|
@@ -1,830 +0,0 @@
|
|
|
-/*
|
|
|
- * CDE - Common Desktop Environment
|
|
|
- *
|
|
|
- * Copyright (c) 1993-2012, The Open Group. All rights reserved.
|
|
|
- *
|
|
|
- * These libraries and programs are free software; you can
|
|
|
- * redistribute them and/or modify them under the terms of the GNU
|
|
|
- * Lesser General Public License as published by the Free Software
|
|
|
- * Foundation; either version 2 of the License, or (at your option)
|
|
|
- * any later version.
|
|
|
- *
|
|
|
- * These libraries and programs are distributed in the hope that
|
|
|
- * they will be useful, but WITHOUT ANY WARRANTY; without even the
|
|
|
- * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
|
- * PURPOSE. See the GNU Lesser General Public License for more
|
|
|
- * details.
|
|
|
- *
|
|
|
- * You should have received a copy of the GNU Lesser General Public
|
|
|
- * License along with these libraries and programs; if not, write
|
|
|
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
|
|
|
- * Floor, Boston, MA 02110-1301 USA
|
|
|
- */
|
|
|
-/* $XConsortium: validate.c /main/4 1995/10/27 16:19:47 rswiston $ */
|
|
|
-/************************************<+>*************************************
|
|
|
- ****************************************************************************
|
|
|
- **
|
|
|
- ** File: validate.c
|
|
|
- **
|
|
|
- ** Project: HP Visual User Environment (DT)
|
|
|
- **
|
|
|
- ** Description: Dtgreet BLS user authentication routines
|
|
|
- **
|
|
|
- ** These routines validate the user; checking name, password,
|
|
|
- ** number of users on the system, password aging, etc.
|
|
|
- **
|
|
|
- **
|
|
|
- ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
|
|
|
- **
|
|
|
- **
|
|
|
- ** Conditional compiles:
|
|
|
- **
|
|
|
- ** OSMAJORVERSION < 8
|
|
|
- ** HP-UX 7.0/7.03 restricted license counting algorithms
|
|
|
- ** are used. Otherwise HP-UX 8.0 and beyond is used
|
|
|
- **
|
|
|
- ** BLS HP BLS B1 simple authentication.
|
|
|
- **
|
|
|
- **
|
|
|
- ****************************************************************************
|
|
|
- ************************************<+>*************************************/
|
|
|
-
|
|
|
-#ifdef BLS
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * Includes & Defines
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-#include <stdio.h>
|
|
|
-#include <fcntl.h>
|
|
|
-#include <stdlib.h>
|
|
|
-#include <pwd.h>
|
|
|
-
|
|
|
-#include "../vg.h"
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * HP-UX BLS authentication routines
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-#include <sys/param.h> /* for MAXUID macro */
|
|
|
-#include <sys/types.h>
|
|
|
-#include <sys/utsname.h>
|
|
|
-#include <string.h>
|
|
|
-#include <utmp.h>
|
|
|
-#include <time.h>
|
|
|
-#include <grp.h>
|
|
|
-
|
|
|
-
|
|
|
-/* BLS only headers */
|
|
|
-# include <sys/security.h>
|
|
|
-# include <prot.h>
|
|
|
-# include "bls.h"
|
|
|
-
|
|
|
-
|
|
|
-#define how_to_count ut_exit.e_exit
|
|
|
-
|
|
|
-#ifdef __hp9000s300
|
|
|
-static int num_users[] = { 2, 32767 };
|
|
|
-# define MIN_VERSION 'A'
|
|
|
-# define UNLIMITED 'B'
|
|
|
-#else
|
|
|
-static int num_users[] = { 2, 16, 32, 64 , 8 };
|
|
|
-# define MIN_VERSION 'A'
|
|
|
-# define UNLIMITED 'U'
|
|
|
-#endif
|
|
|
-
|
|
|
-/* Maximum number of users allowed with restricted license */
|
|
|
-#if OSMAJORVERSION < 8
|
|
|
-# define MAX_STRICT_USERS 2
|
|
|
-#else
|
|
|
-# define MAX_STRICT_USERS 8
|
|
|
-#endif
|
|
|
-
|
|
|
-#define NUM_VERSIONS (sizeof(num_users)/sizeof(num_users[0])) - 1
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * External declarations
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-extern Widget focusWidget; /* login or password text field */
|
|
|
-
|
|
|
-extern long groups[NGROUPS];
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * Procedure declarations
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-static int CheckPassword( char *name, char *passwd );
|
|
|
-static int CountUsers( int added_users) ;
|
|
|
-static int CountUsersStrict( char *new_user) ;
|
|
|
-static void WriteBtmp( char *name) ;
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * Global variables
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-/* BLS only data */
|
|
|
- struct pr_passwd *b1_pwd;
|
|
|
- struct verify_info verify_data;
|
|
|
- struct verify_info *verify = &verify_data;
|
|
|
- struct greet_info greet_data;
|
|
|
- struct greet_info *greet = &greet_data;
|
|
|
- static int UserHasPassword = 1;
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * CountUsers
|
|
|
- *
|
|
|
- * see if new user has exceeded the maximum.
