xref: /netbsd-src/lib/libpam/modules/pam_rhosts/pam_rhosts.c (revision 2a62e4e1adf2bbce8892ea76bdc1ba4d0103e8ab)
1*2a62e4e1Schristos /*	$NetBSD: pam_rhosts.c,v 1.4 2005/04/19 03:15:36 christos Exp $	*/
2e7d22a2eSchristos 
36f11bdf1Schristos /*-
46f11bdf1Schristos  * Copyright (c) 2002 Danny Braniss
56f11bdf1Schristos  * All rights reserved.
66f11bdf1Schristos  * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
76f11bdf1Schristos  * All rights reserved.
86f11bdf1Schristos  *
96f11bdf1Schristos  * Portions of this software were developed for the FreeBSD Project by
106f11bdf1Schristos  * ThinkSec AS and NAI Labs, the Security Research Division of Network
116f11bdf1Schristos  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
126f11bdf1Schristos  * ("CBOSS"), as part of the DARPA CHATS research program.
136f11bdf1Schristos  *
146f11bdf1Schristos  * Redistribution and use in source and binary forms, with or without
156f11bdf1Schristos  * modification, are permitted provided that the following conditions
166f11bdf1Schristos  * are met:
176f11bdf1Schristos  * 1. Redistributions of source code must retain the above copyright
186f11bdf1Schristos  *    notice, this list of conditions and the following disclaimer.
196f11bdf1Schristos  * 2. Redistributions in binary form must reproduce the above copyright
206f11bdf1Schristos  *    notice, this list of conditions and the following disclaimer in the
216f11bdf1Schristos  *    documentation and/or other materials provided with the distribution.
226f11bdf1Schristos  * 3. The name of the author may not be used to endorse or promote
236f11bdf1Schristos  *    products derived from this software without specific prior written
246f11bdf1Schristos  *    permission.
256f11bdf1Schristos  *
266f11bdf1Schristos  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
276f11bdf1Schristos  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
286f11bdf1Schristos  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
296f11bdf1Schristos  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
306f11bdf1Schristos  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
316f11bdf1Schristos  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
326f11bdf1Schristos  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
336f11bdf1Schristos  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
346f11bdf1Schristos  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
356f11bdf1Schristos  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
366f11bdf1Schristos  * SUCH DAMAGE.
376f11bdf1Schristos  */
386f11bdf1Schristos 
396f11bdf1Schristos #include <sys/cdefs.h>
40e7d22a2eSchristos #ifdef __FreeBSD__
416f11bdf1Schristos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_rhosts/pam_rhosts.c,v 1.3 2003/12/11 13:55:16 des Exp $");
42e7d22a2eSchristos #else
43*2a62e4e1Schristos __RCSID("$NetBSD: pam_rhosts.c,v 1.4 2005/04/19 03:15:36 christos Exp $");
44e7d22a2eSchristos #endif
456f11bdf1Schristos 
466f11bdf1Schristos #include <pwd.h>
476f11bdf1Schristos #include <stddef.h>
486f11bdf1Schristos #include <string.h>
496f11bdf1Schristos #include <unistd.h>
506f11bdf1Schristos 
516f11bdf1Schristos #define PAM_SM_AUTH
526f11bdf1Schristos #include <security/pam_appl.h>
536f11bdf1Schristos #include <security/pam_modules.h>
546f11bdf1Schristos #include <security/pam_mod_misc.h>
556f11bdf1Schristos 
566f11bdf1Schristos #define OPT_ALLOW_ROOT "allow_root"
576f11bdf1Schristos 
586f11bdf1Schristos PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)596f11bdf1Schristos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
606f11bdf1Schristos     int argc __unused, const char *argv[] __unused)
616f11bdf1Schristos {
62*2a62e4e1Schristos 	struct passwd *pwd, pwres;
636f11bdf1Schristos 	const char *user;
646f11bdf1Schristos 	const void *ruser, *rhost;
656f11bdf1Schristos 	int err, superuser;
6659cbc9e2Sthorpej 	char pwbuf[1024];
676f11bdf1Schristos 
686f11bdf1Schristos 	err = pam_get_user(pamh, &user, NULL);
696f11bdf1Schristos 	if (err != PAM_SUCCESS)
706f11bdf1Schristos 		return (err);
716f11bdf1Schristos 
72*2a62e4e1Schristos 	if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
73*2a62e4e1Schristos 	    pwd == NULL)
746f11bdf1Schristos 		return (PAM_USER_UNKNOWN);
75*2a62e4e1Schristos 	if (pwd->pw_uid == 0 &&
766f11bdf1Schristos 	    openpam_get_option(pamh, OPT_ALLOW_ROOT) == NULL)
776f11bdf1Schristos 		return (PAM_AUTH_ERR);
786f11bdf1Schristos 
796f11bdf1Schristos 	err = pam_get_item(pamh, PAM_RUSER, &ruser);
806f11bdf1Schristos 	if (err != PAM_SUCCESS)
816f11bdf1Schristos 		return (PAM_AUTH_ERR);
826f11bdf1Schristos 
836f11bdf1Schristos 	err = pam_get_item(pamh, PAM_RHOST, &rhost);
846f11bdf1Schristos 	if (err != PAM_SUCCESS)
856f11bdf1Schristos 		return (PAM_AUTH_ERR);
866f11bdf1Schristos 
876f11bdf1Schristos 	superuser = (strcmp(user, "root") == 0);
886f11bdf1Schristos 	err = ruserok(rhost, superuser, ruser, user);
896f11bdf1Schristos 	if (err != 0)
906f11bdf1Schristos 		return (PAM_AUTH_ERR);
916f11bdf1Schristos 
926f11bdf1Schristos 	return (PAM_SUCCESS);
936f11bdf1Schristos }
946f11bdf1Schristos 
956f11bdf1Schristos PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)966f11bdf1Schristos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
976f11bdf1Schristos     int argc __unused, const char *argv[] __unused)
986f11bdf1Schristos {
996f11bdf1Schristos 
1006f11bdf1Schristos 	return (PAM_SUCCESS);
1016f11bdf1Schristos }
1026f11bdf1Schristos 
1036f11bdf1Schristos PAM_MODULE_ENTRY("pam_rhosts");
104