From owner-svn-src-all@FreeBSD.ORG Sat Aug 23 11:40:41 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AEE918F5; Sat, 23 Aug 2014 11:40:41 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 901F23BAD; Sat, 23 Aug 2014 11:40:41 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s7NBefSJ061805; Sat, 23 Aug 2014 11:40:41 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s7NBef8H061800; Sat, 23 Aug 2014 11:40:41 GMT (envelope-from des@FreeBSD.org) Message-Id: <201408231140.s7NBef8H061800@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Sat, 23 Aug 2014 11:40:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r270401 - stable/10/lib/libpam/modules/pam_group X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Aug 2014 11:40:41 -0000 Author: des Date: Sat Aug 23 11:40:40 2014 New Revision: 270401 URL: http://svnweb.freebsd.org/changeset/base/270401 Log: MFH (r268888): fix false negative for empty groups PR: 109416 MFH (r268890): add support for "account" facility PR: 115164 Modified: stable/10/lib/libpam/modules/pam_group/pam_group.8 stable/10/lib/libpam/modules/pam_group/pam_group.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libpam/modules/pam_group/pam_group.8 ============================================================================== --- stable/10/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:40:18 2014 (r270400) +++ stable/10/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:40:40 2014 (r270401) @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 9, 2011 +.Dd July 19, 2014 .Dt PAM_GROUP 8 .Os .Sh NAME @@ -48,6 +48,11 @@ .Sh DESCRIPTION The group service module for PAM accepts or rejects users based on their membership in a particular file group. +.Nm pam_group +provides functionality for two PAM categories: authentication and +account management. +In terms of the module-type parameter, they are the ``auth'' and +``account'' features. .Pp The following options may be passed to the .Nm Modified: stable/10/lib/libpam/modules/pam_group/pam_group.c ============================================================================== --- stable/10/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:40:18 2014 (r270400) +++ stable/10/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:40:40 2014 (r270401) @@ -47,15 +47,14 @@ __FBSDID("$FreeBSD$"); #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include #include #include - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) +static int +pam_group(pam_handle_t *pamh) { int local, remote; const char *group, *user; @@ -96,14 +95,12 @@ pam_sm_authenticate(pam_handle_t *pamh, if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL) goto failed; - /* check if the group is empty */ - if (*grp->gr_mem == NULL) - goto failed; - - /* check membership */ + /* check if user's own primary group */ if (pwd->pw_gid == grp->gr_gid) goto found; - for (list = grp->gr_mem; *list != NULL; ++list) + + /* iterate over members */ + for (list = grp->gr_mem; list != NULL && *list != NULL; ++list) if (strcmp(*list, pwd->pw_name) == 0) goto found; @@ -123,6 +120,14 @@ pam_sm_authenticate(pam_handle_t *pamh, } PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc __unused, const char *argv[] __unused) { @@ -130,4 +135,12 @@ pam_sm_setcred(pam_handle_t * pamh __unu return (PAM_SUCCESS); } +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (pam_group(pamh)); +} + PAM_MODULE_ENTRY("pam_group");