diff options
Diffstat (limited to 'modules/pam_shells/pam_shells.c')
-rw-r--r-- | modules/pam_shells/pam_shells.c | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index e69de29..cce6824 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -0,0 +1,90 @@ +#include <sys/types.h> +#include <sys/stat.h> +#include <stdio.h> +#include <string.h> +#include <sys/stat.h> +#include <pwd.h> + +#define PAM_SM_AUTH + +#include <security/pam_appl.h> +#include <security/pam_modules.h> +#include <security/pam_mod_misc.h> + +#define SHELLS "/etc/shells" + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t * pamh, int flags, + int argc, const char * argv[]) +{ + struct passwd *pwd; + struct stat shellfileinfo; + const char *user; + const char *shell; + char shellfileline[256]; + FILE *shellfile; + int pam_err; + + if ( ( (pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS ) + || ( user == NULL ) ) { + PAM_ERROR("Error recovering username."); + return (pam_err); + } + + if ( (pwd = getpwnam(user)) == NULL ) { + PAM_ERROR("Could not get passwd entry for user [%s]",user); + return (PAM_SERVICE_ERR); + } + + shell = pwd->pw_shell; + + if ( stat(SHELLS, &shellfileinfo) ) { + PAM_ERROR("Could not open SHELLS file :%s", SHELLS); + return (PAM_AUTH_ERR); + } + + if ((shellfileinfo.st_mode & S_IWOTH) || !S_ISREG(shellfileinfo.st_mode)) { + /* File is either world writable or not a regural file */ + PAM_ERROR("SHELLS file cannot be trusted!"); + return (PAM_AUTH_ERR); + } + + /* Open read-only file with shells */ + if ( (shellfile = fopen(SHELLS,"r")) == NULL ) { + PAM_ERROR("Could not open SHELLS file :%s", SHELLS); + return (PAM_SERVICE_ERR); + } + + pam_err = 1; + + /* Search in SHELLS for user shell */ + while (fgets(shellfileline, sizeof(shellfileline)-1, shellfile) != NULL + && pam_err) { + if (shellfileline[strlen(shellfileline) - 1] == '\n') + shellfileline[strlen(shellfileline) - 1] = '\0'; + + pam_err = strcmp(shellfileline, shell); + + } + + fclose(shellfile); + + if (!pam_err) { + /* user shell found in SHELLS. Allow access */ + PAM_LOG("Access granted for %s with shell %s.", user, shell); + return (PAM_SUCCESS); + } + + return (PAM_AUTH_ERR); +} + + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[]) +{ + + return (PAM_SUCCESS); +} + +PAM_MODULE_ENTRY("pam_shells"); |