Re: pam_access.so not recognizing host name in access.conf

On Tue, 2017-02-07 at 13:36 +0100, Josef Moellers wrote:
> On 03.02.2017 14:52, Tomas Mraz wrote:
> > On Fri, 2017-01-27 at 14:09 +0100, Josef Moellers wrote:
> > > On 26.01.2017 16:40, Josef Moellers wrote:
> > > > Hi,
> > > > The following specification in access.conf does not work as
> > > > expected:
> > > > -:username:ALL EXCEPT localhost
> > > > The manual page access.conf.5 claims that the third field may
> > > > contain host names, but the code only checks for numerical IP
> > > > addresses by calling inet_pton().
> > > > Is this desired behavior or am I missing something?
> > > > I'm willing to write a patch.
> > > 
> > > I suspect that "tok" and "string" need to be swapped in the second
> > > half of network_netmask_match():
> > 
> > No, this is not the case, the code is correct in what it is intended
> > to do. There is simply no matching for the case where the application
> > calling the PAM module sets PAM_RHOST to an IP address (or an alias
> > name) and you want to use localhost in access.conf.
> > 
> > I am not saying that support for this cannot be added but it is
> > another matching code to add, you cannot simply hijack
> > network_netmask_match() for that purpose.
> 
> I have attached a patch which will build an addrinfo list from "tok"
> and match the given IP address ("string") against all the members of
> this list, returning YES on the first match. In the case of an IP
> address in access.conf, the list contains only a single member, the IP
> address itself; in the case of a hostname, the list will contain all IP
> addresses the hostname resolves to.
> 
> While going through the code, I also found one bug:
>             char *endptr = NULL;
>             netmask = strtol(netmask_ptr, &endptr, 0);
> -           if ((endptr == NULL) || (*endptr != '\0'))
> +           if ((endptr == netmask_ptr) || (*endptr != '\0'))
>                 { /* invalid netmask value */
>                   return NO;
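Review bot: the new `endptr == netmask_ptr` test is the right one, since strtol(3) stores the original pointer in `*endptr` when no digits are consumed and never stores NULL, so the old `endptr == NULL` branch could not fire and an empty or non-numeric netmask fell through to the `*endptr != '\0'` test only by luck of the trailing character; with base 0 strtol also accepts leading whitespace, a sign and octal/hex forms ("010", "0x18"), so the visible lines still admit negative or out-of-range values. Suggest adding, right after this check, a range test against the address family's bit width (0..32 for AF_INET, 0..128 for AF_INET6) before `netmask` is used, e.g. `if (netmask < 0 || netmask > maxbits) return NO;`.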

Can you please create both of these patches as GitHub pull requests for
Linux PAM?

https://github.com/linux-pam/linux-pam/

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
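The matching step described in the thread (resolve the access.conf host token to an address list and compare a numeric PAM_RHOST against every member, YES on the first hit), as an added stand-alone example; this is not the attached patch and not Linux-PAM code. host_token_matches() and same_address() are hypothetical names, and the "localhost" case only succeeds where the system resolver can turn that name into 127.0.0.1 or ::1. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are deliberately not treated as equal to their IPv4 form.

```c
/* Added example, not Linux-PAM code. Resolves an access.conf host token
 * with getaddrinfo(3) and compares the result against a numeric PAM_RHOST
 * value, returning 1 on the first matching address. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Compare the raw address bytes of two addrinfo entries of the same family. */
static int same_address(const struct addrinfo *a, const struct addrinfo *b)
{
    if (a->ai_family != b->ai_family)
        return 0;
    if (a->ai_family == AF_INET) {
        const struct sockaddr_in *x = (const struct sockaddr_in *)a->ai_addr;
        const struct sockaddr_in *y = (const struct sockaddr_in *)b->ai_addr;
        return memcmp(&x->sin_addr, &y->sin_addr, sizeof(struct in_addr)) == 0;
    }
    if (a->ai_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const struct sockaddr_in6 *)a->ai_addr;
        const struct sockaddr_in6 *y = (const struct sockaddr_in6 *)b->ai_addr;
        return memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(struct in6_addr)) == 0;
    }
    return 0;
}

/*
 * tok:   third field of an access.conf entry (numeric address or host name)
 * rhost: what the application stored in PAM_RHOST; must be numeric here
 *
 * Returns 1 on a match, 0 on no match, -1 when rhost is not a numeric
 * address or tok cannot be resolved.  Callers must treat -1 as "no match":
 * a resolver failure must never widen access.
 */
int host_token_matches(const char *tok, const char *rhost)
{
    struct addrinfo hints, *rh = NULL, *list = NULL, *ai;
    int match = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per protocol */
    hints.ai_flags = AI_NUMERICHOST;  /* rhost: parse only, never query DNS */
    if (getaddrinfo(rhost, NULL, &hints, &rh) != 0)
        return -1;

    hints.ai_flags = 0;               /* tok: numeric address or resolvable name */
    if (getaddrinfo(tok, NULL, &hints, &list) != 0) {
        freeaddrinfo(rh);
        return -1;
    }

    /* YES on the first address of tok that equals rhost */
    for (ai = list; ai != NULL; ai = ai->ai_next) {
        if (same_address(ai, rh)) {
            match = 1;
            break;
        }
    }

    freeaddrinfo(list);
    freeaddrinfo(rh);
    return match;
}

int main(void)
{
    /* constructed inputs: access.conf token on the left, PAM_RHOST on the right */
    const char *cases[][2] = {
        { "127.0.0.1", "127.0.0.1" },   /* numeric token, same address */
        { "127.0.0.1", "127.0.0.2" },   /* numeric token, different address */
        { "::1",       "::1"       },   /* IPv6 */
        { "localhost", "127.0.0.1" },   /* name token; needs a working resolver */
        { "localhost", "localhost" },   /* rhost is not numeric: -1 */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("tok=%-10s rhost=%-10s -> %d\n", cases[i][0], cases[i][1],
               host_token_matches(cases[i][0], cases[i][1]));
    return 0;
}
```

The token is resolved forward (name to addresses) and the client side is parsed with AI_NUMERICHOST, so the check never depends on a reverse lookup of the client address, which the client's network could control; the cost is that a name token now makes the PAM call block on the resolver, which is worth keeping in mind for services authenticating under load.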