authorThorsten Kukuk <kukuk@thkukuk.de>2010-08-04 13:00:59 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2010-08-04 13:00:59 +0000
commit0e73991710adce250f8cc56040528ae25e68bad0 (patch)
tree61b59602b9e275313747ffee90039c88508e4934
parentc9dd97e696e70900869af7f50f647c2517aab405 (diff)
Relevant BUGIDs: #3035919, #3002340, #3037155
Purpose of commit: bugfix Commit summary: --------------- 2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_access/pam_access.c (user_match): Make sure that user@host will not match @@netgroup. Bug #3035919. * modules/pam_group/pam_group.c (check_account): Add '%' for UNIX groups. * modules/pam_group/group.conf: Add example for '%'. * modules/pam_group/group.conf.5.xml: Document '%' syntax. Bug #3002340, #3037155.
-rw-r--r--ChangeLog11
-rw-r--r--modules/pam_access/pam_access.c3
-rw-r--r--modules/pam_group/group.conf9
-rw-r--r--modules/pam_group/group.conf.5.xml16
-rw-r--r--modules/pam_group/pam_group.c3
5 files changed, 37 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 419e63e1..74259ab8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/pam_access.c (user_match): Make sure
+ that user@host will not match @@netgroup. Bug #3035919.
+
+ * modules/pam_group/pam_group.c (check_account): Add '%' for
+ UNIX groups.
+ * modules/pam_group/group.conf: Add example for '%'.
+ * modules/pam_group/group.conf.5.xml: Document '%' syntax.
+ Bug #3002340, #3037155.
+
2010-08-02 Steve Langasek <vorlon@debian.org>
* modules/pam_mkhomedir/Makefile.am: don't pass --version-script
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index e9f0caa3..daee47da 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -521,7 +521,8 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
* name of the user's primary group.
*/
- if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
+ if (tok[0] != '@' && (at = strchr(tok + 1, '@')) != 0) {
+ /* split user@host pattern */
if (item->hostname == NULL)
return NO;
fake_item.from = item->hostname;
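Review bot: With the new `tok[0] != '@'` guard in front of it, the `strchr(tok + 1, '@')` offset no longer buys anything: position 0 is already known not to be '@', so `strchr(tok, '@')` finds the same separator, and it also avoids starting the scan one byte past the terminator should an empty token ever reach user_match (whether that can happen is not visible in this hunk). I would write the condition as `if (tok[0] != '@' && (at = strchr(tok, '@')) != NULL) {` and keep the relocated comment. It may also be worth stating the intent next to the guard, e.g. `/* tokens starting with '@' are netgroups, never user@host (bug #3035919) */`, so the next reader does not "simplify" it away. The body of user_match starts and ends outside this hunk.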
diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf
index b766becb..7c07a260 100644
--- a/modules/pam_group/group.conf
+++ b/modules/pam_group/group.conf
@@ -1,5 +1,5 @@
#
-# This is the configuration file for the pam_group module.
+# This is the configuration file for the pam_group module.
#
#
@@ -95,5 +95,12 @@
#xsh; tty* ;*;Al0900-1800;floppy
#
+# yet another example: any member of the group 'admin' running
+# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
+#
+
+#xsh; tty* ;%admin;Al0000-2400;plugdev
+
+#
# End of group.conf file
#
diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml
index 9c008eb0..3a7e3f5d 100644
--- a/modules/pam_group/group.conf.5.xml
+++ b/modules/pam_group/group.conf.5.xml
@@ -52,13 +52,15 @@
<para>
The third field, the <replaceable>users</replaceable>
- field, is a logic list of users or a netgroup of users to whom this
- rule applies.
+ field, is a logic list of users, or a UNIX group, or a netgroup of
+ users to whom this rule applies. Group names are preceded by a '%'
+ symbol, while netgroup names are preceded by a '@' symbol.
</para>
<para>
For these items the simple wildcard '*' may be used only once.
- With netgroups no wildcards or logic operators are allowed.
+ With UNIX groups or netgroups no wildcards or logic operators
+ are allowed.
</para>
<para>
@@ -111,6 +113,14 @@
xsh; tty* ;sword;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy
</programlisting>
+ <para>
+ Any member of the group 'admin' running 'xsh' on tty*,
+ is granted access (at any time) to the group 'plugdev'
+ </para>
+ <programlisting>
+xsh; tty* ;%admin;Al0000-2400;plugdev
+ </programlisting>
+
</refsect1>
<refsect1 id="group.conf-see_also">
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 3dc7f78e..310b2622 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -660,6 +660,9 @@ static int check_account(pam_handle_t *pamh, const char *service,
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
good &= innetgr (&buffer[1], NULL, user, NULL);
+ /* otherwise, if the buffer starts with %, it's a UNIX group */
+ else if (buffer[0] == '%')
+ good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
else
good &= logic_field(pamh,user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));
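Review bot: The new `%` branch hands `&buffer[1]` to the group lookup verbatim, which is the behaviour the group.conf(5) change in this commit documents ("no wildcards or logic operators"), but nothing at the code site says so, and the `else` branch right below it does interpret logic lists, so a reader may expect the same here. I would extend the new comment to `/* otherwise, if the buffer starts with %, it's a UNIX group; the name is used literally (no wildcards or logic operators, see group.conf(5)) */`. Presumably the helper reports "not a member" for both a missing group and a failed NSS lookup, which is the fail-closed result one wants for an access decision; if that is the contract, a short note to that effect would help, since the netgroup branch above has the same property. The enclosing check_account continues outside this hunk.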