authorAndrew G. Morgan <morgan@kernel.org>2002-07-13 05:48:19 +0000
committerAndrew G. Morgan <morgan@kernel.org>2002-07-13 05:48:19 +0000
commit2b395f6d039fb5c92a5ae799b305dd33061c9fbc (patch)
tree6386214fcccb9987050ca9b5534bffc5d473c688 /modules/pam_wheel
parentc95e6e34c26fc95f622b4d0535bccede3c655146 (diff)
Relevant BUGIDs: 476951, 476953
Purpose of commit: bugfix Commit summary: --------------- Be more careful when using the deny option - pay attention to the trust option before you grant access. Fix from Nalin.
Diffstat (limited to 'modules/pam_wheel')
-rw-r--r--modules/pam_wheel/README9
-rw-r--r--modules/pam_wheel/pam_wheel.c40
2 files changed, 31 insertions, 18 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index 336bb31e..b75689e8 100644
--- a/modules/pam_wheel/README
+++ b/modules/pam_wheel/README
@@ -1,6 +1,6 @@
pam_wheel:
- only permit root authentication too members of wheel group
+ only permit root authentication to members of wheel group
RECOGNIZED ARGUMENTS:
debug write a message to syslog indicating success or
@@ -21,13 +21,16 @@ RECOGNIZED ARGUMENTS:
is trying to get UID 0 access and is a member of the
wheel group, deny access (well, kind of nonsense, but
for use in conjunction with 'group' argument... :-)
+ Conversely, if the user is not in the group, return
+ PAM_IGNORE (unless 'trust' was also specified, in
+ which case we return PAM_SUCCESS).
group=xxxx Instead of checking the GID 0 group, use the xxxx
group to perform the authentification.
MODULE SERVICES PROVIDED:
- auth _authetication and _setcred (blank)
+ auth _authentication, _setcred (blank) and _acct_mgmt
AUTHOR:
- Cristian Gafton <gafton@sorosis.ro>
+ Cristian Gafton <gafton@redhat.com>
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index c460abc9..d127791b 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -192,33 +192,43 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl,
if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'",
- (ctrl & PAM_DENY_ARG)?"denied":"granted",
- fromsu,username);
+ if (ctrl & PAM_DENY_ARG) {
+ retval = PAM_PERM_DENIED;
+
+ } else if (ctrl & PAM_TRUST_ARG) {
+ retval = PAM_SUCCESS; /* this can be a sufficient check */
+
+ } else {
+ retval = PAM_IGNORE;
}
+ } else {
+
if (ctrl & PAM_DENY_ARG) {
- return PAM_PERM_DENIED;
- } else {
+
if (ctrl & PAM_TRUST_ARG) {
- return PAM_SUCCESS; /* this can be a sufficient check */
+ retval = PAM_SUCCESS; /* this can be a sufficient check */
} else {
- return PAM_IGNORE;
+ retval = PAM_IGNORE;
}
+
+ } else {
+ retval = PAM_PERM_DENIED;
}
}
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'",
- (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username);
+ if (retval == PAM_IGNORE) {
+ _pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'",
+ fromsu, username);
+ } else {
+ _pam_log(LOG_NOTICE, "Access %s to '%s' for '%s'",
+ (retval != PAM_SUCCESS) ? "denied":"granted",
+ fromsu, username);
+ }
}
- if (ctrl & PAM_DENY_ARG) {
- return PAM_SUCCESS; /* this can be a sufficient check */
- } else {
- return PAM_PERM_DENIED;
- }
+ return retval;
}
/* --- authentication management functions --- */
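Review bot: The two arms of the membership test are mirror images of each other — "member and deny" and "non-member and no deny" both end in PAM_PERM_DENIED, and the remaining two cases both reduce to `(ctrl & PAM_TRUST_ARG) ? PAM_SUCCESS : PAM_IGNORE` — so the six-way if/else could be stated once as a single decision, which makes the access matrix easier to audit. A short comment above it, such as `/* deny inverts the group test; trust turns the non-matching case into a grant instead of an ignore */`, would record the intent that the README hunk now documents, since that combination means every user outside the group gets PAM_SUCCESS when both options are set. The debug log at the end already distinguishes PAM_IGNORE from denied/granted, so it would not need to change. perform_check's signature, the declaration of retval and the lookups of grp and tpwd are outside this hunk, so I am assuming retval is an int with no meaningful initial value.
```c
int member = is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid);
/* deny inverts the group test; trust turns the non-matching case into a grant instead of an ignore */
if (member == !!(ctrl & PAM_DENY_ARG)) {
    retval = PAM_PERM_DENIED;
} else {
    retval = (ctrl & PAM_TRUST_ARG) ? PAM_SUCCESS : PAM_IGNORE;
}
/* … unchanged: PAM_DEBUG_ARG logging and return retval … */
```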