diff options
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:48:14 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:48:14 -0800 |
| commit | d5b06b67bbeeed7c05c0eb2e05d6a972ad050d1c (patch) | |
| tree | ba5654cffacfd2002eefc5bc3764a7971afff1dc /Linux-PAM/modules/pam_group | |
| parent | 4c51da22e068907adb7857d50f5109a467c94d7c (diff) | |
| parent | 7cbfa335c57d068d59508c844f3957165cccfb9b (diff) | |
New upstream version 0.99.7.1
Diffstat (limited to 'Linux-PAM/modules/pam_group')
| -rw-r--r-- | Linux-PAM/modules/pam_group/Makefile | 21 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/Makefile.am | 34 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/Makefile.in | 736 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/README | 45 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/README.xml | 34 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/group.conf | 69 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/group.conf.5 | 83 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/group.conf.5.xml | 131 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/pam_group.8 | 80 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/pam_group.8.xml | 162 | ||||
| -rw-r--r-- | Linux-PAM/modules/pam_group/pam_group.c | 258 | ||||
| -rwxr-xr-x | Linux-PAM/modules/pam_group/tst-pam_group | 2 |
12 files changed, 1475 insertions, 180 deletions
diff --git a/Linux-PAM/modules/pam_group/Makefile b/Linux-PAM/modules/pam_group/Makefile deleted file mode 100644 index 06c88998..00000000 --- a/Linux-PAM/modules/pam_group/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# $Id: Makefile,v 1.3 2003/11/27 07:49:46 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_group -LOCAL_CONFILE=./group.conf -INSTALLED_CONFILE=$(SCONFIGD)/group.conf - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_group/Makefile.am b/Linux-PAM/modules/pam_group/Makefile.am new file mode 100644 index 00000000..544fa12f --- /dev/null +++ b/Linux-PAM/modules/pam_group/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group + +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_group.la + +secureconf_DATA = group.conf + +TESTS = tst-pam_group + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_group.8.xml group.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_group/Makefile.in b/Linux-PAM/modules/pam_group/Makefile.in new file mode 100644 index 00000000..7deca09c --- /dev/null +++ b/Linux-PAM/modules/pam_group/Makefile.in @@ -0,0 +1,736 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_group +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_group_la_LIBADD = +pam_group_la_SOURCES = pam_group.c +pam_group_la_OBJECTS = pam_group.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_group.c +DIST_SOURCES = pam_group.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_group.la +secureconf_DATA = group.conf +TESTS = tst-pam_group +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_group/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_group/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_group.la: $(pam_group_la_OBJECTS) $(pam_group_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_group_la_OBJECTS) $(pam_group_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_group.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_group.8.xml group.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_group/README b/Linux-PAM/modules/pam_group/README new file mode 100644 index 00000000..2e1e37a5 --- /dev/null +++ b/Linux-PAM/modules/pam_group/README @@ -0,0 +1,45 @@ +pam_group — PAM module for group access + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module fuctions in parallel with the /etc/group file. If the user +is granted any groups based on the behavior of this module, they are granted in +addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to +games (through membership of the floppy group) after work hours. + +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + diff --git a/Linux-PAM/modules/pam_group/README.xml b/Linux-PAM/modules/pam_group/README.xml new file mode 100644 index 00000000..387d6987 --- /dev/null +++ b/Linux-PAM/modules/pam_group/README.xml @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> +--> +<!-- +<!ENTITY groupconf SYSTEM "group.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_group/group.conf b/Linux-PAM/modules/pam_group/group.conf index e721b990..d4a10672 100644 --- a/Linux-PAM/modules/pam_group/group.conf +++ b/Linux-PAM/modules/pam_group/group.conf @@ -1,10 +1,7 @@ -## -## Note, to get this to work as it is currently typed you need -## -## 1. to run an application as root -## 2. add the following groups to the /etc/group file: -## floppy, games, sound -## +# +# This is the configuration file for the pam_group module. +# + # # *** Please note that giving group membership on a session basis is # *** NOT inherently secure. If a user can create an executable that @@ -16,11 +13,9 @@ # *** "chgrp games toplay; chmod g+s toplay". They are basically able # *** to play games any time... You have been warned. AGM # -# this is an example configuration file for the pam_group