Relevant BUGIDs: none
Purpose of commit: new feature Commit summary: --------------- 2005-12-16 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_group/pam_group.c (check_account): Implement support for netgroups. * modules/pam_group/group.conf: Add all documentation to this example config file and don't reference to outdated configs. * modules/pam_group/README: New. * modules/pam_group/Makefile.am: Add README to EXTRADIST.
parent
4c2c1683d7
commit
6c45b51f44
4
AUTHORS
4
AUTHORS
@ -1,7 +1,7 @@
|
||||
Original authors and current maintainers of Linux-PAM:
|
||||
|
||||
Andrew G. Morgan <morgan@linux.kernel.org>
|
||||
Andrew G. Morgan <morgan@kernel.org>
|
||||
Dmitry V. Levin <ldv@altlinux.org>
|
||||
Thorsten Kukuk <kukuk@suse.de>
|
||||
Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
Sebastien Tricaud <toady@gscore.org>
|
||||
Tomas Mraz <t8m@centrum.cz>
|
||||
|
12
ChangeLog
12
ChangeLog
@ -1,3 +1,15 @@
|
||||
2005-12-16 Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
|
||||
* modules/pam_group/pam_group.c (check_account): Implement
|
||||
support for netgroups.
|
||||
|
||||
* modules/pam_group/group.conf: Add all documentation to this
|
||||
example config file and don't reference to outdated configs.
|
||||
|
||||
* modules/pam_group/README: New.
|
||||
|
||||
* modules/pam_group/Makefile.am: Add README to EXTRADIST.
|
||||
|
||||
2005-12-15 Thorsten Kukuk <kukuk@suse.de>
|
||||
|
||||
* modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't report an
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
EXTRA_DIST = group.conf
|
||||
EXTRA_DIST = README group.conf
|
||||
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
|
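--- a/modules/pam_group/README
+++ b/modules/pam_group/README
@@ -0,0 +1,23 @@
+
+This is a help file for the pam_group module. It explains the need for
+pam_group and also the syntax of the /etc/security/group.conf file.
+
+1. Introduction
+===============
+
+It is desirable to give extra privileges to a user running a specific
+PAM aware application at various times of the day and on specific days
+or over various terminal lines by adding this user to extra groups.
+
+The pam_group module is intended to offer a configurable module that
+satisfies this purpose, within the context of Linux-PAM.
+
+2. the /etc/security/group.conf file
+===================================
+
+Its syntax is described in the sample group.conf file.
+
+unrecognised rules are ignored (but an error is logged to syslog(3))
+
+--------------------
+Bugs to the list <pam-list@redhat.com>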
@ -1,10 +1,7 @@
|
||||
##
|
||||
## Note, to get this to work as it is currently typed you need
|
||||
##
|
||||
## 1. to run an application as root
|
||||
## 2. add the following groups to the /etc/group file:
|
||||
## floppy, games, sound
|
||||
##
|
||||
#
|
||||
# This is the configuration file for the pam_group module.
|
||||
#
|
||||
|
||||
#
|
||||
# *** Please note that giving group membership on a session basis is
|
||||
# *** NOT inherently secure. If a user can create an executable that
|
||||
@ -16,11 +13,9 @@
|
||||
# *** "chgrp games toplay; chmod g+s toplay". They are basically able
|
||||
# *** to play games any time... You have been warned. AGM
|
||||
#
|
||||
# this is an example configuration file for the pam_group module. Its
|
||||
# syntax is based on that of the pam_time module and (at some point in
|
||||
# the distant past was inspired by the 'shadow' package)
|
||||
|
||||
#
|
||||
# the syntax of the lines is as follows:
|
||||
# The syntax of the lines is as follows:
|
||||
#
|
||||
# services;ttys;users;times;groups
|
||||
#
|
||||
@ -28,15 +23,59 @@
|
||||
# newlines). From reading these comments, it is clear that
|
||||
# text following a '#' is ignored to the end of the line.
|
||||
#
|
||||
# the first four fields are described in the pam_time directory.
|
||||
# The only difference for these is how the time field is interpretted:
|
||||
# it is used to indicate "when" these groups are to be given to the user.
|
||||
# the combination of individual users/terminals etc is a logic list
|
||||
# namely individual tokens that are optionally prefixed with '!' (logical
|
||||
# not) and separated with '&' (logical and) and '|' (logical or).
|
||||
#
|
||||
# services
|
||||
# is a logic list of PAM service names that the rule applies to.
|
||||
#
|
||||
# ttys
|
||||
# is a logic list of terminal names that this rule applies to.
|
||||
#
|
||||
# users
|
||||
# is a logic list of users or a netgroup of users to whom this
|
||||
# rule applies.
|
||||
#
|
||||
# NB. For these items the simple wildcard '*' may be used only once.
|
||||
# With netgroups no wildcards or logic operators are allowed.
|
||||
#
|
||||
# times
|
||||
# It is used to indicate "when" these groups are to be given to the
|
||||
# user. The format here is a logic list of day/time-range
|
||||
# entries the days are specified by a sequence of two character
|
||||
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
|
||||
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
|
||||
# bar Monday. The two character combinations accepted are
|
||||
#
|
||||
# Mo Tu We Th Fr Sa Su Wk Wd Al
|
||||
#
|
||||
# the last two being week-end days and all 7 days of the week
|
||||
# respectively. As a final example, AlFr means all days except Friday.
|
||||
#
|
||||
# Each day/time-range can be prefixed with a '!' to indicate "anything
|
||||
# but"
|
||||
#
|
||||
# The time-range part is two 24-hour times HHMM separated by a hyphen
|
||||
# indicating the start and finish time (if the finish time is smaller
|
||||
# than the start time it is deemed to apply on the following day).
|
||||
#
|
||||
# groups
|
||||
# The (comma or space separated) list of groups that the user
|
||||
# The (comma or space separated) list of groups that the user
|
||||
# inherits membership of. These groups are added if the previous
|
||||
# fields are satisfied by the user's request
|
||||
#
|
||||
# For a rule to be active, ALL of service+ttys+users must be satisfied
|
||||
# by the applying process.
|
||||
#
|
||||
|
||||
#
|
||||
# Note, to get this to work as it is currently typed you need
|
||||
#
|
||||
# 1. to run an application as root
|
||||
# 2. add the following groups to the /etc/group file:
|
||||
# floppy, games, sound
|
||||
#
|
||||
|
||||
#
|
||||
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
|
||||
|
@ -6,11 +6,6 @@
|
||||
* Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6
|
||||
*/
|
||||
|
||||
static const char rcsid[] =
|
||||
"$Id$;\n"
|
||||
"Version 0.5 for Linux-PAM\n"
|
||||
"Copyright (c) Andrew G. Morgan 1996 <morgan@linux.kernel.org>\n";
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include <sys/file.h>
|
||||
@ -27,6 +22,7 @@ static const char rcsid[] =
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#define PAM_GROUP_BUFLEN 1000
|
||||
#define FIELD_SEPARATOR ';' /* this is new as of .02 */
|
||||
@ -686,7 +682,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
|
||||
"%s: no user entry #%d", PAM_GROUP_CONF, count);
|
||||
continue;
|
||||
}
|
||||
good &= logic_field(pamh,user, buffer, count, is_same);
|
||||
/* If buffer starts with @, we are using netgroups */
|
||||
if (buffer[0] == '@')
|
||||
good &= innetgr (&buffer[1], NULL, user, NULL);
|
||||
else
|
||||
good &= logic_field(pamh,user, buffer, count, is_same);
|
||||
D(("with user: %s", good ? "passes":"fails" ));
|
||||
|
||||
/* here we get the time field */
|
||||
|
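Review bot: The new innetgr() call passes NULL for both the host and the domain argument, so membership is decided on the user name alone and any host or domain restriction an administrator put into the netgroup's (host,user,domain) triples has no effect on whether the extra groups are granted; that deserves a comment on the call, e.g. `/* host/domain are NULL: any triple naming this user matches, whatever host it lists */`. For '@' entries the logic_field() path is skipped entirely, so a mistyped netgroup name, or a bare `@` with an empty name, presumably just yields 0 from innetgr() and the rule silently never matches, with none of the syslog diagnostics the surrounding code emits for bad user entries — a guard such as `if (buffer[0] == '@' && buffer[1] != '\0')` or an explicit log line for the empty-name case would make the failure visible. The '@' prefix is recorded only in this hunk's comment; the group.conf text added in the same commit says the users field accepts "a netgroup of users" without stating the prefix, so the config documentation should say that a netgroup is written as `@name`. check_account() begins and ends outside this hunk.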