1*2a62e4e1Schristos /* $NetBSD: pam_rhosts.c,v 1.4 2005/04/19 03:15:36 christos Exp $ */
2e7d22a2eSchristos
36f11bdf1Schristos /*-
46f11bdf1Schristos * Copyright (c) 2002 Danny Braniss
56f11bdf1Schristos * All rights reserved.
66f11bdf1Schristos * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
76f11bdf1Schristos * All rights reserved.
86f11bdf1Schristos *
96f11bdf1Schristos * Portions of this software were developed for the FreeBSD Project by
106f11bdf1Schristos * ThinkSec AS and NAI Labs, the Security Research Division of Network
116f11bdf1Schristos * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
126f11bdf1Schristos * ("CBOSS"), as part of the DARPA CHATS research program.
136f11bdf1Schristos *
146f11bdf1Schristos * Redistribution and use in source and binary forms, with or without
156f11bdf1Schristos * modification, are permitted provided that the following conditions
166f11bdf1Schristos * are met:
176f11bdf1Schristos * 1. Redistributions of source code must retain the above copyright
186f11bdf1Schristos * notice, this list of conditions and the following disclaimer.
196f11bdf1Schristos * 2. Redistributions in binary form must reproduce the above copyright
206f11bdf1Schristos * notice, this list of conditions and the following disclaimer in the
216f11bdf1Schristos * documentation and/or other materials provided with the distribution.
226f11bdf1Schristos * 3. The name of the author may not be used to endorse or promote
236f11bdf1Schristos * products derived from this software without specific prior written
246f11bdf1Schristos * permission.
256f11bdf1Schristos *
266f11bdf1Schristos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
276f11bdf1Schristos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
286f11bdf1Schristos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
296f11bdf1Schristos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
306f11bdf1Schristos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
316f11bdf1Schristos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
326f11bdf1Schristos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
336f11bdf1Schristos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
346f11bdf1Schristos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
356f11bdf1Schristos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
366f11bdf1Schristos * SUCH DAMAGE.
376f11bdf1Schristos */
386f11bdf1Schristos
396f11bdf1Schristos #include <sys/cdefs.h>
40e7d22a2eSchristos #ifdef __FreeBSD__
416f11bdf1Schristos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_rhosts/pam_rhosts.c,v 1.3 2003/12/11 13:55:16 des Exp $");
42e7d22a2eSchristos #else
43*2a62e4e1Schristos __RCSID("$NetBSD: pam_rhosts.c,v 1.4 2005/04/19 03:15:36 christos Exp $");
44e7d22a2eSchristos #endif
456f11bdf1Schristos
466f11bdf1Schristos #include <pwd.h>
476f11bdf1Schristos #include <stddef.h>
486f11bdf1Schristos #include <string.h>
496f11bdf1Schristos #include <unistd.h>
506f11bdf1Schristos
516f11bdf1Schristos #define PAM_SM_AUTH
526f11bdf1Schristos #include <security/pam_appl.h>
536f11bdf1Schristos #include <security/pam_modules.h>
546f11bdf1Schristos #include <security/pam_mod_misc.h>
556f11bdf1Schristos
566f11bdf1Schristos #define OPT_ALLOW_ROOT "allow_root"
576f11bdf1Schristos
586f11bdf1Schristos PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)596f11bdf1Schristos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
606f11bdf1Schristos int argc __unused, const char *argv[] __unused)
616f11bdf1Schristos {
62*2a62e4e1Schristos struct passwd *pwd, pwres;
636f11bdf1Schristos const char *user;
646f11bdf1Schristos const void *ruser, *rhost;
656f11bdf1Schristos int err, superuser;
6659cbc9e2Sthorpej char pwbuf[1024];
676f11bdf1Schristos
686f11bdf1Schristos err = pam_get_user(pamh, &user, NULL);
696f11bdf1Schristos if (err != PAM_SUCCESS)
706f11bdf1Schristos return (err);
716f11bdf1Schristos
72*2a62e4e1Schristos if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
73*2a62e4e1Schristos pwd == NULL)
746f11bdf1Schristos return (PAM_USER_UNKNOWN);
75*2a62e4e1Schristos if (pwd->pw_uid == 0 &&
766f11bdf1Schristos openpam_get_option(pamh, OPT_ALLOW_ROOT) == NULL)
776f11bdf1Schristos return (PAM_AUTH_ERR);
786f11bdf1Schristos
796f11bdf1Schristos err = pam_get_item(pamh, PAM_RUSER, &ruser);
806f11bdf1Schristos if (err != PAM_SUCCESS)
816f11bdf1Schristos return (PAM_AUTH_ERR);
826f11bdf1Schristos
836f11bdf1Schristos err = pam_get_item(pamh, PAM_RHOST, &rhost);
846f11bdf1Schristos if (err != PAM_SUCCESS)
856f11bdf1Schristos return (PAM_AUTH_ERR);
866f11bdf1Schristos
876f11bdf1Schristos superuser = (strcmp(user, "root") == 0);
886f11bdf1Schristos err = ruserok(rhost, superuser, ruser, user);
896f11bdf1Schristos if (err != 0)
906f11bdf1Schristos return (PAM_AUTH_ERR);
916f11bdf1Schristos
926f11bdf1Schristos return (PAM_SUCCESS);
936f11bdf1Schristos }
946f11bdf1Schristos
956f11bdf1Schristos PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)966f11bdf1Schristos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
976f11bdf1Schristos int argc __unused, const char *argv[] __unused)
986f11bdf1Schristos {
996f11bdf1Schristos
1006f11bdf1Schristos return (PAM_SUCCESS);
1016f11bdf1Schristos }
1026f11bdf1Schristos
1036f11bdf1Schristos PAM_MODULE_ENTRY("pam_rhosts");
104