From 2fc2673d889a15f097acd8ae68fe9d292dea472d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 1 Nov 2016 15:17:54 +0100 Subject: pam_access: First check for the (group) match. The (group) match is performed first to allow for groups containing '@'. * modules/pam_access/pam_access.c (user_match): First check for the (group) match. --- modules/pam_access/pam_access.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'modules/pam_access/pam_access.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 3ac1ad00..d6895788 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -516,7 +516,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) /* Try to split on a pattern (@*[^@]+)(@+.*) */ for (at = tok; *at == '@'; ++at); - if ((at = strchr(at, '@')) != NULL) { + if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { + return (group_match (pamh, tok, string, item->debug)); + } else if ((at = strchr(at, '@')) != NULL) { /* split user@host pattern */ if (item->hostname == NULL) return NO; @@ -541,9 +543,7 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) hostname = item->hostname; } return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); - } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') - return (group_match (pamh, tok, string, item->debug)); - else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ + } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ return rv; else if (item->only_new_group_syntax == NO && pam_modutil_user_in_group_nam_nam (pamh, -- cgit v1.2.3 From a9253114c719eace32006058656671f8987eeb12 Mon Sep 17 00:00:00 2001 From: Josef Moellers Date: Thu, 9 Feb 2017 12:27:59 +0100 Subject: Properly test for strtol() failure to find any digits. * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set to beginning and not NULL. --- modules/pam_access/pam_access.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_access/pam_access.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index d6895788..ba3b99f9 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -727,7 +727,7 @@ network_netmask_match (pam_handle_t *pamh, { /* netmask as integre value */ char *endptr = NULL; netmask = strtol(netmask_ptr, &endptr, 0); - if ((endptr == NULL) || (*endptr != '\0')) + if ((endptr == netmask_ptr) || (*endptr != '\0')) { /* invalid netmask value */ return NO; } -- cgit v1.2.3 From 7d0c508a52ebc9c702e1b6e66f46e4a6dc028c4a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 31 May 2017 10:27:28 +0200 Subject: pam_access: support parsing files in /etc/security/access.d/*.conf * modules/pam_access/pam_access.c (login_access): Return NOMATCH if there was no match in the parsed file. (pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB subdirectory and call login_access() on the individual files matched. * modules/pam_access/pam_access.8.xml: Document the addition. * modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition. --- modules/pam_access/Makefile.am | 3 ++- modules/pam_access/pam_access.8.xml | 8 ++++++++ modules/pam_access/pam_access.c | 31 +++++++++++++++++++++++++++++-- 3 files changed, 39 insertions(+), 3 deletions(-) (limited to 'modules/pam_access/pam_access.c') diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am index 6c0f738e..924b7219 100644 --- a/modules/pam_access/Makefile.am +++ b/modules/pam_access/Makefile.am @@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" + -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ + -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index c629a9f3..9a6556cc 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -57,6 +57,14 @@ By default rules for access management are taken from config file /etc/security/access.conf if you don't specify another file. + Then individual *.conf files from the + /etc/security/access.d/ directory are read. + The files are parsed one after another in the order of the system locale. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. This means that once + a pattern is matched in some file no further files are parsed. + If a config file is explicitly specified with the + option the files in the above directory are not parsed. If Linux PAM is compiled with audit support the module will report diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index ba3b99f9..80d885dd 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -44,6 +44,7 @@ #include #include #include +#include #ifdef HAVE_LIBAUDIT #include #endif @@ -87,6 +88,7 @@ #define ALL 2 #define YES 1 #define NO 0 +#define NOMATCH -1 /* * A structure to bundle up all login-related information to keep the @@ -415,7 +417,11 @@ login_access (pam_handle_t *pamh, struct login_info *item) "pam_access", 0); } #endif - return (match == NO || (line[0] == '+')); + if (match == NO) + return NOMATCH; + if (line[0] == '+') + return YES; + return NO; } @@ -800,6 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *user=NULL; const void *void_from=NULL; const char *from; + const char const *default_config = PAM_ACCESS_CONFIG; struct passwd *user_pw; char hostname[MAXHOSTNAMELEN + 1]; int rv; @@ -821,7 +828,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, */ memset(&loginfo, '\0', sizeof(loginfo)); loginfo.user = user_pw; - loginfo.config_file = PAM_ACCESS_CONFIG; + loginfo.config_file = default_config; /* parse the argument list */ @@ -892,6 +899,26 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, rv = login_access(pamh, &loginfo); + if (rv == NOMATCH && loginfo.config_file == default_config) { + glob_t globbuf; + int i, glob_rv; + + /* We do not manipulate locale as setlocale() is not + * thread safe. We could use uselocale() in future. + */ + glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); + if (!glob_rv) { + /* Parse the *.conf files. */ + for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { + loginfo.config_file = globbuf.gl_pathv[i]; + rv = login_access(pamh, &loginfo); + if (rv != NOMATCH) + break; + } + globfree(&globbuf); + } + } + if (loginfo.gai_rv == 0 && loginfo.res) freeaddrinfo(loginfo.res); -- cgit v1.2.3