From 1395ff30321ce605ab2ca79b1301cd93f51a5ca1 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tm@t8m.info>
Date: Mon, 1 Dec 2008 11:26:59 +0000
Subject: [PATCH] Relevant BUGIDs:

Purpose of commit: bugfix

Commit summary:
---------------
2008-12-01  Tomas Mraz <t8m@centrum.cz>

        * modules/pam_access/pam_access.8.xml: Fix description of nodefgroup
        option.

        * modules/pam_group/pam_group.c (is_same): Fix check for correct
        string length.
---
 ChangeLog                           | 8 ++++++++
 modules/pam_access/pam_access.8.xml | 6 ++++--
 modules/pam_group/pam_group.c       | 8 ++++----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3c055f91..5f452a1b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-12-01  Tomas Mraz <t8m@centrum.cz>
+
+	* modules/pam_access/pam_access.8.xml: Fix description of nodefgroup
+	option.
+
+	* modules/pam_group/pam_group.c (is_same): Fix check for correct
+	string length.
+
 2008-11-29  Thorsten Kukuk  <kukuk@thkukuk.de>
 
 	* configure.in: Check for xcrypt.h, fix typo in libaudit check.
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index ff048593..6b031d2e 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -150,8 +150,10 @@
         </term>
         <listitem>
           <para>
-            The group database will not be used for tokens not
-            identified as account name.
+            User tokens which are not enclosed in parentheses will not be
+	    matched against the group database. The backwards compatible default is
+            to try the group database match even for tokens not enclosed
+            in parentheses.
           </para>
         </listitem>
       </varlistentry>
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index bddcf1cb..4a931c4f 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -331,10 +331,10 @@ is_same (const pam_handle_t *pamh UNUSED,
      }
 
      /* Ok, we know that b is a substring from A and does not contain
-	wildcards, but now the length of both strings must be the same,
-	too. */
-     if (strlen (a) != strlen(b))
-       return FALSE;
+        wildcards, but now the length of both strings must be the same,
+        too. In this case it means, a[i] has to be the end of the string. */
+     if (a[i] != '\0')
+          return FALSE;
 
      return ( !len );
 }
-- 
2.40.0