Relevant BUGIDs:

Purpose of commit: bugfix

Commit summary:
---------------
2008-12-01  Tomas Mraz <t8m@centrum.cz>

        * modules/pam_access/pam_access.8.xml: Fix description of nodefgroup
        option.

        * modules/pam_group/pam_group.c (is_same): Fix check for correct
        string length.

2 files changed, 8 insertions, 6 deletions

diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index ff048593..6b031d2e 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -150,8 +150,10 @@
         </term>
         <listitem>
           <para>
-            The group database will not be used for tokens not
-            identified as account name.
+            User tokens which are not enclosed in parentheses will not be
+	    matched against the group database. The backwards compatible default is
+            to try the group database match even for tokens not enclosed
+            in parentheses.
           </para>
         </listitem>
       </varlistentry>
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index bddcf1cb..4a931c4f 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -331,10 +331,10 @@ is_same (const pam_handle_t *pamh UNUSED,
      }
 
      /* Ok, we know that b is a substring from A and does not contain
-	wildcards, but now the length of both strings must be the same,
-	too. */
-     if (strlen (a) != strlen(b))
-       return FALSE;
+        wildcards, but now the length of both strings must be the same,
+        too. In this case it means, a[i] has to be the end of the string. */
+     if (a[i] != '\0')
+          return FALSE;
 
      return ( !len );
 }