New upstream version 1.4.0

1 files changed, 78 insertions, 45 deletions

diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index aac3eeb0..7103ae30 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -34,7 +34,6 @@
  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
  */
 
 #include "config.h"
@@ -54,11 +53,6 @@
 #include <grp.h>
 #include <netdb.h>
 
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
@@ -215,23 +209,60 @@ evaluate_notinlist(const char *left, const char *right)
 }
 /* Return PAM_SUCCESS if the user is in the group. */
 static int
-evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
+evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *grouplist)
 {
-	if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
-		return PAM_SUCCESS;
+	char *ptr = NULL;
+	static const char delim[] = ":";
+	char const *grp = NULL;
+	char *group = strdup(grouplist);
+
+	if (group == NULL)
+		return PAM_BUF_ERR;
+
+	grp = strtok_r(group, delim, &ptr);
+	while(grp != NULL) {
+		if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) {
+			free(group);
+			return PAM_SUCCESS;
+		}
+		grp = strtok_r(NULL, delim, &ptr);
+	}
+	free(group);
 	return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the user is NOT in the group. */
 static int
-evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
+evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *grouplist)
 {
-	if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
-		return PAM_SUCCESS;
-	return PAM_AUTH_ERR;
+	char *ptr = NULL;
+	static const char delim[] = ":";
+	char const *grp = NULL;
+	char *group = strdup(grouplist);
+
+	if (group == NULL)
+		return PAM_BUF_ERR;
+
+	grp = strtok_r(group, delim, &ptr);
+	while(grp != NULL) {
+		if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) {
+			free(group);
+			return PAM_AUTH_ERR;
+		}
+		grp = strtok_r(NULL, delim, &ptr);
+	}
+	free(group);
+	return PAM_SUCCESS;
 }
+
+#ifdef HAVE_INNETGR
+# define SOMETIMES_UNUSED UNUSED
+#else
+# define SOMETIMES_UNUSED
+#endif
+
 /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
 static int
-evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_innetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
 {
 #ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 1)
@@ -244,7 +275,7 @@ evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, c
 }
 /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
 static int
-evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_notinnetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
 {
 #ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 0)
@@ -259,7 +290,7 @@ evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user
 static int
 evaluate(pam_handle_t *pamh, int debug,
 	 const char *left, const char *qual, const char *right,
-	 struct passwd *pwd, const char *user)
+	 struct passwd **pwd, const char *user)
 {
 	char buf[LINE_MAX] = "";
 	const char *attribute = left;
@@ -270,22 +301,35 @@ evaluate(pam_handle_t *pamh, int debug,
 		snprintf(buf, sizeof(buf), "%s", user);
 		left = buf;
 	}
+	/* Get information about the user if needed. */
+	if ((*pwd == NULL) &&
+	    ((strcasecmp(left, "uid") == 0) ||
+	     (strcasecmp(left, "gid") == 0) ||
+	     (strcasecmp(left, "shell") == 0) ||
+	     (strcasecmp(left, "home") == 0) ||
+	     (strcasecmp(left, "dir") == 0) ||
+	     (strcasecmp(left, "homedir") == 0))) {
+		*pwd = pam_modutil_getpwnam(pamh, user);
+		if (*pwd == NULL) {
+			return PAM_USER_UNKNOWN;
+		}
+	}
 	if (strcasecmp(left, "uid") == 0) {
-		snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_uid);
+		snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_uid);
 		left = buf;
 	}
 	if (strcasecmp(left, "gid") == 0) {
-		snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_gid);
+		snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_gid);
 		left = buf;
 	}
 	if (strcasecmp(left, "shell") == 0) {
-		snprintf(buf, sizeof(buf), "%s", pwd->pw_shell);
+		snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_shell);
 		left = buf;
 	}
 	if ((strcasecmp(left, "home") == 0) ||
 	    (strcasecmp(left, "dir") == 0) ||
 	    (strcasecmp(left, "homedir") == 0)) {
-		snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
+		snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_dir);
 		left = buf;
 	}
 	if (strcasecmp(left, "service") == 0) {
@@ -383,11 +427,11 @@ evaluate(pam_handle_t *pamh, int debug,
 	if (strcasecmp(qual, "notin") == 0) {
 		return evaluate_notinlist(left, right);
 	}
-	/* User is in this group. */
+	/* User is in this group(s). */
 	if (strcasecmp(qual, "ingroup") == 0) {
 		return evaluate_ingroup(pamh, user, right);
 	}
-	/* User is not in this group. */
+	/* User is not in this group(s). */
 	if (strcasecmp(qual, "notingroup") == 0) {
 		return evaluate_notingroup(pamh, user, right);
 	}
@@ -413,19 +457,12 @@ int
 pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		     int argc, const char **argv)
 {
-	const void *prompt;
 	const char *user;
-	struct passwd *pwd;
+	struct passwd *pwd = NULL;
 	int ret, i, count, use_uid, debug;
 	const char *left, *right, *qual;
 	int quiet_fail, quiet_succ, audit;
 
-	/* Get the user prompt. */
-	ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt);
-	if ((ret != PAM_SUCCESS) || (prompt == NULL) || (strlen(prompt) == 0)) {
-		prompt = "login: ";
-	}
-
 	quiet_fail = 0;
 	quiet_succ = 0;
 	audit = 0;
@@ -463,23 +500,15 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		user = pwd->pw_name;
 	} else {
 		/* Get the user's name. */
-		ret = pam_get_user(pamh, &user, prompt);
-		if ((ret != PAM_SUCCESS) || (user == NULL)) {
-			pam_syslog(pamh, LOG_ERR,
-				   "error retrieving user name: %s",
+		ret = pam_get_user(pamh, &user, NULL);
+		if (ret != PAM_SUCCESS) {
+			pam_syslog(pamh, LOG_NOTICE,
+				   "cannot determine user name: %s",
 				   pam_strerror(pamh, ret));
 			return ret;
 		}
 
-		/* Get information about the user. */
-		pwd = pam_modutil_getpwnam(pamh, user);
-		if (pwd == NULL) {
-			if(audit)
-				pam_syslog(pamh, LOG_NOTICE,
-					   "error retrieving information about user %s",
-					   user);
-			return PAM_USER_UNKNOWN;
-		}
+		/* Postpone requesting password data until it is needed */
 	}
 
 	/* Walk the argument list. */
@@ -520,9 +549,13 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 			count++;
 			ret = evaluate(pamh, debug,
 				       left, qual, right,
-				       pwd, user);
+				       &pwd, user);
+			if (ret == PAM_USER_UNKNOWN && audit)
+				pam_syslog(pamh, LOG_NOTICE,
+					   "error retrieving information about user %s",
+					   user);
 			if (ret != PAM_SUCCESS) {
-				if(!quiet_fail)
+				if(!quiet_fail && ret != PAM_USER_UNKNOWN)
 					pam_syslog(pamh, LOG_INFO,
 						   "requirement \"%s %s %s\" "
 						   "not met by user \"%s\"",