1242be47eSzrj /*-
2*c98db407SSascha Wildner * SPDX-License-Identifier: BSD-3-Clause
3*c98db407SSascha Wildner *
4242be47eSzrj * Copyright (c) 2001 Mark R V Murray
5242be47eSzrj * All rights reserved.
6242be47eSzrj * Copyright (c) 2001 Networks Associates Technology, Inc.
7242be47eSzrj * All rights reserved.
8242be47eSzrj *
9242be47eSzrj * Portions of this software were developed for the FreeBSD Project by
10242be47eSzrj * ThinkSec AS and NAI Labs, the Security Research Division of Network
11242be47eSzrj * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
12242be47eSzrj * ("CBOSS"), as part of the DARPA CHATS research program.
13242be47eSzrj *
14242be47eSzrj * Redistribution and use in source and binary forms, with or without
15242be47eSzrj * modification, are permitted provided that the following conditions
16242be47eSzrj * are met:
17242be47eSzrj * 1. Redistributions of source code must retain the above copyright
18242be47eSzrj * notice, this list of conditions and the following disclaimer.
19242be47eSzrj * 2. Redistributions in binary form must reproduce the above copyright
20242be47eSzrj * notice, this list of conditions and the following disclaimer in the
21242be47eSzrj * documentation and/or other materials provided with the distribution.
22242be47eSzrj * 3. The name of the author may not be used to endorse or promote
23242be47eSzrj * products derived from this software without specific prior written
24242be47eSzrj * permission.
25242be47eSzrj *
26242be47eSzrj * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27242be47eSzrj * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28242be47eSzrj * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29242be47eSzrj * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30242be47eSzrj * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31242be47eSzrj * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32242be47eSzrj * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33242be47eSzrj * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34242be47eSzrj * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35242be47eSzrj * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36242be47eSzrj * SUCH DAMAGE.
37242be47eSzrj *
38*c98db407SSascha Wildner * $FreeBSD: head/lib/libpam/modules/pam_login_access/pam_login_access.c 326219 2017-11-26 02:00:33Z pfg $
39242be47eSzrj */
40242be47eSzrj
41242be47eSzrj #define _BSD_SOURCE
42242be47eSzrj
43242be47eSzrj #include <sys/param.h>
44242be47eSzrj
45242be47eSzrj #include <syslog.h>
46242be47eSzrj #include <unistd.h>
47242be47eSzrj
48242be47eSzrj #define PAM_SM_ACCOUNT
49242be47eSzrj
50242be47eSzrj #include <security/pam_appl.h>
51242be47eSzrj #include <security/pam_modules.h>
52242be47eSzrj #include <security/pam_mod_misc.h>
53242be47eSzrj
54242be47eSzrj #include "pam_login_access.h"
55242be47eSzrj
56242be47eSzrj PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)57242be47eSzrj pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
58242be47eSzrj int argc __unused, const char *argv[] __unused)
59242be47eSzrj {
60242be47eSzrj const void *rhost, *tty, *user;
61242be47eSzrj char hostname[MAXHOSTNAMELEN];
62242be47eSzrj int pam_err;
63242be47eSzrj
64242be47eSzrj pam_err = pam_get_item(pamh, PAM_USER, &user);
65242be47eSzrj if (pam_err != PAM_SUCCESS)
66242be47eSzrj return (pam_err);
67242be47eSzrj
68242be47eSzrj if (user == NULL)
69242be47eSzrj return (PAM_SERVICE_ERR);
70242be47eSzrj
71242be47eSzrj PAM_LOG("Got user: %s", (const char *)user);
72242be47eSzrj
73242be47eSzrj pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
74242be47eSzrj if (pam_err != PAM_SUCCESS)
75242be47eSzrj return (pam_err);
76242be47eSzrj
77242be47eSzrj pam_err = pam_get_item(pamh, PAM_TTY, &tty);
78242be47eSzrj if (pam_err != PAM_SUCCESS)
79242be47eSzrj return (pam_err);
80242be47eSzrj
81242be47eSzrj gethostname(hostname, sizeof hostname);
82242be47eSzrj
83*c98db407SSascha Wildner if (rhost != NULL && *(const char *)rhost != '\0') {
84*c98db407SSascha Wildner PAM_LOG("Checking login.access for user %s from host %s",
85*c98db407SSascha Wildner (const char *)user, (const char *)rhost);
86*c98db407SSascha Wildner if (login_access(user, rhost) != 0)
87*c98db407SSascha Wildner return (PAM_SUCCESS);
88*c98db407SSascha Wildner PAM_VERBOSE_ERROR("%s is not allowed to log in from %s",
89*c98db407SSascha Wildner (const char *)user, (const char *)rhost);
90*c98db407SSascha Wildner } else if (tty != NULL && *(const char *)tty != '\0') {
91242be47eSzrj PAM_LOG("Checking login.access for user %s on tty %s",
92242be47eSzrj (const char *)user, (const char *)tty);
93242be47eSzrj if (login_access(user, tty) != 0)
94242be47eSzrj return (PAM_SUCCESS);
95242be47eSzrj PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
96242be47eSzrj (const char *)user, (const char *)tty);
97242be47eSzrj } else {
98*c98db407SSascha Wildner PAM_LOG("Checking login.access for user %s",
99*c98db407SSascha Wildner (const char *)user);
100*c98db407SSascha Wildner if (login_access(user, "***unknown***") != 0)
101242be47eSzrj return (PAM_SUCCESS);
102*c98db407SSascha Wildner PAM_VERBOSE_ERROR("%s is not allowed to log in",
103*c98db407SSascha Wildner (const char *)user);
104242be47eSzrj }
105242be47eSzrj
106242be47eSzrj return (PAM_AUTH_ERR);
107242be47eSzrj }
108242be47eSzrj
109242be47eSzrj PAM_MODULE_ENTRY("pam_login_access");
110