- (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]

Move loginrestrictions test to port-aix.c, replace with a generic hook.
author: Darren Tucker <dtucker@zip.com.au> 2004-06-23 13:45:24 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2004-06-23 13:45:24 +1000
commit: 0a9d43d7264ff0a74c4f9493be238e35ef04c952 (patch)
tree: 5734ef5253ba9f4dac817c7987a00671c77d9fc6 /openbsd-compat/port-aix.c
parent: ef8f8af86c3df4d769892baeca5d18a7a8599908 (diff)
1 files changed, 45 insertions, 1 deletions
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 5ba6819de..bf7e98652 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
        return authsuccess;
 }
-  
+/*
+ * Check if specified account is permitted to log in.
+ * Returns 1 if login is allowed, 0 if not allowed.
+ */
+int
+sys_auth_allowed_user(struct passwd *pw)
+{
+        char *msg = NULL;
+        int result, permitted = 0;
+        struct stat st;
+        /*
+         * Don't perform checks for root account (PermitRootLogin controls
+         * logins via * ssh) or if running as non-root user (since
+         * loginrestrictions will always fail due to insufficient privilege).
+         */
+        if (pw->pw_uid == 0 || geteuid() != 0) {
+                debug3("%s: not checking");
+                return 1;
+        }
+        result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+        if (result == 0)
+                permitted = 1;
+        /*
+         * If restricted because /etc/nologin exists, the login will be denied
+         * in session.c after the nologin message is sent, so allow for now
+         * and do not append the returned message.
+         */
+        if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
+                permitted = 1;
+        else if (msg != NULL)
+                buffer_append(&loginmsg, msg, strlen(msg));
+        if (msg == NULL)
+                msg = xstrdup("(none)");
+        aix_remove_embedded_newlines(msg);
+        debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
+        if (!permitted)
+                logit("Login restricted for %s: %.100s", pw->pw_name, msg);
+        xfree(msg);
+        return permitted;
+}
 #  ifdef CUSTOM_FAILED_LOGIN
 /*
 * record_failed_login: generic "login failed" interface function
author	Darren Tucker <dtucker@zip.com.au>	2004-06-23 13:45:24 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2004-06-23 13:45:24 +1000
commit	0a9d43d7264ff0a74c4f9493be238e35ef04c952 (patch)
tree	5734ef5253ba9f4dac817c7987a00671c77d9fc6 /openbsd-compat/port-aix.c
parent	ef8f8af86c3df4d769892baeca5d18a7a8599908 (diff)

diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 5ba6819de..bf7e98652 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c
@@ -163,7 +163,51 @@ sys_auth_passwd(Authctxt ctxt, const char password)
163		163
164	return authsuccess;	164	return authsuccess;
165	}	165	}
166		166
		167	/*
		168	* Check if specified account is permitted to log in.
		169	* Returns 1 if login is allowed, 0 if not allowed.
		170	*/
		171	int
		172	sys_auth_allowed_user(struct passwd *pw)
		173	{
		174	char *msg = NULL;
		175	int result, permitted = 0;
		176	struct stat st;
		177
		178	/*
		179	* Don't perform checks for root account (PermitRootLogin controls
		180	* logins via * ssh) or if running as non-root user (since
		181	* loginrestrictions will always fail due to insufficient privilege).
		182	*/
		183	if (pw->pw_uid == 0 \|\| geteuid() != 0) {
		184	debug3("%s: not checking");
		185	return 1;
		186	}
		187
		188	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
		189	if (result == 0)
		190	permitted = 1;
		191	/*
		192	* If restricted because /etc/nologin exists, the login will be denied
		193	* in session.c after the nologin message is sent, so allow for now
		194	* and do not append the returned message.
		195	*/
		196	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
		197	permitted = 1;
		198	else if (msg != NULL)
		199	buffer_append(&loginmsg, msg, strlen(msg));
		200	if (msg == NULL)
		201	msg = xstrdup("(none)");
		202	aix_remove_embedded_newlines(msg);
		203	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
		204
		205	if (!permitted)
		206	logit("Login restricted for %s: %.100s", pw->pw_name, msg);
		207	xfree(msg);
		208	return permitted;
		209	}
		210
167	# ifdef CUSTOM_FAILED_LOGIN	211	# ifdef CUSTOM_FAILED_LOGIN
168	/*	212	/*
169	* record_failed_login: generic "login failed" interface function	213	* record_failed_login: generic "login failed" interface function