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-#define NCOUNT 16
|
|
|
-
|
|
|
-static int
|
|
|
-CountUsers( int added_users )
|
|
|
-{
|
|
|
- int count[NCOUNT], nusers, i;
|
|
|
- struct utmp *entry;
|
|
|
-
|
|
|
- for (i=0; i<NCOUNT; i++)
|
|
|
- count[i] = 0;
|
|
|
-
|
|
|
- count[added_users]++;
|
|
|
-
|
|
|
- while ( (entry = getutent()) != NULL) {
|
|
|
- if (entry->ut_type == USER_PROCESS) {
|
|
|
- i = entry->how_to_count;
|
|
|
- if (i < 0 || i >= NCOUNT)
|
|
|
- i = 1; /* if out of range, then count */
|
|
|
- /* as ordinary user */
|
|
|
- count[i]++;
|
|
|
- }
|
|
|
- }
|
|
|
- endutent();
|
|
|
-
|
|
|
- /*
|
|
|
- * KEY:
|
|
|
- * [0] does not count at all
|
|
|
- * [1] counts as real user
|
|
|
- * [2] logins via a pty which have not gone trough login. These
|
|
|
- * collectively count as 1 user IF count[3] is 0, otherwise,
|
|
|
- * they are not counted. Starting with HP-UX 8.0 they are
|
|
|
- * no longer counted at all.
|
|
|
- * [3] logins via a pty which have been logged through login (i.e.
|
|
|
- * rlogin and telnet). these count as 1 "real" user per
|
|
|
- * unique user name.
|
|
|
- * [4-15] may be used for groups of users which collectively
|
|
|
- * count as 1
|
|
|
- */
|
|
|
- nusers = count[1];
|
|
|
-
|
|
|
-#if OSMAJORVERSION < 8
|
|
|
- for (i=2; i<NCOUNT; i++)
|
|
|
-#else
|
|
|
- for (i=3; i<NCOUNT; i++)
|
|
|
-#endif
|
|
|
- if (count[i] > 0)
|
|
|
- nusers++;
|
|
|
-
|
|
|
- return(nusers);
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * CountUsersStrict
|
|
|
- *
|
|
|
- * see if new user has exceeded the maximum.
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-static int
|
|
|
-CountUsersStrict( char *new_user )
|
|
|
-{
|
|
|
- char pty_users[MAX_STRICT_USERS][8];
|
|
|
- int count[NCOUNT], nusers, i, cnt, pty_off = -1, uname_off;
|
|
|
- struct utmp *entry;
|
|
|
-
|
|
|
- /*
|
|
|
- * Initialize count array...
|
|
|
- */
|
|
|
- for (i = 0; i < NCOUNT; i++)
|
|
|
- count[i] = 0;
|
|
|
-
|
|
|
- /*
|
|
|
- * Add in the new user (we know it's not a pty)...
