1 /*-
2 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
3 * The Regents of the University of California. All rights reserved.
4 * Copyright (c) 2001 Mark R V Murray
5 * All rights reserved.
6 * Copyright (c) 2001 Networks Associates Technology, Inc.
7 * All rights reserved.
8 * Copyright (c) 2004 Joe R. Doupnik
9 * All rights reserved.
10 *
11 * Portions of this software were developed for the FreeBSD Project by
12 * ThinkSec AS and NAI Labs, the Security Research Division of Network
13 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
14 * ("CBOSS"), as part of the DARPA CHATS research program.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
24 * 3. The name of the author may not be used to endorse or promote
25 * products derived from this software without specific prior written
26 * permission.
27 * 4. Neither the name of the University nor the names of its contributors
28 * may be used to endorse or promote products derived from this software
29 * without specific prior written permission.
30 *
31 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
32 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
33 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
34 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
35 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
36 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
37 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
39 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
40 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 * SUCH DAMAGE.
42 *
43 * $FreeBSD: src/lib/libpam/modules/pam_lastlog/pam_lastlog.c,v 1.23 2007/07/22 15:17:29 des Exp $
44 */
45
46 #define _BSD_SOURCE
47
48 #include <sys/param.h>
49
50 #include <fcntl.h>
51 #include <libutil.h>
52 #include <paths.h>
53 #include <pwd.h>
54 #include <stdio.h>
55 #include <stdlib.h>
56 #include <string.h>
57 #include <syslog.h>
58 #include <time.h>
59 #include <unistd.h>
60 #include <utmpx.h>
61
62 #define PAM_SM_SESSION
63
64 #include <security/pam_appl.h>
65 #include <security/pam_modules.h>
66 #include <security/pam_mod_misc.h>
67
68 static void doutmpx(const char *, const char *, const char *,
69 const struct sockaddr_storage *ss, const struct timeval *);
70 static void dolastlogx(pam_handle_t *, int, const struct passwd *, const char *,
71 const char *, const struct sockaddr_storage *ss, const struct timeval *);
72 static void domsg(pam_handle_t *, time_t, const char *, size_t, const char *,
73 size_t);
74 static void logit(int, const char *, ...) __printflike(2, 3);
75
76 static void
logit(int level,const char * fmt,...)77 logit(int level, const char *fmt, ...)
78 {
79 va_list ap;
80
81 openlog("pam_lastlog", LOG_PID, LOG_AUTHPRIV);
82 va_start(ap, fmt);
83 vsyslog(level, fmt, ap);
84 va_end(ap);
85 closelog();
86 }
87
88
89 PAM_EXTERN int
pam_sm_open_session(pam_handle_t * pamh,int flags,int argc __unused,const char * argv[]__unused)90 pam_sm_open_session(pam_handle_t *pamh, int flags,
91 int argc __unused, const char *argv[] __unused)
92 {
93 struct passwd *pwd, pwres;
94 struct timeval now;
95 const char *user, *rhost, *tty;
96 const void *vrhost, *vtty;
97 int pam_err;
98 int quiet;
99 char pwbuf[1024];
100 #ifdef LOGIN_CAP
101 login_cap_t *lc;
102 #endif
103
104 pam_err = pam_get_user(pamh, &user, NULL);
105 if (pam_err != PAM_SUCCESS)
106 return pam_err;
107
108 if (user == NULL ||
109 getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
110 pwd == NULL)
111 return PAM_SERVICE_ERR;
112
113 PAM_LOG("Got user: %s", user);
114
115 pam_err = pam_get_item(pamh, PAM_RHOST, &vrhost);
116 if (pam_err != PAM_SUCCESS)
117 goto err;
118 rhost = (const char *)vrhost;
119
120 pam_err = pam_get_item(pamh, PAM_TTY, &vtty);
121 if (pam_err != PAM_SUCCESS)
122 goto err;
123 tty = (const char *)vtty;
124
125 if (tty == NULL) {
126 PAM_LOG("No PAM_TTY");
127 pam_err = PAM_SERVICE_ERR;
128 goto err;
129 }
130
131 if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
132 tty = tty + strlen(_PATH_DEV);
133
134 if (*tty == '\0') {
135 pam_err = PAM_SERVICE_ERR;
136 goto err;
137 }
138
139 (void)gettimeofday(&now, NULL);
140
141 if ((flags & PAM_SILENT) != 0)
142 quiet = 1;
