Page MenuHomeFreeBSD
Files F145137842

D23198.id67304.diff
No OneTemporary
Actions

D23198.id67304.diff
View Options

Index: lib/libpam/modules/pam_login_access/login.access.5
===================================================================
--- lib/libpam/modules/pam_login_access/login.access.5
+++ lib/libpam/modules/pam_login_access/login.access.5
@@ -31,7 +31,13 @@
character.
.Pp
The second field should be a list of one or more login names,
-group names, or ALL (always matches).
+group names, or ALL (always matches). Group names must be enclosed in
+parentheses if the pam module specification for
+.Pa pam_login_access
+specifies the
+.Pa nodefgroup
+option.
+Otherwise group names will only match if no usernames match.
.Pp
The third field should be a list
of one or more tty names (for non-networked logins), host names, domain
Index: lib/libpam/modules/pam_login_access/login_access.c
===================================================================
--- lib/libpam/modules/pam_login_access/login_access.c
+++ lib/libpam/modules/pam_login_access/login_access.c
@@ -31,29 +31,25 @@
#include "pam_login_access.h"
-#define _PATH_LOGACCESS "/etc/login.access"
-
- /* Delimiters for fields and for lists of users, ttys or hosts. */
-
-static char fs[] = ":"; /* field separator */
-static char sep[] = ", \t"; /* list-element separator */
-
/* Constants to be used in assignments only, not in comparisons... */
-#define YES 1
-#define NO 0
+#define YES true
+#define NO false
-static int from_match(const char *, const char *);
+static int from_match(const char *, const char *, struct pam_login_access_options *);
static int list_match(char *, const char *,
- int (*)(const char *, const char *));
+ int (*)(const char *, const char *,
+ struct pam_login_access_options *),
+ struct pam_login_access_options *);
static int netgroup_match(const char *, const char *, const char *);
static int string_match(const char *, const char *);
-static int user_match(const char *, const char *);
+static int user_match(const char *, const char *, struct pam_login_access_options *);
+static int group_match(const char *, const char *);
/* login_access - match username/group and host/tty with access control file */
int
-login_access(const char *user, const char *from)
+login_access(const char *user, const char *from, struct pam_login_access_options *login_access_opts)
{
FILE *fp;
char line[BUFSIZ];
@@ -72,12 +68,12 @@
* non-existing table means no access control.
*/
- if ((fp = fopen(_PATH_LOGACCESS, "r")) != NULL) {
+ if ((fp = fopen(login_access_opts->accessfile, "r")) != NULL) {
while (!match && fgets(line, sizeof(line), fp)) {
lineno++;
if (line[end = strlen(line) - 1] != '\n') {
syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
- _PATH_LOGACCESS, lineno);
+ login_access_opts->accessfile, lineno);
continue;
}
if (line[0] == '#')
@@ -87,25 +83,25 @@
line[end] = 0; /* strip trailing whitespace */
if (line[0] == 0) /* skip blank lines */
continue;
- if (!(perm = strtok(line, fs))
- || !(users = strtok((char *) 0, fs))
- || !(froms = strtok((char *) 0, fs))
- || strtok((char *) 0, fs)) {
- syslog(LOG_ERR, "%s: line %d: bad field count", _PATH_LOGACCESS,
+ if (!(perm = strtok(line, login_access_opts->fieldsep))
+ || !(users = strtok((char *) 0, login_access_opts->fieldsep))
+ || !(froms = strtok((char *) 0, login_access_opts->fieldsep))
+ || strtok((char *) 0, login_access_opts->fieldsep)) {
+ syslog(LOG_ERR, "%s: line %d: bad field count", login_access_opts->accessfile,
lineno);
continue;
}
if (perm[0] != '+' && perm[0] != '-') {
- syslog(LOG_ERR, "%s: line %d: bad first field", _PATH_LOGACCESS,
+ syslog(LOG_ERR, "%s: line %d: bad first field", login_access_opts->accessfile,
lineno);
continue;
}
- match = (list_match(froms, from, from_match)
- && list_match(users, user, user_match));
+ match = (list_match(froms, from, from_match, login_access_opts)
+ && list_match(users, user, user_match, login_access_opts));
}
(void) fclose(fp);
} else if (errno != ENOENT) {
- syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
+ syslog(LOG_ERR, "cannot open %s: %m", login_access_opts->accessfile);
}
return (match == 0 || (line[0] == '+'));
}
@@ -114,7 +110,8 @@
static int
list_match(char *list, const char *item,
- int (*match_fn)(const char *, const char *))
+ int (*match_fn)(const char *, const char *, struct pam_login_access_options *),
+ struct pam_login_access_options *login_access_opts)
{
char *tok;
int match = NO;
@@ -126,18 +123,19 @@
