diff options
Diffstat (limited to 'modules/pam_access/pam_access.c')
| -rw-r--r-- | modules/pam_access/pam_access.c | 49 |
1 files changed, 43 insertions, 6 deletions
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 34ee56bd..82fdfcc7 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -89,6 +89,9 @@ static const char *sep = ", \t"; /* list-element separator */ #define YES 1 #define NO 0 +/* Only allow group entries of the form "(xyz)" */ +static int only_new_group_syntax = NO; + /* * A structure to bundle up all login-related information to keep the * functional interfaces as generic as possible. @@ -136,6 +139,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, } else if (strcmp (argv[i], "debug") == 0) { pam_access_debug = YES; + } else if (strcmp (argv[i], "nodefgroup") == 0) { + only_new_group_syntax = YES; } else { pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); } @@ -151,6 +156,7 @@ typedef int match_func (pam_handle_t *, char *, struct login_info *); static int list_match (pam_handle_t *, char *, struct login_info *, match_func *); static int user_match (pam_handle_t *, char *, struct login_info *); +static int group_match (pam_handle_t *, const char *, const char *); static int from_match (pam_handle_t *, char *, struct login_info *); static int string_match (pam_handle_t *, const char *, const char *); static int network_netmask_match (pam_handle_t *, const char *, const char *); @@ -442,7 +448,7 @@ static char * myhostname(void) /* netgroup_match - match group against machine or user */ static int -netgroup_match (pam_handle_t *pamh, const char *group, +netgroup_match (pam_handle_t *pamh, const char *netgroup, const char *machine, const char *user) { char *mydomain = NULL; @@ -451,11 +457,12 @@ netgroup_match (pam_handle_t *pamh, const char *group, yp_get_default_domain(&mydomain); - retval = innetgr (group, machine, user, mydomain); + retval = innetgr (netgroup, machine, user, mydomain); if (pam_access_debug == YES) pam_syslog (pamh, LOG_DEBUG, - "netgroup_match: %d (group=%s, machine=%s, user=%s, domain=%s)", - retval, group ? group : "NULL", machine ? machine : "NULL", + "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", + retval, netgroup ? netgroup : "NULL", + machine ? machine : "NULL", user ? user : "NULL", mydomain ? mydomain : "NULL"); return retval; @@ -490,15 +497,45 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') /* netgroup */ return (netgroup_match (pamh, tok + 1, (char *) 0, string)); + else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') + return (group_match (pamh, tok, string)); else if (string_match (pamh, tok, string)) /* ALL or exact match */ - return YES; - else if (pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)) + return YES; + else if (only_new_group_syntax == NO && + pam_modutil_user_in_group_nam_nam (pamh, + item->user->pw_name, tok)) /* try group membership */ return YES; return NO; } + +/* group_match - match a username against token named group */ + +static int +group_match (pam_handle_t *pamh, const char *tok, const char* usr) +{ + char grptok[BUFSIZ]; + + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "group_match: grp=%s, user=%s", grptok, usr); + + if (strlen(tok) < 3) + return NO; + + /* token is recieved under the format '(...)' */ + memset(grptok, 0, BUFSIZ); + strncpy(grptok, tok + 1, strlen(tok) - 2); + + if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok)) + return YES; + + return NO; +} + + /* from_match - match a host or tty against a list of tokens */ static int |