X-Git-Url: https://git.sesse.net/?p=itkacl;a=blobdiff_plain;f=libpam-itkacl-0.4%2Fpam_itkacl.c;fp=libpam-itkacl-0.4%2Fpam_itkacl.c;h=19044bc3cc52a8997e62f924512d79e4bb4e23e6;hp=0000000000000000000000000000000000000000;hb=5a4ae0a37159e6af798d19800681f78872fb65a0;hpb=0022fb1b09dd6a4ef8d8a1d5766762603b6b0a2a
diff --git a/libpam-itkacl-0.4/pam_itkacl.c b/libpam-itkacl-0.4/pam_itkacl.c
new file mode 100644
index 0000000..19044bc
--- /dev/null
+++ b/libpam-itkacl-0.4/pam_itkacl.c
@@ -0,0 +1,108 @@
+
+#define PAM_SM_ACCOUNT
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "itkacl.h"
+
+/* --- authentication management functions --- */
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+
+ return PAM_CRED_UNAVAIL;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+ char realm[256], errmsg[256];
+ const char *username;
+ int ret;
+
+ openlog("pam_itkacl", 0, LOG_AUTHPRIV);
+
+ /* We want and need exactly one argument: realm='whatever' */
+ if (argc != 1) {
+ syslog(LOG_CRIT, "wrong number of arguments: expected 1, got %d", argc);
+ return PAM_SERVICE_ERR;
+ }
+ if (sscanf(argv[0], "realm='%[^']'", realm) != 1) {
+ syslog(LOG_CRIT, "realm in bad format: got %s, expected realm='/foo/bar'", argv[0]);
+ return PAM_SERVICE_ERR;
+ }
+
+ /* Get the user name from PAM */
+ ret = pam_get_item(pamh, PAM_USER, (const void **)&username);
+ if (ret != PAM_SUCCESS || username == NULL) {
+ syslog(LOG_CRIT, "Couldn't get username from PAM");
+ return PAM_USER_UNKNOWN;
+ }
+
+ /* Root should always be able to log in */
+ if (strcmp(username, "root") == 0)
+ return PAM_SUCCESS;
+
+ ret = itkacl_check(realm, username, errmsg, 256);
+ if (ret == -1) {
+ syslog(LOG_ERR, "itkacl_check() returned an error: %s", errmsg);
+ return PAM_SERVICE_ERR;
+ }
+
+ if (ret == 0) {
+ return PAM_SUCCESS;
+ } else {
+ return PAM_ACCT_EXPIRED;
+ }
+}
+
+/* --- password management --- */
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_AUTHTOK_ERR;
+}
+
+/* --- session management --- */
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+/* end of module definition */
+
+/* static module data */
+#ifdef PAM_STATIC
+struct pam_module _pam_itkacl_modstruct = {
+ "pam_itkacl",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ pam_sm_chauthtok
+};
+#endif
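Review bot: The `sscanf(argv[0], "realm='%[^']'", realm)` call in pam_sm_acct_mgmt has no field width, so a realm argument longer than 255 bytes writes past the 256-byte `realm` stack buffer; bound the conversion with `if (sscanf(argv[0], "realm='%255[^']'", realm) != 1) {`. The argument comes from the PAM configuration rather than from the user logging in, but an over-long or malformed line there should end in PAM_SERVICE_ERR, not in memory corruption inside the login process. The same conversion also returns 1 when the closing quote is missing or trailing text follows it, so adding a `%n` after the final quote and comparing it with the argument length would reject those values too. Separately, `openlog("pam_itkacl", 0, LOG_AUTHPRIV)` replaces the host application's syslog identity and is never undone; `pam_syslog()` avoids that where Linux-PAM provides it, and `sizeof errmsg` in the itkacl_check() call would keep the length tied to the buffer instead of the literal 256.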