kern/115162: [libpam] [patch] Add check for target user's group list to pam_group

Matthijs Kooijman matthijs at stdin.nl
Fri Aug 3 10:40:02 UTC 2007


>Number:         115162
>Category:       kern
>Synopsis:       [libpam] [patch] Add check for target user's group list to pam_group
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 03 10:40:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Matthijs Kooijman
>Release:        6.2-RELEASE
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007     matthijs at zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a  i386

>Description:
The added patch adds a "target" option to the pam_group module. This option makes pam_group do its checks against the target user's group list instead of the applicant's group.

This behaviour can be used to limit user logins to a specific group for networked services, where there is no identified applicant yet, such as for ssh logins.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- pam_group.c.orig	Wed Aug  1 20:43:51 2007
+++ pam_group.c.target	Wed Aug  1 21:56:37 2007
@@ -69,10 +69,14 @@
 	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
 		return (PAM_IGNORE);
 
-	/* get applicant */
-	if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
-	    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
-		return (PAM_AUTH_ERR);
+	/* get applicant, unless we should compare with the target account */
+	if (!openpam_get_option(pamh, "target"))
+		if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
+		    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
+			return (PAM_AUTH_ERR);
+
+	/* Note that if the target option is set, pwd will contain the target
+	   account instead of applicant's account now */
 
 	/* get regulating group */
 	if ((group = openpam_get_option(pamh, "group")) == NULL)
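Review bot: the outer `if (!openpam_get_option(pamh, "target"))` wraps a three-line nested `if` with no braces; bracing the outer body would keep the `return (PAM_AUTH_ERR)` visibly scoped to the applicant lookup and rule out a later `else` attaching to the wrong `if`. Suggest `if (!openpam_get_option(pamh, "target")) { ... }` around the nested test. The option also needs documenting: the patch touches only pam_group.c, so pam_group(8) should gain a `target` entry stating that the group test is then made against the target account (whose `pwd` is kept, as the new comment notes) rather than against PAM_RUSER, and that without `target` an unset PAM_RUSER still fails with PAM_AUTH_ERR.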

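An added configuration example, not part of the PR, showing how the new option would be used for the ssh case the description mentions; the service file /etc/pam.d/sshd and the group name `sshusers` are assumed:

```text
# /etc/pam.d/sshd  (added example; "sshusers" is an assumed group name)
#
# Without "target" the module looks up PAM_RUSER, which a network
# service such as sshd has not set at this point, so ruser is NULL
# and pam_group returns PAM_AUTH_ERR for every login attempt:
#auth   required   pam_group.so   group=sshusers
#
# With "target" the applicant lookup is skipped and the membership
# test runs against the account being logged into (PAM_USER):
auth    required   pam_group.so   group=sshusers target
```

Because pam_group is an authentication module, the line only takes effect for ssh logins that pass through the PAM auth stack (password or keyboard-interactive); public-key logins skip pam_authenticate and are not restricted by it.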

>Release-Note:
>Audit-Trail:
>Unformatted:

