author | yar <yar@FreeBSD.org> | 2006-03-06 12:54:03 +0000 |
committer | yar <yar@FreeBSD.org> | 2006-03-06 12:54:03 +0000 |
commit | 0f8e367b43bef4874ce8118703483bd1b4458815 (patch) | |
tree | 0968f1296e3578a18d21eae8acbac52db8099155 /usr.bin/login | |
parent | 512bf290331aecc6f382585ee6225fa62efd024f (diff) | |
login.access.5 and login_access.c are no longer used
in usr.bin/login because the login.access feature has
moved to PAM completely.
Their counterparts in lib/libpam/modules/pam_login_access
have been found to be in sync with, and even in better shape
than, login.access.5 and login_access.c here.
Therefore cvs rm login.access.5 and login_access.c from
usr.bin/login so that nobody will waste their time on fixing
or developing the files here.
MFC after: 3 days
Diffstat (limited to 'usr.bin/login')
-rw-r--r-- | usr.bin/login/login.access.5 | 57 | ||||
-rw-r--r-- | usr.bin/login/login_access.c | 239 |
2 files changed, 0 insertions, 296 deletions
diff --git a/usr.bin/login/login.access.5 b/usr.bin/login/login.access.5
deleted file mode 100644
index 2f2d8f2..0000000
--- a/usr.bin/login/login.access.5
+++ /dev/null
@@ -1,57 +0,0 @@
-.\"
-.\" $FreeBSD$
-.\"
-.Dd April 30, 1994
-.Dt LOGIN.ACCESS 5
-.Os
-.Sh NAME
-.Nm login.access
-.Nd login access control table
-.Sh DESCRIPTION
-The
-.Nm
-file specifies (user, host) combinations and/or (user, tty)
-combinations for which a login will be either accepted or refused.
-.Pp
-When someone logs in, the
-.Nm
-is scanned for the first entry that
-matches the (user, host) combination, or, in case of non-networked
-logins, the first entry that matches the (user, tty) combination.
-The
-permissions field of that table entry determines whether the login will
-be accepted or refused.
-.Pp
-Each line of the login access control table has three fields separated by a
-.Ql \&:
-character:
-.Ar permission : Ns Ar users : Ns Ar origins
-.Pp
-The first field should be a "+" (access granted) or "-" (access denied)
-character.
-The second field should be a list of one or more login names,
-group names, or ALL (always matches).
-The third field should be a list
-of one or more tty names (for non-networked logins), host names, domain
-names (begin with "."), host addresses, internet network numbers (end
-with "."), ALL (always matches) or LOCAL (matches any string that does
-not contain a "." character).
-If you run NIS you can use @netgroupname
-in host or user patterns.
-.Pp
-The EXCEPT operator makes it possible to write very compact rules.
-.Pp
-The group file is searched only when a name does not match that of the
-logged-in user.
-Only groups are matched in which users are explicitly
-listed: the program does not look at a user's primary group id value.
-.Sh FILES
-.Bl -tag -width /etc/login.access -compact
-.It Pa /etc/login.access
-login access control table
-.El
-.Sh SEE ALSO
-.Xr login 1 ,
-.Xr pam 8
-.Sh AUTHORS
-.An Guido van Rooij
diff --git a/usr.bin/login/login_access.c b/usr.bin/login/login_access.c
deleted file mode 100644
index f6f5745..0000000
--- a/usr.bin/login/login_access.c
+++ /dev/null
@@ -1,239 +0,0 @@
- /*
- * This module implements a simple but effective form of login access
- * control based on login names and on host (or domain) names, internet
- * addresses (or network numbers), or on terminal line names in case of
- * non-networked logins. Diagnostics are reported through syslog(3).
- *
- * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
- */
-
-#ifdef LOGIN_ACCESS
-#if 0
-#ifndef lint
-static char sccsid[] = "%Z% %M% %I% %E% %U%";
-#endif
-#endif
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <sys/types.h>
-#include <ctype.h>
-#include <errno.h>
-#include <grp.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include "login.h"
-#include "pathnames.h"
-
- /* Delimiters for fields and for lists of users, ttys or hosts. */
-
-static char fs[] = ":"; /* field separator */
-static char sep[] = ", \t"; /* list-element separator */
-
- /* Constants to be used in assignments only, not in comparisons... */
-
-#define YES 1
-#define NO 0
-
-static int from_match(const char *, const char *);
-static int list_match(char *, const char *,
- int (*)(const char *, const char *));
-static int netgroup_match(const char *, const char *, const char *);
-static int string_match(const char *, const char *);
-static int user_match(const char *, const char *);
-
-/* login_access - match username/group and host/tty with access control file */
-
-int
-login_access(user, from)
-const char *user;
-const char *from;
-{
- FILE *fp;
- char line[BUFSIZ];
- char *perm; /* becomes permission field */
- char *users; /* becomes list of login names */
- char *froms; /* becomes list of terminals or hosts */
- int match = NO;
- int end;
- int lineno = 0; /* for diagnostics */
-
- /*
- * Process the table one line at a time and stop at the first match.
