-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | modules/pam_access/access.conf.5.xml | 7 | ||||
-rw-r--r-- | modules/pam_access/pam_access.c | 11 |
3 files changed, 22 insertions, 4 deletions
@@ -1,3 +1,11 @@
+2009-11-18 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c(user_match): Revert the netgroup
+ match to the original behavior, add new syntax for adding the local
+ hostname.
+ * modules/pam_access/access.conf.5.xml: Document the new syntax
+ for adding the local hostname to the netgroup match.
+
 2009-11-10 Thorsten Kukuk <kukuk@suse.de>
 
 * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 1b629afc..a4d3419b 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -74,7 +74,12 @@ not set and <origin> field is thus set from <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>". If supported by the system you can use
- <emphasis>@netgroupname</emphasis> in host or user patterns.
+ <emphasis>@netgroupname</emphasis> in host or user patterns. The
+ <emphasis>@@netgroupname</emphasis> syntax is supported in the user
+ pattern only and it makes the local system hostname to be passed
+ to the netgroup match call in addition to the user name. This might not
+ work correctly on some libc implementations causing the match to
+ always fail.
 </para>
 
 <para>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 963ce528..e9f0caa3 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -529,9 +529,14 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
 return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item));
 } else if (tok[0] == '@') { /* netgroup */
- if (item->hostname == NULL)
- return NO;
- return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug));
+ const char *hostname = NULL;
+ if (tok[1] == '@') { /* add hostname to netgroup match */
+ if (item->hostname == NULL)
+ return NO;
+ ++tok;
+ hostname = item->hostname;
+ }
+ return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
 } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
 return (group_match (pamh, tok, string, item->debug));
 else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ |
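Review bot: The new `@@netgroup` branch may be unreachable: the context line just above it is the tail of the user@host branch (`from_match (pamh, at + 1, &fake_item)`), and if that branch is selected by searching for an '@' from `tok + 1` onward, a token starting with `@@` is taken there first, gets split at its second '@', and never reaches `tok[1] == '@'`. That branch's condition is outside this hunk, so this needs checking against the full body of user_match; if it holds, the split should be skipped for netgroup tokens, for example by putting `tok[0] != '@' &&` in front of that search. A silent mis-parse matters here because access.conf lines decide who may log in, so an `@@group` entry would be evaluated as something other than what the administrator wrote. Separately, a bare `@@` leaves `tok + 1` pointing at an empty netgroup name; `if (tok[1] == '\0') return NO;` right after `++tok` would reject it explicitly.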