From a3741192151aaf4b4d26f97fe470c9e7ea34703e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 26 Sep 2005 09:56:28 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- Support for NULL tty for pam_access. 2005-09-23 Tomas Mraz * modules/pam_access/pam_access.c (from_match): Support NULL from. (string_match): Support NULL string, add NONE keyword matching it. (pam_sm_acct_mgmt): Don't fail when ttyname returns NULL. * modules/pam_access/access.conf: NONE keyword description * modules/pam_access/README: NONE keyword description --- modules/pam_access/README | 4 ++-- modules/pam_access/access.conf | 4 ++-- modules/pam_access/pam_access.c | 33 +++++++++++++++++++-------------- 3 files changed, 23 insertions(+), 18 deletions(-) (limited to 'modules')
diff --git a/modules/pam_access/README b/modules/pam_access/README
index ddd4725f..c3f81d11 100644
--- a/modules/pam_access/README
+++ b/modules/pam_access/README
@@ -28,8 +28,8 @@
 # The third field should be a list of one or more tty names (for
 # non-networked logins), host names, domain names (begin with "."), host
 # addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
 #
 # If you run NIS you can use @netgroupname in host or user patterns; this
 # even works for @usergroup@@hostgroup patterns. Weird.
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index cec2be0c..98da5faa 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -28,8 +28,8 @@
 # The third field should be a list of one or more tty names (for
 # non-networked logins), host names, domain names (begin with "."), host
 # addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
 #
 # If you run NIS you can use @netgroupname in host or user patterns; this
 # even works for @usergroup@@hostgroup patterns. Weird.
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 55b7818d..867cd9a1 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -316,11 +316,13 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 * if it matches the head of the string.
 */
- if (tok[0] == '@') { /* netgroup */
+ if (string != NULL && tok[0] == '@') { /* netgroup */
 return (netgroup_match(tok + 1, string, (char *) 0));
- } else if (string_match (tok, string)) /* ALL or exact match */
- return YES;
- else if (tok[0] == '.') { /* domain: match last fields */
+ } else if (string_match(tok, string)) { /* ALL or exact match */
+ return (YES);
+ } else if (string == NULL) {
+ return (NO);
+ } else if (tok[0] == '.') { /* domain: match last fields */
 if ((str_len = strlen(string)) > (tok_len = strlen(tok)) && strcasecmp(tok, string + str_len - tok_len) == 0) return (YES);
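Review bot: The new `else if (string == NULL)` branch in from_match is the only thing that keeps the `strlen(string)` call in the domain test just below it from receiving a NULL pointer, and nothing in the code says so. A one-line comment on that branch, such as `/* no tty or host known: only ALL or NONE, tested above, can match */`, would stop a later edit from reordering the chain or adding a test above the guard. from_match starts before and continues after this hunk, so it is worth confirming that every remaining branch that reads `string` sits after this guard.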
@@ -371,11 +373,16 @@ string_match (const char *tok, const char *string)
 /*
 * If the token has the magic value "ALL" the match always succeeds.
 * Otherwise, return YES if the token fully matches the string.
+ * "NONE" token matches NULL string.
 */
 if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
 return (YES);
- } else if (strcasecmp(tok, string) == 0) { /* try exact match */
+ } else if (string != NULL) {
+ if (strcasecmp(tok, string) == 0) { /* try exact match */
+ return (YES);
+ }
+ } else if (strcasecmp(tok, "NONE") == 0) {
 return (YES);
 }
 return (NO);
@@ -418,19 +425,17 @@ pam_sm_acct_mgmt (pam_handle_t *pamh, int flags UNUSED,
 || void_from == NULL) {
 D(("PAM_TTY not set, probing stdin"));
 from = ttyname(STDIN_FILENO);
- if (from == NULL) {
- pam_syslog(pamh, LOG_ERR, "couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "couldn't set tty name");
- return PAM_ABORT;
- }
+ if (from != NULL) {
+ if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "couldn't set tty name");
+ return PAM_ABORT;
+ }
+ }
 } else from = void_from;
- if (from[0] == '/') { /* full path */
+ if (from != NULL && from[0] == '/') { /* full path */
 from++;
 from = strchr(from, '/');
 from++;
-- cgit v1.2.3
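Review bot: In string_match the `ALL` test still runs before the new `string != NULL` test, so `ALL` now also matches a NULL string, while the added comment line describes only `NONE`. Because pam_sm_acct_mgmt no longer aborts when no tty is found, an existing rule whose origin field is `ALL` begins to apply to tty-less sessions; that is presumably intended, but it changes what deployed rules mean and should be written down. The comment could read `* "ALL" also matches a NULL string; "NONE" matches a NULL string.`, with the same statement repeated in the access.conf description. string_match begins above this hunk.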
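Review bot: The context lines directly after the changed condition still run `from = strchr(from, '/'); from++;` without testing the result, so a tty name that starts with `/` but has no second slash leaves `from` one past a NULL pointer before the code that follows uses it. The commit adds a NULL test to this very condition, so the same care fits here: `if (strchr(from, '/') != NULL) from = strchr(from, '/') + 1;` in place of those two lines keeps the name unchanged when there is no second slash. PAM_TTY is set by the calling application, so its value should not be assumed to contain a second slash. The block opened by `if (from != NULL && from[0] == '/')` ends outside the hunk.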