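/*
 * Linux PAM module
 *
 * DESCRIPTION
 *
 * grant login access only to users listed in named group
 *
 * USAGE
 *
 * intended to use as
 *
 *   account requisite pam_group.so groupname
 *
 * in /etc/pam.d/system-auth (Fedora Core 2)
 *
 * INSTALL
 *
 * gcc -fPIC -shared -o pam_allowgroup.so pam_allowgroup.c
 * cp pam_allowgroup.so /lib/security
 *
 * TODO
 *
 * port to IRIX/Solaris
 *
 * VERSION
 *
 * Fri Jun 25 12:40:05 CEST 2004
 */

/*
 * NOTE(review): the original include list survived only as bare "#include"
 * lines with the header names stripped; the headers below are reconstructed
 * from the identifiers this file actually uses.
 */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <syslog.h>

#include <security/pam_modules.h>

/*#define PG_DEBUG 1*/

#ifndef PAM_EXTERN
#define PAM_EXTERN
#endif

/*
 * Authentication is not implemented by this module; it is an "account"
 * module.  The return value is kept as the original PAM_SUCCESS for
 * compatibility with existing configurations.
 *
 * NOTE(review): an unconditional PAM_SUCCESS here means a configuration that
 * (wrongly) lists this module in the "auth" stack as "sufficient" would
 * authenticate anyone.  Returning PAM_IGNORE would be the safer choice if no
 * deployment depends on the current value.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* Credential handling is not implemented; succeed so "required" stacks pass. */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/*
 * This gets executed when
 * "account requisite pam_group.so groupname" is used in system-auth (FC2).
 *
 * Grants access when the user identified by pam_get_user() is either listed
 * in the member list of the group named by argv[0], or has that group as the
 * primary group of its passwd entry.  Every other outcome denies access,
 * including a missing or unknown group argument (fail closed).
 *
 * Parameters:
 *   pamh   PAM handle, used only to query the user name
 *   flags  unused
 *   argc   number of module arguments; exactly one (the group name) is used
 *   argv   module arguments; argv[0] is the group name
 *
 * Returns:
 *   PAM_SUCCESS       user is a listed member, or the group is its primary group
 *   PAM_SERVICE_ERR   module misconfigured (no group name argument)
 *   PAM_USER_UNKNOWN  pam_get_user() gave no user, or no passwd entry exists
 *   PAM_AUTH_ERR      group unknown, or user not in it
 *   other             error propagated from pam_get_user()
 *
 * NOTE(review): getpwnam()/getgrnam() return library-owned static records and
 * are not reentrant; this matches the original and is fine for a typical
 * single-threaded PAM conversation, but switch to the *_r variants if the
 * module is ever loaded by a threaded service.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    const struct passwd *pwd;
    const struct group *g;
    const char *user = NULL;
    gid_t user_gid = 0;
    int pam_err;

    (void)flags;

    openlog("pam_group", LOG_PID | LOG_NDELAY | LOG_NOWAIT, LOG_AUTH);

    /*
     * A missing group name is a misconfiguration and must fail closed: the
     * original returned PAM_SUCCESS here, which granted access to everyone
     * whenever the argument was forgotten.  Check argc before reading
     * argv[0], since argv may be NULL or empty when argc == 0.
     */
    if (argc < 1 || argv == NULL || argv[0] == NULL || argv[0][0] == '\0') {
        syslog(LOG_ERR, "use: pam_group.so groupname");
        pam_err = PAM_SERVICE_ERR;
        goto out;
    }

    /* identify user */
    pam_err = pam_get_user(pamh, &user, NULL);
    if (pam_err != PAM_SUCCESS) {
        goto out;
    }
    if (user == NULL || *user == '\0' || (pwd = getpwnam(user)) == NULL) {
        pam_err = PAM_USER_UNKNOWN;
        goto out;
    }
    /* Copy the gid now so the group lookup below cannot clobber it. */
    user_gid = pwd->pw_gid;

    pam_err = PAM_AUTH_ERR;

    g = getgrnam(argv[0]);
    if (g == NULL) {
        /* An unknown group is a configuration error: log it unconditionally,
         * not only under PG_DEBUG as before. */
        syslog(LOG_ERR, "%s (%s)", "getgrnam", argv[0]);
        goto out;
    }

    /*
     * Supplementary membership.  Walk gr_mem with a local cursor; the original
     * advanced g->gr_mem itself, mutating the library's static group record.
     */
    if (g->gr_mem != NULL) {
        for (char *const *m = g->gr_mem; *m != NULL; m++) {
#ifdef PG_DEBUG
            syslog(LOG_DEBUG, "gr_mem: %s - %s", argv[0], *m);
#endif
            if (strcmp(user, *m) == 0) {
                pam_err = PAM_SUCCESS;
                break;
            }
        }
    }

    /*
     * Primary group: compare against the gid from the user's passwd entry.
     * The original compared getgid(), i.e. the real gid of the calling
     * process (the login service), which says nothing about the user being
     * checked and would admit everyone whenever that gid matched the group.
     */
    if (pam_err != PAM_SUCCESS && user_gid == g->gr_gid) {
        pam_err = PAM_SUCCESS;
    }

    if (pam_err != PAM_SUCCESS) {
        /* A denied login is noteworthy but not critical. */
        syslog(LOG_NOTICE, "%s trying to access", user);
    }

out:
    closelog();
    return pam_err;
}

/* Session handling is not implemented; succeed so "required" stacks pass. */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* Session handling is not implemented; succeed so "required" stacks pass. */
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* Password changes are not supported by this module. */
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SERVICE_ERR;
}

#ifdef PAM_MODULE_ENTRY
PAM_MODULE_ENTRY("pam_group");
#endif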