diff options
| author | Andrew G. Morgan <morgan@kernel.org> | 2002-07-13 05:48:19 +0000 |
|---|---|---|
| committer | Andrew G. Morgan <morgan@kernel.org> | 2002-07-13 05:48:19 +0000 |
| commit | 2b395f6d039fb5c92a5ae799b305dd33061c9fbc (patch) | |
| tree | 6386214fcccb9987050ca9b5534bffc5d473c688 /modules | |
| parent | c95e6e34c26fc95f622b4d0535bccede3c655146 (diff) | |
| download | pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.tar.gz pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.tar.bz2 pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.zip | |
Relevant BUGIDs: 476951, 476953
Purpose of commit: bugfix
Commit summary:
---------------
Be more careful when using the deny option - pay attention to the trust
option before you grant access.
Fix from Nalin.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_wheel/README | 9 | ||||
| -rw-r--r-- | modules/pam_wheel/pam_wheel.c | 40 |
2 files changed, 31 insertions, 18 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index 336bb31e..b75689e8 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -1,6 +1,6 @@ pam_wheel: - only permit root authentication too members of wheel group + only permit root authentication to members of wheel group RECOGNIZED ARGUMENTS: debug write a message to syslog indicating success or @@ -21,13 +21,16 @@ RECOGNIZED ARGUMENTS: is trying to get UID 0 access and is a member of the wheel group, deny access (well, kind of nonsense, but for use in conjunction with 'group' argument... :-) + Conversely, if the user is not in the group, return + PAM_IGNORE (unless 'trust' was also specified, in + which case we return PAM_SUCCESS). group=xxxx Instead of checking the GID 0 group, use the xxxx group to perform the authentification. MODULE SERVICES PROVIDED: - auth _authetication and _setcred (blank) + auth _authentication, _setcred (blank) and _acct_mgmt AUTHOR: - Cristian Gafton <gafton@sorosis.ro> + Cristian Gafton <gafton@redhat.com> diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index c460abc9..d127791b 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -192,33 +192,43 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) { - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'", - (ctrl & PAM_DENY_ARG)?"denied":"granted", - fromsu,username); + if (ctrl & PAM_DENY_ARG) { + retval = PAM_PERM_DENIED; + + } else if (ctrl & PAM_TRUST_ARG) { + retval = PAM_SUCCESS; /* this can be a sufficient check */ + + } else { + retval = PAM_IGNORE; } + } else { + if (ctrl & PAM_DENY_ARG) { - return PAM_PERM_DENIED; - } else { + if (ctrl & PAM_TRUST_ARG) { - return PAM_SUCCESS; /* this can be a sufficient check */ + retval = PAM_SUCCESS; /* this can be a sufficient check */ } else { - return PAM_IGNORE; + retval = PAM_IGNORE; } + + } else { + retval = PAM_PERM_DENIED; } } if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'", - (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username); + if (retval == PAM_IGNORE) { + _pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'", + fromsu, username); + } else { + _pam_log(LOG_NOTICE, "Access %s to '%s' for '%s'", + (retval != PAM_SUCCESS) ? "denied":"granted", + fromsu, username); + } } - if (ctrl & PAM_DENY_ARG) { - return PAM_SUCCESS; /* this can be a sufficient check */ - } else { - return PAM_PERM_DENIED; - } + return retval; } /* --- authentication management functions --- */ |