2 * Copyright (c) 2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
6 * Portions of this software were developed for the FreeBSD Project by
7 * ThinkSec AS and NAI Labs, the Security Research Division of Network
8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 * products derived from this software without specific prior written
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * $FreeBSD: src/lib/libpam/modules/pam_group/pam_group.c,v 1.6 2011/03/12 11:26:37 des Exp $
#include <sys/types.h>

#include <grp.h>
#include <pwd.h>
#include <string.h>

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/openpam.h>
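/*
 * Authentication primitive: accept or reject the request depending on
 * whether an account belongs to a regulating group.
 *
 * Module options, all read through openpam_get_option():
 *   root_only  - return PAM_IGNORE unless the target account has uid 0
 *   luser      - test the target account returned by pam_get_user()
 *   ruser      - test the account named by the PAM_RUSER item
 *   group      - name of the regulating group
 *   deny       - invert the verdict: members fail, non-members succeed
 *   fail_safe  - treat a missing or memberless group as a match
 *
 * Returns PAM_SUCCESS or PAM_AUTH_ERR as the verdict, PAM_IGNORE when
 * root_only excludes the target, and PAM_SERVICE_ERR when luser and ruser
 * are both given.
 *
 * NOTE(review): the listing this function was taken from had lost several
 * source lines (the return type, the local declarations, the PAM_IGNORE
 * return, the else-if/else arms, the default group assignment and the
 * goto/label lines).  They are restored here from the surviving control
 * flow and line numbering; confirm against the upstream file.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	int local, remote;
	const char *group, *user;
	const void *ruser;
	char *const *list;
	struct passwd *pwd;
	struct group *grp;

	/* get target account */
	if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS ||
	    user == NULL || (pwd = getpwnam(user)) == NULL)
		return (PAM_AUTH_ERR);
	/* root_only: stay out of the decision for non-root targets */
	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
		return (PAM_IGNORE);

	/* check local / remote */
	local = openpam_get_option(pamh, "luser") ? 1 : 0;
	remote = openpam_get_option(pamh, "ruser") ? 1 : 0;
	if (local && remote) {
		openpam_log(PAM_LOG_ERROR, "(pam_group) "
		    "the luser and ruser options are mutually exclusive");
		return (PAM_SERVICE_ERR);
	} else if (local) {
		/* we already have the correct struct passwd */
	} else {
		if (!remote)
			openpam_log(PAM_LOG_NOTICE, "(pam_group) "
			    "neither luser nor ruser specified, assuming ruser");
		/* default / historical behavior */
		/*
		 * PAM_RUSER is used exactly as stored in the handle; nothing
		 * in this function checks how the calling application came
		 * by it, so the membership test is only as trustworthy as
		 * whatever set that item.  pwd is re-pointed at the ruser
		 * account from here on.
		 */
		if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
		    ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
			return (PAM_AUTH_ERR);
	}

	/* get regulating group */
	if ((group = openpam_get_option(pamh, "group")) == NULL)
		group = "wheel";
	if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL)
		goto failed;

	/* check if the group is empty */
	/*
	 * Only the explicit member list is consulted, so a group that
	 * accounts hold solely as their primary gid takes the failed path
	 * before the pw_gid comparison below is reached.
	 */
	if (*grp->gr_mem == NULL)
		goto failed;

	/* check membership */
	if (pwd->pw_gid == grp->gr_gid)
		goto found;
	for (list = grp->gr_mem; *list != NULL; ++list)
		if (strcmp(*list, pwd->pw_name) == 0)
			goto found;

not_found:
	if (openpam_get_option(pamh, "deny"))
		return (PAM_SUCCESS);
	return (PAM_AUTH_ERR);
found:
	if (openpam_get_option(pamh, "deny"))
		return (PAM_AUTH_ERR);
	return (PAM_SUCCESS);
failed:
	/*
	 * The group did not resolve or has no listed members.  Without
	 * fail_safe this is handled as "not a member", which under deny
	 * returns PAM_SUCCESS: a deny rule naming such a group rejects
	 * nobody.  With fail_safe it is handled as "member", so deny
	 * rejects and a plain rule accepts.  Pick the option to match the
	 * direction of the policy.
	 */
	if (openpam_get_option(pamh, "fail_safe"))
		goto found;
	else
		goto not_found;
}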
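/*
 * Credential primitive: no argument is used and the function always
 * returns PAM_SUCCESS.
 *
 * NOTE(review): the return type and the braces were missing from the
 * listing and are restored here; confirm against the upstream file.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}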
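/*
 * OpenPAM module declaration under the name "pam_group".
 * NOTE(review): which primitives it publishes presumably depends on the
 * PAM_SM_* macros defined ahead of the PAM headers; that part of the file
 * is not visible in the listing, so confirm upstream.
 */
PAM_MODULE_ENTRY("pam_group");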