Date: Sat, 23 Aug 2014 11:40:41 +0000 (UTC) From: Dag-Erling Smørgrav <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r270401 - stable/10/lib/libpam/modules/pam_group Message-ID: <201408231140.s7NBef8H061800@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: des Date: Sat Aug 23 11:40:40 2014 New Revision: 270401 URL: http://svnweb.freebsd.org/changeset/base/270401 Log: MFH (r268888): fix false negative for empty groups PR: 109416 MFH (r268890): add support for "account" facility PR: 115164 Modified: stable/10/lib/libpam/modules/pam_group/pam_group.8 stable/10/lib/libpam/modules/pam_group/pam_group.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libpam/modules/pam_group/pam_group.8 ============================================================================== --- stable/10/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:40:18 2014 (r270400) +++ stable/10/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:40:40 2014 (r270401) @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 9, 2011 +.Dd July 19, 2014 .Dt PAM_GROUP 8 .Os .Sh NAME @@ -48,6 +48,11 @@ .Sh DESCRIPTION The group service module for PAM accepts or rejects users based on their membership in a particular file group. +.Nm pam_group +provides functionality for two PAM categories: authentication and +account management. +In terms of the module-type parameter, they are the ``auth'' and +``account'' features. .Pp The following options may be passed to the .Nm Modified: stable/10/lib/libpam/modules/pam_group/pam_group.c ============================================================================== --- stable/10/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:40:18 2014 (r270400) +++ stable/10/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:40:40 2014 (r270401) @@ -47,15 +47,14 @@ __FBSDID("$FreeBSD$"); #include <unistd.h> #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_appl.h> #include <security/pam_modules.h> #include <security/openpam.h> - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) +static int +pam_group(pam_handle_t *pamh) { int local, remote; const char *group, *user; @@ -96,14 +95,12 @@ pam_sm_authenticate(pam_handle_t *pamh, if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL) goto failed; - /* check if the group is empty */ - if (*grp->gr_mem == NULL) - goto failed; - - /* check membership */ + /* check if user's own primary group */ if (pwd->pw_gid == grp->gr_gid) goto found; - for (list = grp->gr_mem; *list != NULL; ++list) + + /* iterate over members */ + for (list = grp->gr_mem; list != NULL && *list != NULL; ++list) if (strcmp(*list, pwd->pw_name) == 0) goto found; @@ -123,6 +120,14 @@ pam_sm_authenticate(pam_handle_t *pamh, } PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc __unused, const char *argv[] __unused) { @@ -130,4 +135,12 @@ pam_sm_setcred(pam_handle_t * pamh __unu return (PAM_SUCCESS); } +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + PAM_MODULE_ENTRY("pam_group");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201408231140.s7NBef8H061800>