On Tue, 2017-02-07 at 13:36 +0100, Josef Moellers wrote:
> On 03.02.2017 14:52, Tomas Mraz wrote:
> > On Fri, 2017-01-27 at 14:09 +0100, Josef Moellers wrote:
> > > On 26.01.2017 16:40, Josef Moellers wrote:
> > > > Hi,
> > > > The following specification in access.conf does not work as
> > > > expected:
> > > > -:username:ALL EXCEPT localhost
> > > > The manual page access.conf.5 claims that the third field may
> > > > contain host names, but the code only checks for numerical IP
> > > > addresses by calling inet_pton().
> > > > Is this desired behavior or am I missing something?
> > > > I'm willing to write a patch.
> > >
> > > I suspect that "tok" and "string" need to be swapped in the second
> > > half of network_netmask_match():
> >
> > No, this is not the case, the code is correct in what it is intended
> > to do. There is simply missing the matching for the case where the
> > application calling the PAM module sets PAM_RHOST to an IP address
> > (or an alias name) and you want to use localhost in access.conf.
> >
> > I am not saying that support for this cannot be added but it is
> > another matching code to add, you cannot simply hijack
> > network_netmask_match() for that purpose.
>
> I have attached a patch which will build an addrinfo list from "tok"
> and match the given IP address ("string") against all the members of
> this list, returning YES on the first match. In the case of an IP
> address in access.conf, the list contains only a single member, the IP
> address itself; in the case of a hostname, the list will contain all IP
> addresses the hostname resolves to.
>
> While going through the code, I also found one bug:
>
> char *endptr = NULL;
> netmask = strtol(netmask_ptr, &endptr, 0);
> - if ((endptr == NULL) || (*endptr != '\0'))
> + if ((endptr == netmask_ptr) || (*endptr != '\0'))
> { /* invalid netmask value */
> return NO;

Can you please create both of these patches as GitHub pull requests for
Linux PAM?
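Review bot: the new comparison `endptr == netmask_ptr` is the right test for "no digits consumed", and the old `endptr == NULL` was dead code: strtol() always stores into *endptr when a non-NULL pointer is passed, so only the `*endptr != '\0'` half ever rejected anything, and an empty netmask after the '/' passed the old check with netmask silently set to 0. Two things worth addressing in the same hunk: strtol() with base 0 (as on the `netmask = strtol(netmask_ptr, &endptr, 0);` line) still accepts leading whitespace, a sign and 0x/0 prefixes, so unless the surrounding code already bounds the value, consider also requiring the first character to be a digit or rejecting `netmask < 0`; and since this fix is independent of the hostname-matching change, it reads best as its own commit whose message says that the previous check could never fail.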
https://github.com/linux-pam/linux-pam/

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
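The matching Josef describes in the thread (resolve the access.conf token to an addrinfo list and compare the numeric PAM_RHOST value against every member) together with the corrected strtol() check, as an added example written for this page; it is neither Josef's attached patch nor code from Linux-PAM's pam_access. The function names (parse_prefixlen, parse_addr, prefix_equal, rhost_matches_token) are made up here; it passes base 10 to strtol() instead of the base 0 the quoted code uses, and adds a leading-digit check and a range check that the quoted hunk does not show. All sample addresses are constructed.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define YES 1
#define NO  0

/* Parse the digits after '/' in a token such as "192.168.1.0/24".
 * Returns the prefix length, or -1 if the text is not a plain,
 * complete, in-range number.  (Hypothetical helper, not pam_access's.) */
static long parse_prefixlen(const char *netmask_ptr, int family)
{
    char *endptr = NULL;
    long netmask;
    /* strtol() always stores into endptr when a pointer is passed, so a
     * check for endptr == NULL can never fire; "no digits consumed" shows
     * up as endptr == netmask_ptr.  Requiring a leading digit also keeps
     * strtol() from quietly accepting " 24", "-1" or "+24". */
    if (netmask_ptr == NULL || *netmask_ptr < '0' || *netmask_ptr > '9')
        return -1;
    errno = 0;
    netmask = strtol(netmask_ptr, &endptr, 10);
    if (errno != 0 || endptr == netmask_ptr || *endptr != '\0')
        return -1;                      /* overflow or trailing junk */
    if (netmask > (family == AF_INET6 ? 128 : 32))
        return -1;                      /* longer than the address */
    return netmask;
}

/* Store the binary form of a numeric IPv4/IPv6 address in buf (16 bytes
 * holds either) and return its family, or -1 if text is not numeric. */
static int parse_addr(const char *text, unsigned char *buf)
{
    if (inet_pton(AF_INET, text, buf) == 1)  return AF_INET;
    if (inet_pton(AF_INET6, text, buf) == 1) return AF_INET6;
    return -1;
}

/* YES if the first 'bits' bits of a and b are equal. */
static int prefix_equal(const unsigned char *a, const unsigned char *b, long bits)
{
    long full = bits / 8, rem = bits % 8;
    unsigned char mask;
    if (memcmp(a, b, (size_t)full) != 0)
        return NO;
    if (rem == 0)
        return YES;
    mask = (unsigned char)(0xffU << (8 - rem));
    return ((a[full] ^ b[full]) & mask) == 0 ? YES : NO;
}

/* Match a numeric PAM_RHOST value against one access.conf token, which
 * may be "addr", "addr/prefixlen" or a host name.  A host name is
 * resolved and every address it yields is tried (the addrinfo approach
 * from the thread); "addr/prefixlen" is compared purely numerically. */
static int rhost_matches_token(const char *rhost, const char *tok)
{
    unsigned char want[16], have[16];
    char tokbuf[256], *slash;
    int want_family, have_family, found = NO;
    long prefixlen;
    struct addrinfo hints, *res = NULL, *ai;

    want_family = parse_addr(rhost, want);
    if (want_family < 0 || strlen(tok) >= sizeof(tokbuf))
        return NO;                      /* non-numeric rhost: not handled here */
    strcpy(tokbuf, tok);
    slash = strchr(tokbuf, '/');
    if (slash != NULL) {
        *slash = '\0';
        have_family = parse_addr(tokbuf, have);
        if (have_family != want_family)
            return NO;                  /* family mismatch or non-numeric */
        prefixlen = parse_prefixlen(slash + 1, have_family);
        return prefixlen < 0 ? NO : prefix_equal(want, have, prefixlen);
    }
    /* getaddrinfo() returns numeric input as a single entry without
     * consulting DNS; a host name yields every address it resolves to. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = want_family;      /* only addresses we can compare */
    hints.ai_socktype = SOCK_STREAM;    /* one entry per address, not per protocol */
    if (getaddrinfo(tokbuf, NULL, &hints, &res) != 0)
        return NO;                      /* unresolvable token never matches */
    for (ai = res; ai != NULL && found == NO; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET)
            found = memcmp(&((struct sockaddr_in *)ai->ai_addr)->sin_addr, want, 4) == 0;
        else if (ai->ai_family == AF_INET6)
            found = memcmp(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, want, 16) == 0;
    }
    freeaddrinfo(res);
    return found;
}

int main(void)
{   /* constructed inputs; the "localhost" line depends on /etc/hosts */
    printf("192.168.1.77 vs 192.168.1.0/24 -> %d\n", rhost_matches_token("192.168.1.77", "192.168.1.0/24"));
    printf("127.0.0.1 vs localhost -> %d\n", rhost_matches_token("127.0.0.1", "localhost"));
    return 0;
}
```

In a real module the resolver call would sit behind the same EXCEPT handling that the rest of pam_access applies to a token, and a token that does not resolve is treated as "no match" rather than as an error, so an unresolvable name in an allow line fails closed.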