[Kimchi-devel] [WIP 2/4] A module to do pam account managment

Shu Ming shuming at linux.vnet.ibm.com
Wed Jan 29 17:07:58 UTC 2014


The steps to use this module
1) Build it into pam_members.so
   gcc -o pam_members.o -c pam_members.c -fPIC
   gcc -shared -Xlinker -x -o pam_members.so pam_members.o
2) Install pam_members.so into /user/lib64/security
3) Put your service configuration file into /etc/pam.d, see
   vmadmin, vmuser, superadmin for example
4) Call PAM.pam().acct_mgmt() to check if the user is in the group members
   see pamauth_acc.py for example

Signed-off-by: Shu Ming <shuming at linux.vnet.ibm.com>
---
 src/kimchi/pam_members.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 src/kimchi/pam_members.c

diff --git a/src/kimchi/pam_members.c b/src/kimchi/pam_members.c
new file mode 100644
index 0000000..ecd3797
--- /dev/null
+++ b/src/kimchi/pam_members.c
@@ -0,0 +1,103 @@
+/*
+ * A module to pam account managment, the steps to use this module
+ * 1) Built it into pam_members.so
+ *    gcc -o pam_members.o -c pam_members.c -fPIC
+ *    gcc -shared -Xlinker -x -o pam_members.so pam_members.o
+ * 2) Install pam_members.so into /user/lib64/security
+ * 3) Put your service configuration file into /etc/pam.d, see
+ *    vmadmin, vmuser, superadmin for example
+ * 4) Call PAM.pam().acct_mgmt() to check if the user is in the group members
+ *    see pamauth_acc.py for example
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <grp.h>
+#include <string.h>
+#include <syslog.h>
+#include <libintl.h>
+#include <pwd.h>
+#include <security/pam_appl.h>
+
+int debug_mode = 0;
+
+#define	debug_printf(fmt)	if (debug_mode > 0) printf fmt
+
+int
+pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+    char *user = NULL;
+    char *host = NULL;
+    char *service = NULL;
+    const char *allowed_grp = NULL;
+    char grp_buf[4096];
+    struct group grp;
+    struct group *grps_ret;
+    struct pam_conv *conversation;
+    struct pam_message message;
+    struct pam_message *pmessage = &message;
+    struct pam_response *res = NULL;
+    int i;
+    int debug = 0;
+
+    /* 
+     * Set flags to display warnings if in debug mode.
+     */
+    for (i = 0; i < argc; i++) {
+        if (strcasecmp(argv[i], "debug") == 0)
+            debug_mode = 1;
+        else if (strncmp(argv[i], "group=", 6) == 0)
+            allowed_grp = &argv[i][6];
+    }
+
+    /*
+     * Get user name,service name, and host name.
+     */
+    (void) pam_get_user(pamh, &user, NULL);
+    (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+    (void) pam_get_item(pamh, PAM_RHOST, (const void **) &host);
+    debug_printf(("user=%s, service=%s, host=%s\n", user, service, host));
+    debug_printf(("allowed_grp=%s\n", allowed_grp));
+
+    /*
+     *  Deny access if user is NULL.
+     */
+    if (user == NULL) {
+        debug_printf(("user is NULL\n"));
+        return (PAM_USER_UNKNOWN);
+    }
+
+    if (host == NULL)
+        host = "unknown";
+
+    /*
+     * Get the broken fileds from group database of allowed_grp
+     */
+    if (getgrnam_r(allowed_grp, &grp, grp_buf, sizeof (grp_buf), &grps_ret) != 0) {
+        debug_printf(("%s: members_only: group %s not defined.\n",
+            service, allowed_grp));
+        return (PAM_SYSTEM_ERR);
+    }
+
+    /* 
+     * Ignore this module if group contains no members.
+     */
+    if (grp.gr_mem[0] == 0) {
+        debug_printf(("%s: members_only: group %s empty: "
+            "all users allowed.\n", service, grp.gr_name));
+        return (PAM_IGNORE);
+    }
+
+    /*
+     * Check to see if user is in group. If so, return SUCCESS.
+     */
+    for (; grp.gr_mem[0]; grp.gr_mem++) {
+        debug_printf(("Check member %s:  in group\n.", user));
+        if (strcmp(grp.gr_mem[0], user) == 0) {
+            debug_printf(("%s: user %s is member of group %s. "
+                "Access allowed.\n",
+                 service, user, grp.gr_name));
+            return (PAM_SUCCESS);
+        }
+    }
+}
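Review bot: The function falls off the end when the user is not a member: the loop over `grp.gr_mem` returns only on a match and nothing follows it before the closing brace, so a non-member yields an undefined PAM status rather than a denial; add `return (PAM_PERM_DENIED);` after the loop (a `debug_printf` naming the user and group beforehand would match the other branches). The `getgrnam_r` check also lets a missing group through: it returns 0 with `grps_ret == NULL` when `allowed_grp` is not in the group database, and `allowed_grp` is still NULL when the service file passes no `group=` argument, so the later `grp.gr_mem[0]` read uses an uninitialized struct; guard with `if (allowed_grp == NULL || getgrnam_r(allowed_grp, &grp, grp_buf, sizeof (grp_buf), &grps_ret) != 0 || grps_ret == NULL) {`. Both matter because this module is the deny decision of the account stack, so any path that does not end in an explicit PAM_* code is an access-control gap, not a cosmetic one. Smaller points: `strcasecmp` is declared in `<strings.h>`, which is not included, `pam_get_user` and the `pam_sm_acct_mgmt` prototype come from `<security/pam_modules.h>` rather than `pam_appl.h` as far as I recall, `user` should be `const char *` to match `pam_get_user`, and `conversation`, `pmessage`, `res` and `debug` are never used. The `debug_printf` macro expands to a bare `if`, so write it as `#define debug_printf(fmt) do { if (debug_mode > 0) printf fmt; } while (0)` to remove the dangling-else hazard.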
-- 
1.8.1.4




More information about the Kimchi-devel mailing list