author | Tomas Mraz <tm@t8m.info> | 2006-08-03 12:42:08 +0000 |
committer | Tomas Mraz <tm@t8m.info> | 2006-08-03 12:42:08 +0000 |
commit | 7d62660a513243560c73311bc0514b0dd5f46434 (patch) | |
tree | b11918fffc2f886e96d841e2b93be1e8c9e8b645 /modules/pam_succeed_if | |
parent | 7e7f95f54a06c52595c909dcfe183dc3cb37fc6b (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
* modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist):
New function for list matching.
(evaluate_notinlist): Likewise.
(evaluate): Add service value match, list matching.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the
features.
Diffstat (limited to 'modules/pam_succeed_if')
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8.xml | 27 | ||||
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.c | 35 |
2 files changed, 61 insertions, 1 deletions
diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml
index 3a77505d..1b57a652 100644
--- a/modules/pam_succeed_if/pam_succeed_if.8.xml
+++ b/modules/pam_succeed_if/pam_succeed_if.8.xml
@@ -97,7 +97,8 @@
 <para> Available fields are <emphasis>user</emphasis>, <emphasis>uid</emphasis>, <emphasis>gid</emphasis>,
- <emphasis>shell</emphasis> and <emphasis>home</emphasis>:
+ <emphasis>shell</emphasis>, <emphasis>home</emphasis>
+ and <emphasis>service</emphasis>:
 </para> <variablelist>
@@ -176,6 +177,18 @@
 </listitem> </varlistentry> <varlistentry>
+ <term><option>field in item:item:...</option></term>
+ <listitem>
+ <para>Field is contained in the list of items separated by colons.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>field notin item:item:...</option></term>
+ <listitem>
+ <para>Field is not contained in the list of items separated by colons.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>user ingroup group</option></term> <listitem> <para>User is in given group.</para>
@@ -187,6 +200,18 @@
 <para>User is not in given group.</para> </listitem> </varlistentry>
+ <varlistentry>
+ <term><option>user innetgr netgroup</option></term>
+ <listitem>
+ <para>(user,host) is in given netgroup.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>user notinnetgr group</option></term>
+ <listitem>
+ <para>(user,host) is not in given netgroup.</para>
+ </listitem>
+ </varlistentry>
 </variablelist> </refsect1>
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index f7e8ed2c..372c8070 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -184,6 +184,27 @@ evaluate_noglob(const char *left, const char *right)
 {
 return (fnmatch(right, left, 0) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
 }
+/* Check for list match. */
+static int
+evaluate_inlist(const char *left, const char *right)
+{
+ char *p;
+ if ((p=strstr(right, left)) == NULL)
+ return PAM_AUTH_ERR;
+ if (p == right || *(p-1) == ':') { /* ':' is a list separator */
+ p += strlen(left);
+ if (*p == '\0' || *p == ':') {
+ return PAM_SUCCESS;
+ }
+ }
+ return PAM_AUTH_ERR;
+}
+/* Check for list mismatch. */
+static int
+evaluate_notinlist(const char *left, const char *right)
+{
+ return evaluate_inlist(left, right) != PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
+}
 /* Return PAM_SUCCESS if the user is in the group. */
 static int
 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
@@ -250,6 +271,13 @@ evaluate(pam_handle_t *pamh, int debug,
 snprintf(buf, sizeof(buf), "%s", pwd->pw_dir);
 left = buf;
 }
+ if (strcasecmp(left, "service") == 0) {
+ const void *svc;
+ if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS)
+ svc = "";
+ snprintf(buf, sizeof(buf), "%s", svc);
+ left = buf;
+ }
 /* If we have no idea what's going on, return an error. */
 if (left != buf) {
 pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left);
@@ -305,6 +333,13 @@ evaluate(pam_handle_t *pamh, int debug,
 (strcasecmp(qual, "noglob") == 0)) {
 return evaluate_noglob(left, right);
 }
+ /* Attribute value matches item in list. */
+ if (strcasecmp(qual, "in") == 0) {
+ return evaluate_inlist(left, right);
+ }
+ if (strcasecmp(qual, "notin") == 0) {
+ return evaluate_notinlist(left, right);
+ }
 /* User is in this group. */
 if (strcasecmp(qual, "ingroup") == 0) {
 return evaluate_ingroup(pamh, pwd->pw_name, right); |
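Review bot: evaluate_inlist in the first hunk only examines the first occurrence that strstr() returns, so a value that appears earlier as a substring of a longer item is never found at its real position — with `left = "ssh"` and `right = "sshd:ssh"` strstr() stops at offset 0, the character after the match is 'd', and the function returns PAM_AUTH_ERR although "ssh" is in the list. Because evaluate_notinlist is just the negation, that false non-match turns into a false success for `service notin sshd:ssh`, i.e. the rule admits exactly the service it was written to exclude, which is the dangerous direction for a module used to gate access. Walking the colon-separated items with strchr() and requiring an item to be byte-for-byte equal to `left` (same length, same contents) removes the dependence on where the first substring hit lands; the signature and the PAM_SUCCESS/PAM_AUTH_ERR contract stay the same, so evaluate_notinlist needs no change. Behaviour for an empty `left` or empty items is unchanged by this rewrite (an empty item still matches an empty value).
```c
static int
evaluate_inlist(const char *left, const char *right)
{
	size_t llen = strlen(left);
	const char *item = right;
	for (;;) {
		const char *sep = strchr(item, ':');
		size_t ilen = sep ? (size_t)(sep - item) : strlen(item);
		/* Match only a whole item, never a superstring of `left`. */
		if (ilen == llen && strncmp(item, left, llen) == 0)
			return PAM_SUCCESS;
		if (sep == NULL)
			return PAM_AUTH_ERR;
		item = sep + 1;
	}
}
/* … unchanged: evaluate_notinlist … */
```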
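Review bot: In the second hunk the fallback `svc = ""` only covers a failing pam_get_item(); a PAM_SUCCESS return that leaves `svc` NULL (if the service item can be unset on this handle — not something I can confirm from the hunk) would pass NULL to `snprintf(..., "%s", svc)`, which is undefined behaviour. Extending the guard to `if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL) svc = "";` closes that case at no cost, and passing `(const char *)svc` rather than the bare `const void *` to `%s` keeps -Wformat clean. The enclosing evaluate() starts and ends outside this hunk.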