1 /* $NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $ */ 2 3 /*- 4 * Copyright 2001 Mark R V Murray 5 * All rights reserved. 6 * Copyright (c) 2001 Networks Associates Technology, Inc. 7 * All rights reserved. 8 * 9 * Portions of this software were developed for the FreeBSD Project by 10 * ThinkSec AS and NAI Labs, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12 * ("CBOSS"), as part of the DARPA CHATS research program. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. The name of the author may not be used to endorse or promote 23 * products derived from this software without specific prior written 24 * permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 #include <sys/cdefs.h> 40 #ifdef __FreeBSD__ 41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.10 2002/04/12 22:27:21 des Exp $"); 42 #else 43 __RCSID("$NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $"); 44 #endif 45 46 47 #include <sys/types.h> 48 #include <sys/stat.h> 49 #include <fcntl.h> 50 #include <login_cap.h> 51 #include <pwd.h> 52 #include <errno.h> 53 #include <string.h> 54 #include <stdio.h> 55 #include <stdlib.h> 56 #include <unistd.h> 57 58 #define PAM_SM_AUTH 59 60 #include <security/pam_appl.h> 61 #include <security/pam_modules.h> 62 #include <security/pam_mod_misc.h> 63 64 #define NOLOGIN "/etc/nologin" 65 66 static char nologin_def[] = NOLOGIN; 67 68 PAM_EXTERN int 69 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 70 int argc __unused, const char *argv[] __unused) 71 { 72 login_cap_t *lc; 73 struct passwd *pwd, pwres; 74 struct stat st; 75 int retval, fd; 76 int ignorenologin = 0; 77 int rootlogin = 0; 78 const char *user, *nologin; 79 char *mtmp; 80 char pwbuf[1024]; 81 82 if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) 83 return retval; 84 85 PAM_LOG("Got user: %s", user); 86 87 /* 88 * For root, the default is to ignore nologin, but the 89 * ignorenologin capability can override this, so we 90 * set the default appropriately. 91 * 92 * Do not allow login of unexisting users, so that a directory 93 * failure will not cause the nologin capability to be ignored. 94 */ 95 if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 || 96 pwd == NULL) { 97 return PAM_USER_UNKNOWN; 98 } else { 99 if (pwd->pw_uid == 0) 100 rootlogin = 1; 101 } 102 103 lc = login_getclass(pwd->pw_class); 104 ignorenologin = login_getcapbool(lc, "ignorenologin", rootlogin); 105 nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def); 106 login_close(lc); 107 lc = NULL; 108 109 if (ignorenologin) 110 return PAM_SUCCESS; 111 112 if ((fd = open(nologin, O_RDONLY, 0)) == -1) { 113 /* 114 * The file does not exist, login is granted 115 */ 116 if (errno == ENOENT) 117 return PAM_SUCCESS; 118 119 /* 120 * open failed, but the file exists. This could be 121 * a temporary problem (system resources exausted): 122 * Refuse the login. 123 */ 124 PAM_LOG("Cannot open %s file: %s", nologin, strerror(errno)); 125 return PAM_AUTH_ERR; 126 } 127 128 PAM_LOG("Opened %s file", nologin); 129 130 if (fstat(fd, &st) < 0) { 131 close(fd); 132 return PAM_AUTH_ERR; 133 } 134 135 mtmp = malloc(st.st_size + 1); 136 if (mtmp != NULL) { 137 read(fd, mtmp, st.st_size); 138 mtmp[st.st_size] = '\0'; 139 pam_error(pamh, "%s", mtmp); 140 free(mtmp); 141 } 142 close(fd); 143 144 PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin); 145 146 return PAM_AUTH_ERR; 147 } 148 149 PAM_EXTERN int 150 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 151 int argc __unused, const char *argv[] __unused) 152 { 153 154 return (PAM_SUCCESS); 155 } 156 157 PAM_MODULE_ENTRY("pam_nologin"); 158