Author: des
Date: Sat Mar 12 11:12:30 2011
New Revision: 219563
URL: http://svn.freebsd.org/changeset/base/219563

Log:
  Add "ruser" and "luser" options.  The former corresponds to the current
  behavior, where the module checks that the supplicant is a member of the
  required group.  The latter checks the target user instead.  If neither
  option was specified, pam_group(8) assumes "ruser" and logs a notice
  I intend to eventually change the default to "luser" to match the
  behavior of similarly-named service modules in other operating systems.
  
  MFC after:    1 month

Modified:
  head/lib/libpam/modules/pam_group/pam_group.8
  head/lib/libpam/modules/pam_group/pam_group.c

Modified: head/lib/libpam/modules/pam_group/pam_group.8
==============================================================================
--- head/lib/libpam/modules/pam_group/pam_group.8       Sat Mar 12 09:41:25 
2011        (r219562)
+++ head/lib/libpam/modules/pam_group/pam_group.8       Sat Mar 12 11:12:30 
2011        (r219563)
@@ -1,4 +1,5 @@
 .\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" Portions of this software were developed for the FreeBSD Project by
@@ -32,7 +33,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 6, 2003
+.Dd March 9, 2011
 .Dt PAM_GROUP 8
 .Os
 .Sh NAME
@@ -64,10 +65,23 @@ it does exist and the applicant is a mem
 Specify the name of the group to check.
 The default is
 .Dq Li wheel .
+.It Cm luser
+Accept or reject based on the target user's group membership.
 .It Cm root_only
 Skip this module entirely if the target account is not the superuser
 account.
+.It Cm ruser
+Accept or reject based on the supplicant's group membership.
+This is the default.
 .El
+.Pp
+Note that the
+.Cm luser
+and
+.Cm ruser
+options are mutually exclusive, and that
+.Nm
+will fail if both are specified.
 .Sh SEE ALSO
 .Xr pam.conf 5 ,
 .Xr pam 8

Modified: head/lib/libpam/modules/pam_group/pam_group.c
==============================================================================
--- head/lib/libpam/modules/pam_group/pam_group.c       Sat Mar 12 09:41:25 
2011        (r219562)
+++ head/lib/libpam/modules/pam_group/pam_group.c       Sat Mar 12 11:12:30 
2011        (r219563)
@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2011 Dag-Erling Smørgrav
  * All rights reserved.
  *
  * Portions of this software were developed for the FreeBSD Project by
@@ -56,6 +57,7 @@ PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     int argc __unused, const char *argv[] __unused)
 {
+       int local, remote;
        const char *group, *user;
        const void *ruser;
        char *const *list;
@@ -69,10 +71,24 @@ pam_sm_authenticate(pam_handle_t *pamh, 
        if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
                return (PAM_IGNORE);
 
-       /* get applicant */
-       if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
-           || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
-               return (PAM_AUTH_ERR);
+       /* check local / remote */
+       local = openpam_get_option(pamh, "luser") ? 1 : 0;
+       remote = openpam_get_option(pamh, "ruser") ? 1 : 0;
+       if (local && remote) {
+               openpam_log(PAM_LOG_ERROR,
+                   "the luser and ruser options are mutually exclusive");
+               return (PAM_SERVICE_ERR);
+       } else if (local) {
+               /* we already have the correct struct passwd */
+       } else {
+               if (!remote)
+                       openpam_log(PAM_LOG_NOTICE,
+                           "neither luser nor ruser specified, assuming 
ruser");
+               /* default / historical behavior */
+               if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
+                   ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
+                       return (PAM_AUTH_ERR);
+       }
 
        /* get regulating group */
        if ((group = openpam_get_option(pamh, "group")) == NULL)
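Review bot: The `ruser` branch at the end of the hunk (`pam_get_item(pamh, PAM_RUSER, &ruser)` followed by `getpwnam(ruser)`) decides on a name the calling application stored in PAM_RUSER, which this module never authenticates; the name is only as trustworthy as the service that set it, and a caller that fills PAM_RUSER from peer-supplied data would let the peer choose whose group membership is checked, so I would say so above the lookup: `/* PAM_RUSER is application-supplied and unauthenticated here; only meaningful where the service sets it from the invoking user's real identity */`. The `luser` branch relies on `pwd` being the target user's entry looked up before this hunk (pam_sm_authenticate begins outside it), and the `ruser` branch overwrites `pwd`, so any later use of `pwd` in the function presumably refers to the supplicant rather than the target — worth a one-line comment where the historical lookup is kept. As a style point, the empty `else if (local) { /* ... */ }` arm can be dropped by guarding the lookup with `if (!local)`, which also makes the `!remote` notice read naturally as "no option given".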