From c681bd104627139eac2f40fe303e1f67676233e8 Mon Sep 17 00:00:00 2001 From: Yousong Zhou Date: Wed, 17 Jun 2015 15:33:43 +0800 Subject: [PATCH 7/7] Check if innetgr is available at compile time. innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. * modules/pam_group/pam_group.c: ditto * modules/pam_succeed_if/pam_succeed_if.c: ditto * modules/pam_time/pam_time.c: ditto Signed-off-by: Khem Raj Signed-off-by: Yousong Zhou --- modules/pam_group/pam_group.c | 4 ++++ modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++---- modules/pam_time/pam_time.c | 4 ++++ 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index be5f20f..6a065ca 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service, } /* If buffer starts with @, we are using netgroups */ if (buffer[0] == '@') +#ifdef HAVE_INNETGR good &= innetgr (&buffer[1], NULL, user, NULL); +#else + pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); +#endif /* otherwise, if the buffer starts with %, it's a UNIX group */ else if (buffer[0] == '%') good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index aa828fc..c0c68a0 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) } /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ static int -evaluate_innetgr(const char *host, const char *user, const char *group) +evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) { +#ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 1) return PAM_SUCCESS; +#else + pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); +#endif + return PAM_AUTH_ERR; } /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ static int -evaluate_notinnetgr(const char *host, const char *user, const char *group) +evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) { +#ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 0) return PAM_SUCCESS; +#else + pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); +#endif return PAM_AUTH_ERR; } @@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug, const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL; - return evaluate_innetgr(rhost, user, right); + return evaluate_innetgr(pamh, rhost, user, right); } /* (Rhost, user) is not in this group. */ if (strcasecmp(qual, "notinnetgr") == 0) { const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL; - return evaluate_notinnetgr(rhost, user, right); + return evaluate_notinnetgr(pamh, rhost, user, right); } /* Fail closed. */ return PAM_SERVICE_ERR; diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index c94737c..0b34a14 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service, } /* If buffer starts with @, we are using netgroups */ if (buffer[0] == '@') +#ifdef HAVE_INNETGR good &= innetgr (&buffer[1], NULL, user, NULL); +#else + pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); +#endif else good &= logic_field(pamh, user, buffer, count, is_same); D(("with user: %s", good ? "passes":"fails" )); -- 1.7.10.4