authorTomas Mraz <tm@t8m.info>2006-08-03 12:42:08 +0000
committerTomas Mraz <tm@t8m.info>2006-08-03 12:42:08 +0000
commit7d62660a513243560c73311bc0514b0dd5f46434 (patch)
treeb11918fffc2f886e96d841e2b93be1e8c9e8b645 /modules
parent7e7f95f54a06c52595c909dcfe183dc3cb37fc6b (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): New function for list matching. (evaluate_notinlist): Likewise. (evaluate): Add service value match, list matching. * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the features.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8.xml27
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.c35
2 files changed, 61 insertions, 1 deletions
diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml
index 3a77505d..1b57a652 100644
--- a/modules/pam_succeed_if/pam_succeed_if.8.xml
+++ b/modules/pam_succeed_if/pam_succeed_if.8.xml
@@ -97,7 +97,8 @@
<para>
Available fields are <emphasis>user</emphasis>,
<emphasis>uid</emphasis>, <emphasis>gid</emphasis>,
- <emphasis>shell</emphasis> and <emphasis>home</emphasis>:
+ <emphasis>shell</emphasis>, <emphasis>home</emphasis>
+ and <emphasis>service</emphasis>:
</para>
<variablelist>
@@ -176,6 +177,18 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><option>field in item:item:...</option></term>
+ <listitem>
+ <para>Field is contained in the list of items separated by colons.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>field notin item:item:...</option></term>
+ <listitem>
+ <para>Field is not contained in the list of items separated by colons.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>user ingroup group</option></term>
<listitem>
<para>User is in given group.</para>
@@ -187,6 +200,18 @@
<para>User is not in given group.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>user innetgr netgroup</option></term>
+ <listitem>
+ <para>(user,host) is in given netgroup.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>user notinnetgr group</option></term>
+ <listitem>
+ <para>(user,host) is not in given netgroup.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index f7e8ed2c..372c8070 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -184,6 +184,27 @@ evaluate_noglob(const char *left, const char *right)
{
return (fnmatch(right, left, 0) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
}
+/* Check for list match. */
+static int
+evaluate_inlist(const char *left, const char *right)
+{
+ char *p;
+ if ((p=strstr(right, left)) == NULL)
+ return PAM_AUTH_ERR;
+ if (p == right || *(p-1) == ':') { /* ':' is a list separator */
+ p += strlen(left);
+ if (*p == '\0' || *p == ':') {
+ return PAM_SUCCESS;
+ }
+ }
+ return PAM_AUTH_ERR;
+}
+/* Check for list mismatch. */
+static int
+evaluate_notinlist(const char *left, const char *right)
+{
+ return evaluate_inlist(left, right) != PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
+}
/* Return PAM_SUCCESS if the user is in the group. */
static int
evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
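Review bot: evaluate_inlist stops at the first strstr() hit, so a value that is also a substring of an earlier item is never found: with `left` = `foo` and `right` = `foobar:foo` the first match sits at `p == right`, `p[3]` is `b`, and the function returns PAM_AUTH_ERR although `foo` is an item of the list. evaluate_notinlist then wrongly returns PAM_SUCCESS, which matters when `notin` is the clause that denies a service or user. The search has to continue past a bounded-on-one-side hit until an occurrence is delimited by the start of the list or `:` on the left and by `:` or the terminator on the right; the version below keeps the original result for an empty `left` (a match at `p == right` against an empty or `:`-leading list) and stops before stepping past the terminator. Whether an empty field value should ever match at all is a policy question this commit does not settle; a one-line `if (*left == '\0') return PAM_AUTH_ERR;` would make it explicit if the maintainers prefer that.
```c
static int
evaluate_inlist(const char *left, const char *right)
{
	const char *p = right;
	size_t llen = strlen(left);

	/* Examine every occurrence: the first one may be only a substring
	 * of a longer item, e.g. "foo" inside "foobar:foo". */
	while ((p = strstr(p, left)) != NULL) {
		if ((p == right || p[-1] == ':') &&   /* ':' is a list separator */
		    (p[llen] == '\0' || p[llen] == ':'))
			return PAM_SUCCESS;
		if (*p == '\0')
			break;
		p++;
	}
	return PAM_AUTH_ERR;
}
```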
@@ -250,6 +271,13 @@ evaluate(pam_handle_t *pamh, int debug,
snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
left = buf;
}
+ if (strcasecmp(left, "service") == 0) {
+ const void *svc;
+ if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS)
+ svc = "";
+ snprintf(buf, sizeof(buf), "%s", svc);
+ left = buf;
+ }
/* If we have no idea what's going on, return an error. */
if (left != buf) {
pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left);
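Review bot: The new `service` branch only substitutes `""` when pam_get_item() fails, but the call can also succeed with `svc` left NULL when no service name has been set on the handle; `snprintf(buf, sizeof(buf), "%s", svc)` with a NULL argument is undefined behaviour, and on glibc it silently produces the string `(null)`, which would then be compared as if it were a real service name. Guard both cases: `if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL)`. A cast to `const char *` in the snprintf argument would also make the intent clearer than passing the `const void *` directly. The enclosing evaluate() function starts and ends outside this hunk.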
@@ -305,6 +333,13 @@ evaluate(pam_handle_t *pamh, int debug,
(strcasecmp(qual, "noglob") == 0)) {
return evaluate_noglob(left, right);
}
+ /* Attribute value matches item in list. */
+ if (strcasecmp(qual, "in") == 0) {
+ return evaluate_inlist(left, right);
+ }
+ if (strcasecmp(qual, "notin") == 0) {
+ return evaluate_notinlist(left, right);
+ }
/* User is in this group. */
if (strcasecmp(qual, "ingroup") == 0) {
return evaluate_ingroup(pamh, pwd->pw_name, right);
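Review bot: The `in` dispatch carries a one-line comment like its neighbours, but the `notin` branch directly below it has none, which breaks the pattern every other qualifier in this chain follows; add `/* Attribute value matches no item in the list. */` above the `strcasecmp(qual, "notin")` check. The comment on `in` would also be more precise as `/* Attribute value is one of the colon-separated items. */`, since the man page in this commit describes the list as colon-separated and the comparison (judging by the helpers earlier in the patch) is an exact item match rather than a pattern. The enclosing evaluate() function starts and ends outside this hunk.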