|
|
|
- */
|
|
|
- count[1]++;
|
|
|
-
|
|
|
- while ( (entry = getutent()) != NULL ) {
|
|
|
- if (entry->ut_type == USER_PROCESS) {
|
|
|
- i = entry->how_to_count;
|
|
|
-
|
|
|
- /* if out of range, then count as ordinary user logged in
|
|
|
- via a tty */
|
|
|
- if (i == 1 || (i < 0 || i >= NCOUNT))
|
|
|
- count[1]++;
|
|
|
- /* See if it is a pty login granted by login program */
|
|
|
- else if (i == 3) {
|
|
|
- count[3]++;
|
|
|
- /* See if user is already logged in via login pty */
|
|
|
- uname_off = -1;
|
|
|
- for (cnt = 0; cnt <= pty_off; cnt++)
|
|
|
- if (strncmp(pty_users[cnt], entry->ut_user, 8) == 0)
|
|
|
- uname_off = cnt;
|
|
|
-
|
|
|
- if (uname_off == -1) { /* user is not logged in via pty yet */
|
|
|
-
|
|
|
- if (pty_off >= MAX_STRICT_USERS) /* cannot add any
|
|
|
- more users */
|
|
|
- return(MAX_STRICT_USERS + 1);
|
|
|
- /* add the user name to the array of pty users */
|
|
|
- else
|
|
|
- strncpy(pty_users[++pty_off], entry->ut_user, 8);
|
|
|
- }
|
|
|
- } /* end if (i == 3) */
|
|
|
- else
|
|
|
- count[i]++;
|
|
|
- } /* end if entry->ut_type == USER_PROCESS */
|
|
|
- } /* end while (entry = getutent()) */
|
|
|
-
|
|
|
- endutent();
|
|
|
- /*
|
|
|
- * KEY:
|
|
|
- * [0] does not count at all
|
|
|
- * [1] counts as "real" user
|
|
|
- * [2] logins via a pty which have not gone trough login. These
|
|
|
- * collectively count as 1 user IF count[3] is 0, otherwise,
|
|
|
- * they are not counted. Starting with HP-UX 8.0 they are
|
|
|
- * no longer counted at all.
|
|
|
- * [3] logins via a pty which have been logged through login (i.e.
|
|
|
- * rlogin and telnet). these count as 1 "real" user per
|
|
|
- * unique user name.
|
|
|
- * [4-15] may be used for groups of users which collectively count
|
|
|
- * as 1
|
|
|
- */
|
|
|
-
|
|
|
- nusers = pty_off + 1 + count[1]; /* Current number of users is sum of
|
|
|
- users logged in via tty + the
|
|
|
- number of unique users logged in
|
|
|
- via pty which have gone through
|
|
|
- login */
|
|
|
-
|
|
|
-#if OSMAJORVERSION < 8
|
|
|
- if ((count[3] == 0) && (count[2] != 0))
|
|
|
- nusers++; /* Add 1 user for all pty logins IF
|
|
|
- none of pty logins have been
|
|
|
- granted by the login program */
|
|
|
-#else
|
|
|
- /*
|
|
|
- * Don't count any hpterm logins (exit status of 2). We already
|
|
|
- * counted all pty logins granted by the login program.
|
|
|
- */
|
|
|
-#endif
|
|
|
-
|
|
|
- for (i = 4; i < NCOUNT; i++)
|
|
|
- if (count[i] > 0)
|
|
|
- nusers++;
|
|
|
- return(nusers);
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * CheckPassword
|
|
|
- *
|
|
|
- * Check validity of user password.
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-static int
|
|
|
-CheckPassword( char *name, char *passwd )
|
|
|
-{
|
|
|
-
|
|
|
- char *crypt();
|
|
|
- struct passwd *p;
|
|
|
- char *reason;
|
|
|
-
|
|
|
- /*
|
|
|
- * HP BLS B1 password authentication...
|
|
|
- */
|
|
|
-
|
|
|
- if ( ISSECURE ) {
|
|
|
- b1_pwd = getprpwnam(name);
|
|
|
-
|
|
|
- if ( b1_pwd == NULL || strlen(name) == 0 ) {
|
|
|
- Debug("unknown user '%s'\n", name);
|
|
|
- audit_login((struct pr_passwd *)0, (struct passwd *)0,
|
|
|
- dpyinfo.name, "No entry in protected password db",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(FALSE);
|
|
|
- }
|
|
|
-
|
|
|
- /*
|
|
|
- * look up user's regular account information...
