Hi all,
This is my first contribution to PAM: this patch adds explicit support for
local groups to pam_access.
- A new module option, "nodefgroup", disables the previous default behavior
in which a token that matched no user was tried as a group name as a last resort.
- Groups can be written explicitly in the form "(group_name)"; parentheses
were chosen so that the syntax does not conflict with the "@netgroup" notation.
A sample access.conf is also provided.
Regards,
Julien
##############################################################################
# /etc/security/access.conf
# Login access control table
##############################################################################
# Disallow non-root logins on tty1.
- : ALL EXCEPT root : tty1
# Anybody in group 'nogroup', and the users 'anonymous' and 'nobody', are denied all access.
- : ALL : (nogroup) anonymous nobody
# Members of group 'wheel' may access root.
+ : root : (wheel)
# User 'root' is denied access from all other sources.
- : root : ALL
# Members of group 'users' may switch to any other member of 'users'.
+ : (users) : (users)
# All other users are denied access from all sources.
- : ALL : ALL
--- Linux-PAM-0.99.7.1.yours/modules/pam_access/pam_access.c 2006-08-31 12:20:37.000000000 +0200
+++ Linux-PAM-0.99.7.1.mine/modules/pam_access/pam_access.c 2007-06-13 14:03:58.000000000 +0200
@@ -89,6 +89,8 @@
#define YES 1
#define NO 0
+int allow_default_group = YES;
+
/*
* A structure to bundle up all login-related information to keep the
* functional interfaces as generic as possible.
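Review bot: `int allow_default_group = YES;` is defined with external linkage, so the module's shared object exports a writable global for what is purely file-private state; make it `static int allow_default_group = YES;` like the other module-scope flags (the definition of `pam_access_debug` is outside this hunk, so I am assuming it is static). Keeping the initializer at YES preserves the old behaviour for configurations that do not pass the new option, which is the right default for a change to an access-control module.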
@@ -136,6 +138,8 @@
} else if (strcmp (argv[i], "debug") == 0) {
pam_access_debug = YES;
+ } else if (strcmp (argv[i], "nodefgroup") == 0) {
+ allow_default_group = NO;
} else {
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
}
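Review bot: The new branch only ever sets `allow_default_group = NO` and nothing visible sets it back to YES, so if this argument loop runs once per pam_sm_* call (the loop's head is outside the hunk) a process hosting several PAM stacks, or a stack that lists pam_access twice with different arguments, will carry `nodefgroup` from one invocation into later ones that did not request it, silently changing which bare tokens match. Reset the flag before the argument loop, `allow_default_group = YES;`, or better carry it in `struct login_info` alongside the other per-call data instead of in a module global. Either way the option should be described in the module's man page, which no visible hunk touches.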
@@ -151,6 +155,7 @@
static int list_match (pam_handle_t *, char *, struct login_info *,
match_func *);
static int user_match (pam_handle_t *, char *, struct login_info *);
+static int group_match (pam_handle_t *, const char *, const char *);
static int from_match (pam_handle_t *, char *, struct login_info *);
static int string_match (pam_handle_t *, const char *, const char *);
static int network_netmask_match (pam_handle_t *, const char *, const char *);
@@ -458,6 +463,30 @@
}
+/* group_match - match a username against token named group */
+
+static int
+group_match (pam_handle_t *pamh, const char *tok, const char* usr)
+{
+ char grptok[BUFSIZ];
+
+ if (strlen(tok) < 3)
+ return NO;
+
+ /* token is recieved under the format '(...)' */
+ memset(grptok, 0, BUFSIZ);
+ strncpy(grptok, tok + 1, strlen(tok) - 2);
+
+ if (pam_access_debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "group_match: grp=%s, user=%s", grptok, usr);
+
+ if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok))
+ return YES;
+
+ return NO;
+}
+
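Review bot: `strncpy(grptok, tok + 1, strlen(tok) - 2)` writes into the fixed `char grptok[BUFSIZ]` with a length taken from the token, so a `(...)` token longer than BUFSIZ+1 characters in access.conf overflows the stack buffer; the file is root-owned so this is a robustness rather than a privilege issue, but a PAM module must not be able to crash the daemon hosting it. Take the length once and bound it, `size_t len = strlen(tok); if (len < 3 || len - 2 >= sizeof grptok) return NO;`, and then copy with `memcpy(grptok, tok + 1, len - 2); grptok[len - 2] = '\0';` in place of the memset/strncpy pair, which also avoids clearing the whole BUFSIZ buffer on every call. The comment above the copy misspells "received".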
/* user_match - match a username against one token */
static int
@@ -487,9 +516,12 @@
from_match (pamh, at + 1, &fake_item));
} else if (tok[0] == '@') /* netgroup */
return (netgroup_match (pamh, tok + 1, (char *) 0, string));
+ else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
+ return (group_match (pamh, tok, string));
else if (string_match (pamh, tok, string)) /* ALL or exact match */
return YES;
- else if (pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok))
+ else if (allow_default_group == YES &&
+ pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok))
/* try group membership */
return YES;
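Review bot: The new `(group)` syntax in the user field is not documented anywhere in the patch: no visible hunk updates the access.conf(5) man page or the header comment of this file that describes the field syntax (only pam_access.c hunks are shown, so such a change may exist outside this view). I would add to the man page's description of the user field a sentence such as `A token of the form (group) matches if the user is a member of the local group "group"; with the nodefgroup option a bare token is no longer tried as a group name.` It is also worth stating that this branch returns group_match's verdict without falling through to string_match, so a literal user name enclosed in parentheses can no longer be matched. user_match begins before this hunk.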
@@ -515,13 +547,17 @@
* name, return YES if it matches the last fields of the string. If the
* token has the magic value "LOCAL", return YES if the string does not
* contain a "." character. If the token is a network number, return YES
- * if it matches the head of the string.
+ * if it matches the head of the string. If the token is a local group,
+ * return YES if user is member of token (eg group).
*/
if (string == NULL) {
return NO;
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match (pamh, tok + 1, string, (char *) 0));
+ } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { /* local group */
+ /* get calling user's main group */
+ return group_match(pamh, tok, getpwuid(getuid())->pw_name);
} else if (string_match(pamh, tok, string)) {
/* ALL or exact match */
return (YES);
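Review bot: `getpwuid(getuid())->pw_name` in the new local-group branch dereferences the result of getpwuid() without a NULL check, so a uid with no passwd entry crashes the calling application, and getpwuid() is the non-reentrant variant when pam_modutil_getpwuid() is available. More importantly, getuid() identifies the PAM application's real user, not the user the rule author means by "origin": under su it is the invoking user, but under login or sshd it is root, so a rule such as `+ : ALL : (wheel)` would test root's group membership for every session and could admit everyone if root happens to be in that group. I would resolve the origin user from PAM_RUSER when the application set it, fall back to the real uid otherwise, and fail closed when neither yields a name; from_match begins before this hunk.
```c
    } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { /* local group */
	/* the origin for a group token is the calling user: prefer PAM_RUSER,
	 * fall back to the process's real uid, and fail closed if unknown */
	const void *ruser = NULL;
	const char *from_user = NULL;
	struct passwd *pw;

	if (pam_get_item(pamh, PAM_RUSER, &ruser) == PAM_SUCCESS &&
	    ruser != NULL && *(const char *)ruser != '\0')
	    from_user = ruser;
	else if ((pw = pam_modutil_getpwuid(pamh, getuid())) != NULL)
	    from_user = pw->pw_name;
	if (from_user == NULL)
	    return NO;
	return group_match(pamh, tok, from_user);
    } else if (string_match(pamh, tok, string)) {
	/* … unchanged: ALL or exact match … */
```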