if (*host) {
256 (void)snprintf(buf, sizeof(buf), "from %.*s ",
257 (int)hsize, host);
258 host = buf;
259 }
260
261 pam_err = pam_prompt(pamh, PAM_TEXT_INFO, &promptresp,
262 "Last login: %.24s %son %.*s\n", ctime(&t), host, (int)lsize, line);
263
264 if (pam_err == PAM_SUCCESS && promptresp)
265 free(promptresp);
266 }
267 #endif
268
269 #ifdef SUPPORT_UTMPX
270 static void
doutmpx(const char * username,const char * hostname,const char * tty,const struct sockaddr_storage * ss,const struct timeval * now)271 doutmpx(const char *username, const char *hostname, const char *tty,
272 const struct sockaddr_storage *ss, const struct timeval *now)
273 {
274 struct utmpx utmpx;
275 const char *t;
276
277 memset((void *)&utmpx, 0, sizeof(utmpx));
278 utmpx.ut_tv = *now;
279 (void)strncpy(utmpx.ut_name, username, sizeof(utmpx.ut_name));
280 if (hostname) {
281 (void)strncpy(utmpx.ut_host, hostname, sizeof(utmpx.ut_host));
282 if (ss)
283 utmpx.ut_ss = *ss;
284 }
285 (void)strncpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
286 utmpx.ut_type = USER_PROCESS;
287 utmpx.ut_pid = getpid();
288 t = tty + strlen(tty);
289 if ((size_t)(t - tty) >= sizeof(utmpx.ut_id)) {
290 (void)strncpy(utmpx.ut_id, t - sizeof(utmpx.ut_id),
291 sizeof(utmpx.ut_id));
292 } else {
293 (void)strncpy(utmpx.ut_id, tty, sizeof(utmpx.ut_id));
294 }
295 if (pututxline(&utmpx) == NULL)
296 logit(LOG_NOTICE, "Cannot update utmpx: %s", strerror(errno));
297 endutxent();
298 if (updwtmpx(_PATH_WTMPX, &utmpx) != 0)
299 logit(LOG_NOTICE, "Cannot update wtmpx: %s", strerror(errno));
300 }
301
302 static void
dolastlogx(pam_handle_t * pamh,int quiet,const struct passwd * pwd,const char * hostname,const char * tty,const struct sockaddr_storage * ss,const struct timeval * now)303 dolastlogx(pam_handle_t *pamh, int quiet, const struct passwd *pwd,
304 const char *hostname, const char *tty, const struct sockaddr_storage *ss,
305 const struct timeval *now)
306 {
307 struct lastlogx ll;
308 if (!quiet) {
309 if (getlastlogx(_PATH_LASTLOGX, pwd->pw_uid, &ll) != NULL)
310 domsg(pamh, (time_t)ll.ll_tv.tv_sec, ll.ll_host,
311 sizeof(ll.ll_host), ll.ll_line,
312 sizeof(ll.ll_line));
313 }
314 ll.ll_tv = *now;
315 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
316
317 if (hostname)
318 (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
319 else
320 (void)memset(ll.ll_host, 0, sizeof(ll.ll_host));
321
322 if (ss)
323 ll.ll_ss = *ss;
324 else
325 (void)memset(&ll.ll_ss, 0, sizeof(ll.ll_ss));
326
327 if (updlastlogx(_PATH_LASTLOGX, pwd->pw_uid, &ll) != 0)
328 logit(LOG_NOTICE, "Cannot update lastlogx: %s", strerror(errno));
329 PAM_LOG("Login recorded in %s", _PATH_LASTLOGX);
330 }
331 #endif
332
333 #ifdef SUPPORT_UTMP
334 static void
doutmp(const char * username,const char * hostname,const char * tty,const struct timeval * now)335 doutmp(const char *username, const char *hostname, const char *tty,
336 const struct timeval *now)
337 {
338 struct utmp utmp;
339
340 (void)memset((void *)&utmp, 0, sizeof(utmp));
341 utmp.ut_time = now->tv_sec;
342 (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
343 if (hostname)
344 (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
345 (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
346 login(&utmp);
347 }
348
349 static void
dolastlog(pam_handle_t * pamh,int quiet,const struct passwd * pwd,const char * hostname,const char * tty,const struct timeval * now)350 dolastlog(pam_handle_t *pamh, int quiet, const struct passwd *pwd,
351 const char *hostname, const char *tty, const struct timeval *now)
352 {
353 struct lastlog ll;
354 int fd;
355
356 if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) == -1) {
357 logit(LOG_NOTICE, "Cannot open `%s': %s", _PATH_LASTLOG,
358 strerror(errno));
359 return;
360 }
361 (void)lseek(fd, (off_t)(pwd->pw_uid * sizeof(ll)), SEEK_SET);
362
363 if (!quiet) {
364 if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
365 ll.ll_time != 0)
366 domsg(pamh, ll.ll_time, ll.ll_host,
367 sizeof(ll.ll_host), ll.ll_line,
368 sizeof(ll.ll_line));
369 (void)lseek(fd, (off_t)(pwd->pw_uid * sizeof(ll)), SEEK_SET);
370 }
371
372 ll.ll_time = now->tv_sec;
373 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
374
375 if (hostname)
376 (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
377 else
378 (void)memset(ll.ll_host, 0, sizeof(ll.ll_host));
379
380 (void)write(fd, &ll, sizeof(ll));
381 (void)close(fd);
382
383 PAM_LOG("Login recorded in %s", _PATH_LASTLOG);
384 }
385 #endif
386
387 PAM_MODULE_ENTRY("pam_lastlog");
388