Date:      Wed, 18 Oct 2006 15:17:47 -0700 (PDT)
From:      Nick Barkas <snb@threerings.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/104553: [PATCH] Add login group support to login.access(5)
Message-ID:  <20061018221747.4444B6680@smtp.earth.threerings.net>
Resent-Message-ID: <200610182220.k9IMKFtZ056413@freefall.freebsd.org>


>Number:         104553
>Category:       bin
>Synopsis:       [PATCH] Add login group support to login.access(5)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 18 22:20:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD freebsd-current.sea.earth.threerings.net 7.0-CURRENT FreeBSD
7.0-CURRENT #6: Fri Jul 28 23:15:01 PDT 2006
root@freebsd-current.sea.earth.threerings.net:/usr/obj/usr/src/sys/TEST  i386

>Description:
I use /etc/login.access to control access to machines based on what groups users
are in. Only certain groups are permitted access. If a user is a member of a
group, but it is their primary or login group, login.access will not permit them
to log in. Group-based access control only works if the group(s) given in
/etc/login.access have the users in their **gr_mem struct member.

This behavior is documented in login.access(5) and comments in
/etc/login.access, but it would be nice if the group access control worked for
login groups.
>How-To-Repeat:
Put a line like this in /etc/login.access:
-:ALL EXCEPT wheel foogroup:ALL

If user foo has a password file entry like this:
foo:*:1001:1001:Test User:/home/foo:/bin/sh

and foogroup has a group file entry like this:
foogroup:*:1001:

user foo will not be able to log in, despite the fact that the user is in group
foogroup.
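Added example (not from the PR or the FreeBSD sources): a self-contained C model of user_match() over constructed passwd and group tables holding the entries from How-To-Repeat plus a hypothetical user "orphan" whose primary gid has no group entry. It shows the rule above denying foo under gr_mem-only matching, admitting foo once the login group is consulted, and staying safe where a real getgrgid() would return NULL.

```c
/* Added example (not the PR's patch nor FreeBSD code): a self-contained model
 * of user_match() from login_access.c over constructed passwd/group tables.
 * It shows why "foo" (primary gid 1001, no gr_mem entry) fails the old check
 * and passes the login-group check, and guards the getgrgid() NULL case. */
#include <string.h>
#include <strings.h>
#define YES 1
#define NO  0
struct pw { const char *name; int gid; };
struct gr { const char *name; int gid; const char *mem[3]; };
/* Constructed tables mirroring the PR's How-To-Repeat entries; "orphan" has a
 * primary gid with no group entry, the case the patch must not crash on. */
static const struct pw passwd_tab[] = {
    { "foo", 1001 }, { "bar", 1002 }, { "orphan", 4242 }, { NULL, 0 } };
static const struct gr group_tab[] = {
    { "foogroup", 1001, { NULL } }, { "wheel", 0, { "bar", NULL } },
    { NULL, 0, { NULL } } };
static const struct pw *getpw(const char *n) {        /* stand-in for getpwnam */
    for (const struct pw *p = passwd_tab; p->name; p++)
        if (strcmp(p->name, n) == 0) return p;
    return NULL;
}
static const struct gr *getgr(const char *n, int gid) { /* getgrnam/getgrgid */
    for (const struct gr *g = group_tab; g->name; g++)
        if (n ? strcmp(g->name, n) == 0 : g->gid == gid) return g;
    return NULL;
}
/* login_group: 0 = pre-patch semantics (explicit gr_mem members only),
 * 1 = patched semantics (also the user's primary group from passwd). */
int user_match(const char *tok, const char *user, int login_group) {
    const struct gr *g;
    const struct pw *p;
    if (strcasecmp(tok, "ALL") == 0 || strcasecmp(tok, user) == 0)
        return YES;
    if ((g = getgr(tok, -1)) != NULL)
        for (int i = 0; g->mem[i]; i++)
            if (strcasecmp(user, g->mem[i]) == 0) return YES;
    /* The PR dereferences getgrgid() without a NULL check; this does not. */
    if (login_group && (p = getpw(user)) != NULL && (g = getgr(NULL, p->gid)))
        return strcasecmp(tok, g->name) == 0 ? YES : NO;
    return NO;
}
/* Evaluate the PR's rule "-:ALL EXCEPT wheel foogroup:ALL": the user is
 * permitted only if one of the EXCEPT tokens matches. */
int permitted(const char *user, int login_group) {
    const char *except[] = { "wheel", "foogroup", NULL };
    for (int i = 0; except[i]; i++)
        if (user_match(except[i], user, login_group)) return YES;
    return NO;
}
```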
>Fix:
Here are patches against -CURRENT to code and documentation that will fix this:

--- src/etc/login.access.orig	Sun Jun  6 04:46:27 2004
+++ src/etc/login.access	Wed Oct 18 14:46:19 2006
@@ -24,9 +24,10 @@
 #
 # The EXCEPT operator makes it possible to write very compact rules.
 #
-# The group file is searched only when a name does not match that of the
-# logged-in user. Only groups are matched in which users are explicitly
-# listed: the program does not look at a user's primary group id value.
+# The user's groups are checked against the name(s) in the second field
+# only when it/they do not match the user's login name.  Each group the
+# user is in, including his or her login group, will be checked until the
+# first match is found.
 #
 ##############################################################################
 #
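Review bot: the replacement comment drops the only warning that this is a behaviour change for existing configurations. A deployed rule such as "-:ALL EXCEPT wheel:ALL" previously admitted only users listed in wheel's member field; after this patch it also admits every account whose passwd primary gid is wheel's, and an administrator reading the shipped file gets no hint of that. Suggest adding a sentence to the new text, e.g. "Note that the login group is taken from the gid field of the user's password file entry, so a rule naming a group now matches users whose primary group it is even if they are not listed in the group file."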
--- src/lib/libpam/modules/pam_login_access/login.access.5.orig	Mon Sep 25 18:26:25 2006
+++ src/lib/libpam/modules/pam_login_access/login.access.5	Wed Oct 18 14:27:12 2006
@@ -41,10 +41,10 @@
 .Pp
 The EXCEPT operator makes it possible to write very compact rules.
 .Pp
-The group file is searched only when a name does not match that of the
-logged-in user.
-Only groups are matched in which users are explicitly
-listed: the program does not look at a user's primary group id value.
+The user's groups are checked against the name(s) in the second field 
+only when it/they do not match the user's login name. 
+Each group the user is in, including his or her login group, will be 
+checked until the first match is found.
 .Sh FILES
 .Bl -tag -width /etc/login.access -compact
 .It Pa /etc/login.access
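Review bot: the three added lines "The user's groups are checked...", "only when it/they...", and "Each group the user is in..." carry trailing whitespace, and "the name(s) in the second field only when it/they do not match" reads awkwardly in a manual page. Suggest: "The user's groups are consulted only when the name in the second field does not match the login name. Each group the user belongs to, including the login group from the password file, is checked until the first match is found." Naming the password file makes clear to administrators that the primary gid now counts, which the removed sentence explicitly said it did not.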
--- src/lib/libpam/modules/pam_login_access/login_access.c.orig	Wed Oct 18 12:19:37 2006
+++ src/lib/libpam/modules/pam_login_access/login_access.c	Wed Oct 18 14:02:24 2006
@@ -20,6 +20,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <grp.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -156,6 +157,7 @@
 user_match(const char *tok, const char *string)
 {
     struct group *group;
+    struct passwd *pw;
     int     i;
 
     /*
@@ -172,6 +174,13 @@
 	for (i = 0; group->gr_mem[i]; i++)
 	    if (strcasecmp(string, group->gr_mem[i]) == 0)
 		return (YES);
+    } 
+    /* Check if the user's login group matches token. */
+    if ((pw = getpwnam(string)) != NULL) {
+        group = getgrgid(pw->pw_gid);
+        if (strcasecmp(tok, group->gr_name) == 0) {
+            return(YES);
+        }
     }
     return (NO);
 }
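Review bot: `group = getgrgid(pw->pw_gid)` in the new block is dereferenced as `group->gr_name` with no NULL check, so a user whose primary gid has no entry in the group file (or any transient failure of the group database) makes user_match() crash the calling login, sshd or other PAM client instead of returning NO; test the pointer first, e.g. `if (group != NULL && strcasecmp(tok, group->gr_name) == 0)`. The check also runs unconditionally after the gr_mem loop, so getpwnam() and getgrgid() are called for every token even when tok is not a group name at all; gating it on tok having resolved as a group would avoid the extra lookups. Style: the added lines use four-space indentation, `return(YES)` without a space and leave a trailing blank after `} `, where the surrounding code and style(9) use tabs and `return (YES)`.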

>Release-Note:
>Audit-Trail:
>Unformatted:


