diff options
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 16:26:05 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:26:38 -0800 |
| commit | 9c52e721044e7501c3d4567b36d222dc7326224a (patch) | |
| tree | 9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_group | |
| parent | 9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff) | |
| parent | 186ff16e8d12ff15d518000c17f115ccab5275a4 (diff) | |
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_group')
| -rw-r--r-- | modules/pam_group/Makefile.am | 34 | ||||
| -rw-r--r-- | modules/pam_group/Makefile.in | 738 | ||||
| -rw-r--r-- | modules/pam_group/README | 45 | ||||
| -rw-r--r-- | modules/pam_group/README.xml | 34 | ||||
| -rw-r--r-- | modules/pam_group/group.conf | 99 | ||||
| -rw-r--r-- | modules/pam_group/group.conf.5 | 83 | ||||
| -rw-r--r-- | modules/pam_group/group.conf.5.xml | 131 | ||||
| -rw-r--r-- | modules/pam_group/pam_group.8 | 94 | ||||
| -rw-r--r-- | modules/pam_group/pam_group.8.xml | 162 | ||||
| -rw-r--r-- | modules/pam_group/pam_group.c | 842 | ||||
| -rwxr-xr-x | modules/pam_group/tst-pam_group | 2 |
11 files changed, 2264 insertions, 0 deletions
diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am new file mode 100644 index 00000000..22dc831b --- /dev/null +++ b/modules/pam_group/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group + +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_group.la +pam_group_la_LIBADD = -L$(top_builddir)/libpam -lpam + +secureconf_DATA = group.conf + +TESTS = tst-pam_group + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_group.8.xml group.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/modules/pam_group/Makefile.in b/modules/pam_group/Makefile.in new file mode 100644 index 00000000..cff1b86e --- /dev/null +++ b/modules/pam_group/Makefile.in @@ -0,0 +1,738 @@ +# Makefile.in generated by automake 1.10.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_group +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_group_la_DEPENDENCIES = +pam_group_la_SOURCES = pam_group.c +pam_group_la_OBJECTS = pam_group.lo +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_group.c +DIST_SOURCES = pam_group.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NMEDIT = @NMEDIT@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) +securelib_LTLIBRARIES = pam_group.la +pam_group_la_LIBADD = -L$(top_builddir)/libpam -lpam +secureconf_DATA = group.conf +TESTS = tst-pam_group +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_group/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_group/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_group.la: $(pam_group_la_OBJECTS) $(pam_group_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_group_la_OBJECTS) $(pam_group_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_group.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_group.8.xml group.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_group/README b/modules/pam_group/README new file mode 100644 index 00000000..2e1e37a5 --- /dev/null +++ b/modules/pam_group/README @@ -0,0 +1,45 @@ +pam_group — PAM module for group access + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module fuctions in parallel with the /etc/group file. If the user +is granted any groups based on the behavior of this module, they are granted in +addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to +games (through membership of the floppy group) after work hours. + +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + diff --git a/modules/pam_group/README.xml b/modules/pam_group/README.xml new file mode 100644 index 00000000..387d6987 --- /dev/null +++ b/modules/pam_group/README.xml @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> +--> +<!-- +<!ENTITY groupconf SYSTEM "group.