1 /*        $NetBSD: pam_nologin.c,v 1.10 2013/12/29 22:54:58 christos Exp $      */
2 
3 /*-
4  * Copyright 2001 Mark R V Murray
5  * All rights reserved.
6  * Copyright (c) 2001 Networks Associates Technology, Inc.
7  * All rights reserved.
8  *
9  * Portions of this software were developed for the FreeBSD Project by
10  * ThinkSec AS and NAI Labs, the Security Research Division of Network
11  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
12  * ("CBOSS"), as part of the DARPA CHATS research program.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. The name of the author may not be used to endorse or promote
23  *    products derived from this software without specific prior written
24  *    permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  */
38 
39 #include <sys/cdefs.h>
40 #ifdef __FreeBSD__
41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.10 2002/04/12 22:27:21 des Exp $");
42 #else
43 __RCSID("$NetBSD: pam_nologin.c,v 1.10 2013/12/29 22:54:58 christos Exp $");
44 #endif
45 
46 
47 #include <sys/types.h>
48 #include <sys/stat.h>
49 #include <fcntl.h>
50 #include <login_cap.h>
51 #include <pwd.h>
52 #include <errno.h>
53 #include <string.h>
54 #include <stdio.h>
55 #include <stdlib.h>
56 #include <unistd.h>
57 
58 #define PAM_SM_AUTH
59 
60 #include <security/pam_appl.h>
61 #include <security/pam_modules.h>
62 #include <security/pam_mod_misc.h>
63 
64 #define   NOLOGIN   "/etc/nologin"
65 
66 static char nologin_def[] = NOLOGIN;
67 
68 PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)69 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
70     int argc __unused, const char *argv[] __unused)
71 {
72           login_cap_t *lc;
73           struct passwd *pwd, pwres;
74           struct stat st;
75           int retval, fd;
76           int ignorenologin = 0;
77           u_int rootlogin = 0;
78           const char *user, *nologin;
79           char *mtmp;
80           char pwbuf[1024];
81 
82           if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
83                     return retval;
84 
85           PAM_LOG("Got user: %s", user);
86 
87           /*
88            * For root, the default is to ignore nologin, but the
89            * ignorenologin capability can override this, so we
90            * set the default appropriately.
91            *
92            * Do not allow login of unexisting users, so that a directory
93            * failure will not cause the nologin capability to be ignored.
94            */
95           if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
96               pwd == NULL) {
97                     return PAM_USER_UNKNOWN;
98           } else {
99                     if (pwd->pw_uid == 0)
100                               rootlogin = 1;
101           }
102 
103           lc = login_getpwclass(pwd);
104           ignorenologin = login_getcapbool(lc, "ignorenologin", rootlogin);
105           nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
106           login_close(lc);
107           lc = NULL;
108 
109           if (ignorenologin)
110                     return PAM_SUCCESS;
111 
112           if ((fd = open(nologin, O_RDONLY, 0)) == -1) {
113                     /*
114                      * The file does not exist, login is granted
115                      */
116                     if (errno == ENOENT)
117                               return PAM_SUCCESS;
118 
119                     /*
120                      * open failed, but the file exists. This could be
121                      * a temporary problem (system resources exausted):
122                      * Refuse the login.
123                      */
124                     PAM_LOG("Cannot open %s file: %s", nologin, strerror(errno));
125                     return PAM_AUTH_ERR;
126           }
127 
128           PAM_LOG("Opened %s file", nologin);
129 
130           if (fstat(fd, &st) < 0) {
131                     close(fd);
132                     return PAM_AUTH_ERR;
133           }
134 
135           size_t len = (size_t)st.st_size;
136           mtmp = malloc(len + 1);
137           if (mtmp != NULL) {
138                     read(fd, mtmp, len);
139                     mtmp[len] = '\0';
140                     pam_error(pamh, "%s", mtmp);
141                     free(mtmp);
142           }
143           close(fd);
144 
145           PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
146 
147           return PAM_AUTH_ERR;
148 }
149 
150 PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)151 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
152     int argc __unused, const char *argv[] __unused)
153 {
154 
155           return (PAM_SUCCESS);
156 }
157 
158 PAM_MODULE_ENTRY("pam_nologin");
159