pam_access: rework resolving of tokens as hostname

* modules/pam_access/pam_access.c: separate resolving of IP addresses
  from hostnames. Don't resolve TTYs or display variables as hostname
  (#834).
  Add "nodns" option to disallow resolving of tokens as hostname.
* modules/pam_access/pam_access.8.xml: document nodns option
* modules/pam_access/access.conf.5.xml: document that hostnames should
  be written as FQHN.

modules/pam_access/access.conf.5.xml

@@ -233,6 +233,10 @@
       An IPv6 link local host address must contain the interface
       identifier. IPv6 link local network/netmask is not supported.
     </para>
+    <para>
+      Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
+      confusion with device names or PAM service names.
+    </para>
   </refsect1>
 
   <refsect1 xml:id="access.conf-see_also">

modules/pam_access/pam_access.8.xml

@@ -22,11 +22,14 @@
       <arg choice="opt" rep="norepeat">
         debug
       </arg>
+      <arg choice="opt" rep="norepeat">
+        noaudit
+      </arg>
       <arg choice="opt" rep="norepeat">
         nodefgroup
       </arg>
       <arg choice="opt" rep="norepeat">
-        noaudit
+        nodns
       </arg>
       <arg choice="opt" rep="norepeat">
         quiet_log
@@ -132,6 +135,33 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          nodefgroup
+        </term>
+        <listitem>
+          <para>
+            User tokens which are not enclosed in parentheses will not be
+	    matched against the group database. The backwards compatible default is
+            to try the group database match even for tokens not enclosed
+            in parentheses.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          nodns
+        </term>
+        <listitem>
+          <para>
+	    Do not try to resolve tokens as hostnames, only IPv4 and IPv6
+	    addresses will be resolved. Which means to allow login from a
+	    remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>
           quiet_log
@@ -185,20 +215,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>
-          nodefgroup
-        </term>
-        <listitem>
-          <para>
-            User tokens which are not enclosed in parentheses will not be
-	    matched against the group database. The backwards compatible default is
-            to try the group database match even for tokens not enclosed
-            in parentheses.
-          </para>
-        </listitem>
-      </varlistentry>
-
     </variablelist>
   </refsect1>
 

modules/pam_access/pam_access.c

@@ -100,6 +100,7 @@ struct login_info {
     int only_new_group_syntax;		/* Only allow group entries of the form "(xyz)" */
     int noaudit;			/* Do not audit denials */
     int quiet_log;			/* Do not log denials */
+    int nodns;                          /* Do not try to resolve tokens as hostnames */
     const char *fs;			/* field separator */
     const char *sep;			/* list-element separator */
     int from_remote_host;               /* If PAM_RHOST was used for from */
@@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
 	    loginfo->noaudit = YES;
 	} else if (strcmp (argv[i], "quiet_log") == 0) {
 	    loginfo->quiet_log = YES;
+	} else if (strcmp (argv[i], "nodns") == 0) {
+	    loginfo->nodns = YES;
 	} else {
 	    pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
 	}
@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
       if ((str_len = strlen(string)) > tok_len
 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
 	return YES;
-    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
+    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers/subnet (end with ".") */
       struct addrinfo hint;
 
       memset (&hint, '\0', sizeof (hint));
@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
 }
 
 
+static int
+is_device (pam_handle_t *pamh, const char *tok)
+{
+  struct stat st;
+  const char *dev = "/dev/";
+  char *devname;
+
+  devname = malloc (strlen(dev) + strlen (tok) + 1);
+  if (devname == NULL) {
+      pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
+      /*
+       * We should return an error and abort, but pam_access has no good
+       * error handling.
+       */
+      return NO;
+  }
+
+  char *cp = stpcpy (devname, dev);
+  strcpy (cp, tok);
+
+  if (lstat(devname, &st) != 0)
+    {
+      free (devname);
+      return NO;
+    }
+  free (devname);
+
+  if (S_ISCHR(st.st_mode))
+    return YES;
+
+  return NO;
+}
+
 /* network_netmask_match - match a string against one token
  * where string is a hostname or ip (v4,v6) address and tok
  * represents either a hostname, a single ip (v4,v6) address
@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh,
 	    return NO;
 	  }
       }
+    else if (isipaddr(tok, NULL, NULL) == YES)
+      {
+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+	  {
+	    if (item->debug)
+	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
+
+	    return NO;
+	  }
+	netmask_ptr = NULL;
+      }
+    else if (item->nodns)
+      {
+	/* Only hostnames are left, which we would need to resolve via DNS */
+	return NO;
+      }
     else
       {
+	/* Bail out on X11 Display entries and ttys. */
+	if (tok[0] == ':')
+	  {
+	    if (item->debug)
+	      pam_syslog (pamh, LOG_DEBUG,
+			  "network_netmask_match: tok=%s is X11 display", tok);
+	    return NO;
+	  }
+	if (is_device (pamh, tok))
+	  {
+	    if (item->debug)
+	      pam_syslog (pamh, LOG_DEBUG,
+			  "network_netmask_match: tok=%s is a TTY", tok);
+	    return NO;
+	  }
+
         /*
-	 * It is either an IP address or a hostname.
+	 * It is most likely a hostname.
 	 * Let getaddrinfo sort everything out
 	 */
 	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)