[Kimchi-devel] [WIP 2/4] A module to do pam account managment
Shu Ming
shuming at linux.vnet.ibm.com
Wed Jan 29 17:07:58 UTC 2014
The steps to use this module
1) Built it into pam_members.so
gcc -o pam_members.o -c pam_members.c -fPIC
gcc -shared -Xlinker -x -o pam_members.so pam_members.o
2) Install pam_members.so into /user/lib64/security
3) Put your service configuration file into /etc/pam.d, see
vmadmin, vmuser, superadmin for example
4) Call PAM.pam().acct_mgmt() to check if the user is in the group members
see pamauth_acc.py for example
Signed-off-by: Shu Ming <shuming at linux.vnet.ibm.com>
---
src/kimchi/pam_members.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
create mode 100644 src/kimchi/pam_members.c
diff --git a/src/kimchi/pam_members.c b/src/kimchi/pam_members.c
new file mode 100644
index 0000000..ecd3797
--- /dev/null
+++ b/src/kimchi/pam_members.c
@@ -0,0 +1,103 @@
+/*
+ * A module to pam account managment, the steps to use this module
+ * 1) Built it into pam_members.so
+ * gcc -o pam_members.o -c pam_members.c -fPIC
+ * gcc -shared -Xlinker -x -o pam_members.so pam_members.o
+ * 2) Install pam_members.so into /user/lib64/security
+ * 3) Put your service configuration file into /etc/pam.d, see
+ * vmadmin, vmuser, superadmin for example
+ * 4) Call PAM.pam().acct_mgmt() to check if the user is in the group members
+ * see pamauth_acc.py for example
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <grp.h>
+#include <string.h>
+#include <syslog.h>
+#include <libintl.h>
+#include <pwd.h>
+#include <security/pam_appl.h>
+
+int debug_mode = 0;
+
+#define debug_printf(fmt) if (debug_mode > 0) printf fmt
+
+int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ char *user = NULL;
+ char *host = NULL;
+ char *service = NULL;
+ const char *allowed_grp = NULL;
+ char grp_buf[4096];
+ struct group grp;
+ struct group *grps_ret;
+ struct pam_conv *conversation;
+ struct pam_message message;
+ struct pam_message *pmessage = &message;
+ struct pam_response *res = NULL;
+ int i;
+ int debug = 0;
+
+ /*
+ * Set flags to display warnings if in debug mode.
+ */
+ for (i = 0; i < argc; i++) {
+ if (strcasecmp(argv[i], "debug") == 0)
+ debug_mode = 1;
+ else if (strncmp(argv[i], "group=", 6) == 0)
+ allowed_grp = &argv[i][6];
+ }
+
+ /*
+ * Get user name,service name, and host name.
+ */
+ (void) pam_get_user(pamh, &user, NULL);
+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+ (void) pam_get_item(pamh, PAM_RHOST, (const void **) &host);
+ debug_printf(("user=%s, service=%s, host=%s\n", user, service, host));
+ debug_printf(("allowed_grp=%s\n", allowed_grp));
+
+ /*
+ * Deny access if user is NULL.
+ */
+ if (user == NULL) {
+ debug_printf(("user is NULL\n"));
+ return (PAM_USER_UNKNOWN);
+ }
+
+ if (host == NULL)
+ host = "unknown";
+
+ /*
+ * Get the broken fileds from group database of allowed_grp
+ */
+ if (getgrnam_r(allowed_grp, &grp, grp_buf, sizeof (grp_buf), &grps_ret) != 0) {
+ debug_printf(("%s: members_only: group %s not defined.\n",
+ service, allowed_grp));
+ return (PAM_SYSTEM_ERR);
+ }
+
+ /*
+ * Ignore this module if group contains no members.
+ */
+ if (grp.gr_mem[0] == 0) {
+ debug_printf(("%s: members_only: group %s empty: "
+ "all users allowed.\n", service, grp.gr_name));
+ return (PAM_IGNORE);
+ }
+
+ /*
+ * Check to see if user is in group. If so, return SUCCESS.
+ */
+ for (; grp.gr_mem[0]; grp.gr_mem++) {
+ debug_printf(("Check member %s: in group\n.", user));
+ if (strcmp(grp.gr_mem[0], user) == 0) {
+ debug_printf(("%s: user %s is member of group %s. "
+ "Access allowed.\n",
+ service, user, grp.gr_name));
+ return (PAM_SUCCESS);
+ }
+ }
+}
--
1.8.1.4
More information about the Kimchi-devel
mailing list