Purpose of commit: bugfix
Commit summary:
---------------
2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_access/pam_access.c (user_match): Make sure
that user@host will not match @@netgroup. Bug #
3035919.
* modules/pam_group/pam_group.c (check_account): Add '%' for
UNIX groups.
* modules/pam_group/group.conf: Add example for '%'.
* modules/pam_group/group.conf.5.xml: Document '%' syntax.
Bug #
3002340, #
3037155.
+2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/pam_access.c (user_match): Make sure
+ that user@host will not match @@netgroup. Bug #3035919.
+
+ * modules/pam_group/pam_group.c (check_account): Add '%' for
+ UNIX groups.
+ * modules/pam_group/group.conf: Add example for '%'.
+ * modules/pam_group/group.conf.5.xml: Document '%' syntax.
+ Bug #3002340, #3037155.
+
2010-08-02 Steve Langasek <vorlon@debian.org>
* modules/pam_mkhomedir/Makefile.am: don't pass --version-script
* name of the user's primary group.
*/
- if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
+ if (tok[0] != '@' && (at = strchr(tok + 1, '@')) != 0) {
+ /* split user@host pattern */
if (item->hostname == NULL)
return NO;
fake_item.from = item->hostname;
#
-# This is the configuration file for the pam_group module.
+# This is the configuration file for the pam_group module.
#
#
#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy
+#
+# yet another example: any member of the group 'admin' running
+# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
+#
+
+#xsh; tty* ;%admin;Al0000-2400;plugdev
+
#
# End of group.conf file
#
<para>
The third field, the <replaceable>users</replaceable>
- field, is a logic list of users or a netgroup of users to whom this
- rule applies.
+ field, is a logic list of users, or a UNIX group, or a netgroup of
+ users to whom this rule applies. Group names are preceded by a '%'
+ symbol, while netgroup names are preceded by a '@' symbol.
</para>
<para>
For these items the simple wildcard '*' may be used only once.
- With netgroups no wildcards or logic operators are allowed.
+ With UNIX groups or netgroups no wildcards or logic operators
+ are allowed.
</para>
<para>
xsh; tty* ;sword;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy
</programlisting>
+ <para>
+ Any member of the group 'admin' running 'xsh' on tty*,
+ is granted access (at any time) to the group 'plugdev'
+ </para>
+ <programlisting>
+xsh; tty* ;%admin;Al0000-2400;plugdev
+ </programlisting>
+
</refsect1>
<refsect1 id="group.conf-see_also">
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
good &= innetgr (&buffer[1], NULL, user, NULL);
+ /* otherwise, if the buffer starts with %, it's a UNIX group */
+ else if (buffer[0] == '%')
+ good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
else
good &= logic_field(pamh,user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));