Relevant BUGIDs:
author: Tomas Mraz <tm@t8m.info>
Wed, 21 Dec 2005 10:04:09 +0000 (10:04 +0000)
committer: Tomas Mraz <tm@t8m.info>
Wed, 21 Dec 2005 10:04:09 +0000 (10:04 +0000)
Purpose of commit: new feature

Commit summary:
---------------
        * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup),
        (evaluate_notingroup): Simplified.
        (evaluate_innetgr), (evaluate_notinnetgr): New functions.
        (evaluate): Added calls to evaluate_(not)innetgr().
        * modules/pam_succeed_if/README: Documented netgroup matching.
        * NEWS: Mentioned the added netgroup matching support.

ChangeLog
NEWS
modules/pam_succeed_if/README
modules/pam_succeed_if/pam_succeed_if.c

index c9aeb1d9e7e3a88375fbe81e4a0274bea1b11084..c4f25bc956211c221a02bd2fd672298ecc77b3d5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2005-12-21  Tomas Mraz <t8m@centrum.cz>
+
+       * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup),
+       (evaluate_notingroup): Simplified.
+       (evaluate_innetgr), (evaluate_notinnetgr): New functions.
+       (evaluate): Added calls to evaluate_(not)innetgr().
+       * modules/pam_succeed_if/README: Documented netgroup matching.
+       * NEWS: Mentioned the added netgroup matching support.
+
 2005-12-20  Thorsten Kukuk  <kukuk@thkukuk.de>
 
        * modules/pam_lastlog/pam_lastlog.c (last_login_read): Use
diff --git a/NEWS b/NEWS
index 8886ad0773db7760069561a5bd7838fd7444b023..f6955ee525908ce83acbef091cb71f814d044d4d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,6 @@
 Linux-PAM NEWS -- history of user-visible changes.
 
+* pam_succeed_if, pam_group, pam_time: Support netgroup matching.
 
 Release 0.99.2.1
 
index fdb278ef9582cac0469170caa6ade987590c3945..e6e4f2aaa3eafe0c477b8dce0db05e4f92efc2f5 100644 (file)
@@ -34,10 +34,16 @@ pam_succeed_if:
                !~              - Wildcard mismatch.
                ingroup         - Group membership check. [*]
                notingroup      - Group non-membership check. [*]
+               innetgr         - Netgroup membership check. [*][+]
+               notinnetgr      - Netgroup non-membership check. [*][+]
 
-               * The "ingroup" and "notingroup" operators should only be
-                 used with the USER attribute.
+               * The "ingroup", "notingroup", "innetgr" and "notinnetgr"
+                 operators should only be used with the USER attribute.
 
+               + The "innetgr" and "notinnetgr" operators always match
+                 both remote host and USER against the netgroup. If a remote
+                 host is not set by the application it will be matched
+                 against any host in the netgroup triplet.
        Examples:
 
                Deny authentication to all users except those in the wheel
index 8f8cafa376ced3eb5aeaaf6c1d262c0a2322ab4c..f84fdd3f0fee0d4aa2f0b769f981d63df712e7a7 100644 (file)
@@ -52,6 +52,7 @@
 #include <unistd.h>
 #include <pwd.h>
 #include <grp.h>
+#include <netdb.h>
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
@@ -183,30 +184,32 @@ evaluate_noglob(const char *left, const char *right)
 static int
 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
-       int ret;
-       ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
-       switch (ret) {
-       case 1:
+       if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
                return PAM_SUCCESS;
-               break;
-       default:
-               break;
-       }
        return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the user is NOT in the group. */
 static int
 evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
-       int ret;
-       ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
-       switch (ret) {
-       case 0:
+       if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
+               return PAM_SUCCESS;
+       return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+static int
+evaluate_innetgr(const char *host, const char *user, const char *group)
+{
+       if (innetgr(group, host, user, NULL) == 1)
+               return PAM_SUCCESS;
+       return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+static int
+evaluate_notinnetgr(const char *host, const char *user, const char *group)
+{
+       if (innetgr(group, host, user, NULL) == 0)
                return PAM_SUCCESS;
-               break;
-       default:
-               break;
-       }
        return PAM_AUTH_ERR;
 }
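Review bot: evaluate_notinnetgr treats an innetgr() result of 0 as proof of non-membership, but innetgr() has no error return distinct from "not a member": an unknown netgroup or an unreachable NSS backend (NIS/LDAP) also yields 0, so a lookup failure makes `notinnetgr` succeed and the negative operator fails open. The simplified evaluate_notingroup has the same shape around pam_modutil_user_in_group_nam_nam(), though that behaviour predates this commit. Since the libc API cannot separate the two cases, at least document it on the helper, `/* innetgr() returns 0 for "not a member" and for a failed or unknown netgroup lookup alike, so a lookup failure makes this operator succeed (fail-open). */`, and mention it in the README next to the [+] footnote. A NULL `host` is also a wildcard that matches any host entry in the netgroup; the README says so, but evaluate_innetgr deserves the same note in code, `/* host == NULL matches any host in the netgroup triple. */`.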
 
@@ -306,6 +309,20 @@ evaluate(pam_handle_t *pamh, int debug,
        if (strcasecmp(qual, "notingroup") == 0) {
                return evaluate_notingroup(pamh, pwd->pw_name, right);
        }
+       /* (Rhost, user) is in this netgroup. */
+       if (strcasecmp(qual, "innetgr") == 0) {
+               const void *rhost;
+               if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+                       rhost = NULL;           
+               return evaluate_innetgr(rhost, pwd->pw_name, right);
+       }
+       /* (Rhost, user) is not in this group. */
+       if (strcasecmp(qual, "notinnetgr") == 0) {
+               const void *rhost;
+               if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+                       rhost = NULL;           
+               return evaluate_notinnetgr(rhost, pwd->pw_name, right);
+       }
        /* Fail closed. */
        return PAM_SERVICE_ERR;
 }
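Review bot: The comment `/* (Rhost, user) is not in this group. */` above the notinnetgr branch should say netgroup, and both branches repeat the same PAM_RHOST fetch, each with trailing whitespace after `rhost = NULL;`. Fetch it once before the two checks, `const void *rhost = NULL;` followed by `if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL;`, and pass `rhost` to both helpers. Note that PAM_RHOST is whatever the application stored, typically the peer's reverse-resolved or claimed hostname, and a NULL value makes innetgr() match any host, so a service that never sets PAM_RHOST (presumably a local login) satisfies `innetgr` for every host entry in the netgroup; that is worth a comment at the fetch, `/* No PAM_RHOST: innetgr() treats a NULL host as matching any host. */`. evaluate()'s body begins outside this hunk.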