pam_login_access vs. pam_access

Mike Becher Mike.Becher at lrz-muenchen.de
Tue Jan 31 21:36:17 UTC 2006


On Mon, 30 Jan 2006, Thorsten Kukuk wrote:

> 
> On Fri, Jan 27, Thorsten Kukuk wrote:
> 
> > On Thu, Jan 05, Mike Becher wrote:
> > 
> > > Hi again,
> > > 
> > > because I don't know whether my patch for pam_access module (please
> > > have a look at forwarded message but without patch) will be accepted
> > > by list moderator or not (message was too large, larger than 40kB
> > > because patch size is 100735 bytes) I post it again but now in 5
> > > pieces in messages with subject: "pam_access patch part X of 5"
> > > 
> > > I hope this code finds the way into official distribution of
> > > Linux-PAM.
> > 
> > I looked at it and the code is terrible. My first step will be to
> > merge only the basic stuff like netmasks and IPv6, not the external
> > helper and compatibility hacks.
> 
> Attached is my patch against current CVS. Using IP addresses in
> access.conf works now, even if PAM_RHOSTS is set to a name. It
> also looks at all IP addresses, not only the first one.
> 
> This patch is topic for discussion, at least the access.conf.5 manual
> page needs some rework.
Thanks for your effort. I have looked at the patch and have made some 
changes.

1) My patch includes creation of the missing manual page login.access.5.
2) If we check whether inet_ntop, inet_pton and yp_get_default_domain exist, 
then we should provide some alternative if configure does not find them.
I think compilation should work also, and I have inserted some #ifdef
and some snippets of original code from pam_access.c. What do you think 
about that?
3) Some corrections in access.conf.5.

I think it is OK if someone can use the module only in the case of `account' and 
`auth'. That's it for now...

Best regards,
  mike

-----------------------------------------------------------------------------
 Mike Becher                              Mike.Becher at lrz-muenchen.de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-289-28721      
 Gruppe Hochleistungssysteme              fax:   +49-89-280-9460
 Barer Strasse 21                    
 D-80333 Muenchen
 Germany                   
-----------------------------------------------------------------------------
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5 Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5	2006-01-31 20:38:27.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5	2006-01-31 22:16:35.547507512 +0100
@@ -11,29 +11,22 @@
 access.conf \- The login access control table file
 .SH "DESCRIPTION"
 .PP
-Original
-\fBlogin.access\fR(5)
-manual was provided by
-\fIGuido van Rooij\fR
-which was renamed to
-\fBaccess.conf\fR(5)
-to reflect relation to default config file. The
-\fIaccess.conf\fR
-file specifies (\fIuser\fR,
-\fIhost\fR), (\fIuser\fR,
-\fInetwork/netmask\fR) or (\fIuser\fR,
-\fItty\fR) combinations for which a login will be either accepted or refused.
-.PP
-When someone logs in, the file
-\fIaccess.conf\fR
-is scanned for the first entry that matches the (\fIuser\fR,
-\fIhost\fR) or (\fIuser\fR,
-\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR,
-\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused.
-.PP
-Each line of the login access control table has three fields separated by a
-\fI:\fR
-character (colon) and looks like:
+Original \fBlogin.access\fR(5) manual was provided by \fIGuido van
+Rooij\fR which was renamed to \fBaccess.conf\fR(5) to reflect relation
+to default config file. The \fIaccess.conf\fR file specifies
+(\fIuser\fR, \fIhost\fR), (\fIuser\fR, \fInetwork/netmask\fR) or
+(\fIuser\fR, \fItty\fR) combinations for which a login will be either
+accepted or refused.
+.PP
+When someone logs in, the file \fIaccess.conf\fR is scanned for the
+first entry that matches the (\fIuser\fR, \fIhost\fR) or (\fIuser\fR,
+\fInetwork/netmask\fR) combination, or, in case of non\-networked
+logins, the first entry that matches the (\fIuser\fR, \fItty\fR)
+combination. The permissions field of that table entry determines
+whether the login will be accepted or refused.
+.PP
+Each line of the login access control table has three fields separated
+by a \fI:\fR character (colon) and looks like:
 .PP
 \fIPERMISSION\fR
 :
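Review bot: the opening paragraph of DESCRIPTION (the `Original \fBlogin.access\fR(5) manual was provided by ...` lines) is authorship history that the AUTHORS section of this same page already carries word for word; drop it here so DESCRIPTION starts with what the file does (`The \fIaccess.conf\fR file specifies ...`). If it stays, fix the grammar: it is the manual page, not Guido van Rooij, that was renamed, so something like `... provided by \fIGuido van Rooij\fR; it was renamed to \fBaccess.conf\fR(5) ...`. The rest of the hunk is a reflow of unchanged text, which is fine in itself but buries the functional changes in the later hunks; consider sending the reflow as a separate patch.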
@@ -41,39 +34,33 @@
 :
 \fIORIGINS\fR
 .PP
-The first field, the
-\fIPERMISSION\fR
-field, can be either a
-\fI+\fR
-character (plus) for access granted or a
-\fI\-\fR
-character (minus) for access denied.
+The first field, the \fIPERMISSION\fR field, can be either a \fI+\fR
+character (plus) for access granted or a \fI\-\fR character (minus)
+for access denied.
+.PP
+The second field, the \fIUSERS\fR field, should be a list of one or
+more login names, group names, or \fIALL\fR (which always matches).
+.PP
+The third field, the \fIORIGINS\fR field, should be a list of one or
+more tty names (for non\-networked logins), host names, domain names
+(begin with "."), host addresses, internet network numbers (end with
+"."), internet network addresses with network mask (where network mask
+can be a decimal number or an internet address also), \fIALL\fR (which
+always matches) or \fILOCAL\fR (which matches any string that does not
+contain a "." character). If you run NIS you can use
+\fI@\fR\fInetgroupname\fR in host or user patterns.
+.PP
+The \fIEXCEPT\fR operator makes it possible to write very compact
+rules.
+.PP
+The group file is searched only when a name does not match that of the
+logged\-in user. Only groups are matched in which users are explicitly
+listed. So be carefull if a user gots the same name like a group.
 .PP
-The second field, the
-\fIUSERS\fR
-field, should be a list of one or more login names, group names, or
-\fIALL\fR
-(which always matches).
+However a user's primary group id value will be ignored.
 .PP
-The third field, the
-\fIORIGINS\fR
-field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
-\fIALL\fR
-(which always matches) or
-\fILOCAL\fR
-(which matches any string that does not contain a "." character). If you run NIS you can use
-\fI@\fR\fInetgroupname\fR
-in host or user patterns.
-.PP
-The
-\fIEXCEPT\fR
-operator makes it possible to write very compact rules.
-.PP
-The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed: the program does not look at a user's primary group id value.
-.PP
-The
-\fI#\fR
-character at start of line (no space at front) can be used to mark this line as a comment line.
+The \fI#\fR character at start of line (no space at front) can be used
+to mark this line as a comment line.
 .PP
 \fIHINT:\fR
 .PP
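Review bot: splitting the group-matching sentence into two paragraphs changes its meaning. `However a user's primary group id value will be ignored.` now reads as a contrast, whereas the original stated it as a consequence of the previous sentence (`the program does not look at a user's primary group id value`). Keep it in one paragraph and spell the consequence out, because it decides whom a `-` rule catches: a user whose membership in a group comes only from the gid field of /etc/passwd, and not from a group entry that lists the user, does not match a rule naming that group. Also `carefull` -> `careful`, and `if a user gots the same name like a group` -> `if a user has the same name as a group`; that warning is worth keeping, since the name is tried against the logged-in user first and the group file is consulted only when that fails, so a group sharing a name with the logged-in user is never matched.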
@@ -85,113 +72,79 @@
 .PP
 \fI \- : ALL : ALL \fR
 .PP
-as last line in access control files. So it is clear that all users that aren't matched by lines before are getting access granted or denied. If you don't do this a user gets access to a service if access was not explicitly denied for him through a rule.
+as last line in access control files. So it is clear that all users
+that aren't matched by lines before are getting access granted or
+denied. If you don't do this a user gets access to a service if access
+was not explicitly denied for him through a rule.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fIaccess.conf\fR
-file.
+\fIaccess.conf\fR file.
 .PP
-User
-\fIroot\fR
-should be allowed to get access via
-\fIsu\fR,
-\fIcron\fR,
-\fIxdm\fR, X11 terminal
-\fI:0\fR, ...,
-\fItty5\fR\fItty6\fR.
+User \fIroot\fR should be allowed to get access via \fIsu\fR,
+\fIcron\fR, \fIxdm\fR, X11 terminal \fI:0\fR, ..., \fItty5\fR
+\fItty6\fR.
 .PP
 + : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6
 .PP
-User
-\fIroot\fR
-should be allowed to get access from hosts with IPv4 addresses:
+User \fIroot\fR should be allowed to get access from hosts with IPv4
+addresses:
 .PP
 + : root : 192.168.200.1 192.168.200.4 192.168.200.9
 .PP
 + : root : 127.0.0.1
 .PP
-User
-\fIroot\fR
-should get access from network
-192.168.201.
-where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of
-192.168.201.
-is
-\fI192.168.201.0/24\fR
-or
-\fI192.168.201.0/255.255.255.0\fR
-.
+User \fIroot\fR should get access from network 192.168.201.  where the
+term will be evaluated by string matching. But it might be better to
+use network/netmask instead. The same meaning of 192.168.201.  is
+\fI192.168.201.0/24\fR or \fI192.168.201.0/255.255.255.0\fR .
 .PP
 + : root : 192.168.201.
 .PP
-User
-\fIroot\fR
-should be able to have access from hosts
-\fIfoo1.bar.org\fR
-and
-\fIfoo2.bar.org\fR
-(uses string matching also).
+User \fIroot\fR should be able to have access from hosts
+\fIfoo1.bar.org\fR and \fIfoo2.bar.org\fR (uses string matching also).
 .PP
 + : root : foo1.bar.org foo2.bar.org
 .PP
-User
-\fIroot\fR
-should be able to have access from domain
+User \fIroot\fR should be able to have access from domain
 \fIfoo.bar.org (uses string matching also).\fR
 .PP
 + : root : .foo.bar.org
 .PP
-User
-\fIroot\fR
-should be denied to get access from all other sources.
+User \fIroot\fR should be denied to get access from all other sources.
 .PP
 \- : root : ALL
 .PP
-User
-\fIfoo\fR
-and members of NIS group
-\fInis_group\fR
-should be allowed to get access from all sources. This will only work if NIS service is available.
+User \fIfoo\fR and members of NIS group \fInis_group\fR should be
+allowed to get access from all sources. This will only work if NIS
+service is available.
 .PP
 + : @nis_group foo : ALL
 .PP
-User
-\fIxfs\fR
-and
-\fIfoo\fR
-should be allowed to get acccess via
-\fIsu .\fR
+User \fIxfs\fR and \fIfoo\fR should be allowed to get acccess via
+\fIsu\fR .
 .PP
 + : xfs foo : su
 .PP
-User
-\fIjohn\fR
-should get access from IPv4 net/mask.
+User \fIjohn\fR should get access from IPv4 net/mask.
 .PP
 + : john : 127.0.0.0/24
 .PP
-User
-\fIjohn\fR
-should get access from IPv4 as IPv6 net/mask.
+User \fIjohn\fR should get access from IPv4 network (represented as
+IPv6 net/mask).
 .PP
 + : john : ::ffff:127.0.0.0/127
 .PP
-User
-\fIjohn\fR
-should get access from IPv6 host address.
+User \fIjohn\fR should get access from IPv6 host address.
 .PP
 + : john : 2001:4ca0:0:101::1
 .PP
-User
-\fIjohn\fR
-should get access from IPv6 host address (same as above).
+User \fIjohn\fR should get access from IPv6 host address (same as
+above).
 .PP
 + : john : 2001:4ca0:0:101:0:0:0:1
 .PP
-User
-\fIjohn\fR
-should get access from IPv6 net/mask.
+User \fIjohn\fR should get access from IPv6 net/mask.
 .PP
 + : john : 2001:4ca0:0:101::/64
 .PP
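Review bot: the IPv4-mapped example `+ : john : ::ffff:127.0.0.0/127` does not express the `127.0.0.0/24` network of the example just above it, although the new text says it is the same IPv4 network `represented as IPv6 net/mask`. In the `::ffff:a.b.c.d` form the IPv4 address occupies the low 32 bits of the 128-bit address, so an IPv4 prefix of /24 corresponds to /(96+24) = /120; /127 leaves a single host bit and covers only `::ffff:127.0.0.0` and `::ffff:127.0.0.1`. Either change the example to `::ffff:127.0.0.0/120` or say explicitly that it matches two addresses. Minor: `acccess` -> `access`, and the double spaces in `192.168.201.  where` and `192.168.201.  is`.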
@@ -200,29 +153,19 @@
 \- : ALL : ALL
 .SH "FILES"
 .PP
-Normally the
-\fIaccess.conf\fR
-file resides in
-\fI/etc/security\fR
-but this depends on configuration at compilation time. Thats why please run
-\fBcheck_login_access\fR(8)
-to find out which is the default config file for
-\fBpam_access\fR(8).
+Normally the \fIaccess.conf\fR file resides in \fI/etc/security\fR but
+this depends on configuration at compilation time. Thats why please
+run \fBcheck_login_access\fR(8) to find out which is the default
+config file for \fBpam_access\fR(8).
 .SH "SEE ALSO"
 .PP
 \fBcheck_login_access\fR(8)\fI,\fR\fBpam_access\fR(8)\fI,\fR\fBpam.d\fR(8)\fI,\fR
-and
-\fBpam\fR(8).
+and \fBpam\fR(8).
 .SH "AUTHORS"
 .PP
-Original
-\fBlogin.access\fR(5)
-manual was provided by
-\fIGuido van Rooij\fR
-which was renamed to
-\fBaccess.conf\fR(5)
-to reflect relation to default config file.
-.PP
-\fINetwork address / netmask\fR
-description and example text was introduced by
-\fIMike Becher <mike.becher at lrz\-muenchen.de>.\fR
+Original \fBlogin.access\fR(5) manual was provided by \fIGuido van
+Rooij\fR which was renamed to \fBaccess.conf\fR(5) to reflect relation
+to default config file.
+.PP
+\fINetwork address / netmask\fR description and example text was
+introduced by \fIMike Becher <mike.becher at lrz\-muenchen.de>.\fR
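Review bot: the FILES section tells the reader to run `\fBcheck_login_access\fR(8)` to find the compiled-in path, and SEE ALSO lists it, but nothing in this patch provides that program; the diff touches only access.conf.5, login.access.5 and pam_access.c, and the reply quoted above says the external helper is not being merged at this stage. Replace the reference with the configured path (or a pointer to pam_access(8)) so the page does not cite a manual that will not exist on the installed system. Also `Thats why please run` -> `That is why you should run`.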
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/login.access.5 Linux-PAM-0.99.3.0/modules/pam_access/login.access.5
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/login.access.5	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/login.access.5	2006-01-31 20:41:32.000000000 +0100
@@ -0,0 +1 @@
+.so man5/access.conf.5
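Review bot: `.so man5/access.conf.5` is the right way to alias the page, but the patch adds no rule to install login.access.5 next to access.conf.5 (no Makefile.am change is in the diff), so the new file will sit in the source tree and never reach man5/. Add it to the pam_access man page list, and keep in mind that `.so` with a relative `man5/` path only resolves when both pages are installed under the same man root.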
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/pam_access.c Linux-PAM-0.99.3.0/modules/pam_access/pam_access.c
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/pam_access.c	2006-01-31 20:38:27.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/pam_access.c	2006-01-31 21:44:53.559653616 +0100
@@ -164,6 +164,9 @@
    const char *netmask)
 {
   int itis = NO;
+
+#if defined(HAVE_INET_PTON)
+
   /* We use struct sockaddr_storage addr because
    * struct in_addr/in6_addr is an integral part
    * of struct sockaddr and we doesn't want to
@@ -172,7 +175,7 @@
   struct sockaddr_storage addr0;
   struct sockaddr_storage addr1;
   int addr_type0 = 0;
- int addr_type1 = 0;
+  int addr_type1 = 0;
 
   /* normalize addr0 */
   itis = NO;
@@ -246,6 +249,7 @@
               sizeof(struct sockaddr_storage)) == 0) {
     return(YES);
   }
+#endif /* HAVE_INET_PTON */
 
   return(NO);
 }
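Review bot: with HAVE_INET_PTON undefined, network_netmask_match compiles down to `return(NO)` with no diagnostic, so every `network/netmask` token in access.conf silently never matches. For a `+` rule that is a harmless fail-closed, but a deny rule such as `- : ALL : 10.0.0.0/8` would stop denying without any trace in the log. Add a pam_syslog at LOG_ERR in an `#else` branch, as the netgroup_match hunk further down does for missing NIS support, so an administrator whose build lacks inet_pton finds out at the first login rather than during an audit. Also `itis` is initialised to NO at the top of the function and assigned NO again inside the `#if` block (`itis = NO;`), so one of the two can go.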
@@ -254,6 +258,8 @@
 number_to_netmask (long netmask, int addr_type,
 		   char *ipaddr_buf, size_t ipaddr_buf_len)
 {
+#if defined(HAVE_INET_NTOP)
+
   /* We use struct sockaddr_storage addr because
    * struct in_addr/in6_addr is an integral part
    * of struct sockaddr and we doesn't want to
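Review bot: guarding the whole body of number_to_netmask on HAVE_INET_NTOP makes the function return NULL unconditionally in that configuration, with all four parameters unused, which compilers warn about under -Wunused-parameter. Every caller then has to treat NULL as `token cannot match` rather than as an empty mask; an `#else` branch that logs the missing support, or at least `(void)` casts of the parameters, would make that intent explicit and keep the build warning-free.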
@@ -300,6 +306,7 @@
   if (ipaddr_dst == ipaddr_buf) {
     return (ipaddr_buf);
   }
+#endif /* HAVE_INET_NTOP */
 
   return (NULL);
 }
@@ -439,8 +446,9 @@
 netgroup_match (pam_handle_t *pamh, const char *group,
 		const char *machine, const char *user)
 {
+  int retval = NO;
+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN)
   char *mydomain = NULL;
-  int retval;
 
   yp_get_default_domain(&mydomain);
 
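Review bot: moving `int retval = NO;` above the `#if` is right, since the `#else` path in the next hunk returns it, but the context line `yp_get_default_domain(&mydomain);` still ignores the return value. If the call fails, mydomain stays NULL (the log message in the next hunk even anticipates printing `domain=NULL`) and the netgroup lookup runs with no domain; check the result and return NO with a syslog line when no domain is set, so a misconfigured NIS client does not produce an unintended match.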
@@ -451,8 +459,12 @@
 		"netgroup_match: %d (group=%s, machine=%s, user=%s, domain=%s)",
 		retval, group ? group : "NULL",  machine ? machine : "NULL",
 		user ? user : "NULL", mydomain ? mydomain : "NULL");
+#else
+  pam_syslog(pamh, LOG_ERR,
+    "netgroup_match: no NIS support, error on line with netgroup @%s",
+    group ? group : "NULL");
+#endif /* HAVE_YP_GET_DEFAULT_DOMAIN */
   return retval;
-
 }
 
 /* user_match - match a username against one token */
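Review bot: the `#else` branch logs at LOG_ERR and returns NO, which is the safe direction for a `+` rule, but it means a deny rule written with a netgroup (`- : @somegroup : ALL`) silently stops denying on a build without NIS; say so in the message, or treat an unusable `@netgroup` token as a configuration error that makes the line deny. Since this runs every time such a line is evaluated, the message repeats on every login; that is acceptable for an error this serious, but the text should name the missing dependency (`yp_get_default_domain`, the feature configure looked for) so the administrator knows what to fix.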
@@ -530,6 +542,7 @@
 	if (strchr(string, '.') == 0)
 	    return (YES);
     } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
+#if defined(HAVE_INET_NTOP)
       struct addrinfo *res;
       struct addrinfo hint;
 
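Review bot: the guard symbol does not match the dependency. The code it encloses uses getaddrinfo/freeaddrinfo (`struct addrinfo *res;`, `struct addrinfo hint;`, and `freeaddrinfo (res);` in the next hunk), not inet_ntop, so a platform with inet_ntop but without getaddrinfo still fails to build, and one with getaddrinfo but without inet_ntop loses the resolver-based match for no reason. Test for the functions actually called (HAVE_GETADDRINFO, or whatever configure defines for them) and keep HAVE_INET_NTOP for the places that format addresses.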
@@ -563,10 +576,16 @@
 	      freeaddrinfo (res);
 	    }
 	}
+#else
+  /* old simple check if the network string match */
+  if (strncmp(tok, string, tok_len) == 0)
+    return YES;
+#endif /* HAVE_INET_NTOP */
     } else  if (isipaddr(string, NULL) == YES) {
       /* Assume network/netmask with a IP of a host.  */
       if (network_netmask_match(pamh, tok, string))
 	return YES;
+#if defined(HAVE_INET_NTOP)
     } else {
       /* Assume network/netmask with a name of a host.  */
       struct addrinfo *res;
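Review bot: the `#else` fallback for a trailing-dot token (`strncmp(tok, string, tok_len) == 0`) restores the old prefix string match, which is what the manual describes for `internet network numbers (end with ".")`, but its two-space indentation does not line up with the `else if` branch it belongs to and reads as if it were at function scope; indent it to the surrounding block. Worth a comment as well: on this build path `string` is whatever PAM_RHOST holds, which may be a host name rather than an address because the resolver path was compiled out, so `192.168.201.` is compared as text against that name. That is the pre-patch behaviour, not a regression, but the reader of the fallback should know it.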
@@ -601,6 +620,7 @@
 	    }
 	  freeaddrinfo (res);
 	}
+#endif /* HAVE_INET_NTOP */
     }
 
     return NO;
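Review bot: the `#if defined(HAVE_INET_NTOP)` placed before `} else {` in the previous hunk and the `#endif` placed after that block's closing brace here make the brace structure depend on preprocessor state: with the symbol defined, the `}` above `#endif` closes the `else`; without it, the same `}` is read as closing the `else if (isipaddr(string, NULL) == YES)` block. It balances either way, but it is easy to break on the next edit and defeats brace matching in editors. Prefer keeping `} else {` and its closing `}` outside the conditional and guarding only the body, which can fall through to `return NO` when the resolver is unavailable.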
@@ -642,6 +662,8 @@
 {
   int itis = YES;
 
+#if defined(HAVE_INET_PTON)
+
   /* We use struct sockaddr_storage addr because
    * struct in_addr/in6_addr is an integral part
    * of struct sockaddr and we doesn't want to
@@ -667,6 +689,20 @@
   else
     itis = NO;
 
+#else
+
+  /* Simple check only for ipv4 addresses */
+  unsigned int i;
+
+  for (i = 0; itis && i < strlen(string); i++) {
+    itis = (string[i] == '.') || isdigit(string[i]);
+  }
+  if ((itis == YES) && (addr_type != NULL)) {
+    *addr_type = AF_INET;
+  }
+
+#endif /* HAVE_INET_PTON */
+
   return itis;
 }
 
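Review bot: the non-inet_pton fallback in isipaddr accepts far more than IPv4 addresses. `itis` starts at YES and the loop only runs over the characters present, so the empty string, a lone `.`, `...` and `1.2.3.4.5` are all reported as AF_INET addresses; in the same configuration network_netmask_match is reduced to `return(NO)`, so such strings are sent down a branch that can never match and never reach the host-name comparison. Tighten the check to exactly four dot-separated runs of one to three digits with each value at most 255, or at minimum reject the empty string and require at least one digit. Two smaller points: `isdigit(string[i])` needs an `(unsigned char)` cast (and <ctype.h>) to avoid undefined behaviour on characters above 127, and `strlen(string)` is re-evaluated on every iteration; compute it once or loop on `string[i] != '\0'`.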

