Date: Fri, 3 Aug 2007 11:04:04 GMT
From: Matthijs Kooijman <matthijs@stdin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/115164: [libpam] [patch] Add check for target user's group list to pam_group
Message-ID: <200708031104.l73B446I054194@www.freebsd.org>
Resent-Message-ID: <200708031110.l73BA9bV006695@freefall.freebsd.org>
>Number: 115164
>Category: kern
>Synopsis: [libpam] [patch] Add check for target user's group list to pam_group
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 03 11:10:09 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Matthijs Kooijman
>Release: 6.2-RELEASE
>Organization: I.C.T.S.V. Inter-Actief
>Environment: FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007 matthijs@zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a i386
>Description:
The added patch adds support for the account category to pam_group. This allows the group checks to be performed for both the auth and account features instead of only the auth feature. Together with my target patch [1] this can be used to perform group checking for ssh logins, even when pam is not used for authentication (such as with private key logins).

[1]: http://www.freebsd.org/cgi/query-pr.cgi?pr=115162
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

Common subdirectories: pam_group.orig/imp and pam_group.account/imp diff -u pam_group.orig/pam_group.8 pam_group.account/pam_group.8 --- pam_group.orig/pam_group.8 Fri Aug 3 11:31:56 2007 +++ pam_group.account/pam_group.8 Fri Aug 3 11:49:02 2007 @@ -47,6 +47,10 @@ .Sh DESCRIPTION The group service module for PAM accepts or rejects users based on their membership in a particular file group. +.Nm pam_group +provides functionality for two PAM categories: authentication and account +management. In terms of the module-type parameter, they are the ``auth'' and +``account'' features. .Pp The following options may be passed to the .Nm diff -u pam_group.orig/pam_group.c pam_group.account/pam_group.c --- pam_group.orig/pam_group.c Fri Aug 3 11:31:56 2007 +++ pam_group.account/pam_group.c Fri Aug 3 11:34:59 2007 
@@ -46,11 +46,18 @@ #include <unistd.h> #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_appl.h> #include <security/pam_modules.h> #include <security/openpam.h> +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, >Release-Note: >Audit-Trail: >Unformatted:
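Review bot: In the pam_group.8 hunk, the added DESCRIPTION text names the two categories but does not say that the account check is the same group test, driven by the same options, as the auth check, which is what the pam_group.c change implements by delegating to pam_sm_authenticate. A sentence stating that would tell an administrator what adding an account line for this module actually does. In the mdoc source, "In terms of the module-type parameter ..." should start on its own line rather than following "management." on the same line, and the quoted auth and account would normally be marked up with .Dq rather than ``...''.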
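Review bot: In the pam_group.c hunk, pam_sm_acct_mgmt declares flags, argc and argv as __unused and then passes all three to pam_sm_authenticate, so the annotations are wrong and should be dropped from the new function's parameter list. Because the account stage now returns whatever pam_sm_authenticate returns, it is also worth confirming that every code that function can produce is one an account stack should see, and recording that in a short comment above the wrapper.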