|
|
|
- */
|
|
|
-
|
|
|
- p = getpwnam(name);
|
|
|
-
|
|
|
- if ( p == NULL || strlen(name) == 0 ) {
|
|
|
- Debug("unknown user '%s'\n", name);
|
|
|
- audit_login((struct pr_passwd *)0, (struct passwd *)0,
|
|
|
- dpyinfo.name, "No entry in password file",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(FALSE);
|
|
|
- }
|
|
|
-
|
|
|
- /* verify_info has become a catchall for info needed later */
|
|
|
- verify->user_name = name;
|
|
|
- verify->prpwd = b1_pwd;
|
|
|
- verify->pwd = p;
|
|
|
- strncpy(verify->terminal, dpyinfo.name, 15);
|
|
|
- verify->terminal[15]='\0';
|
|
|
-
|
|
|
- }
|
|
|
-
|
|
|
- Debug("Verify %s \n",name);
|
|
|
-
|
|
|
- /* if the password doesn't exists, we can't check it, but
|
|
|
- * the user will be forced to change it later */
|
|
|
- if ( (UserHasPassword = password_exists(verify)) != 0 )
|
|
|
- if ( strcmp(bigcrypt(passwd,b1_pwd->ufld.fd_encrypt),
|
|
|
- b1_pwd->ufld.fd_encrypt) ) {
|
|
|
- Debug("verify failed\n");
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Password incorrect",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(FALSE);
|
|
|
- } else {
|
|
|
- Debug ("username/password verify succeeded\n");
|
|
|
- return(TRUE);
|
|
|
- }
|
|
|
- /*
|
|
|
- * all password checks failed...
|
|
|
- */
|
|
|
-
|
|
|
- return (FALSE);
|
|
|
-
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * BLS_Verify
|
|
|
- *
|
|
|
- * verify the user
|
|
|
- *
|
|
|
- * return codes indicate authentication results.
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-#define MAXATTEMPTS 3
|
|
|
-
|
|
|
-static struct passwd nouser = {"", "nope"}; /* invalid user password struct */
|
|
|
-
|
|
|
-int
|
|
|
-BLS_Verify( char *name, char *passwd )
|
|
|
-{
|
|
|
-
|
|
|
- static int login_attempts = 0; /* # failed authentications */
|
|
|
-
|
|
|
- struct passwd *p; /* password structure */
|
|
|
- struct pr_passwd *prpwd;
|
|
|
-
|
|
|
- struct utsname utsnam;
|
|
|
- int n;
|
|
|
- int uid;
|
|
|
-
|
|
|
- /*
|
|
|
- * Desparate maneuvre to give dtgreet the privledges it needs
|
|
|
- */
|
|
|
- if ( login_attempts == 0 ) {
|
|
|
- Debug("Setting luid for dtgreet\n");
|
|
|
- if ( getluid() == -1 )
|
|
|
- setluid(getuid());
|
|
|
- }
|
|
|
-
|
|
|
- /*
|
|
|
- * validate password...
|
|
|
- */
|
|
|
-
|
|
|
- if ( CheckPassword(name, passwd) == FALSE) {
|
|
|
- p = verify->pwd;
|
|
|
- if ( focusWidget == passwd_text ) {
|
|
|
-
|
|
|
- WriteBtmp(name);
|
|
|
-
|
|
|
- if ((++login_attempts % MAXATTEMPTS) == 0 ) {
|
|
|
-
|
|
|
- if (p->pw_name == NULL )
|
|
|
- p = &nouser;
|
|
|
-
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Failed login(bailout)",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- }
|
|
|
-
|
|
|
- } else if ( !UserHasPassword ) {
|
|
|
- /*
|
|
|
- * The user has not password -- this must be the initial login for this
|
|
|
- * user. Treat it like an expired password. This should invoke the
|
|
|
- * password program on behalf of the user.
|
|
|
- */
|
|
|
- UserHasPassword = 1;
|
|
|
- return VF_PASSWD_AGED;
|
|
|
- }
|
|
|
-
|
|
|
- return(VF_INVALID);
|
|
|
- }
|
|
|
- prpwd = verify->prpwd;
|
|
|
- p = verify->pwd;
|
|
|
-
|
|
|
- /* check that the uid of both passwd and pr_passwd struct's agree */
|
|
|
- uid = p->pw_uid;
|
|
|
- if (uid != prpwd->ufld.fd_uid) {
|
|
|
- audit_login(prpwd, p, verify->terminal,
|
|
|
- "User id's inconsistent across password database\n",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- Debug("login failed - uid's do not match\n");
|
|
|
- return VF_BAD_UID;
|
|
|
- }
|
|
|
- verify->uid = uid;
|
|
|
-
|
|
|
- /* check if user's account is locked
|
|
|
- * This can be by dead password (lifetime exceeded),
|
|
|
- * fd_lock is set, or fd_max_tries is exceeded.
|
|
|
- * locked_out is from libsec, but is poorly documented.