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + </section> + +</article> diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf new file mode 100644 index 00000000..b766becb --- /dev/null +++ b/modules/pam_group/group.conf @@ -0,0 +1,99 @@ +# +# This is the configuration file for the pam_group module. +# + +# +# *** Please note that giving group membership on a session basis is +# *** NOT inherently secure. If a user can create an executable that +# *** is setgid a group that they are infrequently given membership +# *** of, they can basically obtain group membership any time they +# *** like. Example: games are allowed between the hours of 6pm and 6am +# *** user joe logs in at 7pm writes a small C-program toplay.c that +# *** invokes their favorite shell, compiles it and does +# *** "chgrp play toplay; chmod g+s toplay". They are basically able +# *** to play games any time... You have been warned. AGM +# + +# +# The syntax of the lines is as follows: +# +# services;ttys;users;times;groups +# +# white space is ignored and lines maybe extended with '\\n' (escaped +# newlines). From reading these comments, it is clear that +# text following a '#' is ignored to the end of the line. +# +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). +# +# groups +# The (comma or space separated) list of groups that the user +# inherits membership of. These groups are added if the previous +# fields are satisfied by the user's request +# +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, play, sound +# + +# +# Here is a simple example: running 'xsh' on tty* (any ttyXXX device), +# the user 'us' is given access to the floppy (through membership of +# the floppy group) +# + +#xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +# +# another example: running 'xsh' on tty* (any ttyXXX device), +# the user 'sword' is given access to games (through membership of +# the sound and play group) after work hours. +# + +#xsh; tty* ;sword;!Wk0900-1800;sound, play +#xsh; tty* ;*;Al0900-1800;floppy + +# +# End of group.conf file +# diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5 new file mode 100644 index 00000000..7f0f2268 --- /dev/null +++ b/modules/pam_group/group.conf.5 @@ -0,0 +1,83 @@ +.\" Title: group.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> +.\" Date: 04/16/2008 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" +.TH "GROUP\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +group.conf - configuration file for the pam_group module +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. +.PP +For this module to function correctly there must be a correctly formatted +\fI/etc/security/group\.conf\fR +file present\. White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\. Text following a \'#\' is ignored to the end of the line\. +.PP +The syntax of the lines is as follows: +.PP + +\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR;\fIgroups\fR +.PP +The first field, the +\fIservices\fR +field, is a logic list of PAM service names that the rule applies to\. +.PP +The second field, the +\fItty\fR +field, is a logic list of terminal names that this rule applies to\. +.PP +The third field, the +\fIusers\fR +field, is a logic list of users or a netgroup of users to whom this rule applies\. +.PP +For these items the simple wildcard \'*\' may be used only once\. With netgroups no wildcards or logic operators are allowed\. +.PP +The +\fItimes\fR +field is used to indicate "when" these groups are to be given to the user\. The format here is a logic list of day/time\-range entries\. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\. As a final example, AlFr means all days except Friday\. +.PP +Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\. +.PP +The +\fIgroups\fR +field is a comma or space separated list of groups that the user inherits membership of\. These groups are added if the previous fields are satisfied by the user\'s request\. +.PP +For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/group\.conf\fR\. +.PP +Running \'xsh\' on tty* (any ttyXXX device), the user \'us\' is given access to the floppy (through membership of the floppy group) +.sp +.RS 4 +.nf +xsh;tty*&!ttyp*;us;Al0000\-2400;floppy +.fi +.RE +.PP +Running \'xsh\' on tty* (any ttyXXX device), the user \'sword\' is given access to games (through membership of the floppy group) after work hours\. +.sp +.RS 4 +.nf +xsh; tty* ;sword;!Wk0900\-1800;games, sound +xsh; tty* ;*;Al0900\-1800;floppy + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam_group\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_group was written by Andrew G\. Morgan <morgan@kernel\.org>\. diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml new file mode 100644 index 00000000..9c008eb0 --- /dev/null +++ b/modules/pam_group/group.conf.5.xml @@ -0,0 +1,131 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="group.conf"> + + <refmeta> + <refentrytitle>group.