From owner-svn-src-all@FreeBSD.ORG Sat Mar 12 11:12:30 2011
Return-Path:
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6A56F1065678; Sat, 12 Mar 2011 11:12:30 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 574F18FC2D; Sat, 12 Mar 2011 11:12:30 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p2CBCUac017257; Sat, 12 Mar 2011 11:12:30 GMT (envelope-from des@svn.freebsd.org)
Received: (from des@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p2CBCUPP017254; Sat, 12 Mar 2011 11:12:30 GMT (envelope-from des@svn.freebsd.org)
Message-Id: <201103121112.p2CBCUPP017254@svn.freebsd.org>
From: Dag-Erling Smorgrav Date: Sat, 12 Mar 2011 11:12:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r219563 - head/lib/libpam/modules/pam_group X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Mar 2011 11:12:30 -0000 Author: des Date: Sat Mar 12 11:12:30 2011 New Revision: 219563 URL: http://svn.freebsd.org/changeset/base/219563 Log: Add "ruser" and "luser" options. The former corresponds to the current behavior, where the module checks that the supplicant is a member of the required group. The latter checks the target user instead. If neither option was specified, pam_group(8) assumes "ruser" and issues a warning. I intend to eventually change the default to "luser" to match the behavior of similarly-named service modules in other operating systems. MFC after: 1 month Modified: head/lib/libpam/modules/pam_group/pam_group.8 head/lib/libpam/modules/pam_group/pam_group.c Modified: head/lib/libpam/modules/pam_group/pam_group.8 ============================================================================== --- head/lib/libpam/modules/pam_group/pam_group.8 Sat Mar 12 09:41:25 2011 (r219562) +++ head/lib/libpam/modules/pam_group/pam_group.8 Sat Mar 12 11:12:30 2011 (r219563) @@ -1,4 +1,5 @@ .\" Copyright (c) 2003 Networks Associates Technology, Inc. +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" Portions of this software were developed for the FreeBSD Project by @@ -32,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 6, 2003 +.Dd March 9, 2011 .Dt PAM_GROUP 8 .Os .Sh NAME 
@@ -64,10 +65,23 @@ it does exist and the applicant is a mem Specify the name of the group to check. The default is .Dq Li wheel . +.It Cm luser +Accept or reject based on the target user's group membership. .It Cm root_only Skip this module entirely if the target account is not the superuser account. +.It Cm ruser +Accept or reject based on the supplicant's group membership. +This is the default. .El +.Pp +Note that the +.Cm luser +and +.Cm ruser +options are mutually exclusive, and that +.Nm +will fail if both are specified. .Sh SEE ALSO .Xr pam.conf 5 , .Xr pam 8 Modified: head/lib/libpam/modules/pam_group/pam_group.c ============================================================================== --- head/lib/libpam/modules/pam_group/pam_group.c Sat Mar 12 09:41:25 2011 (r219562) +++ head/lib/libpam/modules/pam_group/pam_group.c Sat Mar 12 11:12:30 2011 (r219563) @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by @@ -56,6 +57,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { + int local, remote; const char *group, *user; const void *ruser; char *const *list; 
@@ -69,10 +71,24 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only")) return (PAM_IGNORE); - /* get applicant */ - if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS - || ruser == NULL || (pwd = getpwnam(ruser)) == NULL) - return (PAM_AUTH_ERR); + /* check local / remote */ + local = openpam_get_option(pamh, "luser") ? 1 : 0; + remote = openpam_get_option(pamh, "ruser") ? 1 : 0; + if (local && remote) { + openpam_log(PAM_LOG_ERROR, + "the luser and ruser options are mutually exclusive"); + return (PAM_SERVICE_ERR); + } else if (local) { + /* we already have the correct struct passwd */ + } else { + if (!remote) + openpam_log(PAM_LOG_NOTICE, + "neither luser nor ruser specified, assuming ruser"); + /* default / historical behavior */ + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS || + ruser == NULL || (pwd = getpwnam(ruser)) == NULL) + return (PAM_AUTH_ERR); + } /* get regulating group */ if ((group = openpam_get_option(pamh, "group")) == NULL)
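Review bot: in the pam_group.8 hunk that adds the luser and ruser entries (@@ -64,10 +65,23 @@), the ruser entry says "This is the default." but does not tell the reader that relying on that default now makes the module log "neither luser nor ruser specified, assuming ruser" on every call, nor that the commit log says the default is intended to move to luser; add a sentence to the .Pp note after the option list advising administrators to state one of the two explicitly, so that a later change of default cannot silently change whose group membership is checked. It would also help to say what each option actually compares (luser: the account being authenticated; ruser: the supplicant, read from PAM_RUSER in the code), since that is the only difference between them.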
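Review bot: in the pam_sm_authenticate hunk (@@ -69,10 +71,24 @@), the luser/ruser validation runs after the `if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only")) return (PAM_IGNORE);` early exit, so a line that sets both options is only diagnosed with PAM_SERVICE_ERR when the target account is root and otherwise returns PAM_IGNORE silently; compute `local`/`remote` and do the mutual-exclusion check before the root_only test so a broken configuration is reported on every call. Two smaller points: the empty `else if (local) { /* we already have the correct struct passwd */ }` branch reads better as a single `if (!local) { ... }` with that comment kept above it, and the "assuming ruser" NOTICE will now be logged on every authentication by every existing configuration until administrators add an option, which is fine as a nudge but should be stated in the manual page. The fail-closed PAM_AUTH_ERR when PAM_RUSER is unset or names no account is unchanged, which is the right behaviour for the historical path.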
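A practitioner reading this commit will want to find the pam.conf or /etc/pam.d entries on their own systems that load pam_group.so without saying which user to check, because those now log the "assuming ruser" notice on every call and will change behaviour if the default moves to luser as the log message announces, and to find entries that name both options, which the new code rejects with PAM_SERVICE_ERR. The following POSIX sh audit helper is an added example written for this page, not code from FreeBSD or from this commit; it assumes the usual "type control module-path options" layout of pam.d files, the sample file it reads is constructed here, and the verdict labels IMPLICIT and BOTH are its own naming.

```shell
#!/bin/sh
# Added audit helper, not part of FreeBSD or of r219563.
# Flags pam_group.so entries in a pam.conf/pam.d-style file that either
# name neither luser nor ruser (the module then assumes ruser and logs a
# NOTICE, and the commit log says that default is intended to change) or
# name both (the module refuses with PAM_SERVICE_ERR).
# Assumes the usual "type control module-path [options]" layout.

audit_pam_group() {
    # $1: path of the file to audit
    # Drop comments and trailing blanks, squeeze blanks so option tokens are
    # single-space separated, then inspect every line that loads pam_group.so.
    sed -e 's/#.*$//' -e 's/[[:blank:]]*$//' "$1" |
    tr -s '[:blank:]' ' ' |
    grep 'pam_group\.so' |
    while IFS= read -r line; do
        has_l=0; has_r=0
        # Match whole tokens only, hence the surrounding spaces.
        case " $line " in *" luser "*) has_l=1 ;; esac
        case " $line " in *" ruser "*) has_r=1 ;; esac
        if [ "$has_l" -eq 1 ] && [ "$has_r" -eq 1 ]; then
            printf 'BOTH: %s\n' "$line"      # module returns PAM_SERVICE_ERR
        elif [ "$has_l" -eq 0 ] && [ "$has_r" -eq 0 ]; then
            printf 'IMPLICIT: %s\n' "$line"  # relies on the assumed default
        fi
    done
}

# Constructed sample in the style of /etc/pam.d/su (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# auth
auth		sufficient	pam_rootok.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only
auth		requisite	pam_group.so		group=wheel ruser
auth		requisite	pam_group.so		group=wheel luser ruser
auth		include		system
EOF
audit_pam_group "$sample"
rm -f "$sample"
```

Run it over /etc/pam.d/* after upgrading: IMPLICIT lines should get an explicit `ruser` to keep the current policy (or `luser` where the target account's membership is what you actually want checked), and BOTH lines must be fixed because the module will return PAM_SERVICE_ERR for them.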