summaryrefslogtreecommitdiff
path: root/modules/pam_sepermit/pam_sepermit.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_sepermit/pam_sepermit.c')
-rw-r--r--modules/pam_sepermit/pam_sepermit.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 0fd95619..8b2360b5 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -1,7 +1,7 @@
/******************************************************************************
* A module for Linux-PAM that allows/denies acces based on SELinux state.
*
- * Copyright (c) 2007, 2008 Red Hat, Inc.
+ * Copyright (c) 2007, 2008, 2009 Red Hat, Inc.
* Originally written by Tomas Mraz <tmraz@redhat.com>
* Contributions by Dan Walsh <dwalsh@redhat.com>
*
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
/* return 0 when matched, -1 when unmatched, pam error otherwise */
static int
sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug, int sense)
+ const char *seuser, int debug, int *sense)
{
FILE *f;
char *line = NULL;
@@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
size_t len = 0;
int matched = 0;
int exclusive = 0;
+ int ignore = 0;
f = fopen(cfgfile, "r");
@@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
if (strcmp(seuser, start) == 0) {
- matched = 1;
+ matched = 1;
}
break;
default:
@@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
if (strcmp(opt, "exclusive") == 0)
exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
else if (debug) {
pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
}
@@ -307,10 +310,14 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
free(line);
fclose(f);
if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ if (sepermit_lock(pamh, user, debug) < 0)
+ *sense = PAM_AUTH_ERR;
+ }
+ return 0;
}
else
return -1;
@@ -365,7 +372,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
if (debug && sense != PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
if (debug)
pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);