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>group.conf</refname> + <refpurpose>configuration file for the pam_group module</refpurpose> + </refnamediv> + + <refsect1 id='group.conf-description'> + <title>DESCRIPTION</title> + + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + For this module to function correctly there must be a correctly + formatted <filename>/etc/security/group.conf</filename> file present. + White spaces are ignored and lines maybe extended with '\' (escaped + newlines). Text following a '#' is ignored to the end of the line. + </para> + + <para> + The syntax of the lines is as follows: + </para> + + <para> + <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>;<replaceable>groups</replaceable> + </para> + + + <para> + The first field, the <replaceable>services</replaceable> field, is a logic list + of PAM service names that the rule applies to. + </para> + + <para> + The second field, the <replaceable>tty</replaceable> + field, is a logic list of terminal names that this rule applies to. + </para> + + <para> + The third field, the <replaceable>users</replaceable> + field, is a logic list of users or a netgroup of users to whom this + rule applies. + </para> + + <para> + For these items the simple wildcard '*' may be used only once. + With netgroups no wildcards or logic operators are allowed. + </para> + + <para> + The <replaceable>times</replaceable> field is used to indicate "when" + these groups are to be given to the user. The format here is a logic + list of day/time-range entries. The days are specified by a sequence of + two character entries, MoTuSa for example is Monday Tuesday and Saturday. + Note that repeated days are unset MoMo = no day, and MoWk = all weekdays + bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa + Su Wk Wd Al, the last two being week-end days and all 7 days of the week + respectively. As a final example, AlFr means all days except Friday. + </para> + <para> + Each day/time-range can be prefixed with a '!' to indicate "anything but". + The time-range part is two 24-hour times HHMM, separated by a hyphen, + indicating the start and finish time (if the finish time is smaller + than the start time it is deemed to apply on the following day). + </para> + + <para> + The <replaceable>groups</replaceable> field is a comma or space + separated list of groups that the user inherits membership of. These + groups are added if the previous fields are satisfied by the user's request. + </para> + + <para> + For a rule to be active, ALL of service+ttys+users must be satisfied + by the applying process. + </para> + </refsect1> + + <refsect1 id="group.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/group.conf</filename>. + </para> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access + to the floppy (through membership of the floppy group) + </para> + <programlisting>xsh;tty*&!ttyp*;us;Al0000-2400;floppy</programlisting> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access + to games (through membership of the floppy group) after work hours. + </para> + <programlisting> +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + </programlisting> + </refsect1> + + <refsect1 id="group.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="group.conf-author"> + <title>AUTHOR</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8 new file mode 100644 index 00000000..fabd4a5f --- /dev/null +++ b/modules/pam_group/pam_group.8 @@ -0,0 +1,94 @@ +.\" Title: pam_group +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> +.\" Date: 04/16/2008 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" +.TH "PAM_GROUP" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_group - PAM module for group access +.SH "SYNOPSIS" +.HP 13 +\fBpam_group\.so\fR +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. +.PP +By default rules for group memberships are taken from config file +\fI/etc/security/group\.conf\fR\. +.PP +This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a +\fBsetgid\fR +binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted +\fInosuid\fR +the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted +\fInosuid\fR\. +.PP +The pam_group module fuctions in parallel with the +\fI/etc/group\fR +file\. If the user is granted any groups based on the behavior of this module, they are granted +\fIin addition\fR +to those entries +\fI/etc/group\fR +(or equivalent)\. +.SH "OPTIONS" +.PP +This module does not recognise any options\. