From owner-freebsd-bugs@FreeBSD.ORG Wed Oct 18 22:20:21 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30F8E16A416 for ; Wed, 18 Oct 2006 22:20:21 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0158343D53 for ; Wed, 18 Oct 2006 22:20:15 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k9IMKFZv056414 for ; Wed, 18 Oct 2006 22:20:15 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k9IMKFtZ056413; Wed, 18 Oct 2006 22:20:15 GMT (envelope-from gnats)
Resent-Date: Wed, 18 Oct 2006 22:20:15 GMT
Resent-Message-Id: <200610182220.k9IMKFtZ056413@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nick Barkas
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD6C616A40F for ; Wed, 18 Oct 2006 22:17:47 +0000 (UTC) (envelope-from snb@smtp.earth.threerings.net)
Received: from smtp.earth.threerings.net (mail.threerings.net [64.127.109.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C9D543D4C for ; Wed, 18 Oct 2006 22:17:47 +0000 (GMT) (envelope-from snb@smtp.earth.threerings.net)
Received: by smtp.earth.threerings.net (Postfix, from userid 10038) id 4444B6680; Wed, 18 Oct 2006 15:17:47 -0700 (PDT)
Message-Id: <20061018221747.4444B6680@smtp.earth.threerings.net>
Date: Wed, 18 Oct 2006 15:17:47 -0700 (PDT)
From: Nick Barkas
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: bin/104553: [PATCH] Add login group support to login.access(5)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Nick Barkas
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 18 Oct 2006 22:20:21 -0000

>Number:         104553
>Category:       bin
>Synopsis:       [PATCH] Add login group support to login.access(5)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 18 22:20:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD freebsd-current.sea.earth.threerings.net 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Fri Jul 28 23:15:01 PDT 2006 root@freebsd-current.sea.earth.threerings.net:/usr/obj/usr/src/sys/TEST i386
>Description:
I use /etc/login.access to control access to machines based on what groups users are in. Only certain groups are permitted access. If a user is a member of a group, but it is their primary or login group, login.access will not permit them to log in. Group-based access control only works if the group(s) given in /etc/login.access have the users in their **gr_mem struct member. This behavior is documented in login.access(5) and comments in /etc/login.access, but it would be nice if the group access control worked for login groups.
>How-To-Repeat:
Put a line like this in /etc/login.access:

-:ALL EXCEPT wheel foogroup:ALL

If user foo has a password file entry like this:

foo:*:1001:1001:Test User:/home/foo:/bin/sh

and foogroup has a group file entry like this:

foogroup:*:1001:

user foo will not be able to log in, despite the fact that the user is in group foogroup.
>Fix: Here are patches against -CURRENT to code and documentation that will fix this: --- src/etc/login.access.orig Sun Jun 6 04:46:27 2004 +++ src/etc/login.access Wed Oct 18 14:46:19 2006 @@ -24,9 +24,10 @@ # # The EXCEPT operator makes it possible to write very compact rules. # -# The group file is searched only when a name does not match that of the -# logged-in user. Only groups are matched in which users are explicitly -# listed: the program does not look at a user's primary group id value. +# The user's groups are checked against the name(s) in the second field +# only when it/they do not match the user's login name. Each group the +# user is in, including his or her login group, will be checked until the +# first match is found. # ############################################################################## # --- src/lib/libpam/modules/pam_login_access/login.access.5.orig Mon Sep 25 18:26:25 2006 +++ src/lib/libpam/modules/pam_login_access/login.access.5 Wed Oct 18 14:27:12 2006 @@ -41,10 +41,10 @@ .Pp The EXCEPT operator makes it possible to write very compact rules. .Pp -The group file is searched only when a name does not match that of the -logged-in user. -Only groups are matched in which users are explicitly -listed: the program does not look at a user's primary group id value. +The user's groups are checked against the name(s) in the second field +only when it/they do not match the user's login name. +Each group the user is in, including his or her login group, will be +checked until the first match is found. .Sh FILES .Bl -tag -width /etc/login.access -compact .It Pa /etc/login.access --- src/lib/libpam/modules/pam_login_access/login_access.c.orig Wed Oct 18 12:19:37 2006 +++ src/lib/libpam/modules/pam_login_access/login_access.c Wed Oct 18 14:02:24 2006 @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include 
@@ -156,6 +157,7 @@ user_match(const char *tok, const char *string) { struct group *group; + struct passwd *pw; int i; /* @@ -172,6 +174,13 @@ for (i = 0; group->gr_mem[i]; i++) if (strcasecmp(string, group->gr_mem[i]) == 0) return (YES); + } + /* Check if the user's login group matches token. */ + if ((pw = getpwnam(string)) != NULL) { + group = getgrgid(pw->pw_gid); + if (strcasecmp(tok, group->gr_name) == 0) { + return(YES); + } } return (NO); } >Release-Note: >Audit-Trail: >Unformatted:
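Review bot: in the src/etc/login.access hunk, the new comment's "the name(s) in the second field only when it/they do not match" is hard to read; the surrounding comment already treats the second field as a list of login names and group names, so a single sentence such as "A group name in the second field matches when the user is listed in that group or when it is the user's login group from the passwd entry" states the new rule without the "it/they". The comment could also say that name matching is case-insensitive, which the code does with strcasecmp() but neither the old nor the new wording mentions.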
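Review bot: the header name on the added "+#include" line in the login_access.c @@ -20,6 +20,7 @@ hunk did not survive extraction here, so a reviewer cannot see what is being included; the new code uses getpwnam() and struct passwd, which are declared in <pwd.h>, so that is the header the line must name, and it is worth confirming the file does not already include it.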
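Review bot: in the @@ -172,6 +174,13 @@ hunk, getgrgid(pw->pw_gid) is dereferenced without a NULL check; a passwd entry whose gid has no line in the group file (not unusual on hosts with stale or locally edited group files) would make "strcasecmp(tok, group->gr_name)" crash the login process. Because login.access rules are consulted on every login, the failure mode is a denial of login for that user rather than an unintended permit, but it is still a crash in a PAM module. A simpler and safer form keeps the test inside the existing "if ((group = getgrnam(tok)) != NULL)" branch and compares ids instead of doing a second name lookup, roughly:

    if ((pw = getpwnam(string)) != NULL && pw->pw_gid == group->gr_gid)
        return (YES);

That avoids the extra getgrgid() call for every token, cannot dereference NULL, and keeps the login-group check from running when tok is a login name rather than a group name. Minor style point: the added "return(YES);" lacks the space before the parenthesis that the rest of the function uses.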
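To make the two matching behaviours in this PR concrete, here is an added example that is not part of the PR or of FreeBSD's login_access.c. It models user_match() against constructed passwd(5) and group(5) tables (fake_getpwnam/fake_getgrnam are stand-ins, not libc), reproduces the How-To-Repeat data for foo/foogroup, and evaluates the single rule "-:ALL EXCEPT wheel foogroup:ALL" with the login-group check switched off (current behaviour) and on (what the PR asks for). The login-group test compares gids against the group entry already looked up for the token, which is a variant of the PR's getgrgid() approach chosen so that a gid with no group entry fails to match instead of crashing; the "orphan" user exercises that case.

```c
#include <stdio.h>
#include <strings.h>

#define YES 1
#define NO  0

/* Constructed stand-ins for passwd(5) and group(5) entries (not the real
 * libc databases) so the example runs offline. "foo"/"foogroup" mirror the
 * PR's How-To-Repeat data; "orphan" has a gid with no group entry at all. */
struct fake_pw { const char *name; int gid; };
struct fake_gr { const char *name; int gid; const char *members[4]; };

static const struct fake_pw pw_db[] = {
    { "root",   0    },
    { "foo",    1001 },
    { "bar",    1002 },
    { "orphan", 9999 },
};

static const struct fake_gr gr_db[] = {
    { "wheel",    0,    { "root", "bar", NULL } },
    { "foogroup", 1001, { NULL } },   /* foo's login group, no gr_mem entries */
    { "bar",      1002, { NULL } },
};

static const struct fake_pw *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof(pw_db) / sizeof(pw_db[0]); i++)
        if (strcasecmp(pw_db[i].name, name) == 0)
            return &pw_db[i];
    return NULL;
}

static const struct fake_gr *fake_getgrnam(const char *name)
{
    for (size_t i = 0; i < sizeof(gr_db) / sizeof(gr_db[0]); i++)
        if (strcasecmp(gr_db[i].name, name) == 0)
            return &gr_db[i];
    return NULL;
}

/* Model of user_match(): a token matches the user when it equals the login
 * name, names a group that lists the user in gr_mem, or (only when
 * login_group is non-zero, the behaviour the PR asks for) names the user's
 * login group. The login-group test compares gids against the group entry
 * already looked up for the token, so a gid without a group entry simply
 * fails to match rather than dereferencing a NULL getgrgid() result. */
static int user_match(const char *tok, const char *user, int login_group)
{
    const struct fake_gr *gr;
    const struct fake_pw *pw;
    int i;

    if (strcasecmp(tok, user) == 0)
        return (YES);
    if ((gr = fake_getgrnam(tok)) != NULL) {
        for (i = 0; gr->members[i] != NULL; i++)
            if (strcasecmp(user, gr->members[i]) == 0)
                return (YES);
        if (login_group && (pw = fake_getpwnam(user)) != NULL &&
            pw->gid == gr->gid)
            return (YES);
    }
    return (NO);
}

/* Evaluates the PR's single rule "-:ALL EXCEPT wheel foogroup:ALL": the deny
 * rule covers every user except one matching a listed name, and with no
 * later rule a user the deny rule skips is permitted. Returns 1 = permit. */
static const char *except_list[] = { "wheel", "foogroup", NULL };

static int login_permitted(const char *user, int login_group)
{
    int i;

    for (i = 0; except_list[i] != NULL; i++)
        if (user_match(except_list[i], user, login_group) == YES)
            return 1;
    return 0;
}

int main(void)
{
    const char *users[] = { "root", "foo", "bar", "orphan" };
    int i;

    printf("%-8s %-12s %s\n", "user", "gr_mem only", "with login group");
    for (i = 0; i < 4; i++)
        printf("%-8s %-12s %s\n", users[i],
               login_permitted(users[i], 0) ? "permit" : "deny",
               login_permitted(users[i], 1) ? "permit" : "deny");
    return 0;
}
```

Run as-is, the table shows foo denied under gr_mem-only matching and permitted once the login group counts, root and bar permitted both ways through wheel's member list, and orphan denied both ways without a crash. Any real login.access change should also be checked with the deny rule's inverse (an explicit "+" rule) to confirm the login-group match does not widen access beyond the groups an administrator named.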