+2005-12-21 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup),
+ (evaluate_notingroup): Simplified.
+ (evaluate_innetgr), (evaluate_notinnetgr): New functions.
+ (evaluate): Added calls to evaluate_(not)innetgr().
+ * modules/pam_succeed_if/README: Documented netgroup matching.
+ * NEWS: Mentioned the added netgroup matching support.
+
2005-12-20 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_lastlog/pam_lastlog.c (last_login_read): Use
!~ - Wildcard mismatch.
ingroup - Group membership check. [*]
notingroup - Group non-membership check. [*]
+ innetgr - Netgroup membership check. [*][+]
+ notinnetgr - Netgroup non-membership check. [*][+]
- * The "ingroup" and "notingroup" operators should only be
- used with the USER attribute.
+ * The "ingroup", "notingroup", "innetgr" and "notinnetgr"
+ operators should only be used with the USER attribute.
+ + The "innetgr" and "notinnetgr" operators always match
+ both remote host and USER against the netgroup. If a remote
+ host is not set by the application it will be matched
+ against any host in the netgroup triplet.
Examples:
Deny authentication to all users except those in the wheel
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
+#include <netdb.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
static int
evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
{
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 1:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
return PAM_SUCCESS;
- break;
- default:
- break;
- }
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the user is NOT in the group. */
static int
evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
{
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 0:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+static int
+evaluate_innetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 1)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+static int
+evaluate_notinnetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 0)
return PAM_SUCCESS;
- break;
- default:
- break;
- }
return PAM_AUTH_ERR;
}
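Review bot: evaluate_notinnetgr's test `if (innetgr(group, host, user, NULL) == 0)` cannot tell "not a member" from "lookup failed": innetgr() returns 0 in both cases and reports no error, so a "notinnetgr" rule passes whenever the netgroup does not exist or the netgroup source (NIS/NSS) is unreachable, while its "innetgr" counterpart fails closed in the same situation. That asymmetry should be stated next to the function, e.g. `/* NB: innetgr() returns 0 for both "not a member" and "lookup failed", so this check succeeds when the netgroup cannot be resolved. */`, and the README entry for notinnetgr could say the same. A one-line comment on the innetgr() call, `/* host may be NULL (= any host); the NULL domain argument means the domain is not compared */`, would also save the next reader a trip to the man page, since the NULL-host case is how a missing PAM_RHOST is passed in by the caller.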
if (strcasecmp(qual, "notingroup") == 0) {
return evaluate_notingroup(pamh, pwd->pw_name, right);
}
+ /* (Rhost, user) is in this netgroup. */
+ if (strcasecmp(qual, "innetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_innetgr(rhost, pwd->pw_name, right);
+ }
+ /* (Rhost, user) is not in this group. */
+ if (strcasecmp(qual, "notinnetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_notinnetgr(rhost, pwd->pw_name, right);
+ }
/* Fail closed. */
return PAM_SERVICE_ERR;
}
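Review bot: The comment opening the notinnetgr branch, `/* (Rhost, user) is not in this group. */`, says "group" where the branch checks a netgroup; it should read `/* (Rhost, user) is not in this netgroup. */` to match the innetgr comment just above it. The PAM_RHOST fetch and the `rhost = NULL` fallback are duplicated verbatim in both branches; a single `if (strcasecmp(qual, "innetgr") == 0 || strcasecmp(qual, "notinnetgr") == 0)` block that fetches rhost once and then dispatches to the two helpers would keep the lookup in one place. The fallback also deserves a comment such as `/* unset or unreadable rhost matches any host in the triple */`, because a failed pam_get_item() silently widens the match rather than failing the rule, which is the behaviour the README documents but the code does not explain. evaluate() itself begins outside this hunk.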