
The steps to use this module 1) Built it into pam_members.so gcc -o pam_members.o -c pam_members.c -fPIC gcc -shared -Xlinker -x -o pam_members.so pam_members.o 2) Install pam_members.so into /user/lib64/security 3) Put your service configuration file into /etc/pam.d, see vmadmin, vmuser, superadmin for example 4) Call PAM.pam().acct_mgmt() to check if the user is in the group members see pamauth_acc.py for example Signed-off-by: Shu Ming <shuming@linux.vnet.ibm.com>
---
 src/kimchi/pam_members.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 src/kimchi/pam_members.c
diff --git a/src/kimchi/pam_members.c b/src/kimchi/pam_members.c
new file mode 100644
index 0000000..ecd3797
--- /dev/null
+++ b/src/kimchi/pam_members.c
@@ -0,0 +1,103 @@
+/*
+ * A module to pam account managment, the steps to use this module
+ * 1) Built it into pam_members.so
+ * gcc -o pam_members.o -c pam_members.c -fPIC
+ * gcc -shared -Xlinker -x -o pam_members.so pam_members.o
+ * 2) Install pam_members.so into /user/lib64/security
+ * 3) Put your service configuration file into /etc/pam.d, see
+ * vmadmin, vmuser, superadmin for example
+ * 4) Call PAM.pam().acct_mgmt() to check if the user is in the group members
+ * see pamauth_acc.py for example
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <grp.h>
+#include <string.h>
+#include <syslog.h>
+#include <libintl.h>
+#include <pwd.h>
+#include <security/pam_appl.h>
+
+int debug_mode = 0;
+
+#define debug_printf(fmt) if (debug_mode > 0) printf fmt
+
+int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ char *user = NULL;
+ char *host = NULL;
+ char *service = NULL;
+ const char *allowed_grp = NULL;
+ char grp_buf[4096];
+ struct group grp;
+ struct group *grps_ret;
+ struct pam_conv *conversation;
+ struct pam_message message;
+ struct pam_message *pmessage = &message;
+ struct pam_response *res = NULL;
+ int i;
+ int debug = 0;
+
+ /*
+ * Set flags to display warnings if in debug mode.
+ */
+ for (i = 0; i < argc; i++) {
+ if (strcasecmp(argv[i], "debug") == 0)
+ debug_mode = 1;
+ else if (strncmp(argv[i], "group=", 6) == 0)
+ allowed_grp = &argv[i][6];
+ }
+
+ /*
+ * Get user name,service name, and host name.
+ */
+ (void) pam_get_user(pamh, &user, NULL);
+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+ (void) pam_get_item(pamh, PAM_RHOST, (const void **) &host);
+ debug_printf(("user=%s, service=%s, host=%s\n", user, service, host));
+ debug_printf(("allowed_grp=%s\n", allowed_grp));
+
+ /*
+ * Deny access if user is NULL.
+ */
+ if (user == NULL) {
+ debug_printf(("user is NULL\n"));
+ return (PAM_USER_UNKNOWN);
+ }
+
+ if (host == NULL)
+ host = "unknown";
+
+ /*
+ * Get the broken fileds from group database of allowed_grp
+ */
+ if (getgrnam_r(allowed_grp, &grp, grp_buf, sizeof (grp_buf), &grps_ret) != 0) {
+ debug_printf(("%s: members_only: group %s not defined.\n",
+ service, allowed_grp));
+ return (PAM_SYSTEM_ERR);
+ }
+
+ /*
+ * Ignore this module if group contains no members.
+ */
+ if (grp.gr_mem[0] == 0) {
+ debug_printf(("%s: members_only: group %s empty: "
+ "all users allowed.\n", service, grp.gr_name));
+ return (PAM_IGNORE);
+ }
+
+ /*
+ * Check to see if user is in group. If so, return SUCCESS.
+ */
+ for (; grp.gr_mem[0]; grp.gr_mem++) {
+ debug_printf(("Check member %s: in group\n.", user));
+ if (strcmp(grp.gr_mem[0], user) == 0) {
+ debug_printf(("%s: user %s is member of group %s. "
+ "Access allowed.\n",
+ service, user, grp.gr_name));
+ return (PAM_SUCCESS);
+ }
+ }
+}
-- 
1.8.1.4
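Review bot: pam_sm_acct_mgmt has no return statement after the membership loop at the end of the hunk, so a user who is not in the group makes the function fall off its closing brace and the caller receives an indeterminate PAM code (undefined behaviour for a non-void function); an access-control module must finish with an explicit `return (PAM_PERM_DENIED);`. The getgrnam_r check only tests the error return, but a group that simply does not exist yields 0 with `grps_ret == NULL` and `grp` left unset, so the condition should be `!= 0 || grps_ret == NULL` before `grp.gr_mem` is read. Likewise `allowed_grp` stays NULL when no `group=` option is configured and is passed straight to getgrnam_r; the module should reject that configuration (for example with `PAM_SERVICE_ERR`) before the lookup. The debug output also goes to stdout through `printf` rather than `syslog`, whose header is already included, so diagnostics end up in whatever application loaded the module. The rewritten lines are below.
```c
int
pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
    /* … unchanged: declarations, option parsing, pam_get_user/pam_get_item, NULL-user check … */

    /* No group= option: the module cannot decide, so refuse instead of calling getgrnam_r(NULL). */
    if (allowed_grp == NULL) {
        debug_printf(("%s: members_only: no group= option configured.\n", service));
        return (PAM_SERVICE_ERR);
    }

    /* getgrnam_r reports "no such group" as 0 with grps_ret == NULL, not as an error code. */
    if (getgrnam_r(allowed_grp, &grp, grp_buf, sizeof (grp_buf), &grps_ret) != 0
        || grps_ret == NULL) {
        /* … unchanged: "group not defined" debug message … */
        return (PAM_SYSTEM_ERR);
    }

    /* … unchanged: empty-group PAM_IGNORE path and the membership loop … */

    /* Not a member: deny explicitly rather than falling off the end of the function. */
    debug_printf(("%s: user %s is not a member of group %s.\n", service, user, grp.gr_name));
    return (PAM_PERM_DENIED);
}
```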