diff options
author | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-12 12:24:32 +0300 |
---|---|---|
committer | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-12 12:24:32 +0300 |
commit | 440faf671375cd9d8631d8d3416128db657bff03 (patch) | |
tree | 9f042bc5474bff3571bc3fef60905f3c2f450544 | |
parent | Moved from passwd to shadow (diff) | |
download | openpam-modules-440faf671375cd9d8631d8d3416128db657bff03.tar.gz openpam-modules-440faf671375cd9d8631d8d3416128db657bff03.tar.bz2 openpam-modules-440faf671375cd9d8631d8d3416128db657bff03.zip |
Continued work on pam_sm_acct_mgmt
-rw-r--r-- | src/pam_unix/pam_unix.c | 71 |
1 files changed, 65 insertions, 6 deletions
diff --git a/src/pam_unix/pam_unix.c b/src/pam_unix/pam_unix.c index 112d1d0..2791783 100644 --- a/src/pam_unix/pam_unix.c +++ b/src/pam_unix/pam_unix.c @@ -120,9 +120,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , struct spwd *pwd; int pam_err; const char *user; - time_t tp; + time_t curtime; + +#ifndef __linux__ const void *rhost, *tty; char rhostip[MAXHOSTNAMELEN] = ""; +#endif /* Sanity checks for uname,pwd,tty,host etc */ @@ -131,9 +134,17 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pam_err != PAM_SUCCESS) return (pam_err); - if (user == NULL || (pwd = getpwnam(user)) == NULL) + if (user == NULL || (pwd = getspnam(user)) == NULL) return (PAM_SERVICE_ERR); +#ifndef __linux__ + /* + * tty/host info are provided by login classes + * and cannot be used out of the box under Linux + * for sanity checking (BSD only). May need to + * be ported/rewritten to work on Linux as well. + * Time will tell... + */ pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); if (pam_err != PAM_SUCCESS) @@ -143,7 +154,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pam_err != PAM_SUCCESS) return (pam_err); - +#endif if (*pwd->sp_pwdp == '\0' && (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) return (PAM_NEW_AUTHTOK_REQD); @@ -156,11 +167,59 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif - /* Check if pw_change or pw_expire is set */ + /* Check if pw_lstchg or pw_expire is set */ + + if (pwd->sp_lstchg || pwd->sp_expire) + curtime = time(NULL) / (60 * 60 * 24); + if (pwd->sp_expire) { + if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { +#ifndef __linux__ + login_close(lc); +#endif + return (PAM_ACCT_EXPIRED); + } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { +// pam_error(pamh, "Warning: your account expires on %s", +// ctime(&pwd->pw_expire)); + } + } + + if (pwd->sp_lstchg == 0 ) { + return (PAM_NEW_AUTHTOK_REQD); + } + + /* check all other possibilities (mostly stolen from pam_tcb) */ + + if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && + (pwd->sp_max != -1) && (pwd->sp_inact != -1) && + (pwd->sp_lstchg != 0)) + return (PAM_ACCT_EXPIRED); + + if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && + (pwd->sp_max != -1)) + return (PAM_ACCT_EXPIRED); + + if ((curtime - pwd->sp_lstchg > pwd->sp_max) + && (curtime - pwd->sp_lstchg > pwd->sp_inact) + && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) + && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) + return (PAM_ACCT_EXPIRED); + + pam_err = (PAM_SUCCESS); + +#ifndef __linux__ - if (pwd->sp_lstchg || pwd->sp_expire) - gettimeofday(&tp, NULL); + /* validate tty/host/time */ + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + pam_err = PAM_AUTH_ERR; + + + login_close(lc); +#endif + + return (pam_err); } |