From 2037cd51a2b787c492d60c9235b85868f03ed9ba Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 30 Jun 2009 10:28:53 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- This makes Linux-PAM compile able with uClibc or on embedded systems without full libc/libnsl. 2009-06-29 Thorsten Kukuk * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files. * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS support if all necessary functions exist. * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug option, handle correct if OS has no NIS support. * modules/pam_access/pam_access.c (netgroup_match): Check if yp_get_default_domain and innetgr are available at compile time. * configure.in: Check for functions: innetgr, getdomainname check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h. --- modules/pam_access/pam_access.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) (limited to 'modules/pam_access/pam_access.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index ba8effe3..963ce528 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -41,11 +41,12 @@ #include #include #include -#include #include #include #include - +#ifdef HAVE_RPCSVC_YPCLNT_H +#include +#endif #ifdef HAVE_LIBAUDIT #include #endif 
@@ -465,13 +466,31 @@ static int netgroup_match (pam_handle_t *pamh, const char *netgroup, const char *machine, const char *user, int debug) { - char *mydomain = NULL; int retval; + char *mydomain = NULL; +#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN yp_get_default_domain(&mydomain); +#elif defined(HAVE_GETDOMAINNAME) + char domainname_res[256]; + if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) + { + if (strcmp (domainname_res, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname_res[0] = '\0'; + } + mydomain = domainname_res; + } +#endif +#ifdef HAVE_INNETGR retval = innetgr (netgroup, machine, user, mydomain); +#else + retval = 0; + pam_syslog (pamh, LOG_ERR, "pam_access does not have netgroup support"); +#endif if (debug == YES) pam_syslog (pamh, LOG_DEBUG, "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", @@ -479,7 +498,6 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, machine ? machine : "NULL", user ? user : "NULL", mydomain ? mydomain : "NULL"); return retval; - } /* user_match - match a username against one token */ -- cgit v1.2.3 From e8e780f7a3911f8ad9d96268d669ed7943e93f4f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 18 Nov 2009 16:06:53 +0000 Subject: Relevant BUGIDs: 2892189 Purpose of commit: bugfix Commit summary: --------------- 2009-11-18 Tomas Mraz * modules/pam_access/pam_access.c(user_match): Revert the netgroup match to the original behavior, add new syntax for adding the local hostname. * modules/pam_access/access.conf.5.xml: Document the new syntax for adding the local hostname to the netgroup match. --- ChangeLog | 8 ++++++++ modules/pam_access/access.conf.5.xml | 7 ++++++- modules/pam_access/pam_access.c | 11 ++++++++--- 3 files changed, 22 insertions(+), 4 deletions(-) (limited to 'modules/pam_access/pam_access.c') diff --git a/ChangeLog b/ChangeLog index 0214bec1..8033486f 100644 --- a/ChangeLog +++ b/ChangeLog 
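Review bot: The guard `#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN` in netgroup_match is misspelled (DEFAUTL), so unless configure defines exactly that name the `yp_get_default_domain` call is never compiled and the build falls through to `getdomainname` or leaves `mydomain` NULL. It should presumably read `#ifdef HAVE_YP_GET_DEFAULT_DOMAIN`, to be checked against what configure.in (not shown here) emits. Separately, the `#else` arm for a missing `innetgr` sets `retval = 0`, so every netgroup token becomes a non-match: an allow rule fails closed, but a deny rule naming a netgroup silently stops applying. A comment such as `/* no innetgr: netgroup tokens never match, so '-' rules naming a netgroup have no effect */` would make that visible to whoever packages such a build. The `getdomainname` buffer is also used without forcing termination; adding `domainname_res[sizeof (domainname_res) - 1] = '\0';` after the call covers a truncated name.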
@@ -1,3 +1,11 @@ +2009-11-18 Tomas Mraz + + * modules/pam_access/pam_access.c(user_match): Revert the netgroup + match to the original behavior, add new syntax for adding the local + hostname. + * modules/pam_access/access.conf.5.xml: Document the new syntax + for adding the local hostname to the netgroup match. + 2009-11-10 Thorsten Kukuk * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 1b629afc..a4d3419b 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -74,7 +74,12 @@ not set and <origin> field is thus set from PAM_TTY or PAM_SERVICE". If supported by the system you can use - @netgroupname in host or user patterns. + @netgroupname in host or user patterns. The + @@netgroupname syntax is supported in the user + pattern only and it makes the local system hostname to be passed + to the netgroup match call in addition to the user name. This might not + work correctly on some libc implementations causing the match to + always fail. diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 963ce528..e9f0caa3 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c 
@@ -529,9 +529,14 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') { /* netgroup */ - if (item->hostname == NULL) - return NO; - return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug)); + const char *hostname = NULL; + if (tok[1] == '@') { /* add hostname to netgroup match */ + if (item->hostname == NULL) + return NO; + ++tok; + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') return (group_match (pamh, tok, string, item->debug)); else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ -- cgit v1.2.3
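Review bot: The new `tok[1] == '@'` branch only runs if a `@@netgroup` token reaches it, and the branch just above returns on a user@host split at `at`, with its condition outside the hunk. If that split searches for any '@' after the first character, `@@name` would be consumed there and this code never reached, so confirm it with a test rule before relying on the syntax. The plain `@netgroup` path now passes a NULL host, which innetgr() treats as a wildcard, so host-restricted triples no longer narrow the match. A comment like `/* NULL host is a wildcard for innetgr(): @netgroup matches the user regardless of the host field */` would make that access-control consequence visible. user_match starts and ends outside the hunk.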