diff options
| author | Tomas Mraz <tm@t8m.info> | 2009-11-18 16:06:53 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2009-11-18 16:06:53 +0000 |
| commit | e8e780f7a3911f8ad9d96268d669ed7943e93f4f (patch) | |
| tree | 47ba1c7f3cfa9fc64418be8a6b3504a06ccc0e60 /modules | |
| parent | 0674700d17431655b4be03de6119ada78164266b (diff) | |
Relevant BUGIDs: 2892189
Purpose of commit: bugfix
Commit summary:
---------------
2009-11-18 Tomas Mraz <t8m@centrum.cz>
* modules/pam_access/pam_access.c(user_match): Revert the netgroup
match to the original behavior, add new syntax for adding the local
hostname.
* modules/pam_access/access.conf.5.xml: Document the new syntax
for adding the local hostname to the netgroup match.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_access/access.conf.5.xml | 7 | ||||
| -rw-r--r-- | modules/pam_access/pam_access.c | 11 |
2 files changed, 14 insertions, 4 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 1b629afc..a4d3419b 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -74,7 +74,12 @@ not set and <origin> field is thus set from <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>". If supported by the system you can use - <emphasis>@netgroupname</emphasis> in host or user patterns. + <emphasis>@netgroupname</emphasis> in host or user patterns. The + <emphasis>@@netgroupname</emphasis> syntax is supported in the user + pattern only and it makes the local system hostname to be passed + to the netgroup match call in addition to the user name. This might not + work correctly on some libc implementations causing the match to + always fail. </para> <para> diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 963ce528..e9f0caa3 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -529,9 +529,14 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') { /* netgroup */ - if (item->hostname == NULL) - return NO; - return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug)); + const char *hostname = NULL; + if (tok[1] == '@') { /* add hostname to netgroup match */ + if (item->hostname == NULL) + return NO; + ++tok; + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') return (group_match (pamh, tok, string, item->debug)); else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ |