New wpi driver

2006-11-08 Thread Massimo Lusetti
Hi all,
  I'm pleased to tell you I got the latest wpi driver from Damien
Bergamini to work properly on a latest -stable on an Acer laptop.

Some history:
I didn't do anything special, only reported some problems on the
[EMAIL PROTECTED] about this new driver on the recent 4.0 release, and
Damien was kind enough to respond to me. The problems were related to the
switch on my laptop used to turn the receiver on/off being an ACPI-only
switch; this causes the driver to not work properly due to OpenBSD ACPI
issues on the laptop. Then Damien asked if I would like to have the
FreeBSD version of the driver, since I told him the switch works properly
on FreeBSD. This all ended up with me having the driver working smoothly on
FreeBSD.
The driver as provided by Damien compiled without any issues on my
stable; no need to put it under any special directory or anything else.

Obviously the driver is BSD licensed, and obviously it is an unsupported
version of the driver, so do not complain to the author if this fails for
you.
To make this all clear I quote the author's words:
---
No problem. It's BSD-licensed, you can redistribute it freely.
I just don't want to hear complaints from users if it doesn't work.
I don't provide any support for the FreeBSD version of wpi(4).
---

The driver is available here:
http://www.datacode.it/wpi-freebsd/wpi-freebsd.tgz 
If anyone from the FreeBSD team or anyone else is willing to put it on a
host with more bandwidth, it's more than welcome.

Here is the relevant part from the dmesg and ifconfig.

wpi0: Intel(R) PRO/Wireless 3945ABG mem 0xd210-0xd2100fff irq 19
at device 0.0 on pci5
channel 1 pwr1 0x007d pwr2 0x007c
channel 2 pwr1 0x007b pwr2 0x007e
channel 3 pwr1 0x009c pwr2 0x009d
channel 4 pwr1 0x009e pwr2 0x009c
channel 5 pwr1 0x pwr2 0x
channel 6 pwr1 0x0075 pwr2 0x0076
channel 7 pwr1 0x0075 pwr2 0x0074
channel 8 pwr1 0x0077 pwr2 0x0076
channel 9 pwr1 0x0075 pwr2 0x0077
channel 10 pwr1 0x pwr2 0x
channel 11 pwr1 0x0001 pwr2 0x0001
channel 12 pwr1 0x0001 pwr2 0x0001
channel 13 pwr1 0x0001 pwr2 0x0001
channel 14 pwr1 0x0001 pwr2 0x0001
wpi0: Ethernet address: 00:13:02:18:e5:b2


wpi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ether 00:13:02:18:e5:b2
media: IEEE 802.11 Wireless Ethernet autoselect
status: no carrier
ssid  channel 1
authmode OPEN privacy OFF txpowmax 100 bmiss 7 protmode CTS

Regards
-- 
Massimo.run();


___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]


m_free() in if_bridge

2006-11-08 Thread Jacques Fourie

While browsing through if_bridge.c I noticed that if the bridge
interface is in monitoring mode, m_free() gets called on the packet
after passing it to BPF. Should this not be m_freem() instead or am I
missing something?  The code in question can be found in the
bridge_input() function, line 1877 in if_bridge.c.

regards,
jacques


Re: m_free() in if_bridge

2006-11-08 Thread Ruslan Ermilov
On Wed, Nov 08, 2006 at 04:37:34PM +0200, Jacques Fourie wrote:
> While browsing through if_bridge.c I noticed that if the bridge
> interface is in monitoring mode, m_free() gets called on the packet
> after passing it to BPF. Should this not be m_freem() instead or am I
> missing something?  The code in question can be found in the
> bridge_input() function, line 1877 in if_bridge.c.

It's been fixed already:

: revision 1.85
: date: 2006/11/05 17:56:25;  author: csjp;  state: Exp;  lines: +1 -1
: Fix possible leak when bridge is in monitor mode. Use m_freem() which will
: free the entire chain, instead of using m_free() which will free just the
: mbuf that was passed.
: 
: Discussed with: thompsa
: MFC after:  3 days


Cheers,
-- 
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer
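
The difference the commit message describes, as an added example that is not part of the thread or of if_bridge.c: a userland model in which toy_mbuf, toy_m_free() and toy_m_freem() are hypothetical stand-ins for the kernel's mbuf, m_free() and m_freem(). It counts how many mbufs of a packet stay allocated when only the head is freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a kernel mbuf: only the chain link matters here. */
struct toy_mbuf {
	struct toy_mbuf *m_next;
};

static int live_mbufs;	/* allocated and not yet freed */

/* Build a packet made of n chained mbufs (n >= 1). */
static struct toy_mbuf *
toy_chain(int n)
{
	struct toy_mbuf *head = NULL, *m;

	while (n-- > 0) {
		if ((m = malloc(sizeof(*m))) == NULL)
			abort();
		m->m_next = head;
		head = m;
		live_mbufs++;
	}
	return (head);
}

/* Like m_free(): release one mbuf and hand back its successor. */
static struct toy_mbuf *
toy_m_free(struct toy_mbuf *m)
{
	struct toy_mbuf *next = m->m_next;

	free(m);
	live_mbufs--;
	return (next);
}

/* Like m_freem(): release the whole chain. */
static void
toy_m_freem(struct toy_mbuf *m)
{
	while (m != NULL)
		m = toy_m_free(m);
}

/* mbufs still allocated when only the head of the packet is freed. */
int
leaked_with_m_free(int chain_len)
{
	struct toy_mbuf *rest = NULL;
	int leaked;

	live_mbufs = 0;
	rest = toy_m_free(toy_chain(chain_len));
	leaked = live_mbufs;
	toy_m_freem(rest);	/* tidy up so the demo itself does not leak */
	return (leaked);
}

/* mbufs still allocated when the whole chain is freed. */
int
leaked_with_m_freem(int chain_len)
{
	live_mbufs = 0;
	toy_m_freem(toy_chain(chain_len));
	return (live_mbufs);
}

int
main(void)
{
	for (int n = 1; n <= 3; n++)
		printf("chain of %d: m_free leaks %d, m_freem leaks %d\n",
		    n, leaked_with_m_free(n), leaked_with_m_freem(n));
	return (0);
}
```

A single-mbuf packet leaks nothing either way, which is why the commit calls it a possible leak: it only shows up when a packet spans more than one mbuf.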




Re: Yet another magic symlinks implementation

2006-11-08 Thread Lamont Granquist


AFS also has an @sys variable which is useful for network filesystem 
mounted binaries and software for multiple architectures through a single 
globally unique path:


http://www.openafs.org/pages/doc/AdminReference/auarf234.htm#HDRSYS

And I'd vote with Oliver on preferring variant symlinks for flexibility:

On Mon, 6 Nov 2006, Oliver Fromme wrote:

I'm afraid that I don't like NetBSD's magic symlinks very
much.  It's less flexible than variant symlinks because it
only supports a fixed set of variables.  As far as I can
tell, it does not solve any of the tasks described above.

Therefore I would really like to see your port of DragonFly
BSD's variant symlinks committed to FreeBSD.  Of course, it
could be a compile-time option in case there are people who
don't want the code in their kernel at all.  But you have
to set a sysctl anyway to enable it globally (it's disabled
by default on DragonFly).



Panic in contigmalloc/vm_page_remove (fwd)

2006-11-08 Thread Nicolas Dehaine


Back in June 2005, I encountered an issue with contigmalloc1() (see rev 1.43 of 
src/sys/vm/vm_contig.c) which Brian ([EMAIL PROTECTED]) looked into and solved.


Running FreeBSD 5.3 + the updated rev (1.43) of vm_contig.c (which isn't merged 
to RELENG_5), I have now encountered a reproducible panic in vm_page_remove 
which seems to be related to this patch but also to our new hardware. I have a 
new system (based on a Tyan 3098 motherboard) which panics at boot time (when 
assigning an IP with ifconfig more exactly) while the same build works ok on my 
older systems (Tyan 2098 motherboard).


I have
- reverted to the FreeBSD 5.3 version of vm_contig - panic went away.
- merged the newer panic-related fixes - panic remained
- tried the last version of vm_page on RELENG_5 - panic remained
- loaded FreeBSD 6.1 - no panic

I am guessing that rev 1.43 causes the panic indirectly but a later change in 
RELENG_6 fixed it or hid it. However, I would guess that this problem is 
unlikely to affect many, as rev 1.43 was not merged to RELENG_5.


The dmesg output and panic trace are attached. Any assistance is most welcome.

Nicolas Dehaine
St Bernard Software

[kernel boots, root login. ifconfig wasn't run at boot time (same results if it 
does)]
# ifconfig 
  output ok: em0, em1 interfaces

# ifconfig em0 10.0.0.1
panic: vm_page_remove: page not busy
KDB: stack backtrace:
kdb_backtrace(100,c27877d0,c233f5f8,c1c41d68,18c87) at kdb_backtrace+0x29
panic(c05e5fd1,c233f5f8,c1c41d68,dd94f9d4,c0580238) at panic+0xa8
vm_page_remove(c233f5f8,c233f5f8) at vm_page_remove+0x22
vm_page_free_toq(c233f5f8,c233f5f8,40,c233f5f8,dd94fa38) at
vm_page_free_toq+0x78
vm_page_free(c233f5f8) at vm_page_free+0x15
vm_page_alloc_contig(1,0,0,,1000) at vm_page_alloc_contig+0x346
contigmalloc(1000,c05fc2c0,1,0,) at contigmalloc+0x97
alloc_bounce_pages(c2750480,1) at alloc_bounce_pages+0x5f
bus_dmamap_create(c2750480,1,c2760004,c25d3000,c25d3000) at
bus_dmamap_create+0xff
em_allocate_receive_structures(c25d3000,c25f2000,1000) at
em_allocate_receive_structures+0xec
em_setup_receive_structures(c25d3000,c25d3000,c25d3000) at
em_setup_receive_structures+0x23
em_init_locked(c25d3000) at em_init_locked+0x10e
em_init(c25d3000,c25d3000,c278f500,c25d3000,dd94fb5c) at em_init+0x42
ether_ioctl(c25d3000,8020690c,c278f500) at ether_ioctl+0x50
em_ioctl(c25d3000,8020690c,c278f500,0,1) at em_ioctl+0xba
in_ifinit(c25d3000,c278f500,dd94fc70,0,dd94fbbc) at in_ifinit+0x1e5
in_control(c2789510,8040691a,dd94fc60,c25d3000,c27877d0) at
in_control+0x830
ifioctl(c2789510,8040691a,dd94fc60,c27877d0,0) at ifioctl+0x187
soo_ioctl(c270dd8c,8040691a,dd94fc60,c28fee00,c27877d0) at soo_ioctl+0x42d
ioctl(c27877d0,dd94fd14,3,0,286) at ioctl+0x545
syscall(2f,2f,2f,0,bfbfedb0) at syscall+0x27b
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x280cd0e7, esp =
0xbfbfec5c, ebp = 0xbfbfecc8 ---
KDB: enter: panic


Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc04caf1b
stack pointer   = 0x10:0xdd94f984
frame pointer   = 0x10:0xdd94f984
code segment= base 0x0, limit 0xf, type 0x1b   
= DPL 0, pres 1, def32 1, gran 1
processor eflags= interrupt enabled, IOPL = 0
current process = 671 (ifconfig) 
trap number = 3
panic: breakpoint instruction fault
KDB: enter: panic

Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc04caf1b
stack pointer   = 0x10:0xdd94f8c0
frame pointer   = 0x10:0xdd94f8c0
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= IOPL = 0
current process = 671 (ifconfig) 
trap number = 3
panic: breakpoint instruction fault
KDB: enter: panic


Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc04caf1b
stack pointer   = 0x10:0xdd94f7fc
frame pointer   = 0x10:0xdd94f7fc
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= IOPL = 0
current process = 671 (ifconfig) 
trap number = 3

Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc04caf1b
stack pointer   = 0x10:0xdd94f738
frame pointer   = 0x10:0xdd94f738
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= IOPL = 0
current process = 671 (ifconfig)
trap number = 3
panic: breakpoint instruction fault
KDB: enter: panic


Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc04caf1b
stack pointer   = 0x10:0xdd94f674
frame pointer   = 0x10:0xdd94f674
code segment  

RFC: pam_krb5: minimum_[ug]id options

2006-11-08 Thread Shaun Amott
While fiddling with PAM, it came to my attention that the pam_krb5
module in some other (Linux?) PAM implementations supports, amongst
other things, a minimum_uid option. This makes it possible to skip over
Kerberos authentication for local system accounts, like so:

  auth    required    pam_krb5.so    no_warn minimum_uid=1000
  auth    required    pam_unix.so    no_warn try_first_pass

I think it'd be a nice addition to our pam_krb5 at least.

I've attached an initial patch. Comments/review welcome.

Shaun

-- 
Shaun Amott // PGP: 0x6B387A9A
A foolish consistency is the hobgoblin
of little minds. - Ralph Waldo Emerson
Index: pam_krb5.8
===
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
retrieving revision 1.6
diff -u -r1.6 pam_krb5.8
--- pam_krb5.8  24 Nov 2001 23:41:32 -  1.6
+++ pam_krb5.8  8 Nov 2006 20:50:35 -
@@ -108,6 +108,13 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm minimum_uid Ns = Ns Ar id
+Do not attempt to authenticate users with a uid below
+.Ar id .
+Instead, simply return; thus allowing a later module to authenticate
+the user.
+.It Cm minimum_gid Ns = Ns Ar id
+As above, but specifies a minimum group.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
Index: pam_krb5.c
===
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
retrieving revision 1.23
diff -u -r1.23 pam_krb5.c
--- pam_krb5.c  7 Jul 2005 14:16:38 -   1.23
+++ pam_krb5.c  8 Nov 2006 20:50:36 -
@@ -90,6 +90,8 @@
 #define PAM_OPT_FORWARDABLEforwardable
 #define PAM_OPT_NO_CCACHE  no_ccache
 #define PAM_OPT_REUSE_CCACHE   reuse_ccache
+#define PAM_OPT_MINIMUM_UIDminimum_uid
+#define PAM_OPT_MINIMUM_GIDminimum_gid
 
 /*
  * authentication management
@@ -110,6 +112,9 @@
const char *user, *pass;
const void *sourceuser, *service;
char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
+   const char *retstr;
+   uid_t minuid = 0;
+   gid_t mingid = 0;
 
retval = pam_get_user(pamh, user, USER_PROMPT);
if (retval != PAM_SUCCESS)
@@ -222,6 +227,21 @@
 
PAM_LOG(Done getpwnam());
 
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+
+   if (retstr)
+   minuid = (uid_t)strtoul(retstr, NULL, 10);
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+
+   if (retstr)
+   mingid = (gid_t)strtoul(retstr, NULL, 10);
+
+   if (pwd-pw_uid  minuid || pwd-pw_gid  mingid)
+   return (PAM_IGNORE);
+
+   PAM_LOG(Checked uid and gid bounds);
+
/* Get a TGT */
memset(creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, creds, princ,
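Review bot: both strtoul() conversions added here pass NULL as the end pointer and never look at errno, so a mistyped value such as minimum_uid=abc parses as 0 and silently switches the filter off, sending every account to Kerberos with nothing logged. Parse into an unsigned long, check the end pointer and errno, compare against UID_MAX or GID_MAX before the cast to uid_t or gid_t, and fail with a logged error on a bad value.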
@@ -349,6 +369,9 @@
const void *user;
void *cache_data;
char *cache_name_buf = NULL, *p;
+   const char *retstr;
+   uid_t minuid = 0;
+   gid_t mingid = 0;
 
uid_t euid;
gid_t egid;
@@ -391,6 +414,30 @@
 
PAM_LOG(Got euid, egid: %d %d, euid, egid);
 
+   /* Get the uid. This should exist. */
+   pwd = getpwnam(user);
+   if (pwd == NULL) {
+   retval = PAM_USER_UNKNOWN;
+   goto cleanup3;
+   }
+
+   PAM_LOG(Done getpwnam());
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+
+   if (retstr)
+   minuid = (uid_t)strtoul(retstr, NULL, 10);
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+
+   if (retstr)
+   mingid = (gid_t)strtoul(retstr, NULL, 10);
+
+   if (pwd-pw_uid  minuid || pwd-pw_gid  mingid)
+   return (PAM_IGNORE);
+
+   PAM_LOG(Checked uid and gid bounds);
+
/* Retrieve the temporary cache */
retval = pam_get_data(pamh, ccache, cache_data);
if (retval != PAM_SUCCESS) {
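Review bot: the new return (PAM_IGNORE) leaves the function directly, although the getpwnam() failure a few lines above it in this same hunk leaves through goto cleanup3. Set retval = PAM_IGNORE and goto cleanup3 so the skip path releases the same state as every other exit from this point.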
@@ -405,15 +452,6 @@
goto cleanup3;
}
 
-   /* Get the uid. This should exist. */
-   pwd = getpwnam(user);
-   if (pwd == NULL) {
-   retval = PAM_USER_UNKNOWN;
-   goto cleanup3;
-   }
-
-   PAM_LOG(Done getpwnam());
-
/* Avoid following a symlink as root */
if (setegid(pwd-pw_gid)) {
retval = PAM_SERVICE_ERR;




Re: RFC: pam_krb5: minimum_[ug]id options

2006-11-08 Thread Ruslan Ermilov
On Wed, Nov 08, 2006 at 09:28:30PM +, Shaun Amott wrote:
> While fiddling with PAM, it came to my attention that the pam_krb5
> module in some other (Linux?) PAM implementations supports, amongst
> other things, a minimum_uid option. This makes it possible to skip over
> Kerberos authentication for local system accounts, like so:
>
>   auth    required    pam_krb5.so    no_warn minimum_uid=1000
>   auth    required    pam_unix.so    no_warn try_first_pass
>
> I think it'd a nice addition to our pam_krb5 at least.
>
> I've attached an initial patch. Comments/review welcome.
>
OK.

 Index: pam_krb5.8
 ===
 RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
 retrieving revision 1.6
 diff -u -r1.6 pam_krb5.8
 --- pam_krb5.824 Nov 2001 23:41:32 -  1.6
 +++ pam_krb5.88 Nov 2006 20:50:35 -
 @@ -108,6 +108,13 @@
  .Ql %p ,
  to designate the current process ID; can be used in
  .Ar name .
 +.It Cm minimum_uid Ns = Ns Ar id
 +Do not attempt to authenticate users with a uid below
   ^^^ UID
 +.Ar id .
 +Instead, simply return; thus allowing a later module to authenticate
 +the user.
 +.It Cm minimum_gid Ns = Ns Ar id
 +As above, but specifies a minimum group.
 ^ group ID or GID

Also, it could be explicit about this being a primary GID.

  .El
  .Ss Kerberos 5 Account Management Module
  The Kerberos 5 account management component
 
Document date should be bumped (the .Dd macro).

 Index: pam_krb5.c
 ===
 RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
 retrieving revision 1.23
 diff -u -r1.23 pam_krb5.c
 --- pam_krb5.c7 Jul 2005 14:16:38 -   1.23
 +++ pam_krb5.c8 Nov 2006 20:50:36 -
 @@ -90,6 +90,8 @@
  #define PAM_OPT_FORWARDABLE  forwardable
  #define PAM_OPT_NO_CCACHEno_ccache
  #define PAM_OPT_REUSE_CCACHE reuse_ccache
 +#define PAM_OPT_MINIMUM_UID  minimum_uid
 +#define PAM_OPT_MINIMUM_GID  minimum_gid
  
Defines were sorted alphabetically by a defined name.

  /*
   * authentication management
 @@ -110,6 +112,9 @@
   const char *user, *pass;
   const void *sourceuser, *service;
   char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
 + const char *retstr;
 + uid_t minuid = 0;
 + gid_t mingid = 0;
  
   retval = pam_get_user(pamh, user, USER_PROMPT);
   if (retval != PAM_SUCCESS)
 @@ -222,6 +227,21 @@
  
   PAM_LOG(Done getpwnam());
  
 + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
 +
Extraneous empty line.

 + if (retstr)
  ^ missing != NULL

 + minuid = (uid_t)strtoul(retstr, NULL, 10);
 
Errors are silently ignored; limit (UID_MAX) isn't checked.

 +
 + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
 +
 + if (retstr)
 + mingid = (gid_t)strtoul(retstr, NULL, 10);
 +
 
Ditto but s/UID_MAX/GID_MAX/.

 + if (pwd-pw_uid  minuid || pwd-pw_gid  mingid)
 + return (PAM_IGNORE);
 +
 + PAM_LOG(Checked uid and gid bounds);
 +
   /* Get a TGT */
   memset(creds, 0, sizeof(krb5_creds));
   krbret = krb5_get_init_creds_password(pam_context, creds, princ,
 @@ -349,6 +369,9 @@
   const void *user;
   void *cache_data;
   char *cache_name_buf = NULL, *p;
 + const char *retstr;
 + uid_t minuid = 0;
 + gid_t mingid = 0;
  
   uid_t euid;
   gid_t egid;
 @@ -391,6 +414,30 @@
  
   PAM_LOG(Got euid, egid: %d %d, euid, egid);
  
 + /* Get the uid. This should exist. */
 + pwd = getpwnam(user);
 + if (pwd == NULL) {
 + retval = PAM_USER_UNKNOWN;
 + goto cleanup3;
 + }
 +
 + PAM_LOG(Done getpwnam());
 +
 + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
 +
 + if (retstr)
 + minuid = (uid_t)strtoul(retstr, NULL, 10);
 +
 + retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
 +
 + if (retstr)
 + mingid = (gid_t)strtoul(retstr, NULL, 10);
 +
 + if (pwd-pw_uid  minuid || pwd-pw_gid  mingid)
 + return (PAM_IGNORE);
 +
 + PAM_LOG(Checked uid and gid bounds);
 +
   /* Retrieve the temporary cache */
   retval = pam_get_data(pamh, ccache, cache_data);
   if (retval != PAM_SUCCESS) {
 @@ -405,15 +452,6 @@
   goto cleanup3;
   }
  
 - /* Get the uid. This should exist. */
 - pwd = getpwnam(user);
 - if (pwd == NULL) {
 - retval = PAM_USER_UNKNOWN;
 - goto cleanup3;
 - }
 -
 - PAM_LOG(Done getpwnam());
 -
   /* Avoid following a symlink as root */
   if (setegid(pwd-pw_gid)) {
   retval = PAM_SERVICE_ERR;


Cheers,
-- 
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer
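
The review points above about silently ignored errors and the unchecked limit, as an added example that is not part of the thread or of pam_krb5: a strict parser for a minimum_uid= or minimum_gid= value plus the skip decision the man page text describes. parse_min_id(), below_minimum() and EXAMPLE_ID_MAX are hypothetical names; the ceiling stands in for UID_MAX and GID_MAX.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ceiling for illustration; the module would use UID_MAX / GID_MAX. */
#define EXAMPLE_ID_MAX 0xffffffffUL

/*
 * Parse an option value. Returns 0 and stores the value in *out on
 * success, -1 on any malformed or out-of-range input.
 */
int
parse_min_id(const char *s, unsigned long max, unsigned long *out)
{
	char *end;
	unsigned long v;

	/* strtoul() skips blanks and accepts a sign, so "-1" would wrap. */
	if (s == NULL || !isdigit((unsigned char)s[0]))
		return (-1);
	errno = 0;		/* a stale errno must not look like a failure */
	v = strtoul(s, &end, 10);
	if (errno != 0)		/* ERANGE: does not fit in unsigned long */
		return (-1);
	if (*end != '\0')	/* trailing junk such as "1000x" */
		return (-1);
	if (v > max)		/* range check before narrowing to uid_t */
		return (-1);
	*out = v;
	return (0);
}

/* 1 = skip Kerberos (the module returns PAM_IGNORE), 0 = carry on. */
int
below_minimum(unsigned long uid, unsigned long gid,
    unsigned long minuid, unsigned long mingid)
{
	return (uid < minuid || gid < mingid);
}

int
main(void)
{
	/* Constructed option values, not taken from any real pam.d file. */
	const char *samples[] = { "1000", "0", "abc", "1000x", "-1",
	    "4294967296", "" };
	unsigned long v;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (parse_min_id(samples[i], EXAMPLE_ID_MAX, &v) == 0)
			printf("\"%s\" -> %lu\n", samples[i], v);
		else
			printf("\"%s\" -> rejected\n", samples[i]);
	}
	return (0);
}
```

Rejecting a bad value outright matters here because a value that quietly parses as 0 disables the filter for every account.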




Re: [patch] rm can have undesired side-effects

2006-11-08 Thread Juan Rodriguez

Mac OS X uses FreeBSD's behaviour.

I don't see any problem with the current implementation
of rm -P.  I think I agree with Mike Meyers (omg!)

My 0.01 cents

--
JFRH


Re: RFC: pam_krb5: minimum_[ug]id options

2006-11-08 Thread Shaun Amott
Thanks for reviewing the patch. Here's an updated version with your
suggestions incorporated.

Shaun

-- 
Shaun Amott // PGP: 0x6B387A9A
A foolish consistency is the hobgoblin
of little minds. - Ralph Waldo Emerson
Index: pam_krb5.8
===
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
retrieving revision 1.6
diff -u -r1.6 pam_krb5.8
--- pam_krb5.8  24 Nov 2001 23:41:32 -  1.6
+++ pam_krb5.8  9 Nov 2006 01:14:18 -
@@ -1,7 +1,7 @@
 .\
 .\ $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
 .\ $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 
23:41:32 dd Exp $
-.Dd January 15, 1999
+.Dd Thursday 09, 2006
 .Dt PAM_KRB5 8
 .Os
 .Sh NAME
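Review bot: the new .Dd line reads "Thursday 09, 2006", which puts a weekday where mdoc expects the month name. Write it as .Dd November 9, 2006 to match the 9 Nov 2006 timestamp on this diff.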
@@ -108,6 +108,13 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm minimum_uid Ns = Ns Ar id
+Do not attempt to authenticate users with a UID below
+.Ar id .
+Instead, simply return; thus allowing a later module to authenticate
+the user.
+.It Cm minimum_gid Ns = Ns Ar id
+As above, but specifies a minimum primary GID.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
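Review bot: the minimum_uid and minimum_gid entries do not say how the two options combine or what a malformed value does. In the pam_krb5.c part of this patch the module returns PAM_IGNORE when either the UID or the primary GID is below its limit, and PAM_SERVICE_ERR when a value is rejected; both behaviours belong in these entries, along with the fact that "simply return" means PAM_IGNORE.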
Index: pam_krb5.c
===
RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
retrieving revision 1.23
diff -u -r1.23 pam_krb5.c
--- pam_krb5.c  7 Jul 2005 14:16:38 -   1.23
+++ pam_krb5.c  9 Nov 2006 01:14:19 -
@@ -88,6 +88,8 @@
 #define PAM_OPT_CCACHE ccache
 #define PAM_OPT_DEBUG  debug
 #define PAM_OPT_FORWARDABLEforwardable
+#define PAM_OPT_MINIMUM_GIDminimum_gid
+#define PAM_OPT_MINIMUM_UIDminimum_uid
 #define PAM_OPT_NO_CCACHE  no_ccache
 #define PAM_OPT_REUSE_CCACHE   reuse_ccache
 
@@ -110,6 +112,9 @@
const char *user, *pass;
const void *sourceuser, *service;
char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
+   const char *retstr;
+   uid_t minuid = 0;
+   gid_t mingid = 0;
 
retval = pam_get_user(pamh, user, USER_PROMPT);
if (retval != PAM_SUCCESS)
@@ -222,6 +227,39 @@
 
PAM_LOG(Done getpwnam());
 
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+   if (retstr != NULL) {
+   if ((minuid = (uid_t)strtoul(retstr, NULL, 10)) == 0) {
+   if (errno == ERANGE || errno == EINVAL) {
+   PAM_LOG(Error in minimum_uid: %s,
+   strerror(errno));
+   return (PAM_SERVICE_ERR);
+   }
+   } else if (minuid  UID_MAX) {
+   PAM_LOG(Error in minimum_uid: invalid UID);
+   return (PAM_SERVICE_ERR);
+   }
+   }
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+   if (retstr != NULL) {
+   if ((mingid = (gid_t)strtoul(retstr, NULL, 10)) == 0) {
+   if (errno == ERANGE || errno == EINVAL) {
+   PAM_LOG(Error in minimum_gid: %s,
+   strerror(errno));
+   return (PAM_SERVICE_ERR);
+   }
+   } else if (mingid  GID_MAX) {
+   PAM_LOG(Error in minimum_gid: invalid GID);
+   return (PAM_SERVICE_ERR);
+   }
+   }
+
+   if (pwd-pw_uid  minuid || pwd-pw_gid  mingid)
+   return (PAM_IGNORE);
+
+   PAM_LOG(Checked uid and gid bounds);
+
/* Get a TGT */
memset(creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, creds, princ,
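Review bot: in the minimum_uid block errno is tested only when strtoul() returned 0 and is never cleared beforehand, so an out-of-range string (strtoul() returns ULONG_MAX with ERANGE, not 0) skips the errno test, while a legitimate minimum_uid=0 is rejected if an earlier call left errno set. The result is also cast to uid_t before the UID_MAX comparison, so an oversized value is truncated before it is checked, and the NULL end pointer still accepts trailing junk such as 1000x. Clear errno first, keep the result in an unsigned long, pass an end pointer and require *end == '\0', then range-check and only then assign to minuid; the minimum_gid block needs the same changes.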
@@ -349,6 +387,9 @@
const void *user;
void *cache_data;
char *cache_name_buf = NULL, *p;
+   const char *retstr;
+   uid_t minuid = 0;
+   gid_t mingid = 0;
 
uid_t euid;
gid_t egid;
@@ -391,6 +432,48 @@
 
PAM_LOG(Got euid, egid: %d %d, euid, egid);
 
+   /* Get the uid. This should exist. */
+   pwd = getpwnam(user);
+   if (pwd == NULL) {
+   retval = PAM_USER_UNKNOWN;
+   goto cleanup3;
+   }
+
+   PAM_LOG(Done getpwnam());
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_UID);
+   if (retstr != NULL) {
+   if ((minuid = (uid_t)strtoul(retstr, NULL, 10)) == 0) {
+   if (errno == ERANGE || errno == EINVAL) {
+   PAM_LOG(Error in minimum_uid: %s,
+   strerror(errno));
+   return (PAM_SERVICE_ERR);
+   }
+   } else if (minuid  UID_MAX) {
+   PAM_LOG(Error in minimum_uid: invalid UID);
+   return (PAM_SERVICE_ERR);
+   }
+   }
+
+   retstr = openpam_get_option(pamh, PAM_OPT_MINIMUM_GID);
+
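Review bot: the minimum_uid block in this hunk is a line-for-line copy of the one added at -222, so any fix to the parsing has to be made twice. Move it into one helper called from both places; in this caller the helper's failure should set retval and goto cleanup3, as the getpwnam() check above does, rather than return (PAM_SERVICE_ERR) directly.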