2 * CDE - Common Desktop Environment
4 * Copyright (c) 1993-2012, The Open Group. All rights reserved.
6 * These libraries and programs are free software; you can
7 * redistribute them and/or modify them under the terms of the GNU
8 * Lesser General Public License as published by the Free Software
9 * Foundation; either version 2 of the License, or (at your option)
12 * These libraries and programs are distributed in the hope that
13 * they will be useful, but WITHOUT ANY WARRANTY; without even the
14 * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
15 * PURPOSE. See the GNU Lesser General Public License for more
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with these libraries and programs; if not, write
20 * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
21 * Floor, Boston, MA 02110-1301 USA
23 /* $XConsortium: sample_acct_mgmt.c /main/2 1996/05/09 04:29:37 drk $ */
26 * Copyright (c) 1992-1995, by Sun Microsystems, Inc.
27 * All rights reserved.
30 #ident "@(#)sample_acct_mgmt.c 1.12 96/02/02 SMI"
33 #include <security/pam_appl.h>
34 #include <security/pam_modules.h>
/*
 * Forward declaration of the allow-list matcher defined further down.
 * NOTE(review): no return type is written, so this depends on implicit
 * int, which C99 and later no longer accept.
 */
37 static parse_allow_name(char *, char *);
40 * pam_sm_acct_mgmt main account management routine.
41 * It only checks the flag passed from pam_sm_auth_user().
42 * XXX: The routine just prints out a warning message.
43 * It may need to force the user to change his/her
47 #include <security/pam_appl.h>
/* NOTE(review): not referenced in the lines shown; presumably a message text domain - confirm. */
48 #define PAMTXD "SUNW_OST_SYSOSPAM"
/*
 * NOTE(review): this listing omits lines, so the function signature and
 * the local declarations are not shown; the comments here describe only
 * the statements that are visible.
 *
 * Fetch the user name and the PAM service name from the handle. Failure
 * to read either item ends the call with PAM_SERVICE_ERR.
 */
67 if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS)
68 return (PAM_SERVICE_ERR);
70 if (pam_get_item(pamh, PAM_SERVICE, (void **)&pg) != PAM_SUCCESS)
71 return (PAM_SERVICE_ERR);
74 * kludge alert. su needs to be handled specially for allow policy.
75 * we want to use the policy of the current user not the "destination"
76 * user. This will enable us to prevent su to root but not to rlogin,
77 * telnet, rsh, ftp to root.
79 * description of problem: user name is the "destination" name. not
80 * the current name. The allow policy needs to be applied to the
81 * current name in the case of su. user is "root" in this case and
82 * we will be getting the root policy instead of the user policy.
/*
 * The special case is keyed on the service name being exactly "su".
 * Only the PAM_SYSTEM_ERR return of this branch is visible here.
 * NOTE(review): no NULL check on pg is visible before strcmp() - confirm
 * that pam_get_item() cannot report success while leaving the
 * PAM_SERVICE item NULL.
 */
84 if (strcmp(pg, "su") == 0) {
90 return (PAM_SYSTEM_ERR);
/*
 * A NULL or empty user name, or the literal name "root", is handled
 * before any allow= list is consulted. The statement this condition
 * guards is not shown in the listing, so the code returned for these
 * cases cannot be told from here - TODO confirm.
 */
94 if (user == 0 || *user == '\0' || (strcmp(user, "root") == 0))
/*
 * Walk the module options. "debug" and "nowarn" are matched without
 * regard to case (strcasecmp), while the "allow=" prefix is matched
 * case-sensitively (strncmp over 6 bytes). The text after "allow=" is
 * handed to parse_allow_name() together with the user name.
 */
97 for (i = 0; i < argc; i++) {
98 if (strcasecmp(argv[i], "debug") == 0)
100 else if (strcasecmp(argv[i], "nowarn") == 0) {
102 flags = flags | PAM_SILENT;
103 } else if (strncmp(argv[i], "allow=", 6) == 0)
104 error |= parse_allow_name(user, (char *)(argv[i]+6));
/* Fixed format string: the option text is passed only as a %s argument. */
106 syslog(LOG_DEBUG, "illegal option %s", argv[i]);
/*
 * Despite its name, `error` is the accumulated match flag: a non-zero
 * value (some parse_allow_name() call returned non-zero) yields
 * PAM_SUCCESS, and zero yields PAM_AUTH_ERR.
 * NOTE(review): the initial value of `error` is not visible here -
 * confirm it starts at 0 so that the outcome without a match is denial.
 */
108 return (error?PAM_SUCCESS:PAM_AUTH_ERR);
/*
 * Check whether `who` appears in the list `cp` (the text that followed
 * "allow=" in the caller). Each entry is pulled out with getname() and
 * compared to `who` with strcmp(), i.e. an exact, case-sensitive match.
 * The return statements are not shown in this listing; the caller ORs
 * the result into a flag and treats non-zero as "allowed".
 */
112 parse_allow_name(char *who, char *cp)
/* Old-style declaration with an empty parameter list: calls to getname() are not type-checked. */
115 static char *getname();
/*
 * NOTE(review): `name` is declared on a line not shown, and getname()
 * receives no buffer length - confirm that an over-long list entry
 * cannot write past the end of `name`.
 */
121 cp = getname(cp, name);
122 /* catch things such as =, and ,, */
125 if (strcmp(who, name) == 0)
/*
 * Extract the next entry of the list at `cp` into `name`.
 * Returns a null pointer when *cp is NUL at the end of the scan,
 * otherwise a pointer one character further on so the caller can
 * continue with the next entry.
 * NOTE(review): there is no size parameter and the copy statement is not
 * shown in this listing - confirm the write into `name` is bounded by
 * the caller's buffer.
 */
132 getname(char *cp, char *name)
134 /* force name to be initially null string */
/* An entry ends at a comma or at the terminating NUL. */
142 if (*cp == ',' || *cp == '\0')
146 /* make name into string */
/* NUL at *cp means the list is exhausted; otherwise step over the current character (presumably the comma). */
148 return ((*cp == '\0')? (char *)0 : ++cp);