From e4cbefcdd253ae67503268014ef39e849cb31b7b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 21 Dec 2005 10:04:09 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup), (evaluate_notingroup): Simplified. (evaluate_innetgr), (evaluate_notinnetgr): New functions. (evaluate): Added calls to evaluate_(not)innetgr(). * modules/pam_succeed_if/README: Documented netgroup matching. * NEWS: Mentioned the added netgroup matching support. --- ChangeLog | 9 ++++++ NEWS | 1 + modules/pam_succeed_if/README | 10 +++++-- modules/pam_succeed_if/pam_succeed_if.c | 49 ++++++++++++++++++++++----------- 4 files changed, 51 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9aeb1d9..c4f25bc9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2005-12-21 Tomas Mraz + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup), + (evaluate_notingroup): Simplified. + (evaluate_innetgr), (evaluate_notinnetgr): New functions. + (evaluate): Added calls to evaluate_(not)innetgr(). + * modules/pam_succeed_if/README: Documented netgroup matching. + * NEWS: Mentioned the added netgroup matching support. + 2005-12-20 Thorsten Kukuk * modules/pam_lastlog/pam_lastlog.c (last_login_read): Use diff --git a/NEWS b/NEWS index 8886ad07..f6955ee5 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,6 @@ Linux-PAM NEWS -- history of user-visible changes. +* pam_succeed_if, pam_group, pam_time: Support netgroup matching. Release 0.99.2.1 diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index fdb278ef..e6e4f2aa 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README 
@@ -34,10 +34,16 @@ pam_succeed_if: !~ - Wildcard mismatch. ingroup - Group membership check. [*] notingroup - Group non-membership check. [*] + innetgr - Netgroup membership check. [*][+] + notinnetgr - Netgroup non-membership check. [*][+] - * The "ingroup" and "notingroup" operators should only be - used with the USER attribute. + * The "ingroup", "notingroup", "innetgr" and "notinnetgr" + operators should only be used with the USER attribute. + + The "innetgr" and "notinnetgr" operators always match + both remote host and USER against the netgroup. If a remote + host is not set by the application it will be matched + against any host in the netgroup triplet. Examples: Deny authentication to all users except those in the wheel diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 8f8cafa3..f84fdd3f 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -183,30 +184,32 @@ evaluate_noglob(const char *left, const char *right) static int evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group) { - int ret; - ret = pam_modutil_user_in_group_nam_nam(pamh, user, group); - switch (ret) { - case 1: + if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1) return PAM_SUCCESS; - break; - default: - break; - } return PAM_AUTH_ERR; } /* Return PAM_SUCCESS if the user is NOT in the group. */ static int evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) { - int ret; - ret = pam_modutil_user_in_group_nam_nam(pamh, user, group); - switch (ret) { - case 0: + if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0) + return PAM_SUCCESS; + return PAM_AUTH_ERR; +} +/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ +static int +evaluate_innetgr(const char *host, const char *user, const char *group) +{ + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; + return PAM_AUTH_ERR; +} +/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ +static int +evaluate_notinnetgr(const char *host, const char *user, const char *group) +{ + if (innetgr(group, host, user, NULL) == 0) return PAM_SUCCESS; - break; - default: - break; - } return PAM_AUTH_ERR; } @@ -306,6 +309,20 @@ evaluate(pam_handle_t *pamh, int debug, if (strcasecmp(qual, "notingroup") == 0) { return evaluate_notingroup(pamh, pwd->pw_name, right); } + /* (Rhost, user) is in this netgroup. */ + if (strcasecmp(qual, "innetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; + return evaluate_innetgr(rhost, pwd->pw_name, right); + } + /* (Rhost, user) is not in this group. */ + if (strcasecmp(qual, "notinnetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; + return evaluate_notinnetgr(rhost, pwd->pw_name, right); + } /* Fail closed. */ return PAM_SERVICE_ERR; } -- cgit v1.2.3
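Review bot: `evaluate_notinnetgr` treats every non-1 result of `innetgr()` as "not a member", but `innetgr()` returns 0 both for a genuine non-match and when the lookup itself fails (the netgroup is unknown or the backing name service is unreachable), so in the new function a lookup failure maps to PAM_SUCCESS; when "notinnetgr" is the rule that decides access that is a fail-open path, and the two results cannot be told apart with this API. The caller also relies on `host == NULL` being a wildcard (any host in the triple) and the domain argument is always NULL, neither of which the two new header comments mention; I would extend them, e.g. `/* Return PAM_SUCCESS if (host,user) matches a triple in the netgroup; a NULL host matches any host, the domain field is never checked. */` on `evaluate_innetgr`, with the corresponding "no triple for any host" wording on `evaluate_notinnetgr`. The README text in the earlier hunk should carry the same two caveats so an administrator knows that an absent PAM_RHOST widens the match and that lookup errors count as non-membership.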
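Review bot: In both new "innetgr"/"notinnetgr" branches of `evaluate`, a failed `pam_get_item(pamh, PAM_RHOST, &rhost)` is turned into `rhost = NULL`, which `innetgr()` interprets as "any host", so an error reading the item silently makes the "innetgr" check more permissive rather than failing closed like the `return PAM_SERVICE_ERR;` fall-through a few lines below; I would replace the assignment with `return PAM_SERVICE_ERR;` in both branches and keep the NULL-as-wildcard behaviour only for the case where the item is genuinely unset. The comment on the second branch reads `/* (Rhost, user) is not in this group. */` and should say `netgroup` to match its sibling. The PAM_RHOST value is whatever the calling application stored (a user-supplied hostname or address string is possible, depending on the application), so a comment noting that the host side of the match is only as trustworthy as the application's rhost would help the next reader; the duplicated item lookup could also be hoisted into one place. `evaluate` begins and ends outside this hunk.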