Date: Wed, 18 Oct 2006 15:17:47 -0700 (PDT) From: Nick Barkas <snb@threerings.net> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/104553: [PATCH] Add login group support to login.access(5) Message-ID: <20061018221747.4444B6680@smtp.earth.threerings.net> Resent-Message-ID: <200610182220.k9IMKFtZ056413@freefall.freebsd.org>
>Number:         104553
>Category:       bin
>Synopsis:       [PATCH] Add login group support to login.access(5)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 18 22:20:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD freebsd-current.sea.earth.threerings.net 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Fri Jul 28 23:15:01 PDT 2006 root@freebsd-current.sea.earth.threerings.net:/usr/obj/usr/src/sys/TEST i386
>Description:
I use /etc/login.access to control access to machines based on what groups users are in. Only certain groups are permitted access. If a user is a member of a group, but it is their primary or login group, login.access will not permit them to log in. Group based access control only works if the group(s) given in /etc/login.access have the users in their **gr_mem struct member. This behavior is documented in login.access(5) and comments in /etc/login.access, but it would be nice if the group access control worked for login groups.
>How-To-Repeat:
Put a line like this in /etc/login.access:

-:ALL EXCEPT wheel foogroup:ALL

If user foo has a password file entry like this:

foo:*:1001:1001:Test User:/home/foo:/bin/sh

and foogroup has a group file entry like this:

foogroup:*:1001:

user foo will not be able to log in, despite the fact that the user is in group foogroup.
>Fix:
Here are patches against -CURRENT to code and documentation that will fix this:

--- src/etc/login.access.orig Sun Jun 6 04:46:27 2004 +++ src/etc/login.access Wed Oct 18 14:46:19 2006 
@@ -24,9 +24,10 @@ # # The EXCEPT operator makes it possible to write very compact rules. # -# The group file is searched only when a name does not match that of the -# logged-in user. Only groups are matched in which users are explicitly -# listed: the program does not look at a user's primary group id value. +# The user's groups are checked against the name(s) in the second field +# only when it/they do not match the user's login name. Each group the +# user is in, including his or her login group, will be checked until the +# first match is found. # ############################################################################## # --- src/lib/libpam/modules/pam_login_access/login.access.5.orig Mon Sep 25 18:26:25 2006 +++ src/lib/libpam/modules/pam_login_access/login.access.5 Wed Oct 18 14:27:12 2006 @@ -41,10 +41,10 @@ .Pp The EXCEPT operator makes it possible to write very compact rules. .Pp -The group file is searched only when a name does not match that of the -logged-in user. -Only groups are matched in which users are explicitly -listed: the program does not look at a user's primary group id value. +The user's groups are checked against the name(s) in the second field +only when it/they do not match the user's login name. +Each group the user is in, including his or her login group, will be +checked until the first match is found. .Sh FILES .Bl -tag -width /etc/login.access -compact .It Pa /etc/login.access --- src/lib/libpam/modules/pam_login_access/login_access.c.orig Wed Oct 18 12:19:37 2006 +++ src/lib/libpam/modules/pam_login_access/login_access.c Wed Oct 18 14:02:24 2006 @@ -20,6 +20,7 @@ #include <ctype.h> #include <errno.h> #include <grp.h> +#include <pwd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -156,6 +157,7 @@ user_match(const char *tok, const char *string) { struct group *group; + struct passwd *pw; int i; /* 
@@ -172,6 +174,13 @@ for (i = 0; group->gr_mem[i]; i++) if (strcasecmp(string, group->gr_mem[i]) == 0) return (YES); + } + /* Check if the user's login group matches token. */ + if ((pw = getpwnam(string)) != NULL) { + group = getgrgid(pw->pw_gid); + if (strcasecmp(tok, group->gr_name) == 0) { + return(YES); + } } return (NO); } >Release-Note: >Audit-Trail: >Unformatted:
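Review bot: the login-group check in the `@@ -172,6 +174,13 @@` hunk of login_access.c dereferences `group->gr_name` without testing the `getgrgid()` result, so a user whose pw_gid has no entry in the group database makes the PAM module fault on a NULL pointer instead of simply not matching; guard the lookup, e.g. `if ((pw = getpwnam(string)) != NULL && (group = getgrgid(pw->pw_gid)) != NULL && strcasecmp(tok, group->gr_name) == 0) return (YES);`. The added lines also drift from the surrounding style: `return(YES);` lacks the space that the `return (YES);` two lines above and style(9) use, and the braces around a single-statement `if` are absent on the neighbouring `if (strcasecmp(string, group->gr_mem[i]) == 0)`. Reassigning `group` here overwrites the earlier `getgrnam()` result; that is fine only because nothing after this point reads it again, which is worth a short comment.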
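Review bot: the replacement text in the login.access.5 hunk (`@@ -41,10 +41,10 @@`) and in the matching src/etc/login.access comment hunk reads awkwardly ("it/they", "his or her") and never states what a group match now means for a reader who did not follow this change. A tighter wording that fits both places and keeps the file comment and the manual page identical would be: "The group file is searched only when a name does not match that of the logged-in user. A group matches if the user is explicitly listed as a member or if it is the user's login group (the group id in the password file)."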
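The How-To-Repeat scenario above, modelled in Python as an added example (not FreeBSD's code and not the submitter's): PASSWD and GROUPS are constructed stand-ins for the passwd and group files, `login_groups=False` reproduces the existing gr_mem-only matching and `login_groups=True` the behaviour the patch proposes, including the case the patch does not guard, a login gid with no group entry.

```python
"""Model of login.access(5) user matching (added example, not FreeBSD code).
PASSWD/GROUPS are constructed stand-ins for /etc/passwd and /etc/group."""

PASSWD = {"foo": 1001, "alice": 1002, "root": 0, "bob": 4242}  # name -> pw_gid
GROUPS = {                                   # name -> (gid, explicit gr_mem)
    "wheel": (0, ["root", "alice"]),
    "foogroup": (1001, []),                  # foo is in it only via pw_gid
}                                            # gid 4242 has no group entry

def user_match(tok, user, login_groups=False):
    """Mirror user_match() in login_access.c: a token matches the login name
    or a group whose gr_mem lists the user (case-insensitive, as strcasecmp).
    With login_groups=True the login group also matches, as the PR proposes;
    a gid with no group entry (getgrgid() returning NULL) is simply a miss."""
    if tok.lower() == user.lower():
        return True
    grp = GROUPS.get(tok)
    if grp is not None and any(m.lower() == user.lower() for m in grp[1]):
        return True
    if login_groups and user in PASSWD:
        gid = PASSWD[user]
        login_grp = next((n for n, (g, _) in GROUPS.items() if g == gid), None)
        if login_grp is not None and login_grp.lower() == tok.lower():
            return True
    return False

def list_match(tokens, user, login_groups=False):
    """Evaluate a users field as list_match() does: a match before EXCEPT
    stands unless the user also matches one of the tokens after it."""
    toks = tokens.split()
    upper = [t.upper() for t in toks]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(toks)
    matched = any(t.upper() == "ALL" or user_match(t, user, login_groups)
                  for t in toks[:cut])
    if matched and cut < len(toks):
        return not list_match(" ".join(toks[cut + 1:]), user, login_groups)
    return matched

def login_allowed(rules, user, login_groups=False):
    """Walk login.access lines 'perm:users:origins' in order; the first rule
    whose users field matches decides, and no match grants access. Origins
    are not modelled, since the PR's rule uses ALL there."""
    for line in rules:
        perm, users, _origins = line.split(":", 2)
        if list_match(users, user, login_groups):
            return perm == "+"
    return True

RULES = ["-:ALL EXCEPT wheel foogroup:ALL"]  # the line from the How-To-Repeat
```

With the current semantics `login_allowed(RULES, "foo")` is False and with the login-group check it is True, while bob, whose gid 4242 names no group, is denied either way rather than crashing the check.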