1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
26
27
28 #include <sys/types.h>
29 #include <sys/wait.h>
30 #include <sys/stat.h>
31 #include <fcntl.h>
32 #include <stdlib.h>
33 #include <security/pam_appl.h>
34 #include <security/pam_modules.h>
35 #include <security/pam_impl.h>
36 #include <syslog.h>
37 #include <pwd.h>
38 #include <shadow.h>
39 #include <lastlog.h>
40 #include <ctype.h>
41 #include <unistd.h>
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <libintl.h>
45 #include <signal.h>
46 #include <thread.h>
47 #include <synch.h>
48 #include <errno.h>
49 #include <time.h>
50 #include <string.h>
51 #include <crypt.h>
52 #include <assert.h>
53 #include <deflt.h>
54 #include <libintl.h>
55 #include <passwdutil.h>
56
57 #define LASTLOG "/var/adm/lastlog"
58 #define LOGINADMIN "/etc/default/login"
59 #define UNIX_AUTH_DATA "SUNW-UNIX-AUTH-DATA"
60 #define UNIX_AUTHTOK_DATA "SUNW-UNIX-AUTHTOK-DATA"
61
62 /*
63 * Function Declarations
64 */
65 extern void setusershell();
66 extern int _nfssys(int, void *);
67
68 typedef struct _unix_authtok_data_ {
69 int age_status;
70 }unix_authtok_data;
71
72 /*ARGSUSED*/
73 static void
unix_cleanup(pam_handle_t * pamh,void * data,int pam_status)74 unix_cleanup(
75 pam_handle_t *pamh,
76 void *data,
77 int pam_status)
78 {
79 free((unix_authtok_data *)data);
80 }
81
82 /*
83 * check_for_login_inactivity - Check for login inactivity
84 *
85 */
86
87 static int
check_for_login_inactivity(uid_t pw_uid,struct spwd * shpwd)88 check_for_login_inactivity(
89 uid_t pw_uid,
90 struct spwd *shpwd)
91 {
92 int fdl;
93 struct lastlog ll;
94 int retval;
95 offset_t offset;
96
97 offset = (offset_t)pw_uid * (offset_t)sizeof (struct lastlog);
98
99 if ((fdl = open(LASTLOG, O_RDWR|O_CREAT, 0444)) >= 0) {
100 /*
101 * Read the last login (ll) time
102 */
103 if (llseek(fdl, offset, SEEK_SET) != offset) {
104 __pam_log(LOG_AUTH | LOG_ERR,
105 "pam_unix_acct: pam_sm_acct_mgmt: "
106 "can't obtain last login info on uid %d "
107 "(uid too large)", pw_uid);
108 (void) close(fdl);
109 return (0);
110 }
111
112 retval = read(fdl, (char *)&ll, sizeof (ll));
113
114 /* Check for login inactivity */
115
116 if ((shpwd->sp_inact > 0) && (retval == sizeof (ll)) &&
117 ll.ll_time) {
118 /*
119 * account inactive too long.
120 * and no update password set
121 * and no last pwd change date in shadow file
122 * and last pwd change more than inactive time
123 * then account inactive too long and no access.
124 */
125 if (((time_t)((ll.ll_time / DAY) + shpwd->sp_inact)
126 < DAY_NOW) &&
127 (shpwd->sp_lstchg != 0) &&
128 (shpwd->sp_lstchg != -1) &&
129 ((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
130 /*
131 * Account inactive for too long
132 */
133 (void) close(fdl);
134 return (1);
135 }
136 }
137
138 (void) close(fdl);
139 }
140 return (0);
141 }
142
143 /*
144 * new_password_check()
145 *
146 * check to see if the user needs to change their password
147 */
148
149 static int
new_password_check(shpwd,flags)150 new_password_check(shpwd, flags)
151 struct spwd *shpwd;
152 int flags;
153 {
154 time_t now = DAY_NOW;
155
156 /*
157 * We want to make sure that we change the password only if
158 * passwords are required for the system, the user does not
159 * have a password, AND the user's NULL password can be changed
160 * according to its password aging information
161 */
162
163 if ((flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
164 if (shpwd->sp_pwdp[0] == '\0') {
165 if (((shpwd->sp_max == -1) ||
166 ((time_t)shpwd->sp_lstchg > now) ||
167 ((now >= (time_t)(shpwd->sp_lstchg +
168 shpwd->sp_min)) &&
169 (shpwd->sp_max >= shpwd->sp_min)))) {
170 return (PAM_NEW_AUTHTOK_REQD);
171 }
172 }
173 }
174 return (PAM_SUCCESS);
175 }
176
177 /*
178 * perform_passwd_aging_check
179 * - Check for password exipration.
