You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

106 lines
3.9 KiB

From c681bd104627139eac2f40fe303e1f67676233e8 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 15:33:43 +0800
Subject: [PATCH 7/7] Check if innetgr is available at compile time.
innetgr may not be there so make sure that when innetgr is not present
then we inform about it and not use it.
* modules/pam_group/pam_group.c: ditto
* modules/pam_succeed_if/pam_succeed_if.c: ditto
* modules/pam_time/pam_time.c: ditto
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
---
modules/pam_group/pam_group.c | 4 ++++
modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++----
modules/pam_time/pam_time.c | 4 ++++
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index be5f20f..6a065ca 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
}
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
+#endif
/* otherwise, if the buffer starts with %, it's a UNIX group */
else if (buffer[0] == '%')
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index aa828fc..c0c68a0 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
}
/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
static int
-evaluate_innetgr(const char *host, const char *user, const char *group)
+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 1)
return PAM_SUCCESS;
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
+#endif
+
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
static int
-evaluate_notinnetgr(const char *host, const char *user, const char *group)
+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 0)
return PAM_SUCCESS;
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
+#endif
return PAM_AUTH_ERR;
}
@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
const void *rhost;
if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
rhost = NULL;
- return evaluate_innetgr(rhost, user, right);
+ return evaluate_innetgr(pamh, rhost, user, right);
}
/* (Rhost, user) is not in this group. */
if (strcasecmp(qual, "notinnetgr") == 0) {
const void *rhost;
if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
rhost = NULL;
- return evaluate_notinnetgr(rhost, user, right);
+ return evaluate_notinnetgr(pamh, rhost, user, right);
}
/* Fail closed. */
return PAM_SERVICE_ERR;
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index c94737c..0b34a14 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service,
}
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
+#ifdef HAVE_INNETGR
good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
+#endif
else
good &= logic_field(pamh, user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));
--
1.7.10.4