authorTomas Mraz <tm@t8m.info>2009-11-02 16:09:07 +0000
committerTomas Mraz <tm@t8m.info>2009-11-02 16:09:07 +0000
commit2d79d6172837d6d458f08e19169b97677593c772 (patch)
tree539c9d55355687cb6b7f8002593415f6561d29e2 /modules/pam_sepermit/pam_sepermit.c
parent2abb3dfa9a3ec4934217c594b7d3edcb43716a16 (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2009-11-02 Tomas Mraz <t8m@centrum.cz> * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page. * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to sepermit.conf(5). Drop some redundant text. * modules/pam_sepermit/sepermit.conf.5.xml: New file. * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore option in sepermit.conf.
Diffstat (limited to 'modules/pam_sepermit/pam_sepermit.c')
-rw-r--r--modules/pam_sepermit/pam_sepermit.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 0fd95619..df0a2b1c 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -1,7 +1,7 @@
/******************************************************************************
* A module for Linux-PAM that allows/denies acces based on SELinux state.
*
- * Copyright (c) 2007, 2008 Red Hat, Inc.
+ * Copyright (c) 2007, 2008, 2009 Red Hat, Inc.
* Originally written by Tomas Mraz <tmraz@redhat.com>
* Contributions by Dan Walsh <dwalsh@redhat.com>
*
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
/* return 0 when matched, -1 when unmatched, pam error otherwise */
static int
sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug, int sense)
+ const char *seuser, int debug, int *sense)
{
FILE *f;
char *line = NULL;
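Review bot: The comment directly above the signature, `/* return 0 when matched, -1 when unmatched, pam error otherwise */`, no longer describes the full contract now that `sense` is passed by pointer and can be rewritten by the callee (see the `*sense = PAM_IGNORE` assignment in the later hunk at line 310 of the new file). A reader of the prototype alone cannot tell that `sense` is an in/out parameter. I would extend the comment to something like `/* return 0 when matched, -1 when unmatched, pam error otherwise; on a match with the "ignore" option and *sense == PAM_SUCCESS, *sense is changed to PAM_IGNORE */`. The body of sepermit_match continues past the end of this hunk.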
@@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
size_t len = 0;
int matched = 0;
int exclusive = 0;
+ int ignore = 0;
f = fopen(cfgfile, "r");
@@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
if (strcmp(seuser, start) == 0) {
- matched = 1;
+ matched = 1;
}
break;
default:
@@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
if (strcmp(opt, "exclusive") == 0)
exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
else if (debug) {
pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
}
@@ -307,10 +310,13 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
free(line);
fclose(f);
if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ }
+ return 0;
}
else
return -1;
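Review bot: `*sense` is overwritten with PAM_IGNORE before `sepermit_lock` is called, so if the exclusive lock fails the caller receives a PAM error from this function while its own `sense` variable has already been changed; whether that combination is ever observed depends on how pam_sm_authenticate handles a non-zero return, which is outside this hunk. Reordering so the caller's state is only mutated on the success path keeps the out-parameter and the return value consistent; this assumes sepermit_lock returns 0 on success, which the hunk does not show. The new nesting also drops the `else` the old code had around `return 0`, which is fine, but the two `if` conditions both depend on `*sense == PAM_SUCCESS` and could be written as one guard. Proposed shape of the matched branch:
```c
	if (matched) {
		if (*sense == PAM_SUCCESS) {
			if (geteuid() == 0 && exclusive) {
				int rv = sepermit_lock(pamh, user, debug);
				if (rv != 0)
					return rv;	/* leave caller's sense untouched on failure */
			}
			if (ignore)
				*sense = PAM_IGNORE;
		}
		return 0;
	}
	/* … unchanged: else return -1; … */
```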
@@ -365,7 +371,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
if (debug && sense != PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
if (debug)
pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
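Review bot: The debug message "Access will not be allowed on match" is logged before the call, but after the call `sense` may now hold PAM_IGNORE rather than the value that message was based on, so the log no longer reflects what the module will actually return on this path. I would log the possibly-updated value alongside the existing return-value message, e.g. `pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d, sense: %d", rv, sense);`, so an administrator reading the audit trail can see that the "ignore" option took effect. pam_sm_authenticate begins and ends outside this hunk.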