180 */
181 static int
perform_passwd_aging_check(pam_handle_t * pamh,struct spwd * shpwd,int flags)182 perform_passwd_aging_check(
183 pam_handle_t *pamh,
184 struct spwd *shpwd,
185 int flags)
186 {
187 time_t now = DAY_NOW;
188 int idledays = -1;
189 char *ptr;
190 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
191 void *defp;
192
193
194 if ((defp = defopen_r(LOGINADMIN)) != NULL) {
195 if ((ptr = defread_r("IDLEWEEKS=", defp)) != NULL)
196 idledays = 7 * atoi(ptr);
197 defclose_r(defp);
198 }
199
200 /*
201 * if (sp_lstchg == 0), the administrator has forced the
202 * user to change their passwd
203 */
204 if (shpwd->sp_lstchg == 0)
205 return (PAM_NEW_AUTHTOK_REQD);
206
207 /* If password aging is disabled (or min>max), all is well */
208 if (shpwd->sp_max < 0 || shpwd->sp_max < shpwd->sp_min)
209 return (PAM_SUCCESS);
210
211 /* Password aging is enabled. See if the password has aged */
212 if (now < (time_t)(shpwd->sp_lstchg + shpwd->sp_max))
213 return (PAM_SUCCESS);
214
215 /* Password has aged. Has it aged more than idledays ? */
216 if (idledays < 0) /* IDLEWEEKS not configured */
217 return (PAM_NEW_AUTHTOK_REQD);
218
219 /* idledays is configured */
220 if (idledays > 0 && (now < (time_t)(shpwd->sp_lstchg + idledays)))
221 return (PAM_NEW_AUTHTOK_REQD);
222
223 /* password has aged more that allowed for by IDLEWEEKS */
224 if (!(flags & PAM_SILENT)) {
225 (void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
226 "Your password has been expired for too long."),
227 sizeof (messages[0]));
228 (void) strlcpy(messages[1], dgettext(TEXT_DOMAIN,
229 "Please contact the system administrator."),
230 sizeof (messages[0]));
231 (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 2, messages,
232 NULL);
233 }
234 return (PAM_AUTHTOK_EXPIRED);
235 }
236
237 /*
238 * warn_user_passwd_will_expire - warn the user when the password will
239 * expire.
240 */
241
242 static void
warn_user_passwd_will_expire(pam_handle_t * pamh,struct spwd shpwd)243 warn_user_passwd_will_expire(
244 pam_handle_t *pamh,
245 struct spwd shpwd)
246 {
247 time_t now = DAY_NOW;
248 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
249 time_t days;
250
251
252 if ((shpwd.sp_warn > 0) && (shpwd.sp_max > 0) &&
253 (now + shpwd.sp_warn) >= (time_t)(shpwd.sp_lstchg + shpwd.sp_max)) {
254 days = (time_t)(shpwd.sp_lstchg + shpwd.sp_max) - now;
255 if (days <= 0)
256 (void) snprintf(messages[0],
257 sizeof (messages[0]),
258 dgettext(TEXT_DOMAIN,
259 "Your password will expire within 24 hours."));
260 else if (days == 1)
261 (void) snprintf(messages[0],
262 sizeof (messages[0]),
263 dgettext(TEXT_DOMAIN,
264 "Your password will expire in 1 day."));
265 else
266 (void) snprintf(messages[0],
267 sizeof (messages[0]),
268 dgettext(TEXT_DOMAIN,
269 "Your password will expire in %d days."),
270 (int)days);
271
272 (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages,
273 NULL);
274 }
275 }
276
277 /*
278 * pam_sm_acct_mgmt - main account managment routine.