* the match is affected by any exceptions.
*/
- for (tok = strtok(list, sep); tok != NULL; tok = strtok((char *) 0, sep)) {
+ for (tok = strtok(list, login_access_opts->listsep); tok != NULL; tok = strtok((char *) 0, login_access_opts->listsep)) {
if (strcmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
break;
- if ((match = (*match_fn)(tok, item)) != 0) /* YES */
+ if ((match = (*match_fn)(tok, item, login_access_opts)) != 0) /* YES */
break;
}
/* Process exceptions to matches. */
if (match != NO) {
- while ((tok = strtok((char *) 0, sep)) && strcmp(tok, "EXCEPT"))
+ while ((tok = strtok((char *) 0, login_access_opts->listsep)) && strcmp(tok, "EXCEPT"))
/* VOID */ ;
- if (tok == NULL || list_match((char *) 0, item, match_fn) == NO)
+ if (tok == NULL || list_match((char *) 0, item, match_fn,
+ login_access_opts) == NO)
return (match);
}
return (NO);
@@ -170,16 +168,56 @@
return (NO);
}
-/* user_match - match a username against one token */
+/* group_match - match a group against one token */
-static int
-user_match(const char *tok, const char *string)
+int
+group_match(const char *tok, const char *string)
{
struct group *group;
struct passwd *passwd;
gid_t *grouplist;
- int ngroups = NGROUPS;
- int i;
+ int i, ngroups = NGROUPS;
+
+ if ((passwd = getpwnam(string)) == NULL) {
+ return (NO);
+ }
+ errno = 0;
+ if ((group = getgrnam(tok)) == NULL) {
+ if (errno != 0) {
+ syslog(LOG_ERR, "getgrnam() failed for %s: %s", string, strerror(errno));
+ } else {
+ syslog(LOG_NOTICE, "group not found: %s", string);
+ }
+ return (NO);
+ }
+ if ((grouplist = calloc(ngroups, sizeof(gid_t))) == NULL) {
+ syslog(LOG_ERR, "cannot allocate memory for grouplist: %s", string);
+ return (NO);
+ }
+ if (getgrouplist(string, passwd->pw_gid, grouplist, &ngroups) != 0) {
+ syslog(LOG_ERR, "getgrouplist() failed for %s", string);
+ free(grouplist);
+ return (NO);
+ }
+ for (i = 0; i < ngroups; i++) {
+ if (grouplist[i] == group->gr_gid) {
+ free(grouplist);
+ return (YES);
+ }
+ }
+ free(grouplist);
+ return (NO);
+}
+
+/* user_match - match a username against one token */
+
+static int
+user_match(const char *tok, const char *string,
+ struct pam_login_access_options *login_access_opts)
+{
+ size_t stringlen;
+ char *grpstr;
+ int rc;
/*
* If a token has the magic value "ALL" the match always succeeds.
@@ -189,39 +227,20 @@
if (tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, (char *) 0, string));
- } else if (string_match(tok, string)) { /* ALL or exact match */
- return (YES);
- } else {
- if ((passwd = getpwnam(string)) == NULL)
- return (NO);
- errno = 0;
- if ((group = getgrnam(tok)) == NULL) {/* try group membership */
- if (errno != 0) {
- syslog(LOG_ERR, "getgrnam() failed for %s: %s", string, strerror(errno));
- } else {
- syslog(LOG_NOTICE, "group not found: %s", string);
- }
- return (NO);
- }
- errno = 0;
- if ((grouplist = calloc(ngroups, sizeof(gid_t))) == NULL) {
+ } else if (tok[0] == '(' && tok[(stringlen = strlen(&tok[1]))] == ')') { /* group */
+ if ((grpstr = strndup(&tok[1], stringlen - 1)) == NULL) {
if (errno == ENOMEM) {
- syslog(LOG_ERR, "cannot allocate memory for grouplist: %s", string);
+ syslog(LOG_ERR, "cannot allocate memory for %s", string);
}
return (NO);
}
- if (getgrouplist(string, passwd->pw_gid, grouplist, &ngroups) != 0) {
- syslog(LOG_ERR, "getgrouplist() failed for %s", string);
- free(grouplist);
- return (NO);
- }
- for (i = 0; i < ngroups; i++) {
- if (grouplist[i] == group->gr_gid) {
- free(grouplist);
- return (YES);
- }
- }
- free(grouplist);
+ rc = group_match(grpstr, string);
+ free(grpstr);
+ return (rc);
+ } else if (string_match(tok, string)) { /* ALL or exact match */
+ return (YES);
+ } else if (login_access_opts->defgroup == true) {/* try group membership */
+ return (group_match(tok, string) == YES);
}
return (NO);
}
@@ -229,7 +248,8 @@
/* from_match - match a host or tty against a list of tokens */
static int
-from_match(const char *tok, const char *string)
+from_match(const char *tok, const char *string,
+ struct pam_login_access_options *login_access_opts __unused)
{
int tok_len;
int str_len;
Index: lib/libpam/modules/pam_login_access/pam_login_access.h
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.h
+++ lib/libpam/modules/pam_login_access/pam_login_access.h
@@ -38,4 +38,15 @@
* $FreeBSD$
*/
-extern int login_access(const char *, const char *);
+#include <stdbool.h>
+
+struct pam_login_access_options {
+ bool defgroup;
+ bool audit;
+ const char *accessfile;
