pam_access: First check for the (group) match.

The (group) match is performed first to allow for groups
containing '@'.

* modules/pam_access/pam_access.c (user_match): First check for the (group) match.

diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 3ac1ad00b86e58c4694b21495fe0bbeebedd092d..d689578819f3898eb6337417de539897ca5d781f 100644 (file)
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -516,7 +516,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
     /* Try to split on a pattern (@*[^@]+)(@+.*) */
     for (at = tok; *at == '@'; ++at);
 
-    if ((at = strchr(at, '@')) != NULL) {
+    if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
+      return (group_match (pamh, tok, string, item->debug));
+    } else if ((at = strchr(at, '@')) != NULL) {
         /* split user@host pattern */
        if (item->hostname == NULL)
            return NO;
@@ -541,9 +543,7 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
                hostname = item->hostname;
        }
         return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
-    } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
-      return (group_match (pamh, tok, string, item->debug));
-    else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+    } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
       return rv;
     else if (item->only_new_group_syntax == NO &&
             pam_modutil_user_in_group_nam_nam (pamh,