summaryrefslogtreecommitdiff
path: root/modules/pam_succeed_if
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_succeed_if')
-rw-r--r--modules/pam_succeed_if/Makefile.am17
-rw-r--r--modules/pam_succeed_if/Makefile.in112
-rw-r--r--modules/pam_succeed_if/README13
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.818
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8.xml12
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.c123
6 files changed, 181 insertions, 114 deletions
diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am
index ce1eb500..cb54f843 100644
--- a/modules/pam_succeed_if/Makefile.am
+++ b/modules/pam_succeed_if/Makefile.am
@@ -5,18 +5,20 @@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if
-
-TESTS = tst-pam_succeed_if
-
-man_MANS = pam_succeed_if.8
+EXTRA_DIST = $(XMLS)
+if HAVE_DOC
+dist_man_MANS = pam_succeed_if.8
+endif
XMLS = README.xml pam_succeed_if.8.xml
+dist_check_SCRIPTS = tst-pam_succeed_if
+TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
@@ -26,7 +28,6 @@ securelib_LTLIBRARIES = pam_succeed_if.la
pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la
if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_succeed_if.8.xml
+dist_noinst_DATA = README
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/modules/pam_succeed_if/Makefile.in b/modules/pam_succeed_if/Makefile.in
index db2bcb69..fa26cbea 100644
--- a/modules/pam_succeed_if/Makefile.in
+++ b/modules/pam_succeed_if/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -20,7 +20,17 @@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -85,9 +95,6 @@ build_triplet = @build@
host_triplet = @host@
@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
subdir = modules/pam_succeed_if
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/build-aux/depcomp \
- $(top_srcdir)/build-aux/test-driver README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
@@ -103,6 +110,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
+ $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -157,7 +166,8 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/pam_succeed_if.Plo
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -186,8 +196,9 @@ am__can_run_installinfo = \
esac
man8dir = $(mandir)/man8
NROFF = nroff
-MANS = $(man_MANS)
-DATA = $(noinst_DATA)
+MANS = $(dist_man_MANS)
+am__dist_noinst_DATA_DIST = README
+DATA = $(dist_noinst_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
@@ -384,6 +395,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log)
TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver
TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
$(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
+ $(top_srcdir)/build-aux/depcomp \
+ $(top_srcdir)/build-aux/test-driver
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -412,6 +426,8 @@ DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
+ECONF_CFLAGS = @ECONF_CFLAGS@
+ECONF_LIBS = @ECONF_LIBS@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
@@ -420,7 +436,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
-HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -456,6 +471,7 @@ LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
@@ -492,11 +508,13 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
USE_NLS = @USE_NLS@
VERSION = @VERSION@
+WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
@@ -565,17 +583,20 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if
-TESTS = tst-pam_succeed_if
-man_MANS = pam_succeed_if.8
+EXTRA_DIST = $(XMLS)
+@HAVE_DOC_TRUE@dist_man_MANS = pam_succeed_if.8
XMLS = README.xml pam_succeed_if.8.xml
+dist_check_SCRIPTS = tst-pam_succeed_if
+TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
+
AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
securelib_LTLIBRARIES = pam_succeed_if.la
pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la
-@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README
all: all-am
.SUFFIXES:
@@ -592,14 +613,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -655,21 +675,27 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_succeed_if.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_succeed_if.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -683,10 +709,10 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(man_MANS)
+install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
- list2='$(man_MANS)'; \
+ list2='$(dist_man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
@@ -721,7 +747,7 @@ uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
