Add the PAM module.
diff --git a/libpam-itkacl-0.4/pam_itkacl.c b/libpam-itkacl-0.4/pam_itkacl.c
new file mode 100644 (file)
index 0000000..19044bc
--- /dev/null
@@ -0,0 +1,108 @@
+
+#define PAM_SM_ACCOUNT
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <syslog.h>
+#include <security/pam_modules.h>
+
+#include "itkacl.h"
+
+/* --- authentication management functions --- */
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
+                                  int argc, const char **argv)
+{
+       return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
+                             const char **argv)
+{
+
+       return PAM_CRED_UNAVAIL;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
+                               const char **argv)
+{
+       char realm[256], errmsg[256];
+       const char *username;
+       int ret;
+
+       openlog("pam_itkacl", 0, LOG_AUTHPRIV);
+
+       /* We want and need exactly one argument: realm='whatever' */
+       if (argc != 1) {
+               syslog(LOG_CRIT, "wrong number of arguments: expected 1, got %d", argc);
+               return PAM_SERVICE_ERR;
+       }
+       if (sscanf(argv[0], "realm='%[^']'", realm) != 1) {
+               syslog(LOG_CRIT, "realm in bad format: got %s, expected realm='/foo/bar'", argv[0]);
+               return PAM_SERVICE_ERR;
+       }
+
+       /* Get the user name from PAM */
+       ret = pam_get_item(pamh, PAM_USER, (const void **)&username);
+       if (ret != PAM_SUCCESS || username == NULL) {
+               syslog(LOG_CRIT, "Couldn't get username from PAM");
+               return PAM_USER_UNKNOWN;
+       }
+
+       /* Root should always be able to log in */
+       if (strcmp(username, "root") == 0)
+               return PAM_SUCCESS;
+
+       ret = itkacl_check(realm, username, errmsg, 256);
+       if (ret == -1) {
+               syslog(LOG_ERR, "itkacl_check() returned an error: %s", errmsg);
+               return PAM_SERVICE_ERR;
+       }
+
+       if (ret == 0) {
+               return PAM_SUCCESS;
+       } else {
+               return PAM_ACCT_EXPIRED;
+       }
+}
+
+/* --- password management --- */
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
+                               const char **argv)
+{
+       return PAM_AUTHTOK_ERR;
+}
+
+/* --- session management --- */
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
+                                  int argc, const char **argv)
+{
+       return PAM_SYSTEM_ERR;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags,
+                                   int argc, const char **argv)
+{
+       return PAM_SYSTEM_ERR;
+}
+
+/* end of module definition */
+
+/* static module data */
+#ifdef PAM_STATIC
+struct pam_module _pam_itkacl_modstruct = {
+       "pam_itkacl",
+       pam_sm_authenticate,
+       pam_sm_setcred,
+       pam_sm_acct_mgmt,
+       pam_sm_open_session,
+       pam_sm_close_session,
+       pam_sm_chauthtok
+};
+#endif
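Review bot: The `sscanf(argv[0], "realm='%[^']'", realm)` in pam_sm_acct_mgmt has no field width on the `%[^']` conversion, so a `realm='...'` module argument longer than 255 characters overwrites the stack past `realm[256]`; since the argument comes from the PAM configuration this is an admin-controlled input, but it is still an unbounded write and should be `if (sscanf(argv[0], "realm='%255[^']'", realm) != 1) {`. The later `itkacl_check(realm, username, errmsg, 256)` repeats the buffer size as a magic number that can drift from the declaration; `itkacl_check(realm, username, errmsg, sizeof errmsg)` ties them together. Each call also does `openlog()` without a matching `closelog()`, which is harmless for syslog but worth a one-line comment such as `/* openlog() is idempotent; ident is left set for the calling process */` so the next reader does not flag it as a leak. The root bypass compares the PAM_USER string rather than a uid, which is presumably intended, but a comment stating that non-root users named "root" are impossible on this system would make that assumption explicit.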