svn commit: r270400 - stable/9/lib/libpam/modules/pam_group
Dag-Erling Smørgrav
des at FreeBSD.org
Sat Aug 23 11:40:19 UTC 2014
Author: des
Date: Sat Aug 23 11:40:18 2014
New Revision: 270400
URL: http://svnweb.freebsd.org/changeset/base/270400
Log:
MFH (r268888): fix false negative for empty groups
PR: 109416
MFH (r268890): add support for "account" facility
PR: 115164
Modified:
stable/9/lib/libpam/modules/pam_group/pam_group.8
stable/9/lib/libpam/modules/pam_group/pam_group.c
Directory Properties:
stable/9/lib/libpam/ (props changed)
Modified: stable/9/lib/libpam/modules/pam_group/pam_group.8
==============================================================================
--- stable/9/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:38:31 2014 (r270399)
+++ stable/9/lib/libpam/modules/pam_group/pam_group.8 Sat Aug 23 11:40:18 2014 (r270400)
@@ -33,7 +33,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 9, 2011
+.Dd July 19, 2014
.Dt PAM_GROUP 8
.Os
.Sh NAME
@@ -48,6 +48,11 @@
.Sh DESCRIPTION
The group service module for PAM accepts or rejects users based on
their membership in a particular file group.
+.Nm pam_group
+provides functionality for two PAM categories: authentication and
+account management.
+In terms of the module-type parameter, they are the ``auth'' and
+``account'' features.
.Pp
The following options may be passed to the
.Nm
Modified: stable/9/lib/libpam/modules/pam_group/pam_group.c
==============================================================================
--- stable/9/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:38:31 2014 (r270399)
+++ stable/9/lib/libpam/modules/pam_group/pam_group.c Sat Aug 23 11:40:18 2014 (r270400)
@@ -47,15 +47,14 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/openpam.h>
-
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc __unused, const char *argv[] __unused)
+static int
+pam_group(pam_handle_t *pamh)
{
int local, remote;
const char *group, *user;
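Review bot: The new static helper `pam_group()` has no header comment, although it is now the single decision point behind two exported entry points. A short comment above it would make the contract explicit, for example `/* Shared group-membership check for the auth and account facilities; returns a PAM status code. */`. The helper no longer receives `flags`, `argc` or `argv`, so the comment could also say that everything it needs comes from `pamh`. The body of the function continues outside this hunk.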
@@ -96,14 +95,12 @@ pam_sm_authenticate(pam_handle_t *pamh,
if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL)
goto failed;
- /* check if the group is empty */
- if (*grp->gr_mem == NULL)
- goto failed;
-
- /* check membership */
+ /* check if user's own primary group */
if (pwd->pw_gid == grp->gr_gid)
goto found;
- for (list = grp->gr_mem; *list != NULL; ++list)
+
+ /* iterate over members */
+ for (list = grp->gr_mem; list != NULL && *list != NULL; ++list)
if (strcmp(*list, pwd->pw_name) == 0)
goto found;
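Review bot: The `list != NULL` guard added to the member loop can never be false, because the unchanged test just above it (`grp->gr_mem == NULL` leading to `goto failed`) already rejects a NULL member array before the primary-group comparison is reached. If a NULL `gr_mem` is meant to be treated like an empty group, drop `|| grp->gr_mem == NULL` from that earlier test so that the `pw_gid` match still runs; otherwise write the loop as `for (list = grp->gr_mem; *list != NULL; ++list)`. With the empty-group bail-out removed, a user whose primary gid equals the group's gid now matches even when the group lists no members. That changes the outcome for existing stacks that name such a group, so it is worth stating in pam_group.8. The function starts and ends outside this hunk.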
@@ -123,6 +120,14 @@ pam_sm_authenticate(pam_handle_t *pamh,
}
PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
+{
+
+ return (pam_group(pamh));
+}
+
+PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
@@ -130,4 +135,12 @@ pam_sm_setcred(pam_handle_t * pamh __unu
return (PAM_SUCCESS);
}
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
+{
+
+ return (pam_group(pamh));
+}
+
PAM_MODULE_ENTRY("pam_group");
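Review bot: `pam_sm_acct_mgmt()` forwards the result of `pam_group()` unchanged, so the account phase reports a failed membership check with whatever code the helper was written to return for authentication. The helper's return statements are outside this hunk, so confirm that its failure code is one that callers of the account facility handle as a denial. A one-line comment above the function would also help, for example `/* account management: same group check as pam_sm_authenticate() */`.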