author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
commit | aeccee4585ab2ea6deab9cbebc7afc67b7196a80 (patch) | |
tree | de848926000e8b5a9d970b4a7da44abd65b370c5 /modules/pam_access/pam_access.c | |
parent | 902026536a826400014a7508b008e41269d081e6 (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-21 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_access/access.conf.5.xml: Document changed behavior
of LOCAL keyword.
* modules/pam_access/pam_access.c: Add from_remote_host to
struct login_info to change behavior of LOCAL keyword: if
PAM_RHOST is not set, LOCAL will be true.
Diffstat (limited to 'modules/pam_access/pam_access.c')
-rw-r--r-- | modules/pam_access/pam_access.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 778b68cd..a5c6c6a5 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -48,7 +48,7 @@
 #ifdef HAVE_LIBAUDIT
 #include <libaudit.h>
-#endif
+#endif
 /*
  * here, we make definitions for the externally accessible functions
@@ -104,6 +104,7 @@ struct login_info {
     int noaudit;		/* Do not audit denials */
     const char *fs;		/* field separator */
     const char *sep;		/* list-element separator */
+    int from_remote_host;	/* If PAM_RHOST was used for from */
 };
 /* Parse module config arguments */
@@ -113,7 +114,7 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
 	   int argc, const char **argv)
 {
     int i;
-
+
     loginfo->noaudit = NO;
     loginfo->debug = NO;
     loginfo->only_new_group_syntax = NO;
@@ -571,8 +572,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
  * If a token has the magic value "ALL" the match always succeeds. Return
  * YES if the token fully matches the string. If the token is a domain
  * name, return YES if it matches the last fields of the string. If the
- * token has the magic value "LOCAL", return YES if the string does not
- * contain a "." character. If the token is a network number, return YES
+ * token has the magic value "LOCAL", return YES if the from field was
+ * not taken by PAM_RHOST. If the token is a network number, return YES
  * if it matches the head of the string.
  */
@@ -587,8 +588,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
 	    && strcasecmp(tok, string + str_len - tok_len) == 0)
 	    return (YES);
-    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
-	if (strchr(string, '.') == 0)
+    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no PAM_RHOSTS */
+	if (item->from_remote_host == 0)
 	    return (YES);
     } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
 	struct addrinfo *res;
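Review bot: The LOCAL branch in from_match now decides the match from `item->from_remote_host`, but that field is the only member of struct login_info that parse_args does not give a default (the hunk at line 114 sets `loginfo->noaudit = NO;` and `loginfo->debug = NO;` and leaves the new field untouched). Adding `loginfo->from_remote_host = 1;` next to those defaults would make an unset field fail closed: any path that reaches from_match without passing through the assignments in pam_sm_authenticate is then treated as remote rather than silently matching LOCAL. Presumably both assignments in pam_sm_authenticate cover every visible path, so this is defence in depth for future callers rather than a defect in this commit. The branch comment `/* local: no PAM_RHOSTS */` should read `/* local: no PAM_RHOST */`, matching the item name used in the struct comment. from_match begins before and continues after this hunk.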
@@ -817,6 +818,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
     /* local login, set tty name */
+    loginfo.from_remote_host = 0;
+
     if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS
 	|| void_from == NULL) {
 	D(("PAM_TTY not set, probing stdin"));
@@ -849,6 +852,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 	    }
 	}
     }
+    else
+      loginfo.from_remote_host = 1;
     loginfo.from = from;
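Review bot: The added `else` in the second hunk binds to an `if` whose condition is outside the hunk, and its single-statement body is unbraced while the arm it pairs with is a braced block; writing it as `else {` / `loginfo.from_remote_host = 1;` / `}` keeps the two arms symmetric and prevents a later statement from being appended outside the branch. Since this assignment and the `loginfo.from_remote_host = 0;` added at line 818 are the only two places the local/remote decision is recorded, a one-line comment on the else would help a reader who only sees this end of the block, e.g. `/* PAM_RHOST supplied the from field: LOCAL must not match */`. The enclosing pam_sm_authenticate body starts before and ends after these hunks.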