@@ -809,7 +835,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
if test -n "$$am__remaking_logs"; then \
echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
"recursion detected" >&2; \
- else \
+ elif test -n "$$redo_logs"; then \
am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
fi; \
if $(am__make_dryrun); then :; else \
@@ -899,7 +925,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
fi; \
$$success || exit 1
-check-TESTS:
+check-TESTS: $(dist_check_SCRIPTS)
@list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -909,7 +935,7 @@ check-TESTS:
log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
exit $$?;
-recheck: all
+recheck: all $(dist_check_SCRIPTS)
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@set +e; $(am__set_TESTS_bases); \
bases=`for i in $$bases; do echo $$i; done \
@@ -942,7 +968,10 @@ tst-pam_succeed_if.log: tst-pam_succeed_if
@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -973,6 +1002,7 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA)
@@ -1021,7 +1051,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \
mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_succeed_if.Plo
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1067,7 +1097,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_succeed_if.Plo
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1090,15 +1120,16 @@ uninstall-man: uninstall-man8
.MAKE: check-am install-am install-strip
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
- clean-generic clean-libtool clean-securelibLTLIBRARIES \
- cscopelist-am ctags ctags-am distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-man8 \
- install-pdf install-pdf-am install-ps install-ps-am \
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
+ check-am clean clean-generic clean-libtool \
+ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-man8 install-pdf \
+ install-pdf-am install-ps install-ps-am \
install-securelibLTLIBRARIES install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
@@ -1106,7 +1137,8 @@ uninstall-man: uninstall-man8
recheck tags tags-am uninstall uninstall-am uninstall-man \
uninstall-man8 uninstall-securelibLTLIBRARIES
-@ENABLE_REGENERATE_MAN_TRUE@README: pam_succeed_if.8.xml
+.PRECIOUS: Makefile
+
@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README
index 82102605..3d2f3d50 100644
--- a/modules/pam_succeed_if/README
+++ b/modules/pam_succeed_if/README
@@ -94,13 +94,13 @@ field notin item:item:...
Field is not contained in the list of items separated by colons.
-user ingroup group
+user ingroup group[:group:....]
- User is in given group.
+ User is in given group(s).
-user notingroup group
+user notingroup group[:group:....]
- User is not in given group.
+ User is not in given group(s).
user innetgr netgroup
@@ -112,9 +112,10 @@ user notinnetgr group
EXAMPLES
-To emulate the behaviour of pam_wheel, except there is no fallback to group 0:
+To emulate the behaviour of pam_wheel, except there is no fallback to group 0
+being only approximated by checking also the root group membership:
-auth required pam_succeed_if.so quiet user ingroup wheel
+auth required pam_succeed_if.so quiet user ingroup wheel:root
Given that the type matches, only loads the othermodule rule if the UID is over
diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8
index 07524beb..aa8ecdbd 100644
--- a/modules/pam_succeed_if/pam_succeed_if.8
+++ b/modules/pam_succeed_if/pam_succeed_if.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_succeed_if
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 05/18/2017
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 06/08/2020
.\" Manual: Linux-PAM
.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_SUCCEED_IF" "8" "05/18/2017" "Linux-PAM" "Linux\-PAM"
+.TH "PAM_SUCCEED_IF" "8" "06/08/2020" "Linux-PAM" "Linux\-PAM"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -146,14 +146,14 @@ Field is contained in the list of items separated by colons\&.
Field is not contained in the list of items separated by colons\&.
.RE
.PP
-\fBuser ingroup group\fR
+\fBuser ingroup group[:group:\&.\&.\&.\&.]\fR
.RS 4
-User is in given group\&.
+User is in given group(s)\&.
.RE
.PP
-\fBuser notingroup group\fR
+\fBuser notingroup group[:group:\&.\&.\&.\&.]\fR
.RS 4
-User is not in given group\&.
+User is not in given group(s)\&.
.RE
.PP
\fBuser innetgr netgroup\fR
@@ -191,13 +191,13 @@ A service error occurred or the arguments can\*(Aqt be parsed correctly\&.
