authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-12 12:24:32 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-12 12:24:32 +0300
commit440faf671375cd9d8631d8d3416128db657bff03 (patch)
tree9f042bc5474bff3571bc3fef60905f3c2f450544
parentMoved from passwd to shadow (diff)
downloadopenpam-modules-440faf671375cd9d8631d8d3416128db657bff03.tar.gz
openpam-modules-440faf671375cd9d8631d8d3416128db657bff03.tar.bz2
openpam-modules-440faf671375cd9d8631d8d3416128db657bff03.zip
Continued work on pam_sm_acct_mgmt
-rw-r--r--src/pam_unix/pam_unix.c71
1 files changed, 65 insertions, 6 deletions
diff --git a/src/pam_unix/pam_unix.c b/src/pam_unix/pam_unix.c
index 112d1d0..2791783 100644
--- a/src/pam_unix/pam_unix.c
+++ b/src/pam_unix/pam_unix.c
@@ -120,9 +120,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
struct spwd *pwd;
int pam_err;
const char *user;
- time_t tp;
+ time_t curtime;
+
+#ifndef __linux__
const void *rhost, *tty;
char rhostip[MAXHOSTNAMELEN] = "";
+#endif
/* Sanity checks for uname,pwd,tty,host etc */
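Review bot: `time_t curtime;` is declared without an initializer, and the rest of this commit assigns it only inside a conditional, so every aging comparison further down depends on control flow to avoid reading an indeterminate value. Initializing it at the declaration, `time_t curtime = time(NULL) / (60 * 60 * 24);`, and dropping the conditional assignment removes that fragility at no cost. pam_sm_acct_mgmt's body continues outside this hunk.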
@@ -131,9 +134,17 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pam_err != PAM_SUCCESS)
return (pam_err);
- if (user == NULL || (pwd = getpwnam(user)) == NULL)
+ if (user == NULL || (pwd = getspnam(user)) == NULL)
return (PAM_SERVICE_ERR);
+#ifndef __linux__
+ /*
+ * tty/host info are provided by login classes
+ * and cannot be used out of the box under Linux
+ * for sanity checking (BSD only). May need to
+ * be ported/rewritten to work on Linux as well.
+ * Time will tell...
+ */
pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
if (pam_err != PAM_SUCCESS)
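Review bot: Swapping `getpwnam` for `getspnam` at `if (user == NULL || (pwd = getspnam(user)) == NULL)` turns every failed shadow lookup into PAM_SERVICE_ERR, but getspnam returns NULL both for an unknown user and when the calling process lacks permission to read the shadow database (glibc reports EACCES in that case), and also for accounts present in passwd with no shadow entry at all. An unknown user should map to PAM_USER_UNKNOWN so the stack can tell it apart, and an unreadable shadow file should be logged rather than silently folded into the same error; keeping the getpwnam lookup and consulting shadow only when pw_passwd indicates a shadow password preserves both distinctions. getspnam also hands back static storage that the next call overwrites, so getspnam_r with a local buffer is the safer choice inside a module loaded into arbitrary callers. pam_sm_acct_mgmt's body continues outside this hunk.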
@@ -143,7 +154,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pam_err != PAM_SUCCESS)
return (pam_err);
-
+#endif
if (*pwd->sp_pwdp == '\0' &&
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
return (PAM_NEW_AUTHTOK_REQD);
@@ -156,11 +167,59 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
- /* Check if pw_change or pw_expire is set */
+ /* Check if pw_lstchg or pw_expire is set */
+
+ if (pwd->sp_lstchg || pwd->sp_expire)
+ curtime = time(NULL) / (60 * 60 * 24);
+ if (pwd->sp_expire) {
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
+#ifndef __linux__
+ login_close(lc);
+#endif
+ return (PAM_ACCT_EXPIRED);
+ } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) {
+// pam_error(pamh, "Warning: your account expires on %s",
+// ctime(&pwd->pw_expire));
+ }
+ }
+
+ if (pwd->sp_lstchg == 0 ) {
+ return (PAM_NEW_AUTHTOK_REQD);
+ }
+
+ /* check all other possibilities (mostly stolen from pam_tcb) */
+
+ if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
+ (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
+ (pwd->sp_lstchg != 0))
+ return (PAM_ACCT_EXPIRED);
+
+ if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
+ (pwd->sp_max != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ if ((curtime - pwd->sp_lstchg > pwd->sp_max)
+ && (curtime - pwd->sp_lstchg > pwd->sp_inact)
+ && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
+ && (pwd->sp_max != -1) && (pwd->sp_inact != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ pam_err = (PAM_SUCCESS);
+
+#ifndef __linux__
- if (pwd->sp_lstchg || pwd->sp_expire)
- gettimeofday(&tp, NULL);
+ /* validate tty/host/time */
+ if (!auth_hostok(lc, rhost, rhostip) ||
+ !auth_ttyok(lc, tty) ||
+ !auth_timeok(lc, time(NULL)))
+ pam_err = PAM_AUTH_ERR;
+
+
+ login_close(lc);
+#endif
+
+ return (pam_err);
}
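Review bot: The test `if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1))` returns PAM_ACCT_EXPIRED as soon as sp_max days have elapsed, so a user whose password merely aged out is locked out instead of being forced to change it; the conventional result there is PAM_NEW_AUTHTOK_REQD, with PAM_ACCT_EXPIRED reserved for the preceding `sp_max + sp_inact` test, e.g. `if ((pwd->sp_max != -1) && (pwd->sp_lstchg != -1) && (curtime - pwd->sp_lstchg > pwd->sp_max)) return (PAM_NEW_AUTHTOK_REQD);`. The `sp_lstchg != -1` guard matters because glibc appears to report an empty last-change field as -1 (verify against the target libc), which would otherwise make the sum compare as though the password were set before the epoch. Once the `sp_max + sp_inact` test has run, the third block starting `if ((curtime - pwd->sp_lstchg > pwd->sp_max)` can never return anything new and should be removed as dead code. On the non-Linux build, the PAM_ACCT_EXPIRED returns after the `sp_expire` block skip the `login_close(lc)` that the expire path and the function tail perform, leaking the login class. Finally, the commented-out warning refers to `pwd->pw_expire`, which struct spwd does not have, and sp_expire is a day count rather than a time_t suitable for ctime; either drop it or rewrite it against sp_expire.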