Relevant BUGIDs: 533664

Purpose of commit: new feature

Commit summary:
---------------
added '%' domain for maxlogins limiting, now '*' and @group have
the old meaning (every) and '%' the new one (all)

diff --git a/CHANGELOG b/CHANGELOG
index 4948535b86ed6f950ff61f560e1b58de2c243653..4d3dbaab51e151c64f224c0494d50558d0174ba5 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -55,6 +55,9 @@ bug report - outstanding bugs are listed here:
 0.76: please submit patches for this section with actual code/doc
       patches!
 
+* pam_limits: added '%' domain for maxlogins limiting, now '*' and @group
+  have the old meaning (every) and '%' the new one (all)
+  (Bug 533664 - baggins)
 * pam_limits: put not so interesting log messages under debug arg
   (Bug 533668 - baggins)
 * pam_access: added the 'fieldsep=' argument (Bug 547051 - agmorgan),

diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 71727f51e50b1a3148525ea8a205addfd56a116d..6837fdefa0dd71685e4d8a01a32ecc61b3806703 100644 (file)
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -46,6 +46,8 @@
 #define LIMITS_DEF_GROUP    1 /* limit was set by a group entry */
 #define LIMITS_DEF_DEFAULT  2 /* limit was set by an default entry */
 #define LIMITS_DEF_NONE     3 /* this limit was not set yet */
+#define LIMITS_DEF_ALL      4 /* limit was set by an default entry */
+#define LIMITS_DEF_ALLGROUP 5 /* limit was set by a group entry */
 
 static const char *limits_def_names[] = {
        "USER",
@@ -243,12 +245,13 @@ static int check_logins(const char *name, int limit, int ctrl,
             continue;
        }
         if (!pl->flag_numsyslogins) {
-           if (((pl->login_limit_def == LIMITS_DEF_USER) ||
-                (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+           if (((pl->login_limit_def == LIMITS_DEF_USER)
+                || (pl->login_limit_def == LIMITS_DEF_GROUP)
+                || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
                && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
                 continue;
            }
-           if ((pl->login_limit_def == LIMITS_DEF_GROUP)
+           if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
                && !is_in_group(ut->UT_USER, name)) {
                 continue;
            }
@@ -382,7 +385,16 @@ static void process_limit(int source, const char *lim_type,
             } else
                 limit_value = -1;
     }
-    
+
+    /* one more special case when limiting logins */
+    if ((source == LIMITS_DEF_ALL || source == LIMITS_DEF_ALLGROUP)
+               && (limit_item != LIMIT_LOGIN)) {
+       if (ctrl & PAM_DEBUG_ARG)
+           _pam_log(LOG_DEBUG,
+                       "'%%' domain valid for maxlogins type only");
+       return;
+    }
+
     switch(limit_item) {
         case RLIMIT_CPU:
             limit_value *= 60;
@@ -512,6 +524,17 @@ static int parse_config_file(const char *uname, int ctrl,
                 if (is_in_group(uname, domain+1))
                     process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl,
                                  pl);
+            } else if (domain[0]=='%') {
+                   if (ctrl & PAM_DEBUG_ARG) {
+                       _pam_log(LOG_DEBUG, "checking if %s is in group %s",
+                               uname, domain + 1);
+                   }
+               if (strcmp(domain,"%") == 0)
+                   process_limit(LIMITS_DEF_ALL, ltype, item, value, ctrl,
+                                 pl);
+               else if (is_in_group(uname, domain+1))
+                    process_limit(LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
+                                 pl);
             } else if (strcmp(domain, "*") == 0)
                 process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
                              pl);