- * Blank lines and lines that begin with a '#' character are ignored.
- * Non-comment lines are broken at the ':' character. All fields are
- * mandatory. The first field should be a "+" or "-" character. A
- * non-existing table means no access control.
- */
-
- if ((fp = fopen(_PATH_LOGACCESS, "r")) != NULL) {
- while (!match && fgets(line, sizeof(line), fp)) {
- lineno++;
- if (line[end = strlen(line) - 1] != '\n') {
- syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
- _PATH_LOGACCESS, lineno);
- continue;
- }
- if (line[0] == '#')
- continue; /* comment line */
- while (end > 0 && isspace(line[end - 1]))
- end--;
- line[end] = 0; /* strip trailing whitespace */
- if (line[0] == 0) /* skip blank lines */
- continue;
- if (!(perm = strtok(line, fs))
- || !(users = strtok((char *) 0, fs))
- || !(froms = strtok((char *) 0, fs))
- || strtok((char *) 0, fs)) {
- syslog(LOG_ERR, "%s: line %d: bad field count", _PATH_LOGACCESS,
- lineno);
- continue;
- }
- if (perm[0] != '+' && perm[0] != '-') {
- syslog(LOG_ERR, "%s: line %d: bad first field", _PATH_LOGACCESS,
- lineno);
- continue;
- }
- match = (list_match(froms, from, from_match)
- && list_match(users, user, user_match));
- }
- (void) fclose(fp);
- } else if (errno != ENOENT) {
- syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
- }
- return (match == 0 || (line[0] == '+'));
-}
-
-/* list_match - match an item against a list of tokens with exceptions */
-
-static int list_match(list, item, match_fn)
-char *list;
-const char *item;
-int (*match_fn)(const char *, const char *);
-{
- char *tok;
- int match = NO;
-
- /*
- * Process tokens one at a time. We have exhausted all possible matches
- * when we reach an "EXCEPT" token or the end of the list. If we do find
- * a match, look for an "EXCEPT" list and recurse to determine whether
- * the match is affected by any exceptions.
- */
-
- for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
- if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
- break;
- if ((match = (*match_fn)(tok, item)) != NULL) /* YES */
- break;
- }
- /* Process exceptions to matches. */
-
- if (match != NO) {
- while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
- /* VOID */ ;
- if (tok == 0 || list_match((char *) 0, item, match_fn) == NO)
- return (match);
- }
- return (NO);
-}
-
-/* netgroup_match - match group against machine or user */
-
-static int netgroup_match(group, machine, user)
-const char *group __unused;
-const char *machine __unused;
-const char *user __unused;
-{
- syslog(LOG_ERR, "NIS netgroup support not configured");
- return 0;
-}
-
-/* user_match - match a username against one token */
-
-static int user_match(tok, string)
-const char *tok;
-const char *string;
-{
- struct group *group;
- int i;
-
- /*
- * If a token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the username, or if
- * the token is a group that contains the username.
- */
-
- if (tok[0] == '@') { /* netgroup */
- return (netgroup_match(tok + 1, (char *) 0, string));
- } else if (string_match(tok, string)) { /* ALL or exact match */
- return (YES);
- } else if ((group = getgrnam(tok)) != NULL) {/* try group membership */
- for (i = 0; group->gr_mem[i]; i++)
- if (strcasecmp(string, group->gr_mem[i]) == 0)
- return (YES);
- }
- return (NO);
-}
-
-/* from_match - match a host or tty against a list of tokens */
-
-static int from_match(tok, string)
-const char *tok;
-const char *string;
-{
- int tok_len;
- int str_len;
-
- /*
- * If a token has the magic value "ALL" the match always succeeds. Return
- * YES if the token fully matches the string. If the token is a domain
- * name, return YES if it matches the last fields of the string. If the
- * token has the magic value "LOCAL", return YES if the string does not
- * contain a "." character. If the token is a network number, return YES
- * if it matches the head of the string.
- */
-
- if (tok[0] == '@') { /* netgroup */
- return (netgroup_match(tok + 1, string, (char *) 0));
- } else if (string_match(tok, string)) { /* ALL or exact match */
- return (YES);
- } else if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
- && strcasecmp(tok, string + str_len - tok_len) == 0)
- return (YES);
- } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
- if (strchr(string, '.') == 0)
- return (YES);
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */
- && strncmp(tok, string, tok_len) == 0) {
- return (YES);
- }
- return (NO);
-}
-
-/* string_match - match a string against one token */
-
-static int string_match(tok, string)
-const char *tok;
-const char *string;
-{
-
- /*
- * If the token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the string.
- */
-
- if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
- return (YES);
- } else if (strcasecmp(tok, string) == 0) { /* try exact match */
- return (YES);
- }
- return (NO);
-}
-#endif /* LOGIN_ACCES */