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+ const char *fieldsep; /* field separator */
+ const char *listsep; /* list-element separator */
+};
+
+extern int login_access(const char *, const char *, struct pam_login_access_options *);
Index: lib/libpam/modules/pam_login_access/pam_login_access.8
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.8
+++ lib/libpam/modules/pam_login_access/pam_login_access.8
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 24, 2002
+.Dd March 2, 2019
.Dt PAM_LOGIN_ACCESS 8
.Os
.Sh NAME
@@ -68,8 +68,37 @@
remote host (in the case of a remote login), according to the
restrictions listed in
.Xr login.access 5 .
+.Bl -tag -width ".Cm nodefgroup"
+.It Cm accessfile Ns = Ns Ar pathname
+specifies a non-standard location for the
+.Pa login.access
+configuration file
+(normally located in
+.Pa /etc/login.access ) .
+.It Cm nodefgroup
+only matches users not enclosed in parentheses, requiring groups be
+specified in parentheses.
+This is not backwards compatible with legacy
+.Pa login.access
+configuration files.
+However this mitigates confusion between users and
+groups of the same name.
+.Xr syslog 3 .
+.It Cm fieldsep Ns = Ns Ar separators
+changes the field separator from the default ":". More than one separator
+may be specified.
+.It Cm listsep Ns = Ns Ar separators
+changes the field separator from the default space (''), tab (\\t) and
+comma (,).
+More than one separator may be specified.
+For example, listsep=;
+will replace the default with a semicolon (;).
+This option may be useful when specifying Active Directory groupnames which
+typically contain spaces.
+.El
.Sh SEE ALSO
.Xr pam 3 ,
+.Xr syslog 3 ,
.Xr login.access 5 ,
.Xr pam.conf 5
.Sh AUTHORS
Index: lib/libpam/modules/pam_login_access/pam_login_access.c
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.c
+++ lib/libpam/modules/pam_login_access/pam_login_access.c
@@ -42,6 +42,7 @@
#define _BSD_SOURCE
#include <sys/param.h>
+#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
@@ -51,13 +52,25 @@
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
+#include <security/openpam.h>
#include "pam_login_access.h"
+#define OPT_ACCESSFILE "accessfile"
+#define OPT_NOAUDIT "noaudit"
+#define OPT_FIELDSEP "fieldsep"
+#define OPT_LISTSEP "listsep"
+#define OPT_NODEFGROUP "nodefgroup"
+
+#define _PATH_LOGACCESS "/etc/login.access"
+#define _FIELD_SEPARATOR ":"
+#define _LIST_SEPARATOR ", \t"
+
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
+ struct pam_login_access_options login_access_opts;
const void *rhost, *tty, *user;
char hostname[MAXHOSTNAMELEN];
int pam_err;
@@ -80,25 +93,33 @@
return (pam_err);
gethostname(hostname, sizeof hostname);
+ login_access_opts.defgroup = openpam_get_option(pamh, OPT_NODEFGROUP) == NULL ? true : false;
+ login_access_opts.audit = openpam_get_option(pamh, OPT_NOAUDIT) == NULL ? true : false;
+ if ((login_access_opts.accessfile = openpam_get_option(pamh, OPT_ACCESSFILE)) == NULL)
+ login_access_opts.accessfile = _PATH_LOGACCESS;
+ if ((login_access_opts.fieldsep = openpam_get_option(pamh, OPT_FIELDSEP)) == NULL)
+ login_access_opts.fieldsep = _FIELD_SEPARATOR;
+ if ((login_access_opts.listsep = openpam_get_option(pamh, OPT_LISTSEP)) == NULL)
+ login_access_opts.listsep = _LIST_SEPARATOR;
if (rhost != NULL && *(const char *)rhost != '\0') {
PAM_LOG("Checking login.access for user %s from host %s",
(const char *)user, (const char *)rhost);
- if (login_access(user, rhost) != 0)
+ if (login_access(user, rhost, &login_access_opts) != 0)
return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("%s is not allowed to log in from %s",
(const char *)user, (const char *)rhost);
} else if (tty != NULL && *(const char *)tty != '\0') {
PAM_LOG("Checking login.access for user %s on tty %s",
(const char *)user, (const char *)tty);
- if (login_access(user, tty) != 0)
+ if (login_access(user, tty, &login_access_opts) != 0)
return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
(const char *)user, (const char *)tty);
} else {
PAM_LOG("Checking login.access for user %s",
(const char *)user);
- if (login_access(user, "***unknown***") != 0)
+ if (login_access(user, "***unknown***", &login_access_opts) != 0)
return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("%s is not allowed to log in",
(const char *)user);

File Metadata

Mime Type
text/plain
Expires
Tue, Feb 17, 8:45 AM (14 h, 47 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
28808863
Default Alt Text
D23198.id67304.diff (13 KB)

Event Timeline