author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-04-21 11:21:12 +0000 |
commit | aeccee4585ab2ea6deab9cbebc7afc67b7196a80 (patch) | |
tree | de848926000e8b5a9d970b4a7da44abd65b370c5 /modules | |
parent | 902026536a826400014a7508b008e41269d081e6 (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-21 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_access/access.conf.5.xml: Document changed behavior
of LOCAL keyword.
* modules/pam_access/pam_access.c: Add from_remote_host to
struct login_info to change behavior of LOCAL keyword: if
PAM_RHOST is not set, LOCAL will be true.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/pam_access/access.conf.5.xml | 7 | ||||
-rw-r--r-- | modules/pam_access/pam_access.c | 17 |
2 files changed, 16 insertions, 8 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index f8eb7a4e..17185172 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -69,8 +69,11 @@
 internet network numbers (end with "."), internet network addresses
 with network mask (where network mask can be a decimal number or an
 internet address also), <emphasis>ALL</emphasis> (which always matches)
- or <emphasis>LOCAL</emphasis> (which matches any string that does not
- contain a "." character). If supported by the system you can use
+ or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
+ keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
+ not set and <origin> field is thus set from
+ <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
+ If supported by the system you can use
 <emphasis>@netgroupname</emphasis> in host or user patterns.
 </para>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 778b68cd..a5c6c6a5 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -48,7 +48,7 @@
 #ifdef HAVE_LIBAUDIT
 #include <libaudit.h>
-#endif
+#endif
 /*
 * here, we make definitions for the externally accessible functions
@@ -104,6 +104,7 @@ struct login_info {
 int noaudit; /* Do not audit denials */
 const char *fs; /* field separator */
 const char *sep; /* list-element separator */
+ int from_remote_host; /* If PAM_RHOST was used for from */
 };
 /* Parse module config arguments */
@@ -113,7 +114,7 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
 int argc, const char **argv)
 {
 int i;
-
+
 loginfo->noaudit = NO;
 loginfo->debug = NO;
 loginfo->only_new_group_syntax = NO;
@@ -571,8 +572,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 * If a token has the magic value "ALL" the match always succeeds. Return
 * YES if the token fully matches the string. If the token is a domain
 * name, return YES if it matches the last fields of the string. If the
- * token has the magic value "LOCAL", return YES if the string does not
- * contain a "." character. If the token is a network number, return YES
+ * token has the magic value "LOCAL", return YES if the from field was
+ * not taken by PAM_RHOST. If the token is a network number, return YES
 * if it matches the head of the string.
 */
@@ -587,8 +588,8 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 if ((str_len = strlen(string)) > (tok_len = strlen(tok))
 && strcasecmp(tok, string + str_len - tok_len) == 0)
 return (YES);
- } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
- if (strchr(string, '.') == 0)
+ } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no PAM_RHOSTS */
+ if (item->from_remote_host == 0)
 return (YES);
 } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
 struct addrinfo *res;
@@ -817,6 +818,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 /* local login, set tty name */
+ loginfo.from_remote_host = 0;
+
 if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS
 || void_from == NULL) {
 D(("PAM_TTY not set, probing stdin"));
@@ -849,6 +852,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 }
 }
 }
+ else
+ loginfo.from_remote_host = 1;
 loginfo.from = from;
|
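Review bot: The new LOCAL arm `if (item->from_remote_host == 0)` decides locality purely on whether the calling application supplied PAM_RHOST, so an application that sets PAM_RHOST for console sessions (say to the local hostname or "localhost") will no longer match LOCAL, and the removed dot-free fallback no longer catches it; that is a silent policy change for rules of the form `+ : root : LOCAL` and deserves a sentence in the comment block above rather than the terse `/* local: no PAM_RHOSTS */`, which also misspells the item name. Suggest `/* local: the application did not set PAM_RHOST */` on that line, plus a sentence in the block comment noting that an unqualified remote hostname such as "evilbox" no longer matches LOCAL, which is the security tightening this commit actually delivers. The rest of from_match, including the ALL and network-number arms, lies outside this hunk.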
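Review bot: The added `else loginfo.from_remote_host = 1;` marks the session remote for any non-NULL `from`, which presumably includes an application that sets PAM_RHOST to an empty string; such a session then matches neither LOCAL nor any host pattern (only ALL), whereas under the old dot-free rule it counted as LOCAL. Whether an empty PAM_RHOST should mean local or remote is a policy decision worth making explicitly, e.g. `if (from == NULL || *from == '\0') {` on the enclosing condition, and stating in access.conf(5). That enclosing `if` begins above the hunk, so I cannot see how `from` was obtained; the visible else-if arms in from_match are braced, so `} else {` … `}` would also match the file's style better than the bare `else`.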