.SH "EXAMPLES"
.PP
To emulate the behaviour of
-\fIpam_wheel\fR, except there is no fallback to group 0:
+\fIpam_wheel\fR, except there is no fallback to group 0 being only approximated by checking also the root group membership:
.sp
.if n \{\
.RS 4
.\}
.nf
-auth required pam_succeed_if\&.so quiet user ingroup wheel
+auth required pam_succeed_if\&.so quiet user ingroup wheel:root
.fi
.if n \{\
diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml
index 7bdcb024..14d939a3 100644
--- a/modules/pam_succeed_if/pam_succeed_if.8.xml
+++ b/modules/pam_succeed_if/pam_succeed_if.8.xml
@@ -198,15 +198,15 @@
</listitem>
</varlistentry>
<varlistentry>
- <term><option>user ingroup group</option></term>
+ <term><option>user ingroup group[:group:....]</option></term>
<listitem>
- <para>User is in given group.</para>
+ <para>User is in given group(s).</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><option>user notingroup group</option></term>
+ <term><option>user notingroup group[:group:....]</option></term>
<listitem>
- <para>User is not in given group.</para>
+ <para>User is not in given group(s).</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -271,10 +271,10 @@
<title>EXAMPLES</title>
<para>
To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except
- there is no fallback to group 0:
+ there is no fallback to group 0 being only approximated by checking also the root group membership:
</para>
<programlisting>
-auth required pam_succeed_if.so quiet user ingroup wheel
+auth required pam_succeed_if.so quiet user ingroup wheel:root
</programlisting>
<para>
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index aac3eeb0..7103ae30 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -34,7 +34,6 @@
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
- *
*/
#include "config.h"
@@ -54,11 +53,6 @@
#include <grp.h>
#include <netdb.h>
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
@@ -215,23 +209,60 @@ evaluate_notinlist(const char *left, const char *right)
}
/* Return PAM_SUCCESS if the user is in the group. */
static int
-evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
+evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *grouplist)
{
- if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
- return PAM_SUCCESS;
+ char *ptr = NULL;
+ static const char delim[] = ":";
+ char const *grp = NULL;
+ char *group = strdup(grouplist);
+
+ if (group == NULL)
+ return PAM_BUF_ERR;
+
+ grp = strtok_r(group, delim, &ptr);
+ while(grp != NULL) {
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) {
+ free(group);
+ return PAM_SUCCESS;
+ }
+ grp = strtok_r(NULL, delim, &ptr);
+ }
+ free(group);
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the user is NOT in the group. */
static int
-evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
+evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *grouplist)
{
- if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
- return PAM_SUCCESS;
- return PAM_AUTH_ERR;
+ char *ptr = NULL;
+ static const char delim[] = ":";
+ char const *grp = NULL;
+ char *group = strdup(grouplist);
+
+ if (group == NULL)
+ return PAM_BUF_ERR;
+
+ grp = strtok_r(group, delim, &ptr);
+ while(grp != NULL) {
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) {
+ free(group);
+ return PAM_AUTH_ERR;
+ }
+ grp = strtok_r(NULL, delim, &ptr);
+ }
+ free(group);
+ return PAM_SUCCESS;
}
+
+#ifdef HAVE_INNETGR
+# define SOMETIMES_UNUSED UNUSED
+#else
+# define SOMETIMES_UNUSED
+#endif
+
/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
static int
-evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_innetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
{
#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 1)
@@ -244,7 +275,7 @@ evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, c
}
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
static int
-evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_notinnetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
{
