summaryrefslogtreecommitdiff
path: root/modules/pam_access/pam_access.c
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2019-02-11 16:13:42 -0800
committerSteve Langasek <vorlon@debian.org>2019-02-12 06:07:57 +0000
commit668b13da8f830c38388cecac45539972e80cb246 (patch)
treeba3a4e02ed5ec62fe645dfa810c01d26decf591f /modules/pam_access/pam_access.c
parentf00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb (diff)
parent3b77a78d575b8ab56bb0e828499df328d55c925f (diff)
New upstream version 1.3.1
Diffstat (limited to 'modules/pam_access/pam_access.c')
-rw-r--r--modules/pam_access/pam_access.c41
1 files changed, 34 insertions, 7 deletions
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 3ac1ad00..80d885dd 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -44,6 +44,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
+#include <glob.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif
@@ -87,6 +88,7 @@
#define ALL 2
#define YES 1
#define NO 0
+#define NOMATCH -1
/*
* A structure to bundle up all login-related information to keep the
@@ -415,7 +417,11 @@ login_access (pam_handle_t *pamh, struct login_info *item)
"pam_access", 0);
}
#endif
- return (match == NO || (line[0] == '+'));
+ if (match == NO)
+ return NOMATCH;
+ if (line[0] == '+')
+ return YES;
+ return NO;
}
@@ -516,7 +522,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
/* Try to split on a pattern (@*[^@]+)(@+.*) */
for (at = tok; *at == '@'; ++at);
- if ((at = strchr(at, '@')) != NULL) {
+ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
+ return (group_match (pamh, tok, string, item->debug));
+ } else if ((at = strchr(at, '@')) != NULL) {
/* split user@host pattern */
if (item->hostname == NULL)
return NO;
@@ -541,9 +549,7 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
hostname = item->hostname;
}
return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
- return (group_match (pamh, tok, string, item->debug));
- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
return rv;
else if (item->only_new_group_syntax == NO &&
pam_modutil_user_in_group_nam_nam (pamh,
@@ -727,7 +733,7 @@ network_netmask_match (pam_handle_t *pamh,
{ /* netmask as integre value */
char *endptr = NULL;
netmask = strtol(netmask_ptr, &endptr, 0);
- if ((endptr == NULL) || (*endptr != '\0'))
+ if ((endptr == netmask_ptr) || (*endptr != '\0'))
{ /* invalid netmask value */
return NO;
}
@@ -800,6 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
const char *user=NULL;
const void *void_from=NULL;
const char *from;
+ const char const *default_config = PAM_ACCESS_CONFIG;
struct passwd *user_pw;
char hostname[MAXHOSTNAMELEN + 1];
int rv;
@@ -821,7 +828,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
*/
memset(&loginfo, '\0', sizeof(loginfo));
loginfo.user = user_pw;
- loginfo.config_file = PAM_ACCESS_CONFIG;
+ loginfo.config_file = default_config;
/* parse the argument list */
@@ -892,6 +899,26 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
rv = login_access(pamh, &loginfo);
+ if (rv == NOMATCH && loginfo.config_file == default_config) {
+ glob_t globbuf;
+ int i, glob_rv;
+
+ /* We do not manipulate locale as setlocale() is not
+ * thread safe. We could use uselocale() in future.
+ */
+ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
+ if (!glob_rv) {
+ /* Parse the *.conf files. */
+ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
+ loginfo.config_file = globbuf.gl_pathv[i];
+ rv = login_access(pamh, &loginfo);
+ if (rv != NOMATCH)
+ break;
+ }
+ globfree(&globbuf);
+ }
+ }
+
if (loginfo.gai_rv == 0 && loginfo.res)
freeaddrinfo(loginfo.res);