From e4cbefcdd253ae67503268014ef39e849cb31b7b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 21 Dec 2005 10:04:09 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup), (evaluate_notingroup): Simplified. (evaluate_innetgr), (evaluate_notinnetgr): New functions. (evaluate): Added calls to evaluate_(not)innetgr(). * modules/pam_succeed_if/README: Documented netgroup matching. * NEWS: Mentioned the added netgroup matching support. --- modules/pam_succeed_if/README | 10 +++++-- modules/pam_succeed_if/pam_succeed_if.c | 49 ++++++++++++++++++++++----------- 2 files changed, 41 insertions(+), 18 deletions(-) (limited to 'modules/pam_succeed_if') diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index fdb278ef..e6e4f2aa 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README @@ -34,10 +34,16 @@ pam_succeed_if: !~ - Wildcard mismatch. ingroup - Group membership check. [*] notingroup - Group non-membership check. [*] + innetgr - Netgroup membership check. [*][+] + notinnetgr - Netgroup non-membership check. [*][+] - * The "ingroup" and "notingroup" operators should only be - used with the USER attribute. + * The "ingroup", "notingroup", "innetgr" and "notinnetgr" + operators should only be used with the USER attribute. + + The "innetgr" and "notinnetgr" operators always match + both remote host and USER against the netgroup. If a remote + host is not set by the application it will be matched + against any host in the netgroup triplet. Examples: Deny authentication to all users except those in the wheel diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 8f8cafa3..f84fdd3f 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -183,30 +184,32 @@ evaluate_noglob(const char *left, const char *right)
 static int
 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 1:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
 return PAM_SUCCESS;
- break;
- default:
- break;
- }
 return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the user is NOT in the group. */
 static int
 evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 0:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+static int
+evaluate_innetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 1)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+static int
+evaluate_notinnetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 0)
 return PAM_SUCCESS;
- break;
- default:
- break;
- }
 return PAM_AUTH_ERR;
 }
@@ -306,6 +309,20 @@ evaluate(pam_handle_t *pamh, int debug,
 if (strcasecmp(qual, "notingroup") == 0) {
 return evaluate_notingroup(pamh, pwd->pw_name, right);
 }
+ /* (Rhost, user) is in this netgroup. */
+ if (strcasecmp(qual, "innetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_innetgr(rhost, pwd->pw_name, right);
+ }
+ /* (Rhost, user) is not in this group. */
+ if (strcasecmp(qual, "notinnetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_notinnetgr(rhost, pwd->pw_name, right);
+ }
 /* Fail closed. */
 return PAM_SERVICE_ERR;
 }
-- cgit v1.2.3
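Review bot: evaluate_notinnetgr returns PAM_SUCCESS for every innetgr() result other than 1, and innetgr(3) reports only 0/1, so a netgroup that does not exist or an unreachable NIS/LDAP backend is indistinguishable from "not a member" and the negative check fails open — the opposite of the `/* Fail closed. */` default that evaluate() applies to unknown qualifiers. The same asymmetry already exists for notingroup, but the netgroup backend is far more often remote, so the comment above the function should say so explicitly, e.g. `/* NB: innetgr() cannot signal lookup failure; a missing netgroup or a dead NIS server also yields PAM_SUCCESS here, so this condition fails open. */`. A host of NULL also wildcards the host field (as the README notes), which means a user whose triple is restricted to one machine satisfies innetgr from anywhere whenever the application sets no PAM_RHOST; administrators combining innetgr with host-qualified triples should be warned of that in the same comment.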
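Review bot: The comment introducing the notinnetgr branch says `/* (Rhost, user) is not in this group. */` but the branch tests a netgroup; it should read `/* (Rhost, user) is not in this netgroup. */`. Beyond that, the PAM_RHOST item is forwarded to innetgr() exactly as the application stored it — for network services that is typically a client-supplied or reverse-DNS-derived name — so a host-qualified netgroup triple only restricts as far as that string can be trusted, and a zero-length PAM_RHOST is passed as "" rather than NULL, which in glibc (if I recall its triple matching correctly) matches only wildcard-host triples instead of any host; if the README's "matched against any host" wording is the intended semantics, normalise with `if (rhost != NULL && *(const char *)rhost == '\0') rhost = NULL;` before the call, otherwise document the difference. The two branches also duplicate the pam_get_item lookup, so a small `static const char *get_rhost(pam_handle_t *pamh)` helper would keep them identical and give one place to emit a debug message when no rhost is set. evaluate() begins before this hunk.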