module. Its -# syntax is based on that of the pam_time module and (at some point in -# the distant past was inspired by the 'shadow' package) + # -# the syntax of the lines is as follows: +# The syntax of the lines is as follows: # # services;ttys;users;times;groups # @@ -28,15 +23,59 @@ # newlines). From reading these comments, it is clear that # text following a '#' is ignored to the end of the line. # -# the first four fields are described in the pam_time directory. -# The only difference for these is how the time field is interpretted: -# it is used to indicate "when" these groups are to be given to the user. +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). # # groups -# The (comma or space separated) list of groups that the user +# The (comma or space separated) list of groups that the user # inherits membership of. These groups are added if the previous # fields are satisfied by the user's request # +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, games, sound +# # # Here is a simple example: running 'xsh' on tty* (any ttyXXX device), diff --git a/Linux-PAM/modules/pam_group/group.conf.5 b/Linux-PAM/modules/pam_group/group.conf.5 new file mode 100644 index 00000000..0e36ebf4 --- /dev/null +++ b/Linux-PAM/modules/pam_group/group.conf.5 @@ -0,0 +1,83 @@ +.\" Title: group.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "GROUP.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +group.conf \- configuration file for the pam_group module +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. +.PP +For this module to function correctly there must be a correctly formatted +\fI/etc/security/group.conf\fR +file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line. +.PP +The syntax of the lines is as follows: +.PP + +\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR;\fIgroups\fR +.PP +The first field, the +\fIservices\fR +field, is a logic list of PAM service names that the rule applies to. +.PP +The second field, the +\fItty\fR +field, is a logic list of terminal names that this rule applies to. +.PP +The third field, the +\fIusers\fR +field, is a logic list of users or a netgroup of users to whom this rule applies. +.PP +For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. +.PP +The +\fItimes\fR +field is used to indicate "when" these groups are to be given to the user. The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday. +.PP +Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day). +.PP +The +\fIgroups\fR +field is a comma or space separated list of groups that the user inherits membership of. These groups are added if the previous fields are satisfied by the user's request. +.PP +For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/group.conf\fR. +.PP +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the floppy (through membership of the floppy group) +.sp +.RS 3n +.nf +xsh;tty*&!ttyp*;us;Al0000\-2400;floppy +.fi +.RE +.PP +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to games (through membership of the floppy group) after work hours. +.sp +.RS 3n +.nf +xsh; tty* ;sword;!Wk0900\-1800;games, sound +xsh; tty* ;*;Al0900\-1800;floppy + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam_group\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_group was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_group/group.conf.5.xml b/Linux-PAM/modules/pam_group/group.conf.5.xml new file mode 100644 index 00000000..9c008eb0 --- /dev/null +++ b/Linux-PAM/modules/pam_group/group.conf.5.xml @@ -0,0 +1,131 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="group.conf"> + + <refmeta> + <refentrytitle>group.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>group.conf</refname> + <refpurpose>configuration file for the pam_group module</refpurpose> + </refnamediv> + + <refsect1 id='group.conf-description'> + <title>DESCRIPTION</title> + + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + For this module to function correctly there must be a correctly + formatted <filename>/etc/security/group.conf</filename> file present. + White spaces are ignored and lines maybe extended with '\' (escaped + newlines). Text following a '#' is ignored to the end of the line. + </para> + + <para> + The syntax of the lines is as follows: + </para> + + <para> + <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>;<replaceable>groups</replaceable> + </para> + + + <para> + The first field, the <replaceable>services</replaceable> field, is a logic list + of PAM service names that the rule applies to. + </para> + + <para> + The second field, the <replaceable>tty</replaceable> + field, is a logic list of terminal names that this rule applies to. + </para> + + <para> + The third field, the <replaceable>users</replaceable> + field, is a logic list of users or a netgroup of users to whom this + rule applies. + </para> + + <para> + For these items the simple wildcard '*' may be used only once. + With netgroups no wildcards or logic operators are allowed. + </para> + + <para> + The <replaceable>times</replaceable> field is used to indicate "when" + these groups are to be given to the user. The format