Diffstat (limited to 'Linux-PAM/modules/pam_listfile')
-rw-r--r-- | Linux-PAM/modules/pam_listfile/Makefile.am | 4 | ||||
-rw-r--r-- | Linux-PAM/modules/pam_listfile/Makefile.in | 7 | ||||
-rw-r--r-- | Linux-PAM/modules/pam_listfile/README | 5 | ||||
-rw-r--r-- | Linux-PAM/modules/pam_listfile/pam_listfile.8 | 65 | ||||
-rw-r--r-- | Linux-PAM/modules/pam_listfile/pam_listfile.8.xml | 15 | ||||
-rw-r--r-- | Linux-PAM/modules/pam_listfile/pam_listfile.c | 9 |
6 files changed, 77 insertions, 28 deletions
diff --git a/Linux-PAM/modules/pam_listfile/Makefile.am b/Linux-PAM/modules/pam_listfile/Makefile.am index 5eb5c75c..2f211320 100644 --- a/Linux-PAM/modules/pam_listfile/Makefile.am +++ b/Linux-PAM/modules/pam_listfile/Makefile.am @@ -15,13 +15,13 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam +AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_listfile.la +pam_listfile_la_LIBADD = -L$(top_builddir)/libpam -lpam if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/Linux-PAM/modules/pam_listfile/Makefile.in b/Linux-PAM/modules/pam_listfile/Makefile.in index bf08192d..8e12f5d9 100644 --- a/Linux-PAM/modules/pam_listfile/Makefile.in +++ b/Linux-PAM/modules/pam_listfile/Makefile.in @@ -64,7 +64,7 @@ am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" securelibLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_listfile_la_LIBADD = +pam_listfile_la_DEPENDENCIES = pam_listfile_la_SOURCES = pam_listfile.c pam_listfile_la_OBJECTS = pam_listfile.lo DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ @@ -175,6 +175,7 @@ POSUB = @POSUB@ RANLIB = @RANLIB@ SCONFIGDIR = @SCONFIGDIR@ SECUREDIR = @SECUREDIR@ +SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ 
@@ -252,9 +253,9 @@ TESTS = tst-pam_listfile securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam $(am__append_1) +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_listfile.la +pam_listfile_la_LIBADD = -L$(top_builddir)/libpam -lpam @ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README all: all-am diff --git a/Linux-PAM/modules/pam_listfile/README b/Linux-PAM/modules/pam_listfile/README index f0aaaf7f..51bb13d2 100644 --- a/Linux-PAM/modules/pam_listfile/README +++ b/Linux-PAM/modules/pam_listfile/README @@ -58,6 +58,11 @@ apply=[user|@group] item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost| shell] it have a meaning. +quiet + + Do not treat service refusals or missing list files as errors that need to + be logged. + EXAMPLES Classic 'ftpusers' authentication can be implemented with this entry in /etc/ diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8 b/Linux-PAM/modules/pam_listfile/pam_listfile.8 index 2ccecd4b..0103aa5e 100644 --- a/Linux-PAM/modules/pam_listfile/pam_listfile.8 +++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8 @@ -1,11 +1,11 @@ .\" Title: pam_listfile .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/22/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/> +.\" Date: 08/25/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_LISTFILE" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LISTFILE" "8" "08/25/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) 
@@ -14,7 +14,7 @@ pam_listfile \- deny or allow services based on an arbitrary file .SH "SYNOPSIS" .HP 16 -\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] +\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] .SH "DESCRIPTION" .PP pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file. @@ -64,25 +64,40 @@ Besides this last one, all arguments should be specified; do not count on any de No credentials are awarded by this module. .SH "OPTIONS" .PP -.TP 3n +.PP \fBitem=[tty|user|rhost|ruser|group|shell]\fR +.RS 4 What is listed in the file and should be checked for. -.TP 3n +.RE +.PP \fBsense=[allow|deny]\fR +.RS 4 Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested. -.TP 3n +.RE +.PP \fBfile=\fR\fB\fI/path/filename\fR\fR +.RS 4 File containing one item per line. The file needs to be a plain file and not world writeable. -.TP 3n +.RE +.PP \fBonerr=[succeed|fail]\fR +.RS 4 What to do if something weird happens like being unable to open the file. -.TP 3n +.RE +.PP \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR +.RS 4 Restrict the user class for which the restriction apply. Note that with \fBitem=[user|ruser|group]\fR this oes not make sense, but for \fBitem=[tty|rhost|shell]\fR it have a meaning. +.RE +.PP +\fBquiet\fR +.RS 4 +Do not treat service refusals or missing list files as errors that need to be logged. +.RE .SH "MODULE SERVICES PROVIDED" .PP The services 
@@ -94,34 +109,44 @@ and are supported. .SH "RETURN VALUES" .PP -.TP 3n +.PP PAM_AUTH_ERR +.RS 4 Authentication failure. -.TP 3n +.RE +.PP PAM_BUF_ERR +.RS 4 Memory buffer error. -.TP 3n +.RE +.PP PAM_IGNORE +.RS 4 The rule does not apply to the \fBapply\fR option. -.TP 3n +.RE +.PP PAM_SERVICE_ERR +.RS 4 Error in service module. -.TP 3n +.RE +.PP PAM_SUCCESS +.RS 4 Success. +.RE .SH "EXAMPLES" .PP Classic 'ftpusers' authentication can be implemented with this entry in \fI/etc/pam.d/ftpd\fR: .sp -.RS 3n +.RS 4 .nf # # deny ftp\-access to users listed in the /etc/ftpusers file # -auth required pam_listfile.so \\ +auth required pam_listfile.so \e onerr=succeed item=user sense=deny file=/etc/ftpusers .fi @@ -137,12 +162,12 @@ To allow login access only for certain users, you can use a \fI/etc/pam.d/login\fR entry like this: .sp -.RS 3n +.RS 4 .nf # # permit login to users listed in /etc/loginusers # -auth required pam_listfile.so \\ +auth required pam_listfile.so \e onerr=fail item=user sense=allow file=/etc/loginusers .fi diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml index 0e90414a..2aab4962 100644 --- a/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml +++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml @@ -33,6 +33,9 @@ <arg choice="opt"> apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>] </arg> + <arg choice="opt"> + quiet + </arg> </cmdsynopsis> </refsynopsisdiv> @@ -155,6 +158,18 @@ </para> </listitem> </varlistentry> + + <varlistentry> + <term> + <option>quiet</option> + </term> + <listitem> + <para> + Do not treat service refusals or missing list files as + errors that need to be logged. + </para> + </listitem> + </varlistentry> </variablelist> </para> diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.c b/Linux-PAM/modules/pam_listfile/pam_listfile.c index 1545fe03..f276e5b8 100644 --- a/Linux-PAM/modules/pam_listfile/pam_listfile.c 
+++ b/Linux-PAM/modules/pam_listfile/pam_listfile.c
@@ -68,7 +68,7 @@ PAM_EXTERN int
 pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 int argc, const char **argv)
 {
- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2;
+ int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2, quiet=0;
 const void *void_citemp;
 const char *citemp;
 char *ifname=NULL;
@@ -155,6 +155,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 apply_type=APPLY_TYPE_USER;
 strncpy(apply_val,myval,sizeof(apply_val)-1);
 }
+ } else if (!strcmp(mybuf,"quiet")) {
+ quiet = 1;
 } else {
 free(ifname);
 pam_syslog(pamh,LOG_ERR, "Unknown option: %s",mybuf);
@@ -399,8 +401,9 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 #endif
 (void) pam_get_item(pamh, PAM_SERVICE, &service);
 (void) pam_get_user(pamh, &user_name, NULL);
- pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s",
- user_name, (const char *)service);
+ if (!quiet)
+ pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s",
+ user_name, (const char *)service);
 return PAM_AUTH_ERR;
 }
 }
|
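Review bot: The new `quiet` flag only guards the LOG_ALERT "Refused user" message in the third hunk, while the README and man page added in this commit promise that `quiet` also stops "missing list files" from being logged; the diffstat lists 9 changed lines in pam_listfile.c and all of them are visible here, so the file-open/onerr error path (outside these hunks) appears untouched. Either the documentation should be narrowed to what the code does, or the onerr logging should receive the same `if (!quiet)` guard so the option behaves as documented. Because this alert is the only audit record of a denial, a short comment at the declaration would help the next maintainer understand what is being suppressed: `/* quiet: suppress the LOG_ALERT on refusal; "Unknown option" and onerr errors are still logged */`. Since the guarded call spans two lines, wrapping it in braces would also match the surrounding style and avoid a dangling-statement mistake on a later edit. The body of pam_sm_authenticate continues between the hunks.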