Hello,
When I compiled the latest pam for my box and then got locked out, I
went to look at how my patch (posted 13 Jun 2007) had been applied.
I remember that the "getpwuid" part didn't please you, and you actually
removed it from the patch as applied.
Unfortunately, that also killed part of the behavior of the patch: e.g.
a rule such as:
+ : (users) : (users)
would no longer allow users belonging to group "users" to su to any
other user in group "users".
I've modified the source code a bit so as to prevent any possible segfault,
to fix this problem.
Julien
diff -NBbaur Linux-PAM-0.99.8.1-pristine/modules/pam_access/pam_access.c Linux-PAM-0.99.8.1/modules/pam_access/pam_access.c
--- Linux-PAM-0.99.8.1-pristine/modules/pam_access/pam_access.c 2007-06-25 11:59:11.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_access/pam_access.c 2007-09-27 00:24:30.000000000 +0200
@@ -548,6 +552,7 @@
const char *string = item->from;
int tok_len;
int str_len;
+ struct passwd *from_group;
if (pam_access_debug)
pam_syslog (pamh, LOG_DEBUG,
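Review bot: the new variable `struct passwd *from_group;` is misnamed, since it will hold a passwd entry for the calling user rather than a group; something like `struct passwd *from_pw` would read correctly at the call site below. It is also declared at function scope although it is only used inside the `'('` branch; declaring it in that branch keeps it next to its single use and avoids an uninitialised pointer in the other branches.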
@@ -566,6 +571,12 @@
return NO;
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match (pamh, tok + 1, string, (char *) 0));
+ } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { /* local group */
+ /* get calling user's main group */
+ from_group = getpwuid(getuid());
+ if (!from_group)
+ return NO;
+ return group_match(pamh, tok, from_group->pw_name);
} else if (string_match(pamh, tok, string)) {
/* ALL or exact match */
return (YES);
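Review bot: `from_group = getpwuid(getuid());` evaluates the "from" group against the real uid of the process running the PAM stack, not against the user the caller asked about. That works for a setuid su, where the real uid is the invoking user, but for a service that runs as root (login, sshd) it will look up root's group membership for every request, so a `(users)` from-rule would match or fail on the wrong principal. The value the function is supposed to test is already in `string` (`item->from`, which for su is PAM_RUSER); the branch should resolve that name (and return `NO` when it is not a user, e.g. a tty or host) instead of calling `getuid()`. Two smaller points on the same hunk: `getpwuid()` returns a static buffer and is not thread-safe, so a PAM module used by threaded services should prefer `getpwuid_r()`/`getpwnam_r()`; and the other branches in this function log under `pam_access_debug`, so this branch should emit the same `pam_syslog(pamh, LOG_DEBUG, ...)` line with the token and resolved user to make lockouts like the one in the report diagnosable. Keeping the `if (!from_group) return NO;` check is right either way.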
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list