143 else {
144 #ifdef LOGIN_CAP
145 lc = login_getpwclass(pwd);
146 quiet = login_getcapbool(lc, "hushlogin", 0);
147 login_close(lc);
148 #else
149 quiet = 0;
150 #endif
151 }
152 dolastlogx(pamh, quiet, pwd, rhost, tty, NULL, &now);
153 doutmpx(user, rhost, tty, NULL, &now);
154 quiet = 1;
155 err:
156 if (openpam_get_option(pamh, "no_fail"))
157 return PAM_SUCCESS;
158 return pam_err;
159 }
160
161 PAM_EXTERN int
pam_sm_close_session(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)162 pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
163 int argc __unused, const char *argv[] __unused)
164 {
165 const void *vtty;
166 const char *tty;
167
168 pam_get_item(pamh, PAM_TTY, &vtty);
169 if (vtty == NULL)
170 return PAM_SERVICE_ERR;
171 tty = (const char *)vtty;
172
173 if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
174 tty = tty + strlen(_PATH_DEV);
175
176 if (*tty == '\0')
177 return PAM_SERVICE_ERR;
178
179 if (logoutx(tty, 0, DEAD_PROCESS))
180 logwtmpx(tty, "", "", 0, DEAD_PROCESS);
181 else
182 logit(LOG_NOTICE, "%s(): no utmpx record for %s",
183 __func__, tty);
184
185 return PAM_SUCCESS;
186 }
187
188 static void
domsg(pam_handle_t * pamh,time_t t,const char * host,size_t hsize,const char * line,size_t lsize)189 domsg(pam_handle_t *pamh, time_t t, const char *host, size_t hsize,
190 const char *line, size_t lsize)
191 {
192 char buf[MAXHOSTNAMELEN + 32], *promptresp = NULL;
193 int pam_err;
194
195 if (*host) {
196 (void)snprintf(buf, sizeof(buf), "from %.*s ",
197 (int)hsize, host);
198 host = buf;
199 }
200
201 pam_err = pam_prompt(pamh, PAM_TEXT_INFO, &promptresp,
202 "Last login: %.24s %son %.*s\n", ctime(&t), host, (int)lsize, line);
203
204 if (pam_err == PAM_SUCCESS && promptresp)
205 free(promptresp);
206 }
207
208 static void
doutmpx(const char * username,const char * hostname,const char * tty,const struct sockaddr_storage * ss,const struct timeval * now)209 doutmpx(const char *username, const char *hostname, const char *tty,
210 const struct sockaddr_storage *ss, const struct timeval *now)
211 {
212 struct utmpx utmpx;
213 const char *t;
214
215 memset((void *)&utmpx, 0, sizeof(utmpx));
216 utmpx.ut_tv = *now;
217 (void)strncpy(utmpx.ut_name, username, sizeof(utmpx.ut_name));
218 if (hostname) {
219 (void)strncpy(utmpx.ut_host, hostname, sizeof(utmpx.ut_host));
220 if (ss)
221 utmpx.ut_ss = *ss;
222 }
223 (void)strncpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
224 utmpx.ut_type = USER_PROCESS;
225 utmpx.ut_pid = getpid();
226 t = tty + strlen(tty);
227 if ((size_t)(t - tty) >= sizeof(utmpx.ut_id)) {
228 (void)strncpy(utmpx.ut_id, t - sizeof(utmpx.ut_id),
229 sizeof(utmpx.ut_id));
230 } else {
231 (void)strncpy(utmpx.ut_id, tty, sizeof(utmpx.ut_id));
232 }
233 if (pututxline(&utmpx) == NULL)
234 logit(LOG_NOTICE, "Cannot update utmpx %m");
235 endutxent();
236 if (_updwtmpx(_PATH_WTMPX, &utmpx) != 0)
237 logit(LOG_NOTICE, "Cannot update wtmpx %m");
238 }
239
240 static void
dolastlogx(pam_handle_t * pamh,int quiet,const struct passwd * pwd,const char * hostname __unused,const char * tty __unused,const struct sockaddr_storage * ss __unused,const struct timeval * now __unused)241 dolastlogx(pam_handle_t *pamh, int quiet, const struct passwd *pwd,
242 const char *hostname __unused, const char *tty __unused,
243 const struct sockaddr_storage *ss __unused,
244 const struct timeval *now __unused)
245 {
246 struct lastlogx ll;
247 if (!quiet) {
248 if (getlastlogx(_PATH_LASTLOGX, pwd->pw_uid, &ll) != NULL)
249 domsg(pamh, (time_t)ll.ll_tv.tv_sec, ll.ll_host,
250 sizeof(ll.ll_host), ll.ll_line,
251 sizeof(ll.ll_line));
252 }
253 #if 0
254 ll.ll_tv = *now;
255 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
256
257 if (hostname)
258 (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
259 else
260 (void)memset(ll.ll_host, 0, sizeof(ll.ll_host));
261
262 if (ss)
263 ll.ll_ss = *ss;
264 else
265 (void)memset(&ll.ll_ss, 0, sizeof(ll.ll_ss));
266
267 if (updlastlogx(_PATH_LASTLOGX, pwd->pw_uid, &ll) != 0)
268 logit(LOG_NOTICE, "Cannot update lastlogx %m");
269 PAM_LOG("Login recorded in %s", _PATH_LASTLOGX);
270 #endif
271 }
272
273 PAM_MODULE_ENTRY("pam_lastlog");
274