From: Tomas Mraz Date: Fri, 13 Jan 2012 17:33:27 +0000 (+0100) Subject: Add possibility to match ruser, rhost, and tty in pam_succeed_if. X-Git-Tag: v1.1.6~24 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=91e4c3633f34a6590743ee105746308664078073;p=linux-pam Add possibility to match ruser, rhost, and tty in pam_succeed_if. * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser, rhost, and tty as left operand. * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new possible left operands. --- diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index cc61e088..7bdcb024 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -33,8 +33,8 @@ pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being - authenticated. One use is to select whether to load other modules based - on this test. + authenticated or values of other PAM items. One use is to select whether + to load other modules based on this test. @@ -105,8 +105,9 @@ Available fields are user, uid, gid, - shell, home - and service: + shell, home, + ruser, rhost, + tty and service: diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 2670c258..32a73738 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c 
@@ -281,11 +281,37 @@ evaluate(pam_handle_t *pamh, int debug,
 }
 if (strcasecmp(left, "service") == 0) {
 const void *svc;
- if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS)
+ if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS ||
+ svc == NULL)
 svc = "";
 snprintf(buf, sizeof(buf), "%s", (const char *)svc);
 left = buf;
 }
+ if (strcasecmp(left, "ruser") == 0) {
+ const void *ruser;
+ if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
+ ruser == NULL)
+ ruser = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)ruser);
+ left = buf;
+ user = buf;
+ }
+ if (strcasecmp(left, "rhost") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
+ rhost == NULL)
+ rhost = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
+ left = buf;
+ }
+ if (strcasecmp(left, "tty") == 0) {
+ const void *tty;
+ if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
+ tty == NULL)
+ tty = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)tty);
+ left = buf;
+ }
 /* If we have no idea what's going on, return an error. */
 if (left != buf) {
 pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left);
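Review bot: The new `rhost` and `tty` branches both fetch `PAM_SERVICE`, so a condition written on either field is evaluated against the service name instead of the remote host or terminal, and an access rule built on it can pass or fail regardless of where the login comes from. The two calls should read `if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS ||` and `if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS ||`. Separately, the branches are sequential `if`s that re-test `left` after it has been pointed at `buf`, so a PAM_RUSER value that happens to spell `rhost` or `tty` would be substituted a second time; because the remote user name may come from the peer, chaining with `else if` looks safer. The `user = buf;` in the ruser branch should carry a comment stating that later user-based qualifiers are meant to apply to the remote user, if that is the intent; evaluate() starts and ends outside this hunk, so this could not be confirmed here.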