From 6c45b51f441daab12166843bc12cbf0a4d480e35 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Fri, 16 Dec 2005 17:52:36 +0000
Subject: Relevant BUGIDs: none
Purpose of commit: new feature
Commit summary:
---------------
2005-12-16 Thorsten Kukuk
* modules/pam_group/pam_group.c (check_account): Implement support for netgroups.
* modules/pam_group/group.conf: Add all documentation to this example config file and don't reference to outdated configs.
* modules/pam_group/README: New.
* modules/pam_group/Makefile.am: Add README to EXTRADIST.
---
 modules/pam_group/Makefile.am | 2 +-
 modules/pam_group/README | 23 +++++++++++++++
 modules/pam_group/group.conf | 69 +++++++++++++++++++++++++++++++++----------
 modules/pam_group/pam_group.c | 12 ++++----
 4 files changed, 84 insertions(+), 22 deletions(-)
 create mode 100644 modules/pam_group/README
(limited to 'modules/pam_group')
diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am
index 72faba4b..abcac34a 100644
--- a/modules/pam_group/Makefile.am
+++ b/modules/pam_group/Makefile.am
@@ -4,7 +4,7 @@
 CLEANFILES = *~
-EXTRA_DIST = group.conf
+EXTRA_DIST = README group.conf
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
diff --git a/modules/pam_group/README b/modules/pam_group/README
new file mode 100644
index 00000000..d579b858
--- /dev/null
+++ b/modules/pam_group/README
@@ -0,0 +1,23 @@
+
+This is a help file for the pam_group module. It explains the need for
+pam_group and also the syntax of the /etc/security/group.conf file.
+
+1. Introduction
+===============
+
+It is desirable to give extra privileges to a user running a specific
+PAM aware application at various times of the day and on specific days
+or over various terminal lines by adding this user to extra groups.
+
+The pam_group module is intended to offer a configurable module that
+satisfies this purpose, within the context of Linux-PAM.
+
+2. the /etc/security/group.conf file
+===================================
+
+Its syntax is described in the sample group.conf file.
+
+unrecognised rules are ignored (but an error is logged to syslog(3))
+
+--------------------
+Bugs to the list
diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf
index e721b990..d4a10672 100644
--- a/modules/pam_group/group.conf
+++ b/modules/pam_group/group.conf
@@ -1,10 +1,7 @@
-##
-## Note, to get this to work as it is currently typed you need
-##
-## 1. to run an application as root
-## 2. add the following groups to the /etc/group file:
-## floppy, games, sound
-##
+#
+# This is the configuration file for the pam_group module.
+#
+
 #
 # *** Please note that giving group membership on a session basis is
 # *** NOT inherently secure. If a user can create an executable that
@@ -16,11 +13,9 @@
 # *** "chgrp games toplay; chmod g+s toplay". They are basically able
 # *** to play games any time... You have been warned. AGM
 #
-# this is an example configuration file for the pam_group module. Its
-# syntax is based on that of the pam_time module and (at some point in
-# the distant past was inspired by the 'shadow' package)
+
 #
-# the syntax of the lines is as follows:
+# The syntax of the lines is as follows:
 #
 # services;ttys;users;times;groups
 #
@@ -28,15 +23,59 @@
 # newlines). From reading these comments, it is clear that
 # text following a '#' is ignored to the end of the line.
 #
-# the first four fields are described in the pam_time directory.
-# The only difference for these is how the time field is interpretted:
-# it is used to indicate "when" these groups are to be given to the user.
+# the combination of individual users/terminals etc is a logic list
+# namely individual tokens that are optionally prefixed with '!' (logical
+# not) and separated with '&' (logical and) and '|' (logical or).
+#
+# services
+# is a logic list of PAM service names that the rule applies to.
+#
+# ttys
+# is a logic list of terminal names that this rule applies to.
+#
+# users
+# is a logic list of users or a netgroup of users to whom this
+# rule applies.
+#
+# NB. For these items the simple wildcard '*' may be used only once.
+# With netgroups no wildcards or logic operators are allowed.
+#
+# times
+# It is used to indicate "when" these groups are to be given to the
+# user. The format here is a logic list of day/time-range
+# entries the days are specified by a sequence of two character
+# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
+# that repeated days are unset MoMo = no day, and MoWk = all weekdays
+# bar Monday. The two character combinations accepted are
+#
+# Mo Tu We Th Fr Sa Su Wk Wd Al
+#
+# the last two being week-end days and all 7 days of the week
+# respectively. As a final example, AlFr means all days except Friday.
+#
+# Each day/time-range can be prefixed with a '!' to indicate "anything
+# but"
+#
+# The time-range part is two 24-hour times HHMM separated by a hyphen
+# indicating the start and finish time (if the finish time is smaller
+# than the start time it is deemed to apply on the following day).
 #
 # groups
-# The (comma or space separated) list of groups that the user
+# The (comma or space separated) list of groups that the user
 # inherits membership of. These groups are added if the previous
 # fields are satisfied by the user's request
 #
+# For a rule to be active, ALL of service+ttys+users must be satisfied
+# by the applying process.
+#
+
+#
+# Note, to get this to work as it is currently typed you need
+#
+# 1. to run an application as root
+# 2. add the following groups to the /etc/group file:
+# floppy, games, sound
+#
 #
 #
 # Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index c81ad665..bc40912b 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -6,11 +6,6 @@
  * Written by Andrew Morgan 1996/7/6
  */
-static const char rcsid[] =
-"$Id$;\n"
-"Version 0.5 for Linux-PAM\n"
-"Copyright (c) Andrew G. Morgan 1996 \n";
-
 #include "config.h"
 #include
@@ -27,6 +22,7 @@ static const char rcsid[] =
 #include
 #include
 #include
+#include
 #define PAM_GROUP_BUFLEN 1000
 #define FIELD_SEPARATOR ';' /* this is new as of .02 */
@@ -686,7 +682,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
 "%s: no user entry #%d", PAM_GROUP_CONF, count);
 continue;
 }
-good &= logic_field(pamh,user, buffer, count, is_same);
+/* If buffer starts with @, we are using netgroups */
+if (buffer[0] == '@')
+good &= innetgr (&buffer[1], NULL, user, NULL);
+else
+good &= logic_field(pamh,user, buffer, count, is_same);
 D(("with user: %s", good ? "passes":"fails" ));
 /* here we get the time field */
--
cgit v1.2.3
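Review bot: The netgroup branch in check_account passes NULL for both the host and domain arguments of innetgr(), so a `@netgroup` entry matches the user whenever the netgroup lists that user name for any host in any domain; that is a reasonable wildcard, but nothing at the call site or in the new users description of group.conf says so, and group.conf also never tells the administrator that a netgroup is written with a leading '@', which is the only thing the code keys on. A comment on the new condition such as `/* '@netgroup': only the user name is checked; host and domain are wildcards (NULL) */` plus one sentence in the users description would close both gaps. Because the test is on buffer[0] alone, an entry such as `!@netgroup` is not treated as a negated netgroup but handed to logic_field() and matched as a literal user name, which agrees with the "no logic operators" note but is worth rejecting explicitly when the field is parsed rather than silently never matching. innetgr() is not part of ISO C or POSIX, so the build presumably needs a configure check for it; the header name added in the earlier hunk is not readable in this rendering. check_account() begins and ends outside the hunk.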