Re: [Maria-developers] [Commits] 50dc8c0: MDEV-8842 add group support to pam_user_map module.

2015-10-07 Thread Sergei Golubchik
Hi, Holyfoot!

On Oct 07, holyf...@askmonty.org wrote:
> revision-id: 50dc8c0e8a27d18a3d75ff43a87975fcd5e0e7f6 
> (mariadb-10.1.7-67-g50dc8c0)
> parent(s): bed4e847950eef50930b44632eea43416e7b37d1
> committer: Alexey Botchkov
> timestamp: 2015-10-07 00:51:33 +0500
> message:
> 
> MDEV-8842 add group support to pam_user_map module.
> Added to the pam_user_map module.

Looks pretty much ok. Just one suggestion:
I'd keep the groups in pam_sm_authenticate and pass the pointer down to
user_in_group.
Indeed, there may be many @group entries in the mapping file; it seems like a
waste to repopulate the group array every time.

> ---
>  plugin/auth_pam/mapper/pam_user_map.c | 59 
> +--
>  1 file changed, 57 insertions(+), 2 deletions(-)
> 
> diff --git a/plugin/auth_pam/mapper/pam_user_map.c 
> b/plugin/auth_pam/mapper/pam_user_map.c
> index e73ab6d..a3008bd 100644
> --- a/plugin/auth_pam/mapper/pam_user_map.c
> +++ b/plugin/auth_pam/mapper/pam_user_map.c
> @@ -13,22 +13,71 @@ authrequiredpam_user_map.so
>  
>And create /etc/security/user_map.conf with the desired mapping
>in the format:  orig_user_name: mapped_user_name
> +  @user's_group_name: mapped_user_name
>  =
> -#comments and emty lines are ignored
> +#comments and emtpy lines are ignored
>  john: jack
>  bob:  admin
>  top:  accounting
> +@group_ro: readonly
>  =
>  
>  */
>  
> +#include 
>  #include 
>  #include 
> +#include 
> +#include 
> +#include 
>  #include 
>  
>  #define FILENAME "/etc/security/user_map.conf"
>  #define skip(what) while (*s && (what)) s++
>  
> +#define GROUP_BUFFER_SIZE 100
> +int user_in_group(const char *user, const char *group)
> +{
> +  gid_t group_buffer[GROUP_BUFFER_SIZE];
> +  gid_t *groups= group_buffer;
> +  gid_t group_id;
> +  gid_t user_group_id;
> +  int ng, i;
> +
> +  {
> +struct passwd *pw= getpwnam(user);
> +struct group *g= getgrnam(group);
> +if (pw == NULL || g == NULL)
> +  return 0;
> +user_group_id= pw->pw_gid;
> +group_id= g->gr_gid;
> +  }
> +
> +  ng= GROUP_BUFFER_SIZE;
> +  if (getgrouplist(user, user_group_id, groups, ) < 0)
> +  {
> +/* The rare case when the user is present in more than */
> +/* GROUP_BUFFER_SIZE groups.   */
> +groups= (gid_t *) malloc(ng * sizeof (gid_t));
> +if (!groups)
> +  return 0;
> +
> +(void) getgrouplist(user, user_group_id, groups, );
> +  }
> +
> +  for (i= 0; i < ng; i++)
> +  {
> +if (groups[i] == group_id)
> +  break;
> +  }
> +
> +  if (groups != group_buffer)
> +free(groups);
> +
> +  return i < ng;
> +}
> +
> +
>  int pam_sm_authenticate(pam_handle_t *pamh, int flags,
>  int argc, const char *argv[])
>  {
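Review bot: The retry path in user_in_group discards the second lookup's result (`(void) getgrouplist(user, user_group_id, groups, &ng);`) and then uses `ng` as the bound of the loop over `groups`; with the glibc semantics the retry already relies on (`ng` is set to the total number of groups found, not the number actually stored), a second failure — e.g. the user's group set growing between the two calls — leaves `ng` larger than the `malloc(ng * sizeof (gid_t))` array and the loop reads past the heap buffer. Checking the result closes it: `if (getgrouplist(user, user_group_id, groups, &ng) < 0) { free(groups); return 0; }`. On a libc that does not update `ng` to the required size the retry is only a silent truncation, which at least fails closed (the user is treated as not a member). Separately, getpwnam()/getgrnam() return pointers to static storage; if this module can be entered from more than one thread at a time (presumably the case for a PAM module loaded into a server), the `_r` variants would be safer, and copying `pw->pw_gid` before calling getgrnam() costs nothing.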
> @@ -51,10 +100,14 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
>while (fgets(buf, sizeof(buf), f) != NULL)
>{
>  char *s= buf, *from, *to, *end_from, *end_to;
> +int check_group;
> +
>  line++;
>  
>  skip(isspace(*s));
>  if (*s == '#' || *s == 0) continue;
> +if ((check_group= *s == '@'))
> +  s++;
>  from= s;
>  skip(isalnum(*s) || (*s == '_'));
>  end_from= s;
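Review bot: After the new `@` prefix is consumed, the group name is scanned by the existing `skip(isalnum(*s) || (*s == '_'))`, so a group name containing `-`, `.` or a space — common for system and directory groups — cannot be written in user_map.conf and presumably lands in the syntax_error path, which is outside this hunk. Either say so in the usage comment at the top of the file (`user and group names may contain only letters, digits and '_'`) or widen the scanner to `skip(isalnum(*s) || *s == '_' || *s == '-' || *s == '.')`, noting that the latter also relaxes user-name parsing. The `isalnum(*s)` call on a plain `char` is pre-existing and is undefined for bytes above 0x7F; casting to `(unsigned char)` would make it safe for non-ASCII names. pam_sm_authenticate starts before and ends after this hunk.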
> @@ -67,7 +120,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
>  if (end_to == to) goto syntax_error;
>  
>  *end_from= *end_to= 0;
> -if (strcmp(username, from) == 0)
> +if (check_group ?
> +  user_in_group(username, from) :
> +  (strcmp(username, from) == 0))
>  {
>pam_err= pam_set_item(pamh, PAM_USER, to);
>goto ret;
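Review bot: With `@group` lines a user can now match more than one line, and the `pam_err= pam_set_item(pamh, PAM_USER, to); goto ret;` sequence makes the first matching line in file order win, so a broad `@group` line placed above a per-user line silently overrides the per-user mapping; the usage comment at the top of the file should say so, e.g. `Lines are tried in order and the first match wins; put specific user lines before @group lines.`. Also, user_in_group() returns 0 both when the user is not a member and when getpwnam()/getgrnam() fail, so a misspelled or nonexistent group in the map is indistinguishable from a non-match and the line is silently ignored; if the module has a logging path (pam_syslog or similar — not visible here), a warning for an unknown group would make that configuration error visible. pam_sm_authenticate starts before and ends after this hunk.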

Regards,
Sergei



Re: [Maria-developers] [Commits] 50dc8c0: MDEV-8842 add group support to pam_user_map module.

2015-10-07 Thread Alexey Botchkov

Hi again.

See the next version :)
http://lists.askmonty.org/pipermail/commits/2015-October/008513.html

HF

07.10.2015 13:57, Sergei Golubchik wrote:

Hi, Holyfoot!

On Oct 07, holyf...@askmonty.org wrote:

revision-id: 50dc8c0e8a27d18a3d75ff43a87975fcd5e0e7f6 
(mariadb-10.1.7-67-g50dc8c0)
parent(s): bed4e847950eef50930b44632eea43416e7b37d1
committer: Alexey Botchkov
timestamp: 2015-10-07 00:51:33 +0500
message:

MDEV-8842 add group support to pam_user_map module.
Added to the pam_user_map module.

Looks pretty much ok. Just one suggestion:
I'd keep the groups in pam_sm_authenticate and pass the pointer down to
user_in_group.
Indeed, there may be many @group entries in the mapping file; it seems like a
waste to repopulate the group array every time.


---
  plugin/auth_pam/mapper/pam_user_map.c | 59 +--
  1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/plugin/auth_pam/mapper/pam_user_map.c 
b/plugin/auth_pam/mapper/pam_user_map.c
index e73ab6d..a3008bd 100644
--- a/plugin/auth_pam/mapper/pam_user_map.c
+++ b/plugin/auth_pam/mapper/pam_user_map.c
@@ -13,22 +13,71 @@ authrequiredpam_user_map.so
  
And create /etc/security/user_map.conf with the desired mapping

in the format:  orig_user_name: mapped_user_name
+  @user's_group_name: mapped_user_name
  =
-#comments and emty lines are ignored
+#comments and emtpy lines are ignored
  john: jack
  bob:  admin
  top:  accounting
+@group_ro: readonly
  =
  
  */
  
+#include 

  #include 
  #include 
+#include 
+#include 
+#include 
  #include 
  
  #define FILENAME "/etc/security/user_map.conf"

  #define skip(what) while (*s && (what)) s++
  
+#define GROUP_BUFFER_SIZE 100

+int user_in_group(const char *user, const char *group)
+{
+  gid_t group_buffer[GROUP_BUFFER_SIZE];
+  gid_t *groups= group_buffer;
+  gid_t group_id;
+  gid_t user_group_id;
+  int ng, i;
+
+  {
+struct passwd *pw= getpwnam(user);
+struct group *g= getgrnam(group);
+if (pw == NULL || g == NULL)
+  return 0;
+user_group_id= pw->pw_gid;
+group_id= g->gr_gid;
+  }
+
+  ng= GROUP_BUFFER_SIZE;
+  if (getgrouplist(user, user_group_id, groups, ) < 0)
+  {
+/* The rare case when the user is present in more than */
+/* GROUP_BUFFER_SIZE groups.   */
+groups= (gid_t *) malloc(ng * sizeof (gid_t));
+if (!groups)
+  return 0;
+
+(void) getgrouplist(user, user_group_id, groups, );
+  }
+
+  for (i= 0; i < ng; i++)
+  {
+if (groups[i] == group_id)
+  break;
+  }
+
+  if (groups != group_buffer)
+free(groups);
+
+  return i < ng;
+}
+
+
  int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  int argc, const char *argv[])
  {
@@ -51,10 +100,14 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
while (fgets(buf, sizeof(buf), f) != NULL)
{
  char *s= buf, *from, *to, *end_from, *end_to;
+int check_group;
+
  line++;
  
  skip(isspace(*s));

  if (*s == '#' || *s == 0) continue;
+if ((check_group= *s == '@'))
+  s++;
  from= s;
  skip(isalnum(*s) || (*s == '_'));
  end_from= s;
@@ -67,7 +120,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  if (end_to == to) goto syntax_error;
  
  *end_from= *end_to= 0;

-if (strcmp(username, from) == 0)
+if (check_group ?
+  user_in_group(username, from) :
+  (strcmp(username, from) == 0))
  {
pam_err= pam_set_item(pamh, PAM_USER, to);
goto ret;

Regards,
Sergei





Re: [Maria-developers] [Commits] 06e3c05: MDEV-8842 add group support to pam_user_map module.

2015-10-07 Thread Sergei Golubchik
Hi, Holyfoot!

On Oct 07, holyf...@askmonty.org wrote:
> revision-id: 06e3c05f1ad3156b5a3e0a775b07fb13b9ebb1a8 
> (mariadb-10.1.7-68-g06e3c05)
> parent(s): 8afe96f011eb8037a92b4b3aab16118b0771ad50
> committer: Alexey Botchkov
> timestamp: 2015-10-07 15:52:26 +0500
> message:
> 
> MDEV-8842 add group support to pam_user_map module.
> Added to the pam_user_map module.

Great, thanks!
Ok to push.

I assume you've tested that it still works after all the changes.

Regards,
Sergei