here is a logic + list of day/time-range entries. The days are specified by a sequence of + two character entries, MoTuSa for example is Monday Tuesday and Saturday. + Note that repeated days are unset MoMo = no day, and MoWk = all weekdays + bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa + Su Wk Wd Al, the last two being week-end days and all 7 days of the week + respectively. As a final example, AlFr means all days except Friday. + </para> + <para> + Each day/time-range can be prefixed with a '!' to indicate "anything but". + The time-range part is two 24-hour times HHMM, separated by a hyphen, + indicating the start and finish time (if the finish time is smaller + than the start time it is deemed to apply on the following day). + </para> + + <para> + The <replaceable>groups</replaceable> field is a comma or space + separated list of groups that the user inherits membership of. These + groups are added if the previous fields are satisfied by the user's request. + </para> + + <para> + For a rule to be active, ALL of service+ttys+users must be satisfied + by the applying process. + </para> + </refsect1> + + <refsect1 id="group.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/group.conf</filename>. + </para> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access + to the floppy (through membership of the floppy group) + </para> + <programlisting>xsh;tty*&!ttyp*;us;Al0000-2400;floppy</programlisting> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access + to games (through membership of the floppy group) after work hours. + </para> + <programlisting> +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + </programlisting> + </refsect1> + + <refsect1 id="group.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="group.conf-author"> + <title>AUTHOR</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_group/pam_group.8 b/Linux-PAM/modules/pam_group/pam_group.8 new file mode 100644 index 00000000..7058f1aa --- /dev/null +++ b/Linux-PAM/modules/pam_group/pam_group.8 @@ -0,0 +1,80 @@ +.\" Title: pam_group +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/22/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_GROUP" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_group \- PAM module for group access +.SH "SYNOPSIS" +.HP 13 +\fBpam_group.so\fR +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. +.PP +By default rules for group memberships are taken from config file +\fI/etc/security/group.conf\fR. +.PP +This module's usefulness relies on the file\-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a +\fBsetgid\fR +binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted +\fInosuid\fR +the user is unable to create or execute such a binary file. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted +\fInosuid\fR. +.PP +The pam_group module fuctions in parallel with the +\fI/etc/group\fR +file. If the user is granted any groups based on the behavior of this module, they are granted +\fIin addition\fR +to those entries +\fI/etc/group\fR +(or equivalent). +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +group membership was granted. +.TP 3n +PAM_ABORT +Not all relevant data could be gotten. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_CRED_ERR +Group membership was not granted. +.TP 3n +PAM_IGNORE + +\fBpam_sm_authenticate\fR +was called which does nothing. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "FILES" +.TP 3n +\fI/etc/security/group.conf\fR +Default configuration file +.SH "SEE ALSO" +.PP + +\fBgroup.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHORS" +.PP +pam_group was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_group/pam_group.8.xml b/Linux-PAM/modules/pam_group/pam_group.8.xml new file mode 100644 index 00000000..61c7eef1 --- /dev/null +++ b/Linux-PAM/modules/pam_group/pam_group.8.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_group'> + + <refmeta> + <refentrytitle>pam_group</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_group-name'> + <refname>pam_group</refname> + <refpurpose> + PAM module for group access + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_group-cmdsynopsis"> + <command>pam_group.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_group-description"> + <title>DESCRIPTION</title> + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + By default rules for group memberships are taken from config file + <filename>/etc/security/group.conf</filename>. + </para> + <para> + This module's usefulness relies on the file-systems + accessible to the user. The point being that once granted the + membership of a group, the user may attempt to create a + <function>setgid</function> binary with a restricted group ownership. + Later, when the user is not given membership to this group, they can + recover group membership with the precompiled binary. The reason that + the file-systems that the user has access to are so significant, is the + fact that when a system is mounted <emphasis>nosuid</emphasis> the user + is unable to create or execute such a binary file. For this module to + provide any level of security, all file-systems