Re: bug on the processing of internet addresses for /etc/security/access.conf

Thanks for filing the bug. I've applied your suggested change.

Cheers

Andrew

Carlo Marcelo Arenas Belon wrote:
> 
> > greetings,
> >
> > i've found a bug on pam_access while trying to set a username/host access.
> > whenever an ip address is used the search fails to find the entry.
> 
> sorry to reply to my own post but seems nobody was replying anyway :-(
> (TM)
> 
> i have made a cvs diff of the patch and uploaded it to the sourceforge
> bugtraq on :
> 
>   https://sourceforge.net/tracker/?func=detail&aid=419631&group_id=6663&atid=106663
> 
> to make my patch clear, what i did was to add one byte to the hn buffer to
> store the trailing dot (that is needed to try a match on ip address rather
> than on hostname) and has been checked on the code as shown by :
> 
>   } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
> 
> so if the hostname connecting has a working PTR the call on
> gethostbyname(string) would make an A request and try to match that
> address with what is on the access.conf file (inside tok char*).
> 
> using a trailing dot to make this work is pretty obscure and i think
> that adding a module parameter would be nicer, but surely this could
> break other implementations/SPECs i am surely not aware of.
> 
> on the call to snprintf i just added the trailing dot so it could match
> with what is found on the access.conf (the ip address including the
> "required" trailing dot)
> 
> also should be noted that since glibc 2.1 the returned value for
> snprintf is what the "expected" number of bytes is and not what the
> "actual" number of bytes were written, so the check on the returned
> address for >= sizeof(hn) shouldn't be triggered unless there was an
> overflow attempt and i guess a warning would be a too (actually not coded
> for clarity).
> 
>   r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u.",
>           (unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1],
>           (unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]);
>   if (r < 0 || r >= sizeof(hn))
>       return (NO);
> 
> some logic also could be made clearer if changing gethostbyname(string)
> for gethostbyname2(string, AF_INET) and more work for IPv6 could be added
> also, but first i would like to know if my thinking is right or i am just
> totally lost? (again trading compatibility and portability with
> simplicity)
> 
> so, is there anything interesting on this or i am just missing the whole
> point?
> 
> Carlo
> 
> PS. i am CC the pam_access writer and the owner of the code i am changing
> as shown on pam_access.c, so all the interested parties should be at least
> notified IMHO.
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
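
The effect of the trailing dot and the extra buffer byte described in the quoted message, as an added example that is not part of the original messages or the pam_access source. The helper names `format_dotted` and `token_matches`, the `trailing_dot` switch, the prefix comparison with `strncmp` and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Render a 4-byte IPv4 address as "a.b.c.d." (note the trailing dot).
 * Returns 0 on success, -1 if the text did not fit: snprintf reports the
 * length it wanted to write, so r >= size means the output was truncated. */
static int format_dotted(char *buf, size_t size, const unsigned char a[4])
{
    int r = snprintf(buf, size, "%u.%u.%u.%u.", a[0], a[1], a[2], a[3]);
    return (r < 0 || (size_t)r >= size) ? -1 : 0;
}

/* Hypothetical helper: compare an access.conf token that ends in '.'
 * against the client address by prefix (assumed comparison, see lead-in).
 * trailing_dot selects the "a.b.c.d." form or the "a.b.c.d" form of hn. */
static int token_matches(const char *tok, const unsigned char a[4], int trailing_dot)
{
    char hn[3 + 1 + 3 + 1 + 3 + 1 + 3 + 1 + 1]; /* 4 octets, 4 dots, NUL = 17 */
    size_t tok_len = strlen(tok);

    if (tok_len == 0 || tok[tok_len - 1] != '.')
        return 0;                       /* not an address token */
    if (format_dotted(hn, sizeof(hn), a) != 0)
        return 0;                       /* fail closed on truncation */
    if (!trailing_dot)
        hn[strlen(hn) - 1] = '\0';      /* emulate the form without the dot */
    return strncmp(tok, hn, tok_len) == 0;
}

int main(void)
{
    const unsigned char host[4] = {192, 168, 1, 10};  /* constructed sample */
    printf("full address, no dot in hn: %d\n", token_matches("192.168.1.10.", host, 0));
    printf("full address, dot in hn:    %d\n", token_matches("192.168.1.10.", host, 1));
    printf("network prefix 192.168.1.:  %d\n", token_matches("192.168.1.", host, 1));
    return 0;
}
```

A 16-byte buffer is one byte short for `255.255.255.255.`, which is the case the `r >= sizeof(hn)` check catches.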
