author | Tomas Mraz <tm@t8m.info> | 2005-12-21 10:04:09 +0000 |
committer | Tomas Mraz <tm@t8m.info> | 2005-12-21 10:04:09 +0000 |
commit | e4cbefcdd253ae67503268014ef39e849cb31b7b (patch) | |
tree | b195e2efc56b504be956b6bcb4fe465f69251098 /modules | |
parent | b1d9b2322daa439194aaa53037fe27a0ccc0596b (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
* modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup),
(evaluate_notingroup): Simplified.
(evaluate_innetgr), (evaluate_notinnetgr): New functions.
(evaluate): Added calls to evaluate_(not)innetgr().
* modules/pam_succeed_if/README: Documented netgroup matching.
* NEWS: Mentioned the added netgroup matching support.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/pam_succeed_if/README | 10 | ||||
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.c | 49 |
2 files changed, 41 insertions, 18 deletions
diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README
index fdb278ef..e6e4f2aa 100644
--- a/modules/pam_succeed_if/README
+++ b/modules/pam_succeed_if/README
@@ -34,10 +34,16 @@ pam_succeed_if:
 !~ - Wildcard mismatch.
 ingroup - Group membership check. [*]
 notingroup - Group non-membership check. [*]
+ innetgr - Netgroup membership check. [*][+]
+ notinnetgr - Netgroup non-membership check. [*][+]
- * The "ingroup" and "notingroup" operators should only be
- used with the USER attribute.
+ * The "ingroup", "notingroup", "innetgr" and "notinnetgr"
+ operators should only be used with the USER attribute.
+
+ The "innetgr" and "notinnetgr" operators always match
+ both remote host and USER against the netgroup. If a remote
+ host is not set by the application it will be matched
+ against any host in the netgroup triplet.
 Examples:
 Deny authentication to all users except those in the wheel
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index 8f8cafa3..f84fdd3f 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -52,6 +52,7 @@
 #include <unistd.h>
 #include <pwd.h>
 #include <grp.h>
+#include <netdb.h>
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
@@ -183,30 +184,32 @@ evaluate_noglob(const char *left, const char *right)
 static int
 evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 1:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1)
 return PAM_SUCCESS;
- break;
- default:
- break;
- }
 return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the user is NOT in the group. */
 static int
 evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 {
- int ret;
- ret = pam_modutil_user_in_group_nam_nam(pamh, user, group);
- switch (ret) {
- case 0:
+ if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+static int
+evaluate_innetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 1)
+ return PAM_SUCCESS;
+ return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+static int
+evaluate_notinnetgr(const char *host, const char *user, const char *group)
+{
+ if (innetgr(group, host, user, NULL) == 0)
 return PAM_SUCCESS;
- break;
- default:
- break;
- }
 return PAM_AUTH_ERR;
 }
@@ -306,6 +309,20 @@ evaluate(pam_handle_t *pamh, int debug,
 if (strcasecmp(qual, "notingroup") == 0) {
 return evaluate_notingroup(pamh, pwd->pw_name, right);
 }
+ /* (Rhost, user) is in this netgroup. */
+ if (strcasecmp(qual, "innetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_innetgr(rhost, pwd->pw_name, right);
+ }
+ /* (Rhost, user) is not in this group. */
+ if (strcasecmp(qual, "notinnetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+ return evaluate_notinnetgr(rhost, pwd->pw_name, right);
+ }
 /* Fail closed. */
 return PAM_SERVICE_ERR;
 }
|
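Review bot: `evaluate_notinnetgr` returns PAM_SUCCESS whenever innetgr() returns 0, but innetgr() has no separate error return — it yields 0 both for a genuine non-member and for a netgroup that does not exist or whose backend cannot be reached — so a lookup failure satisfies "notinnetgr" rather than failing closed; the same ambiguity already holds for `evaluate_notingroup` above it, so this is consistent rather than a regression, but it deserves a comment on the new function such as `/* innetgr() returns 0 for "not a member" and for a failed or missing netgroup lookup alike, so a backend failure satisfies notinnetgr. */`. In the evaluate() hunk (that function begins before the hunk), the host handed to innetgr() is whatever the application stored in PAM_RHOST, and when it is unset the NULL is treated as a wildcard host, as the README change describes; the comment above the notinnetgr branch should read `/* (Rhost, user) is not in this netgroup. */` to match its counterpart. The two identical pam_get_item() blocks could also be collapsed into a single lookup shared by both strcasecmp tests.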