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported\. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +group membership was granted\. +.RE +.PP +PAM_ABORT +.RS 4 +Not all relevant data could be gotten\. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\. +.RE +.PP +PAM_CRED_ERR +.RS 4 +Group membership was not granted\. +.RE +.PP +PAM_IGNORE +.RS 4 + +\fBpam_sm_authenticate\fR +was called which does nothing\. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The user is not known to the system\. +.RE +.SH "FILES" +.PP +\fI/etc/security/group\.conf\fR +.RS 4 +Default configuration file +.RE +.SH "SEE ALSO" +.PP + +\fBgroup.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8)\. +.SH "AUTHORS" +.PP +pam_group was written by Andrew G\. Morgan <morgan@kernel\.org>\. diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml new file mode 100644 index 00000000..f7488fb3 --- /dev/null +++ b/modules/pam_group/pam_group.8.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_group'> + + <refmeta> + <refentrytitle>pam_group</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_group-name'> + <refname>pam_group</refname> + <refpurpose> + PAM module for group access + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_group-cmdsynopsis"> + <command>pam_group.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_group-description"> + <title>DESCRIPTION</title> + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + By default rules for group memberships are taken from config file + <filename>/etc/security/group.conf</filename>. + </para> + <para> + This module's usefulness relies on the file-systems + accessible to the user. The point being that once granted the + membership of a group, the user may attempt to create a + <function>setgid</function> binary with a restricted group ownership. + Later, when the user is not given membership to this group, they can + recover group membership with the precompiled binary. The reason that + the file-systems that the user has access to are so significant, is the + fact that when a system is mounted <emphasis>nosuid</emphasis> the user + is unable to create or execute such a binary file. For this module to + provide any level of security, all file-systems that the user has write + access to should be mounted <emphasis>nosuid</emphasis>. + </para> + <para> + The pam_group module fuctions in parallel with the + <filename>/etc/group</filename> file. If the user is granted any groups + based on the behavior of this module, they are granted + <emphasis>in addition</emphasis> to those entries + <filename>/etc/group</filename> (or equivalent). + </para> + </refsect1> + + <refsect1 id="pam_group-options"> + <title>OPTIONS</title> + <para>This module does not recognise any options.</para> + </refsect1> + + <refsect1 id="pam_group-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_group-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + group membership was granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + Group membership was not granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_sm_authenticate</function> was called which does nothing. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/group.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>group.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_group-authors"> + <title>AUTHORS</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c new file mode 100644 index 00000000..4a54da14 --- /dev/null +++ b/modules/pam_group/pam_group.c @@ -0,0 +1,842 @@ +/* pam_group module */ + +/* + * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6 + */ + +#include "config.h" + +#include <sys/file.h> +#include <stdio.h> +#include <stdlib.h> +#include <ctype.h> +#include <unistd.h> +#include <stdarg.h> +#include <time.h> +#include <syslog.h> +#include <string.h> + +#include <grp.