|
|
|
- */
|
|
|
- if (locked_out(prpwd)) {
|
|
|
- Debug("Account locked\n");
|
|
|
- audit_login(prpwd, p, verify->terminal,
|
|
|
- "Account locked", ES_LOGIN_FAILED);
|
|
|
- return VF_INVALID;
|
|
|
- }
|
|
|
- /* can user log in at this time?
|
|
|
- * time_lock is in libsec, but poorly documented
|
|
|
- */
|
|
|
- if (time_lock(prpwd)) {
|
|
|
- Debug("Account time-locked\n");
|
|
|
- audit_login(prpwd, p, verify->terminal,
|
|
|
- "Account time-locked", ES_LOGIN_FAILED);
|
|
|
- return VF_INVALID;
|
|
|
- }
|
|
|
-
|
|
|
- /****************************************************
|
|
|
- xdm checks the security level here using
|
|
|
- verify_sec_user
|
|
|
- We do it later from the dtgreet callback rountine
|
|
|
- VerifySensitivityLevel()
|
|
|
- ****************************************************/
|
|
|
-
|
|
|
-#if 0
|
|
|
- /*
|
|
|
- * check restricted license...
|
|
|
- *
|
|
|
- * Note: This only applies to local displays. Foreign displays
|
|
|
- * (i.e. X-terminals) apparently do not count.
|
|
|
- */
|
|
|
-
|
|
|
- /* Get the version info via uname. If it doesn't look right,
|
|
|
- * assume the smallest user configuration
|
|
|
- */
|
|
|
-
|
|
|
- if (getenv(LOCATION) != NULL) {
|
|
|
- if (uname(&utsnam) < 0)
|
|
|
- utsnam.version[0] = MIN_VERSION;
|
|
|
-
|
|
|
- /*
|
|
|
- * Mappings:
|
|
|
- * 834 -> 834
|
|
|
- * 844 -> 844
|
|
|
- * 836 -> 635
|
|
|
- * 846 -> 645
|
|
|
- * 843 -> 642
|
|
|
- * 853 -> 652
|
|
|
- */
|
|
|
-
|
|
|
- if ((!strncmp(utsnam.machine, "9000/834", UTSLEN)) ||
|
|
|
- (!strncmp(utsnam.machine, "9000/844", UTSLEN)) ||
|
|
|
- (!strncmp(utsnam.machine, "9000/836", UTSLEN)) ||
|
|
|
- (!strncmp(utsnam.machine, "9000/846", UTSLEN)) ||
|
|
|
- (!strncmp(utsnam.machine, "9000/843", UTSLEN)) ||
|
|
|
- (!strncmp(utsnam.machine, "9000/853", UTSLEN))) {
|
|
|
-
|
|
|
-/* strict_count = 1;*/
|
|
|
- if (CountUsersStrict(name) > MAX_STRICT_USERS) {
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Attempted to login - too many users on the system",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_MAX_USERS);
|
|
|
- }
|
|
|
- }
|
|
|
- else {
|
|
|
- if (utsnam.version[0] != UNLIMITED) {
|
|
|
- if ((utsnam.version[0]-'A' < 0) ||
|
|
|
- (utsnam.version[0]-'A' > NUM_VERSIONS))
|
|
|
- utsnam.version[0] = MIN_VERSION;
|
|
|
-
|
|
|
- n = (int) utsnam.version[0] - 'A';
|
|
|
- if (CountUsers(1) > num_users[n]) {
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Attempted to login - too many users on the system",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_MAX_USERS);
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
-#endif /* 0 */
|
|
|
-
|
|
|
- /*
|
|
|
- * check password aging...
|
|
|
- */
|
|
|
-
|
|
|
- if ( passwordExpired(verify)) {
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Password expired",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_PASSWD_AGED);
|
|
|
- }
|
|
|
-
|
|
|
-
|
|
|
- /*
|
|
|
- * verify home directory exists...
|
|
|
- */
|
|
|
-
|
|
|
- if(chdir(p->pw_dir) < 0) {
|
|
|
- Debug("Attempted to login -- no home directory\n");
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- " Attempted to login - no home directory",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_HOME);
|
|
|
- }
|
|
|
-
|
|
|
- /*
|
|
|
- * validate uid and gid...