279 * Returns: module error or specific error on failure
280 */
281
282 int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags,int argc,const char ** argv)283 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
284 {
285 uid_t pw_uid;
286 char *repository_name = NULL;
287 char *user;
288 attrlist attr_pw[3];
289 attrlist attr_spw[7];
290 pwu_repository_t *pwu_rep = PWU_DEFAULT_REP;
291 pwu_repository_t *auth_rep = NULL;
292 int error = PAM_ACCT_EXPIRED;
293 int result;
294 int i;
295 int debug = 0;
296 int server_policy = 0;
297 unix_authtok_data *status;
298 struct spwd shpwd = {NULL, NULL,
299 -1, -1, -1, -1, -1, -1, 0};
300
301 for (i = 0; i < argc; i++) {
302 if (strcasecmp(argv[i], "debug") == 0)
303 debug = 1;
304 else if (strcasecmp(argv[i], "server_policy") == 0)
305 server_policy = 1;
306 else if (strcasecmp(argv[i], "nowarn") == 0) {
307 flags = flags | PAM_SILENT;
308 } else {
309 __pam_log(LOG_AUTH | LOG_ERR,
310 "ACCOUNT:pam_sm_acct_mgmt: illegal option %s",
311 argv[i]);
312 }
313 }
314
315 if (debug)
316 __pam_log(LOG_AUTH | LOG_DEBUG,
317 "pam_unix_account: entering pam_sm_acct_mgmt()");
318
319 if ((error = pam_get_item(pamh, PAM_USER, (void **)&user))
320 != PAM_SUCCESS)
321 goto out;
322
323 if (user == NULL) {
324 error = PAM_USER_UNKNOWN;
325 goto out;
326 } else
327 shpwd.sp_namp = user;
328
329 if ((error = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep))
330 != PAM_SUCCESS)
331 goto out;
332
333 if (auth_rep == NULL) {
334 pwu_rep = PWU_DEFAULT_REP;
335 } else {
336 if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) {
337 error = PAM_BUF_ERR;
338 goto out;
339 }
340 pwu_rep->type = auth_rep->type;
341 pwu_rep->scope = auth_rep->scope;
342 pwu_rep->scope_len = auth_rep->scope_len;
343 }
344
345 /*
346 * First get the password information
347 */
348 attr_pw[0].type = ATTR_REP_NAME; attr_pw[0].next = &attr_pw[1];
349 attr_pw[1].type = ATTR_UID; attr_pw[1].next = &attr_pw[2];
350 attr_pw[2].type = ATTR_PASSWD; attr_pw[2].next = NULL;
351 result = __get_authtoken_attr(user, pwu_rep, attr_pw);
352
353 if (result == PWU_NOT_FOUND) {
354 error = PAM_USER_UNKNOWN;
355 goto out;
356 } else if (result == PWU_DENIED) {
357 error = PAM_PERM_DENIED;
358 goto out;
359 } else if (result == PWU_NOMEM) {
360 error = PAM_BUF_ERR;
361 goto out;
362 } else if (result != PWU_SUCCESS) {
363 error = PAM_SERVICE_ERR;
364 goto out;
365 } else {
366 repository_name = attr_pw[0].data.val_s;
367 pw_uid = attr_pw[1].data.val_i;
368 shpwd.sp_pwdp = attr_pw[2].data.val_s;
369 }
370
371 /*
372 * if repository is not files|nis, and user wants server_policy,
373 * we don't care about aging and hence return PAM_IGNORE
374 */
375 if (server_policy &&
376 strcmp(repository_name, "files") != 0 &&
377 strcmp(repository_name, "nis") != 0) {
378 error = PAM_IGNORE;
379 goto out;
380 }
381
382 /*
383 * Now get the aging information
384 */
385 attr_spw[0].type = ATTR_LSTCHG; attr_spw[0].next = &attr_spw[1];
386 attr_spw[1].type = ATTR_MIN; attr_spw[1].next = &attr_spw[2];
387 attr_spw[2].type = ATTR_MAX; attr_spw[2].next = &attr_spw[3];
388 attr_spw[3].type = ATTR_WARN; attr_spw[3].next = &attr_spw[4];
389 attr_spw[4].type = ATTR_INACT; attr_spw[4].next = &attr_spw[5];
390 attr_spw[5].type = ATTR_EXPIRE; attr_spw[5].next = &attr_spw[6];
391 attr_spw[6].type = ATTR_FLAG; attr_spw[6].next = NULL;
392
393 result = __get_authtoken_attr(user, pwu_rep, attr_spw);
394 if (result == PWU_SUCCESS) {
395 shpwd.sp_lstchg = attr_spw[0].data.val_i;
396 shpwd.sp_min = attr_spw[1].data.val_i;
397 shpwd.sp_max = attr_spw[2].data.val_i;
398 shpwd.sp_warn = attr_spw[3].data.val_i;
399 shpwd.sp_inact = attr_spw[4].data.val_i;
400 shpwd.sp_expire = attr_spw[5].data.val_i;
401 shpwd.sp_flag = attr_spw[6].data.val_i;
402 }
403
404 if (debug) {
405 char *pw = "Unix PW";
406
407 if (shpwd.sp_pwdp == NULL)
408 pw = "NULL";
409 else if (strncmp(shpwd.sp_pwdp, LOCKSTRING,
410 sizeof (LOCKSTRING) - 1) == 0)
411 pw = LOCKSTRING;
412 else if (strcmp(shpwd.sp_pwdp, NOPWDRTR) == 0)