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <netdb.h> + +#define PAM_GROUP_BUFLEN 1000 +#define FIELD_SEPARATOR ';' /* this is new as of .02 */ + +#ifndef TRUE +# define TRUE 1 +#endif +#ifndef FALSE +# define FALSE 0 +#endif + +typedef enum { AND, OR } operator; + +/* + * here, we make definitions for the externally accessible functions + * in this file (these definitions are required for static modules + * but strongly encouraged generally) they are used to instruct the + * modules include file to define their prototypes. + */ + +#define PAM_SM_AUTH + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +/* --- static functions for checking whether the user should be let in --- */ + +static void shift_bytes(char *mem, int from, int by) +{ + while (by-- > 0) { + *mem = mem[from]; + ++mem; + } +} + +/* This function should initially be called with buf = NULL. If + * an error occurs, the file descriptor is closed. Subsequent + * calls with a closed descriptor will cause buf to be deallocated. + * Therefore, always check buf after calling this to see if an error + * occurred. + */ +static int +read_field (const pam_handle_t *pamh, int fd, char **buf, int *from, int *to) +{ + /* is buf set ? */ + + if (! *buf) { + *buf = (char *) malloc(PAM_GROUP_BUFLEN); + if (! *buf) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + return -1; + } + *from = *to = 0; + fd = open(PAM_GROUP_CONF, O_RDONLY); + } + + /* do we have a file open ? return error */ + + if (fd < 0 && *to <= 0) { + pam_syslog(pamh, LOG_ERR, "%s not opened", PAM_GROUP_CONF); + memset(*buf, 0, PAM_GROUP_BUFLEN); + _pam_drop(*buf); + return -1; + } + + /* check if there was a newline last time */ + + if ((*to > *from) && (*to > 0) + && ((*buf)[*from] == '\0')) { /* previous line ended */ + (*from)++; + (*buf)[0] = '\0'; + return fd; + } + + /* ready for more data: first shift the buffer's remaining data */ + + *to -= *from; + shift_bytes(*buf, *from, *to); + *from = 0; + (*buf)[*to] = '\0'; + + while (fd >= 0 && *to < PAM_GROUP_BUFLEN) { + int i; + + /* now try to fill the remainder of the buffer */ + + i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to); + if (i < 0) { + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF); + close(fd); + return -1; + } else if (!i) { + close(fd); + fd = -1; /* end of file reached */ + } else + *to += i; + + /* + * contract the buffer. Delete any comments, and replace all + * multiple spaces with single commas + */ + + i = 0; +#ifdef DEBUG_DUMP + D(("buffer=<%s>",*buf)); +#endif + while (i < *to) { + if ((*buf)[i] == ',') { + int j; + + for (j=++i; j<*to && (*buf)[j] == ','; ++j); + if (j!=i) { + shift_bytes(i + (*buf), j-i, (*to) - j); + *to -= j-i; + } + } + switch ((*buf)[i]) { + int j, c; + case '#': + c = 0; + for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); + if (j >= *to) { + (*buf)[*to = ++i] = '\0'; + } else if (c == '\n') { + shift_bytes(i + (*buf), j-i, (*to) - j); + *to -= j-i; + ++i; + } else { + pam_syslog(pamh, LOG_CRIT, + "internal error in file %s at line %d", + __FILE__, __LINE__); + close(fd); + return -1; + } + break; + case '\\': + if ((*buf)[i+1] == '\n') { + shift_bytes(i + *buf, 2, *to - (i+2)); + *to -= 2; + } else { + ++i; /* we don't escape non-newline characters */ + } + break; + case '!': + case ' ': + case '\t': + if ((*buf)[i] != '!') + (*buf)[i] = ','; + /* delete any trailing spaces */ + for (j=++i; j < *to && ( (c = (*buf)[j]) == ' ' + || c == '\t' ); ++j); + shift_bytes(i + *buf, j-i, (*to)-j ); + *to -= j-i; + break; + default: + ++i; + } + } + } + + (*buf)[*to] = '\0'; + + /* now return the next field (set the from/to markers) */ + { + int i; + + for (i=0; i<*to; ++i) { + switch ((*buf)[i]) { + case '#': + case '\n': /* end of the line/file */ + (*buf)[i] = '\0'; + *from = i; + return fd; + case FIELD_SEPARATOR: /* end of the field */ + (*buf)[i] = '\0'; + *from = ++i; + return fd; + } + } + *from = i; + (*buf)[*from] = '\0'; + } + + if (*to <= 0) { + D(("[end of text]")); + *buf = NULL; + } + return fd; +} + +/* read a member from a field */ + +static int logic_member(const char *string, int *at) +{ + int c,to; + int done=0; + int token=0; + + to=*at; + do { + c = string[to++]; + + switch (c) { + + case '\0': + --to; + done = 1; + break; + + case '&': + case '|': + case '!': + if (token) { + --to; + } + done = 1; + break; + + default: + if (isalpha(c) || c == '*' || isdigit(c) || c == '_' + || c == '-' || c == '.' || c == '/' || c == ':') { + token = 1; + } else if (token) { + --to; + done = 1; + } else { + ++*at; + } + } + } while (!done); + + return to - *at; +} + +typedef enum { VAL, OP } expect; + +static int +logic_field (const pam_handle_t *pamh, const void *me, + const char *x, int rule, + int (*agrees)(const pam_handle_t *pamh, const void *, + const char *, int, int)) +{ + int left=FALSE, right, not=FALSE; + operator oper=OR; + int at=0, l; + expect next=VAL; + + while ((l = logic_member(x,&at))) { + int c = x[at]; + + if (next == VAL) { + if (c == '!') + not = !not; + else if (isalpha(c) || c == '*' || isdigit(c) || c == '_' + || c == '-' || c == '.' || c == '/' || c == ':') { + right = not ^ agrees(pamh, me, x+at, l, rule); + if (oper == AND) + left &= right; + else + left |= right; + next = OP; + } else { + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected name (rule #%d)", + rule); + return FALSE; + } + } else { /* OP */ + switch (c) { + case '&': + oper = AND; + break; + case '|': + oper = OR; + break; + default: + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected & or | (rule #%d)", + rule); + D(("%c at %d",c,at)); + return FALSE; + } + next = VAL; + } + at += l; + } + + return left; +} + +static int +is_same (const pam_handle_t *pamh UNUSED, + const void *A, const char *b, int len, int rule UNUSED) +{ + int i; + const char *a; + + a = A; + for (i=0; len > 0; ++i, --len) { + if (b[i] != a[i]) { + if (b[i++] == '*') { + return (!--len || !strncmp(b+i,a+strlen(a)-len,len)); + } else + return FALSE; + } + } + + /* Ok, we know that b is a substring from A and does not contain + wildcards, but now the length of both strings must be the same, + too. */ + if (strlen (a) != strlen(b)) + return FALSE; + + return ( !len ); +} + +typedef struct { + int day; /* array of 7 bits, one set for today */ + int minute; /* integer, hour*100+minute for now */ +} TIME; + +static struct day { + const char *d; + int bit; +} const days[11] = { + { "su", 01 }, + { "mo", 02 }, + { "tu", 04 }, + { "we", 010 }, + { "th", 020 }, + { "fr", 040 }, + { "sa", 0100 }, + { "wk", 076 }, + { "wd", 0101 }, + { "al", 0177 }, + { NULL, 0 } +}; + +static TIME time_now(void) +{ + struct tm *local; + time_t the_time; + TIME this; + + the_time = time((time_t *)0); /* get the current time */ + local = localtime(&the_time); + this.day = days[local->tm_wday].bit; + this.minute = local->tm_hour*100 + local->tm_min; + + D(("day: 0%o, time: %.4d", this.day, this.minute)); + return this; +} + +/* take the current date and see if the range "date" passes it */ +static int +check_time (const pam_handle_t *pamh, const void *AT, + const char *times, int len, int rule) +{ + int not,pass; + int marked_day, time_start, time_end; + const TIME *at; + int i,j=0; + + at = AT; + D(("checking: 0%o/%.4d vs. %s", at->day, at->minute, times)); + + if (times == NULL) { + /* this should not happen */ + pam_syslog(pamh, LOG_CRIT, "internal error in file %s at line %d", + __FILE__, __LINE__); + return FALSE; + } + + if (times[j] == '!') { + ++j; + not = TRUE; + } else { + not = FALSE; + } + + for (marked_day = 0; len > 0 && isalpha(times[j]); --len) { + int this_day=-1; + + D(("%c%c ?", times[j], times[j+1])); + for (i=0; days[i].d != NULL; ++i) { + if (tolower(times[j]) == days[i].d[0] + && tolower(times[j+1]) == days[i].d[1] ) { + this_day = days[i].bit; + break; + } + } + j += 2; + if (this_day == -1) { + pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule); + return FALSE; + } + marked_day ^= this_day; + } + if (marked_day == 0) { + pam_syslog(pamh, LOG_ERR, "no day specified"); + return FALSE; + } + D(("day range = 0%o", marked_day)); + + time_start = 0; + for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) { + time_start *= 10; + time_start += times[i+j]-'0'; /* is this portable? */ + } + j += i; + + if (times[j] == '-') { + time_end = 0; + for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) { + time_end *= 10; + time_end += times[i+j]-'0'; /* is this portable? */ + } + j += i; + } else + time_end = -1; + + D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); + if (i != 5 || time_end == -1) { + pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule); + return TRUE; + } + D(("times(%d to %d)", time_start,time_end)); + D(("marked_day = 0%o", marked_day)); + + /* compare with the actual time now */ + + pass = FALSE; + if (time_start < time_end) { /* start < end ? --> same day */ + if ((at->day & marked_day) && (at->minute >= time_start) + && (at->minute < time_end)) { + D(("time is listed")); + pass = TRUE; + } + } else { /* spans two days */ + if ((at->day & marked_day) && (at->minute >= time_start)) { + D(("caught on first day")); + pass = TRUE; + } else { + marked_day <<= 1; + marked_day |= (marked_day & 0200) ? 