diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
| commit | aeccee4585ab2ea6deab9cbebc7afc67b7196a80 (patch) | |
| tree | de848926000e8b5a9d970b4a7da44abd65b370c5 /modules | |
| parent | 902026536a826400014a7508b008e41269d081e6 (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-21 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_access/access.conf.5.xml: Document changed behavior
of LOCAL keyword.
* modules/pam_access/pam_access.c: Add from_remote_host to
struct login_info to change behavior of LOCAL keyword: if
PAM_RHOST is not set, LOCAL will be true.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_access/access.conf.5.xml | 7 | ||||
| -rw-r--r-- | modules/pam_access/pam_access.c | 17 |
2 files changed, 16 insertions, 8 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index f8eb7a4e..17185172 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -69,8 +69,11 @@ internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), <emphasis>ALL</emphasis> (which always matches) - or <emphasis>LOCAL</emphasis> (which matches any string that does not - contain a "." character). If supported by the system you can use + or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis> + keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is + not set and <origin> field is thus set from + <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>". + If supported by the system you can use <emphasis>@netgroupname</emphasis> in host or user patterns. </para> diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 778b68cd..a5c6c6a5 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -48,7 +48,7 @@ #ifdef HAVE_LIBAUDIT #include <libaudit.h> -#endif +#endif /* * here, we make definitions for the externally accessible functions @@ -104,6 +104,7 @@ struct login_info { int noaudit; /* Do not audit denials */ const char *fs; /* field separator */ const char *sep; /* list-element separator */ + int from_remote_host; /* If PAM_RHOST was used for from */ }; /* Parse module config arguments */ @@ -113,7 +114,7 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, int argc, const char **argv) { int i; - + loginfo->noaudit = NO; loginfo->debug = NO; loginfo->only_new_group_syntax = NO; @@ -571,8 +572,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) * If a token has the magic value "ALL" the match always succeeds. Return * YES if the token fully matches the string. If the token is a domain * name, return YES if it matches the last fields of the string. If the - * token has the magic value "LOCAL", return YES if the string does not - * contain a "." character. If the token is a network number, return YES + * token has the magic value "LOCAL", return YES if the from field was + * not taken by PAM_RHOST. If the token is a network number, return YES * if it matches the head of the string. */ @@ -587,8 +588,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) if ((str_len = strlen(string)) > (tok_len = strlen(tok)) && strcasecmp(tok, string + str_len - tok_len) == 0) return (YES); - } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ - if (strchr(string, '.') == 0) + } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no PAM_RHOSTS */ + if (item->from_remote_host == 0) return (YES); } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { struct addrinfo *res; @@ -817,6 +818,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* local login, set tty name */ + loginfo.from_remote_host = 0; + if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS || void_from == NULL) { D(("PAM_TTY not set, probing stdin")); @@ -849,6 +852,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } } + else + loginfo.from_remote_host = 1; loginfo.from = from; |