diff options
author | des <des@FreeBSD.org> | 2014-08-23 11:40:40 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2014-08-23 11:40:40 +0000 |
commit | 1df0cac7e1b420116e441d1790ad356fbfd3ac7c (patch) | |
tree | 57bd3192ac9d0d44aeac7e9fe9c97cc759174d38 | |
parent | ce304e0b36d0a097909e8ed2bbf06ad4db31f9ca (diff) | |
download | FreeBSD-src-1df0cac7e1b420116e441d1790ad356fbfd3ac7c.zip FreeBSD-src-1df0cac7e1b420116e441d1790ad356fbfd3ac7c.tar.gz |
MFH (r268888): fix false negative for empty groups
PR: 109416
MFH (r268890): add support for "account" facility
PR: 115164
-rw-r--r-- | lib/libpam/modules/pam_group/pam_group.8 | 7 | ||||
-rw-r--r-- | lib/libpam/modules/pam_group/pam_group.c | 33 |
2 files changed, 29 insertions, 11 deletions
diff --git a/lib/libpam/modules/pam_group/pam_group.8 b/lib/libpam/modules/pam_group/pam_group.8 index 985094b..4f368e5 100644 --- a/lib/libpam/modules/pam_group/pam_group.8 +++ b/lib/libpam/modules/pam_group/pam_group.8 @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 9, 2011 +.Dd July 19, 2014 .Dt PAM_GROUP 8 .Os .Sh NAME @@ -48,6 +48,11 @@ .Sh DESCRIPTION The group service module for PAM accepts or rejects users based on their membership in a particular file group. +.Nm pam_group +provides functionality for two PAM categories: authentication and +account management. +In terms of the module-type parameter, they are the ``auth'' and +``account'' features. .Pp The following options may be passed to the .Nm diff --git a/lib/libpam/modules/pam_group/pam_group.c b/lib/libpam/modules/pam_group/pam_group.c index a6e32cd..6cf2774 100644 --- a/lib/libpam/modules/pam_group/pam_group.c +++ b/lib/libpam/modules/pam_group/pam_group.c @@ -47,15 +47,14 @@ __FBSDID("$FreeBSD$"); #include <unistd.h> #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_appl.h> #include <security/pam_modules.h> #include <security/openpam.h> - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) +static int +pam_group(pam_handle_t *pamh) { int local, remote; const char *group, *user; @@ -96,14 +95,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL) goto failed; - /* check if the group is empty */ - if (*grp->gr_mem == NULL) - goto failed; - - /* check membership */ + /* check if user's own primary group */ if (pwd->pw_gid == grp->gr_gid) goto found; - for (list = grp->gr_mem; *list != NULL; ++list) + + /* iterate over members */ + for (list = grp->gr_mem; list != NULL && *list != NULL; ++list) if (strcmp(*list, pwd->pw_name) == 0) goto found; @@ -123,6 +120,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, } PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc __unused, const char *argv[] __unused) { @@ -130,4 +135,12 @@ pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, return (PAM_SUCCESS); } +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + PAM_MODULE_ENTRY("pam_group"); |