1:0; + D(("next day = 0%o", marked_day)); + if ((at->day & marked_day) && (at->minute <= time_end)) { + D(("caught on second day")); + pass = TRUE; + } + } + } + + return (not ^ pass); +} + +static int find_member(const char *string, int *at) +{ + int c,to; + int done=0; + int token=0; + + to=*at; + do { + c = string[to++]; + + switch (c) { + + case '\0': + --to; + done = 1; + break; + + case '&': + case '|': + case '!': + if (token) { + --to; + } + done = 1; + break; + + default: + if (isalpha(c) || isdigit(c) || c == '_' || c == '*' + || c == '-') { + token = 1; + } else if (token) { + --to; + done = 1; + } else { + ++*at; + } + } + } while (!done); + + return to - *at; +} + +#define GROUP_BLK 10 +#define blk_size(len) (((len-1 + GROUP_BLK)/GROUP_BLK)*GROUP_BLK) + +static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len) +{ + int l,at=0; + int blks; + + blks = blk_size(len); + D(("cf. blks=%d and len=%d", blks,len)); + + while ((l = find_member(buf,&at))) { + int edge; + + if (len >= blks) { + gid_t *tmp; + + D(("allocating new block")); + tmp = (gid_t *) realloc((*list) + , sizeof(gid_t) * (blks += GROUP_BLK)); + if (tmp != NULL) { + (*list) = tmp; + } else { + pam_syslog(pamh, LOG_ERR, "out of memory for group list"); + free(*list); + (*list) = NULL; + return -1; + } + } + + /* '\0' terminate the entry */ + + edge = (buf[at+l]) ? 1:0; + buf[at+l] = '\0'; + D(("found group: %s",buf+at)); + + /* this is where we convert a group name to a gid_t */ + { + const struct group *grp; + + grp = pam_modutil_getgrnam(pamh, buf+at); + if (grp == NULL) { + pam_syslog(pamh, LOG_ERR, "bad group: %s", buf+at); + } else { + D(("group %s exists", buf+at)); + (*list)[len++] = grp->gr_gid; + } + } + + /* next entry along */ + + at += l + edge; + } + D(("returning with [%p/len=%d]->%p",list,len,*list)); + return len; +} + + +static int check_account(pam_handle_t *pamh, const char *service, + const char *tty, const char *user) +{ + int from=0,to=0,fd=-1; + char *buffer=NULL; + int count=0; + TIME here_and_now; + int retval=PAM_SUCCESS; + gid_t *grps; + int no_grps; + + /* + * first we get the current list of groups - the application + * will have previously done an initgroups(), or equivalent. + */ + + D(("counting supplementary groups")); + no_grps = getgroups(0, NULL); /* find the current number of groups */ + if (no_grps > 0) { + grps = calloc( blk_size(no_grps) , sizeof(gid_t) ); + D(("copying current list into grps [%d big]",blk_size(no_grps))); + if (getgroups(no_grps, grps) < 0) { + D(("getgroups call failed")); + no_grps = 0; + grps = NULL; + } +#ifdef DEBUG + { + int z; + for (z=0; z<no_grps; ++z) { + D(("gid[%d]=%d", z, grps[z])); + } + } +#endif + } else { + D(("no supplementary groups known")); + no_grps = 0; + grps = NULL; + } + + here_and_now = time_now(); /* find current time */ + + /* parse the rules in the configuration file */ + do { + int good=TRUE; + + /* here we get the service name field */ + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (!buffer || !buffer[0]) { + /* empty line .. ? */ + continue; + } + ++count; + D(("working on rule #%d",count)); + + good = logic_field(pamh,service, buffer, count, is_same); + D(("with service: %s", good ? "passes":"fails" )); + + /* here we get the terminal name field */ + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (!buffer || !buffer[0]) { + pam_syslog(pamh, LOG_ERR, + "%s: no tty entry #%d", PAM_GROUP_CONF, count); + continue; + } + good &= logic_field(pamh,tty, buffer, count, is_same); + D(("with tty: %s", good ? "passes":"fails" )); + + /* here we get the username field */ + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (!buffer || !buffer[0]) { + pam_syslog(pamh, LOG_ERR, + "%s: no user entry #%d", PAM_GROUP_CONF, count); + continue; + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') + good &= innetgr (&buffer[1], NULL, user, NULL); + else + good &= logic_field(pamh,user, buffer, count, is_same); + D(("with user: %s", good ? "passes":"fails" )); + + /* here we get the time field */ + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (!buffer || !buffer[0]) { + pam_syslog(pamh, LOG_ERR, + "%s: no time entry #%d", PAM_GROUP_CONF, count); + continue; + } + + good &= logic_field(pamh,&here_and_now, buffer, count, check_time); + D(("with time: %s", good ? "passes":"fails" )); + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (!buffer || !buffer[0]) { + pam_syslog(pamh, LOG_ERR, + "%s: no listed groups for rule #%d", PAM_GROUP_CONF, count); + continue; + } + + /* + * so we have a list of groups, we need to turn it into + * something to send to setgroups(2) + */ + + if (good) { + D(("adding %s to gid list", buffer)); + good = mkgrplist(pamh, buffer, &grps, no_grps); + if (good < 0) { + no_grps = 0; + } else { + no_grps = good; + } + } + + /* check the line is terminated correctly */ + + fd = read_field(pamh,fd,&buffer,&from,&to); + if (buffer && buffer[0]) { + pam_syslog(pamh, LOG_ERR, + "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count); + } + + if (good > 0) { + D(("rule #%d passed, added %d groups", count, good)); + } else if (good < 0) { + retval = PAM_BUF_ERR; + } else { + D(("rule #%d failed", count)); + } + + } while (buffer); + + /* now set the groups for the user */ + + if (no_grps > 0) { +#ifdef DEBUG + int err; +#endif + D(("trying to set %d groups", no_grps)); +#ifdef DEBUG + for (err=0; err<no_grps; ++err) { + D(("gid[%d]=%d", err, grps[err])); + } +#endif + if (setgroups(no_grps, grps) != 0) { + D(("but couldn't set groups %m")); + pam_syslog(pamh, LOG_ERR, + "unable to set the group membership for user: %m"); + retval = PAM_CRED_ERR; + } + } + + if (grps) { /* tidy up */ + memset(grps, 0, sizeof(gid_t) * blk_size(no_grps)); + _pam_drop(grps); + no_grps = 0; + } + + return retval; +} + +/* --- public authentication management functions --- */ + +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh, int flags, + int argc UNUSED, const char **argv UNUSED) +{ + const void *service=NULL, *void_tty=NULL; + const char *user=NULL; + const char *tty; + int retval; + unsigned setting; + + /* only interested in establishing credentials */ + + setting = flags; + if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { + D(("ignoring call - not for establishing credentials")); + return PAM_SUCCESS; /* don't fail because of this */ + } + + /* set service name */ + + if (pam_get_item(pamh, PAM_SERVICE, &service) + != PAM_SUCCESS || service == NULL) { + pam_syslog(pamh, LOG_ERR, "cannot find the current service name"); + return PAM_ABORT; + } + + /* set username */ + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + || *user == '\0') { + pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + return PAM_USER_UNKNOWN; + } + + /* set tty name */ + + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS + || void_tty == NULL) { + D(("PAM_TTY not set, probing stdin")); + tty = ttyname(STDIN_FILENO); + if (tty == NULL) { + tty = ""; + } + if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "couldn't set tty name"); + return PAM_ABORT; + } + } + else + tty = (const char *) void_tty; + + if (tty[0] == '/') { /* full path */ + const char *t; + tty++; + if ((t = strchr(tty, '/')) != NULL) { + tty = t + 1; + } + } + + /* good, now we have the service name, the user and the terminal name */ + + D(("service=%s", service)); + D(("user=%s", user)); + D(("tty=%s", tty)); + + retval = check_account(pamh,service,tty,user); /* get groups */ + + return retval; +} + +/* end of module definition */ + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_group_modstruct = { + "pam_group", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + NULL, + NULL, + NULL +}; +#endif diff --git a/modules/pam_group/tst-pam_group b/modules/pam_group/tst-pam_group new file mode 100755 index 00000000..29f7ba06 --- /dev/null +++ b/modules/pam_group/tst-pam_group @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_group.so |