kern/115162: [libpam] [patch] Add check for target user's group list to pam_group
Matthijs Kooijman
matthijs at stdin.nl
Fri Aug 3 10:40:02 UTC 2007
>Number: 115162
>Category: kern
>Synopsis: [libpam] [patch] Add check for target user's group list to pam_group
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 03 10:40:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Matthijs Kooijman
>Release: 6.2-RELEASE
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007 matthijs at zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a i386
>Description:
The added patch adds a "target" option to the pam_group module. This option makes pam_group do its checks against the target user's group list instead of the applicant's group.
This behaviour can be used to limit user logins to a specific group for networked services, where there is no identified applicant yet, such as for ssh logins.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
--- pam_group.c.orig Wed Aug 1 20:43:51 2007
+++ pam_group.c.target Wed Aug 1 21:56:37 2007
@@ -69,10 +69,14 @@
if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
return (PAM_IGNORE);
- /* get applicant */
- if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
- || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
- return (PAM_AUTH_ERR);
+ /* get applicant, unless we should compare with the target account */
+ if (!openpam_get_option(pamh, "target"))
+ if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
+ || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
+ return (PAM_AUTH_ERR);
+
+ /* Note that if the target option is set, pwd will contain the target
+ account instead of applicant's account now */
/* get regulating group */
if ((group = openpam_get_option(pamh, "group")) == NULL)
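Review bot: The new outer `if (!openpam_get_option(pamh, "target"))` wraps a three-line inner `if` with no braces, which makes it easy for a later `else` or added statement to attach to the wrong condition in an access-control path; put braces around the outer body. The comment about `pwd` holding the target account would also read better above the conditional, since it describes the case where the lookup is skipped. With `target` set, PAM_RUSER is never read and the applicant is not checked at all, so the option needs a manual page entry alongside `group` and `root_only` stating that; this diff only touches pam_group.c.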
>Release-Note:
>Audit-Trail:
>Unformatted: