pam_wrongpass/pam_wrongpass.go at main · woopstar/pam_wrongpass · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
// pam_wrongpass.go
package main

/*
#cgo CFLAGS: -fPIC
#cgo LDFLAGS: -lpam
#include <security/pam_appl.h>
#include <security/pam_modules.h>

// C-funktioner implementeret i pam_wrapper.c (kun declarations her)
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv);
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv);

// Helper fra pam_wrapper.c (kun declaration)
const char* get_pam_user(pam_handle_t *pamh);
*/
import "C"

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"unsafe"
)

const (
	defaultMaxTries = 10
	stateDir        = "/var/lib/pam_wrongpass"
)

func countFilePathForUser(user string) string {
	return filepath.Join(stateDir, fmt.Sprintf("%s.count", user))
}

func readInt(path string) int {
	b, err := os.ReadFile(path)
	if err != nil {
		return 0
	}
	s := strings.TrimSpace(string(b))
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0
	}
	return n
}

func writeInt(path string, v int) {
	_ = os.MkdirAll(filepath.Dir(path), 0700)
	_ = os.WriteFile(path, []byte(fmt.Sprintf("%d\n", v)), 0600)
}

func poweroffAsync() {
	_ = os.MkdirAll(stateDir, 0700)
	_ = exec.Command("/usr/bin/systemctl", "poweroff").Start()
}

func parseMaxTries(argc C.int, argv **C.char) int {
	maxTries := defaultMaxTries
	if argc <= 0 || argv == nil {
		return maxTries
	}
	args := (*[1 << 16]*C.char)(unsafe.Pointer(argv))[:argc:argc]
	for _, a := range args {
		if a == nil {
			continue
		}
		s := C.GoString(a)
		if strings.HasPrefix(s, "max_tries=") {
			if v, err := strconv.Atoi(strings.TrimPrefix(s, "max_tries=")); err == nil && v > 0 {
				maxTries = v
			}
		}
	}
	return maxTries
}

//export pam_sm_authenticate_go
func pam_sm_authenticate_go(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
	userC := C.get_pam_user(pamh)
	if userC == nil {
		return C.PAM_SUCCESS
	}
	user := C.GoString(userC)

	maxTries := parseMaxTries(argc, argv)
	path := countFilePathForUser(user)
	cnt := readInt(path) + 1
	writeInt(path, cnt)

	if cnt >= maxTries {
		writeInt(path, 0)
		poweroffAsync()
	}
	return C.PAM_SUCCESS
}

//export pam_sm_acct_mgmt_go
func pam_sm_acct_mgmt_go(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
	userC := C.get_pam_user(pamh)
	if userC == nil {
		return C.PAM_SUCCESS
	}
	user := C.GoString(userC)

	path := countFilePathForUser(user)
	writeInt(path, 0)
	return C.PAM_SUCCESS
}

// required for -buildmode=c-shared
func main() {}