Date: Fri, 3 Aug 2007 10:36:08 GMT
From: Matthijs Kooijman <matthijs@stdin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/115162: [libpam] [patch] Add check for target user's group list to pam_group
Message-ID: <200708031036.l73Aa8jM047178@www.freebsd.org>
Resent-Message-ID: <200708031040.l73Ae1Xm005761@freefall.freebsd.org>
>Number:         115162
>Category:       kern
>Synopsis:       [libpam] [patch] Add check for target user's group list to pam_group
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 03 10:40:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Matthijs Kooijman
>Release:        6.2-RELEASE
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007 matthijs@zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a i386
>Description:
The attached patch adds a "target" option to the pam_group module. This option makes pam_group do its checks against the target user's group list instead of the applicant's group list. This behaviour can be used to limit user logins to a specific group for networked services, where there is no identified applicant yet, such as for ssh logins.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- pam_group.c.orig Wed Aug 1 20:43:51 2007 +++ pam_group.c.target Wed Aug 1 21:56:37 2007 @@ -69,10 +69,14 @@ if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only")) return (PAM_IGNORE); - /* get applicant */ - if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS - || ruser == NULL || (pwd = getpwnam(ruser)) == NULL) - return (PAM_AUTH_ERR); + /* get applicant, unless we should compare with the target account */ + if (!openpam_get_option(pamh, "target")) + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS + || ruser == NULL || (pwd = getpwnam(ruser)) == NULL) + return (PAM_AUTH_ERR); + + /* Note that if the target option is set, pwd will contain the target + account instead of applicant's account now */ /* get regulating group */ if ((group = openpam_get_option(pamh, "group")) == NULL)

>Release-Note:
>Audit-Trail:
>Unformatted:
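Review bot: the new outer `if (!openpam_get_option(pamh, "target"))` wraps a multi-line inner `if` without braces, which is easy to misread and fragile under later edits; wrap the applicant lookup in braces, i.e. `if (!openpam_get_option(pamh, "target")) {` ... `}` around the `pam_get_item`/`getpwnam` block and its `return (PAM_AUTH_ERR);`. The change also introduces a new module option without touching the pam_group(8) manual page, so `target` and its semantics (the group membership of the target account is checked and `PAM_RUSER` is not consulted at all) should be documented next to `group` and `root_only`, since an administrator reading only the existing page would expect the applicant to be checked. The target path relies on `pwd` already holding the target account's entry from earlier in the function, which the preceding `pwd->pw_uid != 0` check confirms, so no additional NULL check is needed there; the comment added after the block states this correctly.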
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200708031036.l73Aa8jM047178>