#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 0)
@@ -259,7 +290,7 @@ evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user
static int
evaluate(pam_handle_t *pamh, int debug,
const char *left, const char *qual, const char *right,
- struct passwd *pwd, const char *user)
+ struct passwd **pwd, const char *user)
{
char buf[LINE_MAX] = "";
const char *attribute = left;
@@ -270,22 +301,35 @@ evaluate(pam_handle_t *pamh, int debug,
snprintf(buf, sizeof(buf), "%s", user);
left = buf;
}
+ /* Get information about the user if needed. */
+ if ((*pwd == NULL) &&
+ ((strcasecmp(left, "uid") == 0) ||
+ (strcasecmp(left, "gid") == 0) ||
+ (strcasecmp(left, "shell") == 0) ||
+ (strcasecmp(left, "home") == 0) ||
+ (strcasecmp(left, "dir") == 0) ||
+ (strcasecmp(left, "homedir") == 0))) {
+ *pwd = pam_modutil_getpwnam(pamh, user);
+ if (*pwd == NULL) {
+ return PAM_USER_UNKNOWN;
+ }
+ }
if (strcasecmp(left, "uid") == 0) {
- snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_uid);
+ snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_uid);
left = buf;
}
if (strcasecmp(left, "gid") == 0) {
- snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_gid);
+ snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_gid);
left = buf;
}
if (strcasecmp(left, "shell") == 0) {
- snprintf(buf, sizeof(buf), "%s", pwd->pw_shell);
+ snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_shell);
left = buf;
}
if ((strcasecmp(left, "home") == 0) ||
(strcasecmp(left, "dir") == 0) ||
(strcasecmp(left, "homedir") == 0)) {
- snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
+ snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_dir);
left = buf;
}
if (strcasecmp(left, "service") == 0) {
@@ -383,11 +427,11 @@ evaluate(pam_handle_t *pamh, int debug,
if (strcasecmp(qual, "notin") == 0) {
return evaluate_notinlist(left, right);
}
- /* User is in this group. */
+ /* User is in this group(s). */
if (strcasecmp(qual, "ingroup") == 0) {
return evaluate_ingroup(pamh, user, right);
}
- /* User is not in this group. */
+ /* User is not in this group(s). */
if (strcasecmp(qual, "notingroup") == 0) {
return evaluate_notingroup(pamh, user, right);
}
@@ -413,19 +457,12 @@ int
pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
- const void *prompt;
const char *user;
- struct passwd *pwd;
+ struct passwd *pwd = NULL;
int ret, i, count, use_uid, debug;
const char *left, *right, *qual;
int quiet_fail, quiet_succ, audit;
- /* Get the user prompt. */
- ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt);
- if ((ret != PAM_SUCCESS) || (prompt == NULL) || (strlen(prompt) == 0)) {
- prompt = "login: ";
- }
-
quiet_fail = 0;
quiet_succ = 0;
audit = 0;
@@ -463,23 +500,15 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
user = pwd->pw_name;
} else {
/* Get the user's name. */
- ret = pam_get_user(pamh, &user, prompt);
- if ((ret != PAM_SUCCESS) || (user == NULL)) {
- pam_syslog(pamh, LOG_ERR,
- "error retrieving user name: %s",
+ ret = pam_get_user(pamh, &user, NULL);
+ if (ret != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "cannot determine user name: %s",
pam_strerror(pamh, ret));
return ret;
}
- /* Get information about the user. */
- pwd = pam_modutil_getpwnam(pamh, user);
- if (pwd == NULL) {
- if(audit)
- pam_syslog(pamh, LOG_NOTICE,
- "error retrieving information about user %s",
- user);
- return PAM_USER_UNKNOWN;
- }
+ /* Postpone requesting password data until it is needed */
}
/* Walk the argument list. */
@@ -520,9 +549,13 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
count++;
ret = evaluate(pamh, debug,
left, qual, right,
- pwd, user);
+ &pwd, user);
+ if (ret == PAM_USER_UNKNOWN && audit)
+ pam_syslog(pamh, LOG_NOTICE,
+ "error retrieving information about user %s",
+ user);
if (ret != PAM_SUCCESS) {
- if(!quiet_fail)
+ if(!quiet_fail && ret != PAM_USER_UNKNOWN)
pam_syslog(pamh, LOG_INFO,
"requirement \"%s %s %s\" "
"not met by user \"%s\"",
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-16 13:40:17 +0000