On 26.01.2017 16:40, Josef Moellers wrote:
> Hi,
> The following specification in access.conf does not work as expected:
> -:username:ALL EXCEPT localhost
> The manual page access.conf.5 claims that the third field may contain
> host names, but the code only checks for numerical IP addresses by
> calling inet_pton().
> Is this desired behavior or am I missing something.
> I'm willing to write a patch.
I suspect that "tok" and "string" need to be swapped in the second half
of network_netmask_match():
Index: modules/pam_access/pam_access.c
===================================================================
--- modules/pam_access/pam_access.c.orig
+++ modules/pam_access/pam_access.c
@@ -742,12 +742,12 @@ network_netmask_match (pam_handle_t *pam
}
else
/* NO, then check if it is only an addr */
- if (isipaddr(tok, NULL, NULL) != YES)
+ if (isipaddr(string, NULL, NULL) != YES)
{
return NO;
}
- if (isipaddr(string, NULL, NULL) != YES)
+ if (isipaddr(tok, NULL, NULL) != YES)
{
/* Assume network/netmask with a name of a host. */
struct addrinfo hint;
@@ -759,7 +759,7 @@ network_netmask_match (pam_handle_t *pam
if (item->gai_rv != 0)
return NO;
else if (!item->res &&
- (item->gai_rv = getaddrinfo (string, NULL, &hint,
&item->res)) != 0)
+ (item->gai_rv = getaddrinfo (tok, NULL, &hint,
&item->res)) != 0)
return NO;
else
{
@@ -775,7 +775,7 @@ network_netmask_match (pam_handle_t *pam
: (void *) &((struct sockaddr_in6 *)
runp->ai_addr)->sin6_addr,
buf, sizeof (buf));
- if (are_addresses_equal(buf, tok, netmask_ptr))
+ if (are_addresses_equal(buf, string, netmask_ptr))
{
return YES;
}
Josef
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