that the user has write + access to should be mounted <emphasis>nosuid</emphasis>. + </para> + <para> + The pam_group module fuctions in parallel with the + <filename>/etc/group</filename> file. If the user is granted any groups + based on the behavior of this module, they are granted + <emphasis>in addition</emphasis> to those entries + <filename>/etc/group</filename> (or equivalent). + </para> + </refsect1> + + <refsect1 id="pam_group-options"> + <title>OPTIONS</title> + <para>This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_group-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_group-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + group membership was granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + Group membership was not granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_sm_authenticate</function> was called which does nothing. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/group.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>group.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_group-authors"> + <title>AUTHORS</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_group/pam_group.c b/Linux-PAM/modules/pam_group/pam_group.c index c7b75fe2..1dc329ef 100644 --- a/Linux-PAM/modules/pam_group/pam_group.c +++ b/Linux-PAM/modules/pam_group/pam_group.c @@ -1,17 +1,10 @@ /* pam_group module */ /* - * $Id: pam_group.c,v 1.7 2004/09/24 13:13:20 kukuk Exp $ - * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6 */ -const static char rcsid[] = -"$Id: pam_group.c,v 1.7 2004/09/24 13:13:20 kukuk Exp $;\n" -"Version 0.5 for Linux-PAM\n" -"Copyright (c) Andrew G. Morgan 1996 <morgan@linux.kernel.org>\n"; - -#define _BSD_SOURCE +#include "config.h" #include <sys/file.h> #include <stdio.h> @@ -27,23 +20,18 @@ const static char rcsid[] = #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> +#include <netdb.h> -#ifdef DEFAULT_CONF_FILE -# define PAM_GROUP_CONF DEFAULT_CONF_FILE /* from external define */ -#else -# define PAM_GROUP_CONF "/etc/security/group.conf" -#endif #define PAM_GROUP_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ -#ifdef TRUE -# undef TRUE -#endif -#ifdef FALSE -# undef FALSE +#ifndef TRUE +# define TRUE 1 +#endif +#ifndef FALSE +# define FALSE 0 #endif -typedef enum { FALSE, TRUE } boolean; typedef enum { AND, OR } operator; /* @@ -57,21 +45,11 @@ typedef enum { AND, OR } operator; #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* --- static functions for checking whether the user should be let in --- */ -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_group", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - static void shift_bytes(char *mem, int from, int by) { while (by-- > 0) { @@ -86,14 +64,15 @@ static void shift_bytes(char *mem, int from, int by) * Therefore, always check buf after calling this to see if an error * occurred. */ -static int read_field(int fd, char **buf, int *from, int *to) +static int +read_field (const pam_handle_t *pamh, int fd, char **buf, int *from, int *to) { /* is buf set ? */ if (! *buf) { *buf = (char *) malloc(PAM_GROUP_BUFLEN); if (! *buf) { - _log_err("out of memory"); + pam_syslog(pamh, LOG_ERR, "out of memory"); return -1; } *from = *to = 0; @@ -103,7 +82,7 @@ static int read_field(int fd, char **buf, int *from, int *to) /* do we have a file open ? return error */ if (fd < 0 && *to <= 0) { - _log_err( PAM_GROUP_CONF " not opened"); + pam_syslog(pamh, LOG_ERR, "%s not opened", PAM_GROUP_CONF); memset(*buf, 0, PAM_GROUP_BUFLEN); _pam_drop(*buf); return -1; @@ -132,7 +111,7 @@ static int read_field(int fd, char **buf, int *from, int *to) i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to); if (i < 0) { - _log_err("error reading " PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF); close(fd); return -1; } else if (!i) { @@ -140,7 +119,7 @@ static int read_field(int fd, char **buf, int *from, int *to) fd = -1; /* end of file reached */ } else *to += i; - + /* * contract the buffer. Delete any comments, and replace all * multiple spaces with single commas @@ -161,8 +140,9 @@ static int read_field(int fd, char **buf, int *from, int *to) } } switch ((*buf)[i]) { - int j,c; + int j, c; case '#': + c = 0; for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); if (j >= *to) { (*buf)[*to = ++i] = '\0'; @@ -171,8 +151,9 @@ static int read_field(int fd, char **buf, int *from, int *to) *to -= j-i; ++i; } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); + pam_syslog(pamh, LOG_CRIT, + "internal error in file %s at line %d", + __FILE__, __LINE__); close(fd); return -1; } @@ -236,11 +217,10 @@ static int read_field(int fd, char **buf, int *from, int *to) static int logic_member(const char *string, int *at) { - int len,c,to; + int c,to; int done=0; int token=0; - len=0; to=*at; do { c = string[to++]; @@ -263,7 +243,7 @@ static int logic_member(const char *string, int *at) default: if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.' || c == '/') { + || c == '-' || c == '.' || c == '/' || c == ':') { token = 1; } else if (token) { --to; @@ -279,11 +259,13 @@ static int logic_member(const char *string, int *at) typedef enum { VAL, OP } expect; -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) +static int +logic_field (const pam_handle_t *pamh, const void *me, + const char *x, int rule, + int (*agrees)(const pam_handle_t *pamh, const void *, + const char *, int, int)) { - boolean left=FALSE, right, not=FALSE; + int left=FALSE, right, not=FALSE; operator oper=OR; int at=0, l; expect next=VAL; @@ -294,15 +276,18 @@ static boolean logic_field(const void *me, const char *x, int rule, if (next == VAL) { if (c == '!') not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); + else if (isalpha(c) || c == '*' || isdigit(c) || c == '_' + || c == '-' || c == '.' || c == '/' || c == ':') { + right = not ^ agrees(pamh, me, x+at, l, rule); if (oper == AND) left &= right; else left |= right; next = OP; } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected name (rule #%d)", + rule); return FALSE; } } else { /* OP */ @@ -314,8 +299,9 @@ static boolean logic_field(const void *me, const char *x, int rule, oper = OR; break; default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected & or | (rule #%d)", + rule); D(("%c at %d",c,at)); return FALSE; } @@ -327,7 +313,9 @@ static boolean logic_field(const void *me, const char *x, int rule, return left; } -static boolean is_same(const void *A, const char *b, int len, int rule) +static int +is_same (const pam_handle_t *pamh UNUSED, + const void *A, const char *b, int len, int rule UNUSED) { int i; const char *a; @@ -349,10 +337,10 @@ typedef struct { int minute; /* integer, hour*100+minute for now */ } TIME; -struct day { +static struct day { const char *d; int bit; -} static const days[11] = { +} const days[11] = { { "su", 01 }, { "mo", 02 }, { "tu", 04 }, @@ -382,9 +370,11 @@ static TIME time_now(void) } /* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) +static int +check_time (const pam_handle_t *pamh, const void *AT, + const char *times, int len, int rule) { - boolean not,pass; + int not,pass; int marked_day, time_start, time_end; const TIME *at; int i,j=0; @@ -394,7 +384,8 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) if (times == NULL) { /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); + pam_syslog(pamh, LOG_CRIT, "internal error in file %s at line %d", + __FILE__, __LINE__); return FALSE; } @@ -418,13 +409,13 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) } j += 2; if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule); return FALSE; } marked_day ^= this_day; } if (marked_day == 0) { - _log_err("no day specified"); + pam_syslog(pamh, LOG_ERR, "no day specified"); return FALSE; } D(("day range = 0%o", marked_day)); @@ -448,7 +439,7 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule); return TRUE; } D(("times(%d to %d)", time_start,time_end)); @@ -483,11 +474,10 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) static int find_member(const char *string, int *at) { - int len,c,to; + int c,to; int done=0; int token=0; - len=0; to=*at; do { c = string[to++]; @@ -547,7 +537,7 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len) if (tmp != NULL) { (*list) = tmp; } else { - _log_err("out of memory for group list"); + pam_syslog(pamh, LOG_ERR, "out of memory for group list"); free(*list); (*list) = NULL; return -1; @@ -561,44 +551,17 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len) D(("found group: %s",buf+at)); /* this is where we convert a group name to a gid_t */ -#ifdef WANT_PWDB - { - int retval; - const struct pwdb *pw=NULL; - - retval = pwdb_locate("group", PWDB_DEFAULT, buf+at - , PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS) { - _log_err("bad group: %s; %s", buf+at, pwdb_strerror(retval)); - } else { - const struct pwdb_entry *pwe=NULL; - - D(("group %s exists", buf+at)); - retval = pwdb_get_entry(pw, "gid", &pwe); - if (retval == PWDB_SUCCESS) { - D(("gid = %d [%p]",* (const gid_t *) pwe->value,list)); - (*list)[len++] = * (const gid_t *) pwe->value; - pwdb_entry_delete(&pwe); /* tidy up */ - } else { - _log_err("%s group entry is bad; %s" - , pwdb_strerror(retval)); - } - pw = NULL; /* break link - cached for later use */ - } - } -#else { const struct group *grp; - grp = _pammodutil_getgrnam(pamh, buf+at); + grp = pam_modutil_getgrnam(pamh, buf+at); if (grp == NULL) { - _log_err("bad group: %s", buf+at); + pam_syslog(pamh, LOG_ERR, "bad group: %s", buf+at); } else { D(("group %s exists", buf+at)); (*list)[len++] = grp->gr_gid; } } -#endif /* next entry along */ @@ -630,7 +593,11 @@ static int check_account(pam_handle_t *pamh, const char *service, if (no_grps > 0) { grps = calloc( blk_size(no_grps) , sizeof(gid_t) ); D(("copying current list into grps [%d big]",blk_size(no_grps))); - (void) getgroups(no_grps, grps); + if (getgroups(no_grps, grps) < 0) { + D(("getgroups call failed")); + no_grps = 0; + grps = NULL; + } #ifdef DEBUG { int z; @@ -653,7 +620,7 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the service name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { /* empty line .. ? */ continue; @@ -661,44 +628,51 @@ static int check_account(pam_handle_t *pamh, const char *service, ++count; D(("working