1 /* This file is part of pam-modules.
2    Copyright (C) 2001, 2006-2008, 2010-2012, 2014-2015, 2018 Sergey
3    Poznyakoff
4 
5    This program is free software; you can redistribute it and/or modify it
6    under the terms of the GNU General Public License as published by the
7    Free Software Foundation; either version 3 of the License, or (at your
8    option) any later version.
9 
10    This program is distributed in the hope that it will be useful,
11    but WITHOUT ANY WARRANTY; without even the implied warranty of
12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13    GNU General Public License for more details.
14 
15    You should have received a copy of the GNU General Public License along
16    with this program.  If not, see <http://www.gnu.org/licenses/>.  */
17 
18 #ifdef HAVE__PAM_ACONF_H
19 #include <security/_pam_aconf.h>
20 #endif
21 
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <stdarg.h>
25 #include <string.h>
26 #include <unistd.h>
27 #include <ctype.h>
28 #include <syslog.h>
29 #include <errno.h>
30 #include <regex.h>
31 
32 #include "graypam.h"
33 
34 /* indicate the following groups are defined */
35 #define PAM_SM_AUTH
36 
37 #ifndef LINUX_PAM
38 #include <security/pam_appl.h>
39 #endif				/* LINUX_PAM */
40 #include <security/pam_modules.h>
41 
42 #define SENSE_ALLOW   0
43 #define SENSE_DENY    1
44 const char *sense_choice[] = { "allow", "deny", NULL };
45 
46 static int sense;
47 static long debug_level;
48 static const char *regex = NULL;
49 static int regex_flags = REG_NOSUB|REG_EXTENDED;
50 static const char *transform = NULL;
51 static const char *user_name;
52 
53 struct pam_opt pam_opt[] = {
54 	{ PAM_OPTSTR(debug), pam_opt_long, &debug_level },
55 	{ PAM_OPTSTR(debug), pam_opt_const, &debug_level, { 1 } },
56 	{ PAM_OPTSTR(audit), pam_opt_const, &debug_level, { 100 } },
57 	{ PAM_OPTSTR(waitdebug), pam_opt_null, NULL, { 0 },
58 	  gray_wait_debug_fun },
59 	{ PAM_OPTSTR(sense), pam_opt_enum, &sense,
60 	  { .enumstr = sense_choice } },
61 	{ PAM_OPTSTR(transform), pam_opt_string, &transform },
62 	{ PAM_OPTSTR(user), pam_opt_string, &user_name },
63 	{ PAM_OPTSTR(regex), pam_opt_string, &regex },
64 	{ PAM_OPTSTR(extended), pam_opt_bitmask, &regex_flags,
65 	  { .value = REG_EXTENDED } },
66 	{ PAM_OPTSTR(basic), pam_opt_bitmask_rev, &regex_flags,
67 	  { .value = REG_EXTENDED } },
68 	{ PAM_OPTSTR(icase), pam_opt_bitmask, &regex_flags,
69 	  { .value = REG_ICASE } },
70 	{ PAM_OPTSTR(ignore-case), pam_opt_bitmask, &regex_flags,
71 	  { .value = REG_ICASE } },
72 	{ PAM_OPTSTR(case), pam_opt_bitmask_rev, &regex_flags,
73 	  { .value = REG_ICASE } },
74 
75 	{ NULL }
76 };
77 
78 
79 static void
_pam_parse(pam_handle_t * pamh,int argc,const char ** argv)80 _pam_parse(pam_handle_t *pamh, int argc, const char **argv)
81 {
82 	gray_log_init(0, MODULE_NAME, LOG_AUTHPRIV);
83 	gray_parseopt(pam_opt, argc, argv);
84 	if (!regex && !transform)
85 		_pam_log(LOG_ERR, "neither regex nor transform are specified");
86 	if (user_name && transform)
87 		_pam_log(LOG_ERR, "Both `user' and `transform' are given");
88 }
89 
90 /*
91  * PAM framework looks for these entry-points to pass control to the
92  * authentication module.
93  */
94 
95 /* Fun starts here :)
96 
97  * pam_sm_authenticate() performs authentication
98  *
99  */
100 
101 PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)102 pam_sm_authenticate(pam_handle_t *pamh,
103 		    int flags,
104 		    int argc,
105 		    const char **argv)
106 {
107 	int retval, rc;
108 	char *name;
109 	regex_t rx;
110 
111 	_pam_parse(pamh, argc, argv);
112 
113 	DEBUG(90,("enter pam_sm_authenticate"));
114 
115 	gray_pam_init(PAM_AUTHINFO_UNAVAIL);
116 
117 	/*
118 	 * get username
119 	 */
120 	retval = pam_get_user(pamh, (const char**)&name, "login: ");
121 	if (retval == PAM_SUCCESS) {
122 		DEBUG(10, ("username [%s] obtained", name));
123 	} else {
124 		_pam_log(LOG_NOTICE, "can't get username");
125 		return PAM_AUTHINFO_UNAVAIL;
126 	}
127 
128 	if (transform) {
129 		char *newname;
130 		gray_slist_t slist;
131 
132 		gray_set_transform_expr(transform);
133 		slist = gray_slist_create();
134 		gray_transform_name_to_slist(slist, name, &newname);
135 		DEBUG(90,("new name: %s", newname));
136 		MAKE_STR(pamh, newname, name);
137 		retval = pam_set_item(pamh, PAM_USER, name);
138 		gray_slist_free(&slist);
139 		gray_free_transform_expr();
140 		if (retval != PAM_SUCCESS) {
141 			_pam_log(LOG_ERR, "retval %d", retval);
142 			return PAM_AUTHINFO_UNAVAIL;
143 		}
144 	}
145 
146 	if (regex) {
147 		for (;;) {
148 			if (rc = regcomp(&rx, regex, regex_flags)) {
149 				char errbuf[512];
150 				regerror (rc, &rx, errbuf, sizeof (errbuf));
151 				_pam_log(LOG_ERR, "can't compile regex: %s",
152 					 errbuf);
153 				retval = PAM_AUTHINFO_UNAVAIL;
154 				break;
155 			}
156 
157 			retval = regexec(&rx, name, 0, NULL, 0);
158 			if (retval) {
159 				DEBUG(1,("%s does not match %s",name,regex));
160 			}
161 
162 			switch (sense) {
163 			case SENSE_ALLOW:
164 				break;
165 
166 			case SENSE_DENY:
167 				retval = !retval;
168 				break;
169 
170 			}
171 
172 			if (retval != PAM_SUCCESS) {
173 				_pam_log(LOG_NOTICE, "rejecting %s", name);
174 				retval = PAM_AUTH_ERR;
175 			} else
176 				_pam_log(LOG_NOTICE, "allowing %s", name);
177 			if (user_name)
178 				pam_set_item(pamh, PAM_USER, strdup(user_name));
179 			break;
180 		}
181 	}
182 
183 	DEBUG(90,("exit pam_sm_authenticate: %d", retval));
184 	return retval;
185 }
186 
187 PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)188 pam_sm_setcred(pam_handle_t *pamh,
189 	       int flags,
190 	       int argc,
191 	       const char **argv)
192 {
193 	return PAM_SUCCESS;
194 }
195 
196 #ifdef PAM_STATIC
197 
198 struct pam_module _pam_regex_modstruct = {
199 	"pam_regex",                      /* name of the module */
200 	pam_sm_authenticate,
201 	pam_sm_setcred,
202 	NULL,
203 	NULL,
204 	NULL,
205 	NULL
206 };
207 
208 #endif
209 
210