author: Thorsten Kukuk <email@example.com> 2005-12-16 17:52:36 +0000
committer: Thorsten Kukuk <firstname.lastname@example.org> 2005-12-16 17:52:36 +0000
Relevant BUGIDs: none
Purpose of commit: new feature

Commit summary:
---------------
2005-12-16 Thorsten Kukuk <email@example.com>

* modules/pam_group/pam_group.c (check_account): Implement support for netgroups.
* modules/pam_group/group.conf: Add all documentation to this example config file and don't reference to outdated configs.
* modules/pam_group/README: New.
* modules/pam_group/Makefile.am: Add README to EXTRADIST.
6 files changed, 98 insertions, 24 deletions
@@ -1,7 +1,7 @@
Original authors and current maintainers of Linux-PAM:
-Andrew G. Morgan <firstname.lastname@example.org>
+Andrew G. Morgan <email@example.com>
Dmitry V. Levin <firstname.lastname@example.org>
-Thorsten Kukuk <email@example.com>
+Thorsten Kukuk <firstname.lastname@example.org>
Sebastien Tricaud <email@example.com>
Tomas Mraz <firstname.lastname@example.org>
@@ -1,3 +1,15 @@
+2005-12-16 Thorsten Kukuk <email@example.com>
+ * modules/pam_group/pam_group.c (check_account): Implement
+ support for netgroups.
+ * modules/pam_group/group.conf: Add all documentation to this
+ example config file and don't reference to outdated configs.
+ * modules/pam_group/README: New.
+ * modules/pam_group/Makefile.am: Add README to EXTRADIST.
2005-12-15 Thorsten Kukuk <firstname.lastname@example.org>
* modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't report an
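Review bot: the ChangeLog line "Add README to EXTRADIST" names a variable that does not exist in the Makefile.am hunk below, which edits `EXTRA_DIST`; spell it `EXTRA_DIST` here so a reader grepping the ChangeLog finds the right automake variable.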
diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am
index 72faba4b..abcac34a 100644
@@ -4,7 +4,7 @@
CLEANFILES = *~
-EXTRA_DIST = group.conf
+EXTRA_DIST = README group.conf
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
diff --git a/modules/pam_group/README b/modules/pam_group/README
new file mode 100644
@@ -0,0 +1,23 @@
+This is a help file for the pam_group module. It explains the need for
+pam_group and also the syntax of the /etc/security/group.conf file.
+It is desirable to give extra privileges to a user running a specific
+PAM aware application at various times of the day and on specific days
+or over various terminal lines by adding this user to extra groups.
+The pam_group module is intended to offer a configurable module that
+satisfies this purpose, within the context of Linux-PAM.
+2. the /etc/security/group.conf file
+Its syntax is described in the sample group.conf file.
+unrecognised rules are ignored (but an error is logged to syslog(3))
+Bugs to the list <email@example.com>
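Review bot: the new README says "Its syntax is described in the sample group.conf file" but says nothing about the netgroup support this same commit adds to check_account, which is the one behavioural change a reader of the README needs to know about. Add a sentence stating that the users field may name a netgroup (the pam_group.c hunk keys on a leading '@') and that netgroup lookups are resolved through the system's netgroup backend (NIS or /etc/netgroup), so the module now depends on that service being reachable and trustworthy when evaluating account rules.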
diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf
index e721b990..d4a10672 100644
@@ -1,10 +1,7 @@
-## Note, to get this to work as it is currently typed you need
-## 1. to run an application as root
-## 2. add the following groups to the /etc/group file:
-## floppy, games, sound
+# This is the configuration file for the pam_group module.
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
@@ -16,11 +13,9 @@
# *** "chgrp games toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
-# this is an example configuration file for the pam_group module. Its
-# syntax is based on that of the pam_time module and (at some point in
-# the distant past was inspired by the 'shadow' package)
-# the syntax of the lines is as follows:
+# The syntax of the lines is as follows:
@@ -28,15 +23,59 @@
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
-# the first four fields are described in the pam_time directory.
-# The only difference for these is how the time field is interpretted:
-# it is used to indicate "when" these groups are to be given to the user.
+# the combination of individual users/terminals etc is a logic list
+# namely individual tokens that are optionally prefixed with '!' (logical
+# not) and separated with '&' (logical and) and '|' (logical or).
+# is a logic list of PAM service names that the rule applies to.
+# is a logic list of terminal names that this rule applies to.
+# is a logic list of users or a netgroup of users to whom this
+# rule applies.
+# NB. For these items the simple wildcard '*' may be used only once.
+# With netgroups no wildcards or logic operators are allowed.
+# It is used to indicate "when" these groups are to be given to the
+# user. The format here is a logic list of day/time-range
+# entries the days are specified by a sequence of two character
+# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
+# that repeated days are unset MoMo = no day, and MoWk = all weekdays
+# bar Monday. The two character combinations accepted are
+# Mo Tu We Th Fr Sa Su Wk Wd Al
+# the last two being week-end days and all 7 days of the week
+# respectively. As a final example, AlFr means all days except Friday.
+# Each day/time-range can be prefixed with a '!' to indicate "anything
+# The time-range part is two 24-hour times HHMM separated by a hyphen
+# indicating the start and finish time (if the finish time is smaller
+# than the start time it is deemed to apply on the following day).
-# The (comma or space separated) list of groups that the user
+# The (comma or space separated) list of groups that the user
# inherits membership of. These groups are added if the previous
# fields are satisfied by the user's request
+# For a rule to be active, ALL of service+ttys+users must be satisfied
+# by the applying process.
+# Note, to get this to work as it is currently typed you need
+# 1. to run an application as root
+# 2. add the following groups to the /etc/group file:
+# floppy, games, sound
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
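Review bot: the users-field documentation ("is a logic list of users or a netgroup of users" and "With netgroups no wildcards or logic operators are allowed") never says how a netgroup is spelled; the code hunk in pam_group.c tests for a leading '@', so the comment should give the form explicitly, e.g. "@netgroup_name", and note that the whole field is then treated as a netgroup name with no '!', '&' or '|' processing. Two smaller points in the same hunk: the line "Each day/time-range can be prefixed with a '!' to indicate "anything" ends mid-sentence with an open quote, and the relocated note "Note, to get this to work as it is currently typed you need 1. to run an application as root" now sits in the general syntax section although it describes only the example at the bottom of the file; move it next to that example.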
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index c81ad665..bc40912b 100644
@@ -6,11 +6,6 @@
* Written by Andrew Morgan <firstname.lastname@example.org> 1996/7/6
-static const char rcsid =
-"Version 0.5 for Linux-PAM\n"
-"Copyright (c) Andrew G. Morgan 1996 <email@example.com>\n";
@@ -27,6 +22,7 @@ static const char rcsid =
#define PAM_GROUP_BUFLEN 1000
#define FIELD_SEPARATOR ';' /* this is new as of .02 */
@@ -686,7 +682,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
"%s: no user entry #%d", PAM_GROUP_CONF, count);
- good &= logic_field(pamh,user, buffer, count, is_same);
+ /* If buffer starts with @, we are using netgroups */
+ if (buffer == '@')
+ good &= innetgr (&buffer, NULL, user, NULL);
+ good &= logic_field(pamh,user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));
/* here we get the time field */
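Review bot: as shown, `if (buffer == '@')` compares the address of `buffer` with a character and `innetgr (&buffer, NULL, user, NULL)` passes the address of the array instead of the name following the '@'; the intended test is presumably `buffer[0] == '@'` with `&buffer[1]` as the netgroup argument (these may have been lost in rendering, but as the hunk reads they do not implement the comment above them). Separately, there is no `else` before `good &= logic_field(...)`, so after a netgroup match `logic_field` is still run on the literal "@name" token and ANDed into `good`, which defeats the netgroup path; make the two branches mutually exclusive:
  if (buffer[0] == '@')
    good &= innetgr (&buffer[1], NULL, user, NULL);
  else
    good &= logic_field(pamh, user, buffer, count, is_same);
`innetgr` needs `<netdb.h>`, which is not visible in the include hunk above, and since it can consult NIS, an unreachable or attacker-controlled netgroup source now directly influences whether a rule grants extra groups; a hostile answer cannot grant more than the rule already lists, but a timeout will stall the account check, which is worth a note in the documentation.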