on rule #%d",count)); - good = logic_field(service, buffer, count, is_same); + good = logic_field(pamh,service, buffer, count, is_same); D(("with service: %s", good ? "passes":"fails" )); /* here we get the terminal name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no tty entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no tty entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(tty, buffer, count, is_same); + good &= logic_field(pamh,tty, buffer, count, is_same); D(("with tty: %s", good ? "passes":"fails" )); /* here we get the username field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no user entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no user entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(user, buffer, count, is_same); + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') + good &= innetgr (&buffer[1], NULL, user, NULL); + else + good &= logic_field(pamh,user, buffer, count, is_same); D(("with user: %s", good ? "passes":"fails" )); /* here we get the time field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no time entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no time entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(&here_and_now, buffer, count, check_time); + good &= logic_field(pamh,&here_and_now, buffer, count, check_time); D(("with time: %s", good ? "passes":"fails" )); - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no listed groups for rule #%d" - , count); + pam_syslog(pamh, LOG_ERR, + "%s: no listed groups for rule #%d", PAM_GROUP_CONF, count); continue; } @@ -719,9 +693,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* check the line is terminated correctly */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (buffer && buffer[0]) { - _log_err(PAM_GROUP_CONF "; poorly terminated rule #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count); } if (good > 0) { @@ -737,17 +712,19 @@ static int check_account(pam_handle_t *pamh, const char *service, /* now set the groups for the user */ if (no_grps > 0) { +#ifdef DEBUG int err; +#endif D(("trying to set %d groups", no_grps)); #ifdef DEBUG for (err=0; err<no_grps; ++err) { D(("gid[%d]=%d", err, grps[err])); } #endif - if ((err = setgroups(no_grps, grps))) { - D(("but couldn't set groups %d", err)); - _log_err("unable to set the group membership for user (err=%d)" - , err); + if (setgroups(no_grps, grps) != 0) { + D(("but couldn't set groups %m")); + pam_syslog(pamh, LOG_ERR, + "unable to set the group membership for user: %m"); retval = PAM_CRED_ERR; } } @@ -763,17 +740,20 @@ static int check_account(pam_handle_t *pamh, const char *service, /* --- public authentication management functions --- */ -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags - , int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh, int flags, + int argc UNUSED, const char **argv UNUSED) { - const char *service=NULL, *tty=NULL; + const void *service=NULL, *void_tty=NULL; const char *user=NULL; + const char *tty; int retval; unsigned setting; @@ -787,9 +767,9 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags /* set service name */ - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) + if (pam_get_item(pamh, PAM_SERVICE, &service) != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); + pam_syslog(pamh, LOG_ERR, "cannot find the current service name"); return PAM_ABORT; } @@ -797,28 +777,33 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err("cannot determine the user's name"); + pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } /* set tty name */ - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS + || void_tty == NULL) { D(("PAM_TTY not set, probing stdin")); tty = ttyname(STDIN_FILENO); if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; + tty = ""; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); + pam_syslog(pamh, LOG_ERR, "couldn't set tty name"); return PAM_ABORT; } } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; + else + tty = (const char *) void_tty; + + if (tty[0] == '/') { /* full path */ + const char *t; + tty++; + if ((t = strchr(tty, '/')) != NULL) { + tty = t + 1; + } } /* good, now we have the service name, the user and the terminal name */ @@ -827,22 +812,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags D(("user=%s", user)); D(("tty=%s", tty)); -#ifdef WANT_PWDB - - /* We initialize the pwdb library and check the account */ - retval = pwdb_start(); /* initialize */ - if (retval == PWDB_SUCCESS) { - retval = check_account(pamh, service,tty,user); /* get groups */ - (void) pwdb_end(); /* tidy up */ - } else { - D(("failed to initialize pwdb; %s", pwdb_strerror(retval))); - _log_err("unable to initialize libpwdb"); - retval = PAM_ABORT; - } - -#else /* WANT_PWDB */ retval = check_account(pamh,service,tty,user); /* get groups */ -#endif /* WANT_PWDB */ return retval; } diff --git a/Linux-PAM/modules/pam_group/tst-pam_group b/Linux-PAM/modules/pam_group/tst-pam_group new file mode 100755 index 00000000..29f7ba06 --- /dev/null +++ b/Linux-PAM/modules/pam_group/tst-pam_group @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_group.so |