[Midnightbsd-cvs] CVS Commit: modules/pam_nologin: Obtained from FreeBSD: pam_nologin(8)

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Sat Aug 18 03:58:02 EDT 2007


Log Message:
-----------
Obtained from FreeBSD:

pam_nologin(8) starts to provide an account management function in
addition to the existing authentication function so that sshd(8) can
respect nologin(5) while the rest of PAM consumers work as earlier.
In turn, sshd(8) starts to use the new account management function
in pam_nologin(8) and thus respect nologin(5) even when doing public
key authentication with sshd's internal routines (PAM authentication
isn't called at all in that case).

Modified Files:
--------------
    src/lib/libpam/modules/pam_nologin:
        Makefile (r1.1.1.1 -> r1.2)
        pam_nologin.8 (r1.1.1.1 -> r1.2)
        pam_nologin.c (r1.1.1.1 -> r1.2)

Index: pam_nologin.c
===================================================================
RCS file: /home/cvs/src/lib/libpam/modules/pam_nologin/pam_nologin.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -Llib/libpam/modules/pam_nologin/pam_nologin.c -Llib/libpam/modules/pam_nologin/pam_nologin.c -u -r1.1.1.1 -r1.2
--- lib/libpam/modules/pam_nologin/pam_nologin.c
+++ lib/libpam/modules/pam_nologin/pam_nologin.c
@@ -1,3 +1,4 @@
+/* $MidnightBSD$ */
 /*-
  * Copyright 2001 Mark R V Murray
  * All rights reserved.
@@ -47,23 +48,24 @@
 #include <unistd.h>
 
 #define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
 
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
 
-#define	NOLOGIN	"/var/run/nologin"
+#define	_PATH_NOLOGIN	"/var/run/nologin"
 
-static char nologin_def[] = NOLOGIN;
+static char nologin_def[] = _PATH_NOLOGIN;
 
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
-    int argc __unused, const char *argv[] __unused)
+static int
+pam_nologin_check(pam_handle_t *pamh, int flags)
 {
 	login_cap_t *lc;
 	struct passwd *pwd;
 	struct stat st;
 	int retval, fd;
+	ssize_t ss;
 	const char *user, *nologin;
 	char *mtmp;
 
@@ -73,42 +75,76 @@
 
 	PAM_LOG("Got user: %s", user);
 
-	lc = login_getclass(NULL);
+	pwd = getpwnam(user);
+	if (pwd == NULL)
+		return (PAM_USER_UNKNOWN);
+
+	/*
+	 * Old bug compatibility in RELENG_6: always let root in.
+	 */
+	if (pwd->pw_uid == 0)
+		return (PAM_SUCCESS);
+
+	/*
+	 * login_getpwclass(3) will select the "root" class by default
+	 * if pwd->pw_uid is 0.  That class should have "ignorenologin"
+	 * capability so that super-user can bypass nologin.
+	 */
+	lc = login_getpwclass(pwd);
+	if (lc == NULL) {
+		PAM_LOG("Unable to get login class for user %s", user);
+		return (PAM_SERVICE_ERR);
+	}
+
+	if (login_getcapbool(lc, "ignorenologin", 0)) {
+		login_close(lc);
+		return (PAM_SUCCESS);
+	}
+
 	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
-	login_close(lc);
-	lc = NULL;
 
 	fd = open(nologin, O_RDONLY, 0);
-	if (fd < 0)
+	if (fd < 0) {
+		login_close(lc);
 		return (PAM_SUCCESS);
+	}
 
-	PAM_LOG("Opened %s file", NOLOGIN);
+	PAM_LOG("Opened %s file", nologin);
 
-	pwd = getpwnam(user);
-	if (pwd && pwd->pw_uid == 0)
-		retval = PAM_SUCCESS;
-	else {
-		if (!pwd)
-			retval = PAM_USER_UNKNOWN;
-		else
-			retval = PAM_AUTH_ERR;
+	if (fstat(fd, &st) == 0) {
+		mtmp = malloc(st.st_size + 1);
+		if (mtmp != NULL) {
+			ss = read(fd, mtmp, st.st_size);
+			if (ss > 0) {
+				mtmp[ss] = '\0';
+				pam_error(pamh, "%s", mtmp);
+			}
+			free(mtmp);
+		}
 	}
 
-	if (fstat(fd, &st) < 0)
-		return (retval);
+	PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
 
-	mtmp = malloc(st.st_size + 1);
-	if (mtmp != NULL) {
-		read(fd, mtmp, st.st_size);
-		mtmp[st.st_size] = '\0';
-		pam_error(pamh, "%s", mtmp, NULL);
-		free(mtmp);
-	}
+	close(fd);
+	login_close(lc);
 
-	if (retval != PAM_SUCCESS)
-		PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN);
+	return (PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc __unused, const char *argv[] __unused)
+{
+
+	return (pam_nologin_check(pamh, flags));
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+    int argc __unused, const char *argv[] __unused)
+{
 
-	return (retval);
+	return (pam_nologin_check(pamh, flags));
 }
 
 PAM_EXTERN int
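Review bot: The unconditional success returned at the `pwd->pw_uid == 0` check means the `ignorenologin` capability lookup that follows never applies to root, so the comment above `login_getpwclass` describes a path root cannot reach, while the manual page hunk (lines 192–257) no longer states that the superuser always succeeds. Either the shortcut should go so that root is governed by its login class like every other account, or the manual should keep saying root always succeeds; at minimum the code comment should say so explicitly, e.g. `/* root is admitted here unconditionally; the "ignorenologin" class check below only affects other users */`. The "RELENG_6" reference is a FreeBSD branch name with no meaning in this tree, so the comment should be reworded if the shortcut stays. The `flags` parameter appears to be consumed only through the `PAM_VERBOSE_ERROR` macro rather than by name in this body — worth confirming, since the compiler would otherwise warn about an unused parameter. The `pam_get_user` portion of the function (old lines 70–74) is outside this hunk, and the function beginning at the final `PAM_EXTERN int` line continues past it.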
Index: pam_nologin.8
===================================================================
RCS file: /home/cvs/src/lib/libpam/modules/pam_nologin/pam_nologin.8,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -Llib/libpam/modules/pam_nologin/pam_nologin.8 -Llib/libpam/modules/pam_nologin/pam_nologin.8 -u -r1.1.1.1 -r1.2
--- lib/libpam/modules/pam_nologin/pam_nologin.8
+++ lib/libpam/modules/pam_nologin/pam_nologin.8
@@ -22,9 +22,10 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
+.\" $MidnightBSD$
 .\" $FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.8,v 1.5 2001/08/26 18:05:35 markm Exp $
 .\"
-.Dd July 8, 2001
+.Dd August 18, 2007
 .Dt PAM_NOLOGIN 8
 .Os
 .Sh NAME
@@ -37,39 +38,42 @@
 .Pa pam_nologin
 .Op Ar options
 .Sh DESCRIPTION
-The NoLogin authentication service module for PAM,
+The NoLogin service module for PAM,
 .Nm
-provides functionality for only one PAM category:
-authentication.
+provides the same functionality for two PAM categories:
+authentication and account management.
 In terms of the
 .Ar module-type
-parameter, this is the
+parameter, those are the
 .Dq Li auth
-feature.
+and
+.Dq Li account
+features.
 It also provides a null function for session management.
 .Ss NoLogin Authentication Module
-The NoLogin authentication component
-.Pq Fn pam_sm_authenticate ,
-always returns success for the superuser,
-and returns success for all other users
-if the file
-.Pa /var/run/nologin
-does not exist.
-If
-.Pa /var/run/nologin
-does exist,
-then its contents are echoed
-to non-superusers
+The NoLogin authentication component,
+.Fn pam_sm_authenticate ,
+verifies whether logins are administratively disabled via
+.Xr nologin 5 .
+It returns success if the user's login class has an "ignorenologin"
+capability specified in
+.Xr login.conf 5
+or the
+.Xr nologin 5
+file does not exist.
+If neither condition is met,
+then the contents of
+.Xr nologin 5
+are echoed
 before failure is returned.
-If a "nologin" capability
-is specified in
+The location of
+.Xr nologin 5
+is specified by a "nologin" capability in
 .Xr login.conf 5 ,
-then the file thus specified
-is used instead.
-This usually defaults to
+which defaults to
 .Pa /var/run/nologin .
 .Pp
-The following options may be passed to the authentication module:
+The following options may be passed to the module:
 .Bl -tag -width ".Cm no_warn"
 .It Cm debug
 .Xr syslog 3
@@ -80,8 +84,15 @@
 suppress warning messages to the user.
 These messages include
 reasons why the user's
-authentication attempt was declined.
+login attempt was declined.
 .El
+.Ss NoLogin Account Management Module
+The NoLogin account management component,
+.Fn pam_sm_acct_mgmt , 
+returns the same value as the NoLogin authentication component
+would return.
+This component can be used to provide the NoLogin functionality
+to services that skip PAM authentication.
 .Sh SEE ALSO
 .Xr syslog 3 ,
 .Xr login.conf 5 ,
Index: Makefile
===================================================================
RCS file: /home/cvs/src/lib/libpam/modules/pam_nologin/Makefile,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -Llib/libpam/modules/pam_nologin/Makefile -Llib/libpam/modules/pam_nologin/Makefile -u -r1.1.1.1 -r1.2
--- lib/libpam/modules/pam_nologin/Makefile
+++ lib/libpam/modules/pam_nologin/Makefile
@@ -22,6 +22,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
+# $MidnightBSD$
 # $FreeBSD: src/lib/libpam/modules/pam_nologin/Makefile,v 1.7 2003/03/09 20:06:36 obrien Exp $
 
 LIB=	pam_nologin