|
|
|
- */
|
|
|
-#ifdef NGROUPS
|
|
|
- getGroups(greet->name, verify, p->pw_gid);
|
|
|
-#else
|
|
|
- verify->gid = pwd->pw_gid;
|
|
|
-
|
|
|
- if ((p->pw_gid < 0) ||
|
|
|
- (p->pw_gid > MAXUID) ||
|
|
|
- (setgid(p->pw_gid) == -1)) {
|
|
|
-
|
|
|
- Debug("Attempted to login -- bad group id");
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Attempted to login - bad group id",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_BAD_GID);
|
|
|
- }
|
|
|
-#endif /* NGROUPS */
|
|
|
-
|
|
|
- if ((p->pw_uid < 0) ||
|
|
|
- (p->pw_uid > MAXUID) ||
|
|
|
- (setresuid(p->pw_uid, p->pw_uid, 0) == -1)) {
|
|
|
-
|
|
|
- Debug("Attempted to login -- bad user id\n");
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Attempted to login - bad user id",
|
|
|
- ES_LOGIN_FAILED);
|
|
|
- return(VF_BAD_UID);
|
|
|
- }
|
|
|
-
|
|
|
-
|
|
|
- /*
|
|
|
- * verify ok...
|
|
|
- */
|
|
|
-
|
|
|
- Debug ("Successful login\n");
|
|
|
- audit_login( b1_pwd, p ,dpyinfo.name,
|
|
|
- "Successful login",
|
|
|
- ES_LOGIN_REMOTE);
|
|
|
- return(VF_OK);
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * WriteBtmp
|
|
|
- *
|
|
|
- * log bad login attempts
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-
|
|
|
-static void
|
|
|
-WriteBtmp( char *name )
|
|
|
-{
|
|
|
- int fd;
|
|
|
- struct utmp utmp, *u;
|
|
|
-
|
|
|
- Boolean found=FALSE;
|
|
|
-
|
|
|
- bzero(&utmp, sizeof(struct utmp));
|
|
|
-
|
|
|
- utmp.ut_pid = getppid();
|
|
|
- while ((u = getutent()) != NULL) {
|
|
|
- if ( (u->ut_type == INIT_PROCESS ||
|
|
|
- u->ut_type == LOGIN_PROCESS ||
|
|
|
- u->ut_type == USER_PROCESS) &&
|
|
|
- u->ut_pid == utmp.ut_pid ) {
|
|
|
-
|
|
|
- found = TRUE;
|
|
|
- break;
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
-
|
|
|
- /*
|
|
|
- * if no utmp entry, this may be an X-terminal. Construct a utmp
|
|
|
- * entry for it...
|
|
|
- */
|
|
|
-
|
|
|
- if ( ! found ) {
|
|
|
- strncpy(utmp.ut_id, "??", sizeof(utmp.ut_id));
|
|
|
- strncpy(utmp.ut_line, dpyinfo.name, sizeof(utmp.ut_line));
|
|
|
- utmp.ut_type = LOGIN_PROCESS;
|
|
|
- strncpy(utmp.ut_host, dpyinfo.name, sizeof(utmp.ut_host));
|
|
|
- u = &utmp;
|
|
|
- }
|
|
|
-
|
|
|
-
|
|
|
- /*
|
|
|
- * If btmp exists, then record the bad attempt
|
|
|
- */
|
|
|
- if ( (fd = open(BTMP_FILE,O_WRONLY|O_APPEND)) >= 0) {
|
|
|
- strncpy(u->ut_user, name, sizeof(u->ut_user));
|
|
|
- (void) time(&u->ut_time);
|
|
|
- write(fd, (char *)u, sizeof(utmp));
|
|
|
- (void) close(fd);
|
|
|
- }
|
|
|
-
|
|
|
- endutent(); /* Close utmp file */
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * VerifySensitivityLevel
|
|
|
- *
|
|
|
- * verify B1 Sensitivity Level
|
|
|
- **************************************************************************/
|
|
|
-extern char *sensitivityLevel;
|
|
|
-
|
|
|
-int
|
|
|
-VerifySensitivityLevel( void)
|
|
|
-{
|
|
|
-
|
|
|
- int i;
|
|
|
-
|
|
|
- greet->b1security = sensitivityLevel =
|
|
|
- (char *) XmTextFieldGetString(passwd_text);
|
|
|
-
|
|
|
- /* new functions: (side effects: auditing, change verify) */
|
|
|
- if (verify_user_seclevel(verify, sensitivityLevel)
|
|
|
