I was caught out by the fact that pam_access defaults to allowing access. Had I been asked what its default was, I would have said PAM_IGNORE. I offer this patch which leaves the default at PAM_SUCCESS but allows the administrator to specify an alternative default as a module option with default=[allow|ignore|deny]. I haven't patched the sysadmin's guide; I will send a patch to the SGML if this patch is accepted. -- ROCKALL MALIN NORTHEAST 5 TO 7 BACKING NORTHWEST 4 OR 5, OCCASIONALLY 6 IN MALIN. MAINLY FAIR. GOOD
diff -Naur pam_access.orig/README pam_access/README
--- pam_access.orig/README 2001-04-29 05:17:16.000000000 +0100
+++ pam_access/README 2005-01-22 21:45:38.000000000 +0000
@@ -11,6 +11,9 @@
 # logins, the first entry that matches the (user, tty) combination. The
 # permissions field of that table entry determines whether the login will
 # be accepted or refused.
+#
+# If no line matches, access will be ALLOWED. To alter this, specify the module
+# argument 'default=[allow|ignore|deny]'.
 #
 # Format of the login access control table is three fields separated by a
 # ":" character:
diff -Naur pam_access.orig/access.conf pam_access/access.conf
--- pam_access.orig/access.conf 2005-01-21 12:01:20.000000000 +0000
+++ pam_access/access.conf 2005-01-22 21:48:01.000000000 +0000
@@ -6,6 +6,9 @@
 # permissions field of that table entry determines whether the login will
 # be accepted or refused.
 #
+# If no line matches, access will be ALLOWED. To alter this, specify the module
+# argument 'default=[allow|ignore|deny]'.
+#
 # Format of the login access control table is three fields separated by a
 # ":" character:
 #
diff -Naur pam_access.orig/pam_access.c pam_access/pam_access.c
--- pam_access.orig/pam_access.c 2005-01-21 12:01:20.000000000 +0000
+++ pam_access/pam_access.c 2005-01-21 16:45:00.000000000 +0000
@@ -87,6 +87,7 @@
 static const char *fs = ":";		/* field separator */
 static const char sep[] = ", \t";	/* list-element separator */
+static int def_ret = PAM_SUCCESS;	/* default return status */
 /* Constants to be used in assignments only, not in comparisons... */
@@ -122,6 +123,7 @@
 static int parse_args(struct login_info *loginfo, int argc, const char **argv)
 {
     int i;
+    const char *cp;
     for (i=0; i<argc; ++i) {
 	if (!strncmp("fieldsep=", argv[i], 9)) {
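Review bot: `def_ret` is introduced as file-scope static state in the -87 hunk, whereas the other options this module parses are kept per call in `struct login_info` (the -122 hunk shows `parse_args(struct login_info *loginfo, ...)` and the -140 hunk writes `loginfo->service`). Since `parse_args` only assigns `def_ret` when a `default=` argument is present and the `= PAM_SUCCESS` initializer runs once at load, a process that calls the module first with `default=deny` and later for a stack without any `default=` argument would presumably keep the earlier value rather than the documented default. Consider an `int def_ret` field in `struct login_info`, set to `PAM_SUCCESS` wherever the struct is initialised before `parse_args` and read by `login_access` through its `item` pointer, so that the policy is always derived from the current stack's arguments. The struct definition and the initialisation site are outside the patch.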
@@ -140,7 +142,11 @@
 		, loginfo->service, 11 + argv[i]);
 		return 0;
 	    }
-
+	} else if (!strncmp("default=",argv[i],8)) {
+	    cp = argv[i]+8;
+	    if (!strncmp("allow",cp,5)) {def_ret=PAM_SUCCESS;}
+	    else if (!strncmp("deny",cp,4)) {def_ret=PAM_PERM_DENIED;}
+	    else if (!strncmp("ignore",cp,6)) {def_ret=PAM_IGNORE;}
 	} else {
 	    _log_err("unrecognized option [%s]", argv[i]);
 	}
@@ -213,7 +219,8 @@
     } else if (errno != ENOENT) {
 	_log_err("cannot open %s: %m", item->config_file);
     }
-    return (match == 0 || (line[0] == '+'));
+    if (match == 0) return def_ret;
+    return (line[0] == '+')?PAM_SUCCESS:PAM_PERM_DENIED;
 }
 /* list_match - match an item against a list of tokens with exceptions */
@@ -402,6 +409,7 @@
     const char *user=NULL, *service=NULL;
     char *from=NULL;
     struct passwd *user_pw;
+    int ret;
     if ((pam_get_item(pamh, PAM_SERVICE, (const void **)&service) != PAM_SUCCESS)
 	|| (service == NULL) || (*service == ' ')) {
@@ -466,11 +474,14 @@
 	return PAM_ABORT;
     }
-    if (login_access(&loginfo)) {
-	return (PAM_SUCCESS);
-    } else {
-	_log_err("access denied for user `%s' from `%s'",user,from);
-	return (PAM_PERM_DENIED);
+    switch (ret=login_access(&loginfo)) {
+    case PAM_SUCCESS:
+    case PAM_IGNORE:
+	return ret;
+	break;
+    default:
+	_log_err("access denied for user `%s' from `%s'",user,from);
+	return (PAM_PERM_DENIED);
     }
 }
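Review bot: In the new `default=` branch of the -140 hunk a value that matches none of the three keywords is silently ignored, so a typo such as `default=deney` leaves `def_ret` at its initial `PAM_SUCCESS` and an administrator who meant to deny fails open without any message; the `accessfile=` branch just above it logs and returns 0 on a bad value, and this branch should do the same. The keyword tests also use `strncmp` with the keyword length, so `default=allowed` or `default=denyX` are accepted as if they were the keyword; comparing the whole value with `strcmp` matches the `default=[allow|ignore|deny]` syntax the README hunk documents. Returning 0 here follows the existing error path, which — judging from the `return PAM_ABORT;` visible in the -466 hunk — appears to abort the call rather than allow it, but the caller's check of the parse_args result is outside the patch. parse_args begins outside this hunk.
```c
	} else if (!strncmp("default=",argv[i],8)) {
	    cp = argv[i]+8;
	    if (!strcmp("allow",cp)) {def_ret=PAM_SUCCESS;}
	    else if (!strcmp("deny",cp)) {def_ret=PAM_PERM_DENIED;}
	    else if (!strcmp("ignore",cp)) {def_ret=PAM_IGNORE;}
	    else {
		/* unknown value: refuse to run with a guessed policy */
		_log_err("unrecognized default= value [%s]", cp);
		return 0;
	    }
	} else {
	/* … unchanged: "unrecognized option" branch … */
```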
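Review bot: The `break;` after `return ret;` in the new `switch` of the -466 hunk is unreachable and should be dropped, as it only draws an unreachable-code warning. Passing `PAM_IGNORE` straight through to the caller is otherwise consistent with the `if (match == 0) return def_ret;` line in the -213 hunk.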