From 3e8f62c35fce80343b5359b45924f7bc3fc22d4f Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Wed, 13 Jul 2022 15:12:27 +0200
Subject: Initial commit
---
LICENSE | 13 +++++++++++++
README.md | 37 +++++++++++++++++++++++++++++++++++++
install.sh | 12 ++++++++++++
ishome | 15 +++++++++++++++
main.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 126 insertions(+)
create mode 100644 LICENSE
create mode 100644 README.md
create mode 100755 install.sh
create mode 100755 ishome
create mode 100644 main.c
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1db77f4
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ Version 2, December 2004
+
+ Copyright (C) 2022 Marvin Borner
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. You just DO WHAT THE FUCK YOU WANT TO.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9eea2a4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,37 @@
+# TrustHome
+
+TrustHome disables the password requirement for sudo/login while you’re
+using your home wifi.
+
+### DISLAIMER: I’m not responsible for any security breaches you may encounter while having this installed. This is merely a utility for my personal convenience and should never be used if you’re serious about security. You should ALWAYS use other security measures, such as full disk encryption, in addition.
+
+## Installation
+
+0. Make sure that you use `iwd` and have `pam` and `sudo` configured
+ correctly
+ - if you don’t use `iwd`, modifying `ishome` to fit your network
+ daemon shouldn’t be too hard
+1. Modify `ishome` according to your network’s specifications
+2. Verify whether the paths in `install.sh` work for you and your OS
+3. Run `sudo ./install.sh` - you might need to install `libpam` if you
+ get errors
+4. Modify your pam configuration accordingly. For example, my
+ `/etc/pam.d/sudo` file looks like this:
+
+
+
+ auth sufficient pam_trusthome.so
+ auth sufficient pam_fprintd.so
+ auth include system-auth
+ account include system-auth
+ session include system-auth
+
+using this configuration sudo will fall back to my fingerprint sensor if
+I’m not on my home network which will then fall back to normal password
+authentication if something failed. You may also want to edit files like
+`/etc/pam.d/login` in a similar way.
+
+## Ideas
+
+You could try modifying `ishome` so that you get authenticated
+automatically based on your GPS location or public IP address.
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..5d40318
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,12 @@
+#!/bin/env sh
+
+set -e
+
+gcc -fPIC -c main.c
+ld -x --shared -o /lib/security/pam_trusthome.so main.o
+chmod 755 /lib/security/pam_trusthome.so
+rm main.o
+
+cp ishome /etc/security/
+chown root:root /etc/security/ishome
+chmod 005 /etc/security/ishome
diff --git a/ishome b/ishome
new file mode 100755
index 0000000..f547039
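Review bot: `chmod 005 /etc/security/ishome` leaves owner and group with no permission bits and only works because root bypasses DAC when reading and executing the helper; the intent is presumably a root-owned, non-writable script, for which `chmod 555 /etc/security/ishome` (or `755`) is the conventional mode. Both this file and `ishome` use `#!/bin/env sh`; `env` lives in `/usr/bin` on most systems and `/bin/env` exists only where `/bin` is merged into `/usr/bin`, so `#!/bin/sh` (or `#!/usr/bin/env sh`) is the portable form, and because the module starts `ishome` by absolute path a missing interpreter means the helper cannot run at all. Linking with `ld -x --shared` instead of `gcc -shared` only succeeds here because no libpam symbol is referenced; `gcc -shared -fPIC -o /lib/security/pam_trusthome.so main.c` would be the usual single step and keeps the compiler's default link flags.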
--- /dev/null
+++ b/ishome
@@ -0,0 +1,15 @@
+#!/bin/env sh
+
+WIFIBSS="xx:xx:xx:xx:xx:xx"
+WIFISSID="HomeNet"
+
+set -e
+
+bss=$(iwctl station wlan0 show | grep "ConnectedBss" | awk '{print $2}')
+wifi=$(iwctl station wlan0 show | grep "Connected network" | awk '{print $3}')
+
+if [ "$bss" = "$WIFIBSS" ] && [ "$wifi" = "$WIFISSID" ]; then
+ exit 0
+else
+ exit 1
+fi
diff --git a/main.c b/main.c
new file mode 100644
index 0000000..60eeec5
--- /dev/null
+++ b/main.c
@@ -0,0 +1,49 @@
+#include
+#include
+#include
+#include
+#include
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc,
+ const char **argv)
+{
+ if (fork() == 0) {
+ execl("/etc/security/ishome", NULL);
+ } else {
+ int stat;
+ wait(&stat);
+ if (WIFEXITED(stat) && WEXITSTATUS(stat) == 0)
+ return PAM_SUCCESS;
+ }
+ return PAM_ABORT;
+}
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
-- cgit v1.2.3
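Review bot: `iwctl`, `grep` and `awk` are resolved through whatever PATH this script inherits from the PAM host process, and a script that decides authentication for root should not depend on that; setting `PATH=/usr/bin:/bin` right after the shebang, or calling the three tools by absolute path, removes the dependency. Note also that `set -e` does not guard the two pipelines: when `grep` matches nothing the pipeline's status is `awk`'s, so `bss`/`wifi` simply become empty and the comparison fails closed — worth a comment above them such as `# no match leaves bss/wifi empty; the comparison below then fails closed`. The interface `wlan0` is hard-coded, and `awk '{print $3}'` keeps only the first word of the network name, so an SSID containing spaces can never match `WIFISSID`.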
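Review bot: If `execl()` fails in `pam_sm_authenticate` — for instance because `/etc/security/ishome` is absent or its `#!/bin/env sh` interpreter path does not exist — the child falls through to `return PAM_ABORT` and keeps running as a second copy of the calling process, so the exec must be followed by `_exit()`. The `fork()` result is also discarded: a failed fork returns -1, which takes the else branch, and `wait()` may then reap an unrelated child of the host process instead of the helper, so keep the pid and use `waitpid()`. `execl(path, NULL)` passes no argv[0], and the helper inherits the caller's environment, so its `iwctl`/`grep`/`awk` lookups follow whatever PATH the caller supplied — passing a fixed environment via `execle()` keeps that under the module's control. `PAM_AUTH_ERR` is the conventional result for "not authenticated" while `PAM_ABORT` signals an internal error; under `sufficient` both are ignored, so this is a semantic rather than behavioural change. The five `#include` lines appear on this page without header names, presumably a rendering artifact; the rewrite below assumes `<unistd.h>` and `<sys/wait.h>` are among them.
```c
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc,
                                   const char **argv)
{
	/* Run the site-specific helper in a child with a fixed, minimal
	 * environment; exit status 0 means "on the trusted network". */
	pid_t pid = fork();
	if (pid < 0)
		return PAM_AUTH_ERR; /* helper could not be started: not authenticated */
	if (pid == 0) {
		char *const env[] = { "PATH=/usr/bin:/bin", NULL };
		execle("/etc/security/ishome", "ishome", (char *)NULL, env);
		_exit(127); /* never return into the caller's code on exec failure */
	}
	int stat;
	if (waitpid(pid, &stat, 0) == pid && WIFEXITED(stat) && WEXITSTATUS(stat) == 0)
		return PAM_SUCCESS;
	return PAM_AUTH_ERR;
}
/* … unchanged: pam_sm_acct_mgmt, pam_sm_setcred, pam_sm_open_session,
   pam_sm_close_session, pam_sm_chauthtok … */
```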