- && verify_sec_xterm(verify, sensitivityLevel)) {
|
|
|
-
|
|
|
- Debug("verify_user_seclevel succeeded.\n");
|
|
|
- return VF_OK;
|
|
|
- }
|
|
|
-
|
|
|
- Debug("verify_user_seclevel failed\n");
|
|
|
- return (VF_BAD_SEN_LEVEL);
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-#ifdef NGROUPS
|
|
|
-groupMember ( char *name, char **members )
|
|
|
-{
|
|
|
- while (*members) {
|
|
|
- if (!strcmp (name, *members))
|
|
|
- return 1;
|
|
|
- ++members;
|
|
|
- }
|
|
|
- return 0;
|
|
|
-}
|
|
|
-
|
|
|
-getGroups ( char *name, struct verify_info *verify, int gid)
|
|
|
-{
|
|
|
- int ngroups;
|
|
|
- struct group *g;
|
|
|
- int i;
|
|
|
-
|
|
|
- ngroups = 0;
|
|
|
- verify->groups[ngroups++] = gid;
|
|
|
- setgrent ();
|
|
|
- while (g = getgrent()) {
|
|
|
- /*
|
|
|
- * make the list unique
|
|
|
- */
|
|
|
- for (i = 0; i < ngroups; i++)
|
|
|
- if (verify->groups[i] == g->gr_gid)
|
|
|
- break;
|
|
|
- if (i != ngroups)
|
|
|
- continue;
|
|
|
- if (groupMember (name, g->gr_mem)) {
|
|
|
- if (ngroups >= NGROUPS)
|
|
|
- LogError ("%s belongs to more than %d groups, %s ignored\n",
|
|
|
- name, NGROUPS, g->gr_name);
|
|
|
- else
|
|
|
- verify->groups[ngroups++] = g->gr_gid;
|
|
|
- }
|
|
|
- }
|
|
|
- verify->ngroups = ngroups;
|
|
|
- endgrent ();
|
|
|
-}
|
|
|
-#endif
|
|
|
-
|
|
|
-/* check whether the password has expired or not.
|
|
|
- * return 1 means that the password has expired.
|
|
|
- */
|
|
|
-int
|
|
|
-passwordExpired( struct verify_info *verify)
|
|
|
-{
|
|
|
- struct pr_passwd *pr;
|
|
|
- time_t expiration;
|
|
|
- time_t last_change;
|
|
|
- time_t expiration_time;
|
|
|
- time_t now;
|
|
|
- int passwd_status;
|
|
|
- struct pr_passwd save_data;
|
|
|
- struct pr_default *df;
|
|
|
- char *ttime;
|
|
|
- char ptime[64];
|
|
|
-
|
|
|
- pr = verify->prpwd;
|
|
|
-
|
|
|
- /*
|
|
|
- * If null password, do not check expiration.
|
|
|
- */
|
|
|
-
|
|
|
- if (!pr->uflg.fg_encrypt || (pr->ufld.fd_encrypt[0] == '\0'))
|
|
|
- return 0;
|
|
|
-
|
|
|
- now = time((long *) 0);
|
|
|
-
|
|
|
- if (pr->uflg.fg_schange)
|
|
|
- last_change = pr->ufld.fd_schange;
|
|
|
- else
|
|
|
- last_change = (time_t) 0;
|
|
|
-
|
|
|
- if (pr->uflg.fg_expire)
|
|
|
- expiration = pr->ufld.fd_expire;
|
|
|
- else if (pr->sflg.fg_expire)
|
|
|
- expiration = pr->sfld.fd_expire;
|
|
|
- else
|
|
|
- expiration = (time_t) 0;
|
|
|
-
|
|
|
- df = getprdfnam(AUTH_DEFAULT);
|
|
|
-
|
|
|
- /*
|
|
|
- * A 0 or missing expiration field means there is no
|
|
|
- * expiration.
|
|
|
- */
|
|
|
- expiration_time = expiration ? last_change + expiration : 0;
|
|
|
-
|
|
|
- if (expiration_time && now > expiration_time ) {
|
|
|
- /*
|
|
|
- * The password has expired
|
|
|
- */
|
|
|
- Debug("The password is expired\n");
|
|
|
- return 1;
|
|
|
- }
|
|
|
-
|
|
|
- Debug("The password is not expired\n");
|
|
|
- return 0;
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-/***************************************************************************
|
|
|
- *
|
|
|
- * end HP-UX authentication routines
|
|
|
- *
|
|
|
- ***************************************************************************/
|
|
|
-#endif /* BLS */
|