pam: Add a `pam_malcontent.so` module to enforce time-limited sessions

This involves adding a build-time dependency on PAM.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
This commit is contained in:
Philip Withnall 2019-12-06 17:09:57 +00:00
parent e16759e0f7
commit bd7b17ffd4
7 changed files with 271 additions and 3 deletions

View File

@ -5,7 +5,7 @@ before_script:
libxml2-devel dbus-daemon
glib2-devel dbus-devel gobject-introspection-devel
gettext-devel polkit-devel polkit-gnome git
lcov
lcov pam-devel
- export LANG=C.UTF-8
stages:

View File

@ -19,12 +19,19 @@ po_dir = join_paths(meson.source_root(), 'po')
prefix = get_option('prefix')
bindir = join_paths(prefix, get_option('bindir'))
datadir = join_paths(prefix, get_option('datadir'))
libdir = join_paths(prefix, get_option('libdir'))
libexecdir = join_paths(prefix, get_option('libexecdir'))
# FIXME: This isnt exposed in accountsservice.pc
# See https://gitlab.freedesktop.org/accountsservice/accountsservice/merge_requests/16
accountsserviceinterfacesdir = join_paths(datadir, 'accountsservice', 'interfaces')
# FIXME: pam.pc doesnt exist
pamlibdir = get_option('pamlibdir')
if pamlibdir == ''
pamlibdir = join_paths(prefix, libdir.split('/')[-1], 'security')
endif
dbus = dependency('dbus-1')
dbusinterfacesdir = dbus.get_pkgconfig_variable('interfaces_dir',
define_variable: ['datadir', datadir])
@ -121,3 +128,4 @@ test_env = [
subdir('accounts-service')
subdir('malcontent-client')
subdir('libmalcontent')
subdir('pam')

View File

@ -4,3 +4,8 @@ option(
value: false,
description: 'enable installed tests'
)
option(
'pamlibdir',
type: 'string',
description: 'directory for PAM modules'
)

22
pam/meson.build Normal file
View File

@ -0,0 +1,22 @@
libpam = cc.find_library('pam', required: true)
libpam_misc = cc.find_library('pam_misc', required: true)
pam_malcontent = shared_library('pam_malcontent',
files('pam_malcontent.c'),
name_prefix: '',
link_args: [
'-shared',
'-Wl,--version-script=' + join_paths(meson.current_source_dir(), 'pam_malcontent.sym'),
],
dependencies: [
dependency('gio-2.0', version: '>= 2.44'),
dependency('glib-2.0', version: '>= 2.54.2'),
dependency('gobject-2.0', version: '>= 2.54'),
libmalcontent_dep,
libpam,
libpam_misc,
],
link_depends: files('pam_malcontent.sym'),
include_directories: root_inc,
install: true,
install_dir: pamlibdir)

