From 0e73991710adce250f8cc56040528ae25e68bad0 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Wed, 4 Aug 2010 13:00:59 +0000
Subject: Relevant BUGIDs: #3035919, #3002340, #3037155
Purpose of commit: bugfix
Commit summary:
---------------
2010-08-04 Thorsten Kukuk
 * modules/pam_access/pam_access.c (user_match): Make sure that user@host will not match @@netgroup. Bug #3035919.
 * modules/pam_group/pam_group.c (check_account): Add '%' for UNIX groups.
 * modules/pam_group/group.conf: Add example for '%'.
 * modules/pam_group/group.conf.5.xml: Document '%' syntax. Bug #3002340, #3037155.
---
 ChangeLog | 11 +++++++++++
 modules/pam_access/pam_access.c | 3 ++-
 modules/pam_group/group.conf | 9 ++++++++-
 modules/pam_group/group.conf.5.xml | 16 +++++++++++++---
 modules/pam_group/pam_group.c | 3 +++
 5 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 419e63e1..74259ab8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2010-08-04 Thorsten Kukuk
+
+ * modules/pam_access/pam_access.c (user_match): Make sure
+ that user@host will not match @@netgroup. Bug #3035919.
+
+ * modules/pam_group/pam_group.c (check_account): Add '%' for
+ UNIX groups.
+ * modules/pam_group/group.conf: Add example for '%'.
+ * modules/pam_group/group.conf.5.xml: Document '%' syntax.
+ Bug #3002340, #3037155.
+
 2010-08-02 Steve Langasek
 
 * modules/pam_mkhomedir/Makefile.am: don't pass --version-script
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index e9f0caa3..daee47da 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -521,7 +521,8 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
 * name of the user's primary group.
 */
 
- if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
+ if (tok[0] != '@' && (at = strchr(tok + 1, '@')) != 0) {
+ /* split user@host pattern */
 if (item->hostname == NULL)
 return NO;
 fake_item.from = item->hostname;
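Review bot: The new condition in user_match excludes tokens that begin with '@' from the user@host split, but the comment that moved under it still reads only `/* split user@host pattern */` and does not record why the leading '@' is skipped; suggest `/* split user@host pattern; a token starting with '@' is a netgroup and must not be split on its second '@' (bug #3035919) */`. Because `&&` short-circuits, `at` is now left unassigned whenever tok starts with '@', so any later branch of user_match that reads `at` on that path would use an uninitialized pointer — the function starts before the hunk and continues after it, so that needs checking outside this view. As a matter of style the rewritten line could compare with `NULL` rather than `0`, matching the `item->hostname == NULL` test two lines below. Since this token parsing decides which access-control rule applies, a test covering the forms `user@host`, `@netgroup` and `@@netgroup` would guard against a repeat.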
diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf
index b766becb..7c07a260 100644
--- a/modules/pam_group/group.conf
+++ b/modules/pam_group/group.conf
@@ -1,5 +1,5 @@
 #
-# This is the configuration file for the pam_group module.
+# This is the configuration file for the pam_group module.
 #
 #
@@ -94,6 +94,13 @@
 #xsh; tty* ;sword;!Wk0900-1800;sound, play
 #xsh; tty* ;*;Al0900-1800;floppy
 
+#
+# yet another example: any member of the group 'admin' running
+# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
+#
+
+#xsh; tty* ;%admin;Al0000-2400;plugdev
+
 #
 # End of group.conf file
 #
diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml
index 9c008eb0..3a7e3f5d 100644
--- a/modules/pam_group/group.conf.5.xml
+++ b/modules/pam_group/group.conf.5.xml
@@ -52,13 +52,15 @@
 The third field, the users
- field, is a logic list of users or a netgroup of users to whom this
- rule applies.
+ field, is a logic list of users, or a UNIX group, or a netgroup of
+ users to whom this rule applies. Group names are preceded by a '%'
+ symbol, while netgroup names are preceded by a '@' symbol.
 For these items the simple wildcard '*' may be used only once.
- With netgroups no wildcards or logic operators are allowed.
+ With UNIX groups or netgroups no wildcards or logic operators
+ are allowed.
@@ -111,6 +113,14 @@
 xsh; tty* ;sword;!Wk0900-1800;games, sound
 xsh; tty* ;*;Al0900-1800;floppy
+
+ Any member of the group 'admin' running 'xsh' on tty*,
+ is granted access (at any time) to the group 'plugdev'
+
+
+xsh; tty* ;%admin;Al0000-2400;plugdev
+
+
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 3dc7f78e..310b2622 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -660,6 +660,9 @@ static int check_account(pam_handle_t *pamh, const char *service,
 /* If buffer starts with @, we are using netgroups */
 if (buffer[0] == '@')
 good &= innetgr (&buffer[1], NULL, user, NULL);
+ /* otherwise, if the buffer starts with %, it's a UNIX group */
+ else if (buffer[0] == '%')
+ good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
 else
 good &= logic_field(pamh,user, buffer, count, is_same);
 D(("with user: %s", good ? "passes":"fails" ));
-- 
cgit v1.2.1
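Review bot: The new `%` branch in check_account gives no diagnostic of its own, so a misspelled or nonexistent group in the users field and a user who is simply not a member both just clear `good`, and an admin debugging a rule that never grants its groups cannot tell which; a trace next to the call, e.g. `D(("UNIX group %s: %s", &buffer[1], good ? "member" : "not a member"));`, would mirror the existing `D(("with user: ..."))` line and make that visible. Like the netgroup branch, this path bypasses `logic_field`, so a leading `!`, `&` or a `*` wildcard has no effect on a `%group` token — the manpage hunk says so, and the code comment should too: `/* otherwise, if the buffer starts with %, it's a UNIX group; no logic operators or wildcards apply here */`. check_account begins before the hunk, so how `good` and `buffer` are set up is outside this view.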