From 7d62660a513243560c73311bc0514b0dd5f46434 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 3 Aug 2006 12:42:08 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): New function for list matching. (evaluate_notinlist): Likewise. (evaluate): Add service value match, list matching. * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the features. --- modules/pam_succeed_if/pam_succeed_if.8.xml | 27 +++++++++++++++++++++- modules/pam_succeed_if/pam_succeed_if.c | 35 +++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index 3a77505d..1b57a652 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -97,7 +97,8 @@ Available fields are user, uid, gid, - shell and home: + shell, home + and service: @@ -175,6 +176,18 @@ Field does not match the given glob. + + + + Field is contained in the list of items separated by colons. + + + + + + Field is not contained in the list of items separated by colons. + + @@ -187,6 +200,18 @@ User is not in given group. + + + + (user,host) is in given netgroup. + + + + + + (user,host) is not in given netgroup. + + diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index f7e8ed2c..372c8070 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c 
@@ -184,6 +184,27 @@ evaluate_noglob(const char *left, const char *right)
 {
 return (fnmatch(right, left, 0) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
 }
+/* Check for list match. */
+static int
+evaluate_inlist(const char *left, const char *right)
+{
+ char *p;
+ if ((p=strstr(right, left)) == NULL)
+ return PAM_AUTH_ERR;
+ if (p == right || *(p-1) == ':') { /* ':' is a list separator */
+ p += strlen(left);
+ if (*p == '\0' || *p == ':') {
+ return PAM_SUCCESS;
+ }
+ }
+ return PAM_AUTH_ERR;
+}
+/* Check for list mismatch. */
+static int
+evaluate_notinlist(const char *left, const char *right)
+{
+ return evaluate_inlist(left, right) != PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
+}
 /* Return PAM_SUCCESS if the user is in the group. */
 static int
 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
@@ -250,6 +271,13 @@ evaluate(pam_handle_t *pamh, int debug,
 snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
 left = buf;
 }
+ if (strcasecmp(left, "service") == 0) {
+ const void *svc;
+ if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS)
+ svc = "";
+ snprintf(buf, sizeof(buf), "%s", svc);
+ left = buf;
+ }
 /* If we have no idea what's going on, return an error. */
 if (left != buf) {
 pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left);
@@ -305,6 +333,13 @@ evaluate(pam_handle_t *pamh, int debug,
 (strcasecmp(qual, "noglob") == 0)) {
 return evaluate_noglob(left, right);
 }
+ /* Attribute value matches item in list. */
+ if (strcasecmp(qual, "in") == 0) {
+ return evaluate_inlist(left, right);
+ }
+ if (strcasecmp(qual, "notin") == 0) {
+ return evaluate_notinlist(left, right);
+ }
 /* User is in this group. */
 if (strcasecmp(qual, "ingroup") == 0) {
 return evaluate_ingroup(pamh, pwd->pw_name, right);
-- 
cgit v1.2.3
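Review bot: evaluate_inlist only examines the first strstr() hit, so a value that occurs as a substring of an earlier item is never compared against a later whole item: with left "admin" and right "adminx:admin" the first hit fails the boundary test and the function returns PAM_AUTH_ERR, and evaluate_notinlist then reports PAM_SUCCESS although the value is in the list, which for a deny-style `notin` rule fails open. Walking the colon-separated segments and comparing each one exactly removes the dependency on the first hit; it also lets `p` stay `const char *`, since the current `char *p` silently drops the qualifier of the `const` input. Both helpers are complete within the hunk.
```c
/* Check for list match. */
static int
evaluate_inlist(const char *left, const char *right)
{
	size_t len = strlen(left);
	const char *p = right;

	for (;;) {
		const char *end = strchr(p, ':');
		size_t n = end ? (size_t)(end - p) : strlen(p);

		if (n == len && memcmp(p, left, len) == 0)
			return PAM_SUCCESS;
		if (end == NULL)
			return PAM_AUTH_ERR;
		p = end + 1;
	}
}
/* … unchanged: evaluate_notinlist … */
```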
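Review bot: In the "service" branch, a successful pam_get_item() may still leave svc NULL when no service name has been set, and the following snprintf() then hands a null pointer to "%s", which is undefined behaviour rather than the empty string the fallback intends; extend the guard to `if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL)` ahead of the existing `svc = "";`. Passing a `const void *` to "%s" also defeats format checking; writing `(const char *)svc` in the snprintf() call keeps -Wformat useful. evaluate()'s body begins and ends outside the hunk.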