206
pam/pam_malcontent.c Normal file
View File

@ -0,0 +1,206 @@
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
*
* Copyright © 2019 Endless Mobile, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Authors:
* - Philip Withnall <withnall@endlessm.com>
*/
#include "config.h"
#define PAM_SM_ACCOUNT
#include <glib.h>
#include <glib/gi18n-lib.h>
#include <libmalcontent/malcontent.h>
#include <pwd.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <syslog.h>
/* Example usage:
*
* Heres an example of a PAM file which uses `pam_malcontent.so`. Note
* that `pam_malcontent.so` must be listed before `pam_systemd.so`, and it must
* have type `account`.
*
* ```
* auth sufficient pam_unix.so nullok try_first_pass
* auth required pam_deny.so
*
* account required pam_nologin.so
* account sufficient pam_unix.so
* account required pam_permit.so
* -account required pam_malcontent.so
*
* password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok
* password required pam_deny.so
*
* -session optional pam_keyinit.so revoke
* -session optional pam_loginuid.so
* -session optional pam_systemd.so
* session sufficient pam_unix.so
* ```
*/
/* @pw_out is (transfer none) (out) (not optional) */
static int
get_user_data (pam_handle_t *handle,
const char **username_out,
const struct passwd **pw_out)
{
const char *username = NULL;
struct passwd *pw = NULL;
int r;
g_return_val_if_fail (handle != NULL, PAM_AUTH_ERR);
g_return_val_if_fail (username_out != NULL, PAM_AUTH_ERR);
g_return_val_if_fail (pw_out != NULL, PAM_AUTH_ERR);
r = pam_get_user (handle, &username, NULL);
if (r != PAM_SUCCESS)
{
pam_syslog (handle, LOG_ERR, "Failed to get user name.");
return r;
}
if (username == NULL || *username == '\0')
{
pam_syslog (handle, LOG_ERR, "User name not valid.");
return PAM_AUTH_ERR;
}
pw = pam_modutil_getpwnam (handle, username);
if (pw == NULL)
{
pam_syslog (handle, LOG_ERR, "Failed to get user data.");
return PAM_USER_UNKNOWN;
}
*pw_out = pw;
*username_out = username;
return PAM_SUCCESS;
}
static void
runtime_max_sec_free (pam_handle_t *handle,
void *data,
int error_status)
{
g_return_if_fail (data != NULL);
g_free (data);
}
PAM_EXTERN int
pam_sm_acct_mgmt (pam_handle_t *handle,
int flags,
int argc,
const char **argv)
{
int retval;
const char *username = NULL;
const struct passwd *pw = NULL;
g_autoptr(GDBusConnection) connection = NULL;
g_autoptr(MctManager) manager = NULL;
g_autoptr(MctSessionLimits) limits = NULL;
g_autoptr(GError) local_error = NULL;
g_autofree gchar *runtime_max_sec_str = NULL;
guint64 now = g_get_real_time ();
guint64 time_remaining_secs = 0;
gboolean time_limit_enabled = FALSE;
/* Look up the user data from the handle. */
retval = get_user_data (handle, &username, &pw);
if (retval != PAM_SUCCESS)
{
/* The error has already been logged. */
return retval;
}
if (pw->pw_uid == 0)
{
/* Always allow root, to avoid a situation where this PAM module prevents
* all users logging in with no way of recovery. */
pam_info (handle, _("User %s has no time limits enabled"), "root");
return PAM_SUCCESS;
}
/* Connect to the system bus. */
connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &local_error);
if (connection == NULL)
{
pam_error (handle,
_("Error getting session limits for user %s: %s"),
username, local_error->message);
return PAM_SERVICE_ERR;
}
/* Get the time limits on this users session usage. */
manager = mct_manager_new (connection);
limits = mct_manager_get_session_limits (manager, pw->pw_uid,
MCT_MANAGER_GET_VALUE_FLAGS_NONE,
NULL, &local_error);
if (limits == NULL)
{
if (g_error_matches (local_error, MCT_MANAGER_ERROR,
MCT_MANAGER_ERROR_DISABLED))
{
return PAM_SUCCESS;
}
else
{
pam_error (handle,
_("Error getting session limits for user %s: %s"),
username, local_error->message);
return PAM_SERVICE_ERR;
}
}
/* Check if theres time left. */
if (!mct_session_limits_check_time_remaining (limits, now, &time_remaining_secs,
&time_limit_enabled))
{
pam_error (handle, _("User %s has no time remaining"), username);
return PAM_AUTH_ERR;
}
if (!time_limit_enabled)
{
pam_info (handle, _("User %s has no time limits enabled"), username);
return PAM_SUCCESS;
}
/* Propagate the remaining time to the `pam_systemd.so` module, which will
* end the users session when it runs out. */
runtime_max_sec_str = g_strdup_printf ("%" G_GUINT64_FORMAT, time_remaining_secs);
retval = pam_set_data (handle, "systemd.runtime_max_sec",
g_steal_pointer (&runtime_max_sec_str), runtime_max_sec_free);
if (retval != PAM_SUCCESS)
{
pam_error (handle, _("Error setting time limit on login session: %s"),
pam_strerror (handle, retval));
return retval;
}
return PAM_SUCCESS;
}

26
pam/pam_malcontent.sym Normal file
View File

@ -0,0 +1,26 @@
/*
* Copyright © 2019 Endless Mobile, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Authors:
* - Philip Withnall <withnall@endlessm.com>
*/
{
global:
pam_sm_acct_mgmt;
local: *;
};

View File

@ -2,3 +2,4 @@
# Please keep this file sorted alphabetically.
accounts-service/com.endlessm.ParentalControls.policy
libmalcontent/manager.c
pam/pam_malcontent.c