From 440faf671375cd9d8631d8d3416128db657bff03 Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Thu, 12 Jun 2008 12:24:32 +0300
Subject: Continued work on pam_sm_acct_mgmt
---
 src/pam_unix/pam_unix.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/src/pam_unix/pam_unix.c b/src/pam_unix/pam_unix.c
index 112d1d0..2791783 100644
--- a/src/pam_unix/pam_unix.c
+++ b/src/pam_unix/pam_unix.c
@@ -120,9 +120,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 struct spwd *pwd;
 int pam_err;
 const char *user;
- time_t tp;
+ time_t curtime;
+
+#ifndef __linux__
 const void *rhost, *tty;
 char rhostip[MAXHOSTNAMELEN] = "";
+#endif
 /* Sanity checks for uname,pwd,tty,host etc */
@@ -131,9 +134,17 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 if (pam_err != PAM_SUCCESS)
 return (pam_err);
- if (user == NULL || (pwd = getpwnam(user)) == NULL)
+ if (user == NULL || (pwd = getspnam(user)) == NULL)
 return (PAM_SERVICE_ERR);
+#ifndef __linux__
+ /*
+ * tty/host info are provided by login classes
+ * and cannot be used out of the box under Linux
+ * for sanity checking (BSD only). May need to
+ * be ported/rewritten to work on Linux as well.
+ * Time will tell...
+ */
 pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
 if (pam_err != PAM_SUCCESS)
@@ -143,7 +154,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 if (pam_err != PAM_SUCCESS)
 return (pam_err);
-
+#endif
 if (*pwd->sp_pwdp == '\0' &&
 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
 return (PAM_NEW_AUTHTOK_REQD);
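Review bot: `time_t curtime;` is declared without an initializer, and the aging code added later in this commit assigns it only inside `if (pwd->sp_lstchg || pwd->sp_expire)` before reading it in several comparisons. As the hunks stand, every path that reaches those comparisons has first passed one of the two non-zero tests (the `sp_lstchg == 0` case returns before any arithmetic), so the read is not uninitialized today, but that guarantee lives in a different hunk and a reordered check would turn it into undefined behaviour. Declaring it as `time_t curtime = 0;` here, or computing it unconditionally, removes the cross-hunk dependency. pam_sm_acct_mgmt's signature and the rest of its declarations are outside this hunk.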
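Review bot: `(pwd = getspnam(user)) == NULL` now folds two different failures into PAM_SERVICE_ERR: an unknown user, and a shadow database the calling process is not privileged to read (getspnam returns NULL with errno set, EACCES in the permission case), so a service that runs this module unprivileged cannot distinguish a misconfiguration from a bad user name in its logs. Consider clearing errno before the call and, on NULL, mapping the plain not-found case to PAM_USER_UNKNOWN while keeping PAM_SERVICE_ERR for a real error, e.g. `if (pwd == NULL) return (errno == 0 || errno == ENOENT ? PAM_USER_UNKNOWN : PAM_SERVICE_ERR);`. Note also that the Linux build no longer consults getpwnam at all in this function, so an account present in the shadow file but absent from passwd is not rejected here; whether an earlier call covers that is not visible in the hunk. pam_sm_acct_mgmt's body starts before and continues past this hunk.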
@@ -156,11 +167,59 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 }
 #endif
- /* Check if pw_change or pw_expire is set */
+ /* Check if pw_lstchg or pw_expire is set */
+
+ if (pwd->sp_lstchg || pwd->sp_expire)
+ curtime = time(NULL) / (60 * 60 * 24);
+ if (pwd->sp_expire) {
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
+#ifndef __linux__
+ login_close(lc);
+#endif
+ return (PAM_ACCT_EXPIRED);
+ } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) {
+// pam_error(pamh, "Warning: your account expires on %s",
+// ctime(&pwd->pw_expire));
+ }
+ }
+
+ if (pwd->sp_lstchg == 0 ) {
+ return (PAM_NEW_AUTHTOK_REQD);
+ }
+
+ /* check all other possibilities (mostly stolen from pam_tcb) */
+
+ if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
+ (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
+ (pwd->sp_lstchg != 0))
+ return (PAM_ACCT_EXPIRED);
+
+ if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
+ (pwd->sp_max != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ if ((curtime - pwd->sp_lstchg > pwd->sp_max)
+ && (curtime - pwd->sp_lstchg > pwd->sp_inact)
+ && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
+ && (pwd->sp_max != -1) && (pwd->sp_inact != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ pam_err = (PAM_SUCCESS);
+
+#ifndef __linux__
- if (pwd->sp_lstchg || pwd->sp_expire)
- gettimeofday(&tp, NULL);
+ /* validate tty/host/time */
+ if (!auth_hostok(lc, rhost, rhostip) ||
+ !auth_ttyok(lc, tty) ||
+ !auth_timeok(lc, time(NULL)))
+ pam_err = PAM_AUTH_ERR;
+
+
+ login_close(lc);
+#endif
+
+ return (pam_err);
 }
-- 
cgit v1.2.3-65-gdbad
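Review bot: The early returns added after the sp_expire block — `return (PAM_NEW_AUTHTOK_REQD);` for `sp_lstchg == 0` and the three `return (PAM_ACCT_EXPIRED);` aging checks — skip `login_close(lc)` on non-Linux builds, where only the first expiry return closes the login class, so lc leaks on every one of those paths. Separately, all three aging checks return PAM_ACCT_EXPIRED, so a password that has merely passed sp_max but is still inside the sp_inact grace locks the account instead of yielding PAM_NEW_AUTHTOK_REQD (the conventional result that lets the user be prompted for a new password), and because the second check `((pwd->sp_lstchg + pwd->sp_max) < curtime) && (pwd->sp_max != -1)` subsumes the third, the third never fires. Collapsing the checks into one if/else chain that sets pam_err and falls through to the single `login_close(lc)` the hunk already has fixes both, provided the host/tty/time check is guarded so it does not overwrite an expiry result; sketched below (the commented-out warning is dropped there, since it also reads `pwd->pw_expire`, a struct passwd member, while `pwd` is now a struct spwd). pam_sm_acct_mgmt begins before this hunk, and lc is presumably obtained there.
```c
	/* … unchanged: curtime computation … */
	pam_err = PAM_SUCCESS;
	if (pwd->sp_expire && pwd->sp_expire != -1 && curtime > pwd->sp_expire)
		pam_err = PAM_ACCT_EXPIRED;
	else if (pwd->sp_lstchg == 0)
		pam_err = PAM_NEW_AUTHTOK_REQD;
	else if (pwd->sp_max != -1 && pwd->sp_inact != -1 &&
	    curtime > pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)
		pam_err = PAM_ACCT_EXPIRED;	/* past the inactivity grace */
	else if (pwd->sp_max != -1 && curtime > pwd->sp_lstchg + pwd->sp_max)
		pam_err = PAM_NEW_AUTHTOK_REQD;	/* expired, change still allowed */

#ifndef __linux__
	/* validate tty/host/time only for an otherwise valid account */
	if (pam_err == PAM_SUCCESS &&
	    (!auth_hostok(lc, rhost, rhostip) ||
	    !auth_ttyok(lc, tty) ||
	    !auth_timeok(lc, time(NULL))))
		pam_err = PAM_AUTH_ERR;
	login_close(lc);
#endif
	return (pam_err);
```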