413 pw = NOPWDRTR;
414
415 if (result == PWU_DENIED) {
416 __pam_log(LOG_AUTH | LOG_DEBUG,
417 "pam_unix_account: %s: permission denied "
418 "to access password aging information. "
419 "Using defaults.", user);
420 }
421
422 __pam_log(LOG_AUTH | LOG_DEBUG,
423 "%s Policy:Unix, pw=%s, lstchg=%d, min=%d, max=%d, "
424 "warn=%d, inact=%d, expire=%d",
425 user, pw, shpwd.sp_lstchg, shpwd.sp_min, shpwd.sp_max,
426 shpwd.sp_warn, shpwd.sp_inact, shpwd.sp_expire);
427 }
428
429 if (pwu_rep != PWU_DEFAULT_REP) {
430 free(pwu_rep);
431 pwu_rep = PWU_DEFAULT_REP;
432 }
433
434 if (result == PWU_NOT_FOUND) {
435 error = PAM_USER_UNKNOWN;
436 goto out;
437 } else if (result == PWU_NOMEM) {
438 error = PAM_BUF_ERR;
439 goto out;
440 } else if (result != PWU_SUCCESS && result != PWU_DENIED) {
441 error = PAM_SERVICE_ERR;
442 goto out;
443 }
444
445 /*
446 * Check for locked account
447 */
448 if (shpwd.sp_pwdp != NULL &&
449 strncmp(shpwd.sp_pwdp, LOCKSTRING, sizeof (LOCKSTRING) - 1) == 0) {
450 char *service;
451 char *rhost = NULL;
452
453 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
454 (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
455 __pam_log(LOG_AUTH | LOG_NOTICE,
456 "pam_unix_account: %s attempting to validate locked "
457 "account %s from %s",
458 service, user,
459 (rhost != NULL && *rhost != '\0') ? rhost : "local host");
460 error = PAM_PERM_DENIED;
461 goto out;
462 }
463
464 /*
465 * Check for NULL password and, if so, see if such is allowed
466 */
467 if (shpwd.sp_pwdp[0] == '\0' &&
468 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
469 char *service;
470 char *rhost = NULL;
471
472 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
473 (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
474
475 __pam_log(LOG_AUTH | LOG_NOTICE,
476 "pam_unix_account: %s: empty password not allowed for "
477 "account %s from %s", service, user,
478 (rhost != NULL && *rhost != '\0') ? rhost : "local host");
479 error = PAM_PERM_DENIED;
480 goto out;
481 }
482
483 /*
484 * Check for account expiration
485 */
486 if (shpwd.sp_expire > 0 &&
487 (time_t)shpwd.sp_expire < DAY_NOW) {
488 error = PAM_ACCT_EXPIRED;
489 goto out;
490 }
491
492 /*
493 * Check for excessive login account inactivity
494 */
495 if (check_for_login_inactivity(pw_uid, &shpwd)) {
496 error = PAM_PERM_DENIED;
497 goto out;
498 }
499
500 /*
501 * Check to see if the user needs to change their password
502 */
503 if (error = new_password_check(&shpwd, flags)) {
504 goto out;
505 }
506
507 /*
508 * Check to make sure password aging information is okay
509 */
510 if ((error = perform_passwd_aging_check(pamh, &shpwd, flags))
511 != PAM_SUCCESS) {
512 goto out;
513 }
514
515 /*
516 * Finally, warn the user if their password is about to expire.
517 */
518 if (!(flags & PAM_SILENT)) {
519 warn_user_passwd_will_expire(pamh, shpwd);
520 }
521
522 /*
523 * All done, return Success
524 */
525 error = PAM_SUCCESS;
526
527 out:
528
529 {
530 int pam_res;
531 unix_authtok_data *authtok_data;
532
533 if (debug) {
534 __pam_log(LOG_AUTH | LOG_DEBUG,
535 "pam_unix_account: %s: %s",
536 (user == NULL)?"NULL":user,
537 pam_strerror(pamh, error));
538 }
539
540 if (repository_name)
541 free(repository_name);
542 if (pwu_rep != PWU_DEFAULT_REP)
543 free(pwu_rep);
544 if (shpwd.sp_pwdp) {
545 (void) memset(shpwd.sp_pwdp, 0, strlen(shpwd.sp_pwdp));
546 free(shpwd.sp_pwdp);
547 }
548
549 /* store the password aging status in the pam handle */
550 pam_res = pam_get_data(pamh, UNIX_AUTHTOK_DATA,
551 (const void **)&authtok_data);
552
553 if ((status = (unix_authtok_data *)calloc(1,
554 sizeof (unix_authtok_data))) == NULL) {
555 return (PAM_BUF_ERR);
556 }
557
558 if (pam_res == PAM_SUCCESS)
559 (void) memcpy(status, authtok_data,
560 sizeof (unix_authtok_data));
561
562 status->age_status = error;
563 if (pam_set_data(pamh, UNIX_AUTHTOK_DATA, status, unix_cleanup)
564 != PAM_SUCCESS) {
565 free(status);
566 return (PAM_SERVICE_ERR);
567 }
568 }
569
570 return (error);
571 }
572