pam_login_access vs. pam_access
Mike Becher
Mike.Becher at lrz-muenchen.de
Tue Jan 31 21:36:17 UTC 2006
On Mon, 30 Jan 2006, Thorsten Kukuk wrote:
>
> On Fri, Jan 27, Thorsten Kukuk wrote:
>
> > On Thu, Jan 05, Mike Becher wrote:
> >
> > > Hi again,
> > >
> > > because I don't know whether my patch for pam_access module (please
> > > have a look at forwarded message but without patch) will be accepted
> > > by list moderator or not (message was too large, larger than 40kB
> > > because patch size is 100735 bytes) I post it again but now in 5
> > > pieces in messages with subject: "pam_access patch part X of 5"
> > >
> > > I hope this code finds the way into official distribution of
> > > Linux-PAM.
> >
> > I looked at it and the code is terrible. My first step will be to
> > merge only the basic stuff like netmasks and IPv6, not the external
> > helper and compatibility hacks.
>
> Attached is my patch against current CVS. Using IP addresses in
> access.conf works now, even if PAM_RHOSTS is set to a name. It
> also looks at all IP addresses, not only the first one.
>
> This patch is topic for discussion, at least the access.conf.5 manual
> page needs some rework.
Thanks for your effort. I have looked at the patch and have done some
changes.

1) My patch includes creation of the missing manual page login.access.5.

2) If we check whether inet_ntop, inet_pton and yp_get_default_domain exist,
then we should provide some alternative if configure does not find them.
I think compilation should work also, and I have inserted some #ifdefs
and some snippets of original code from pam_access.c. What do you think
about that?

3) Some corrections in access.conf.5.

I think it is OK if someone can use the module only in the case of `account' and
`auth'. That's it for now...
Best regards,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher at lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-289-28721
Gruppe Hochleistungssysteme fax: +49-89-280-9460
Barer Strasse 21
D-80333 Muenchen
Germany
-----------------------------------------------------------------------------
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5 Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5 2006-01-31 20:38:27.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5 2006-01-31 22:16:35.547507512 +0100
@@ -11,29 +11,22 @@
access.conf \- The login access control table file
.SH "DESCRIPTION"
.PP
-Original
-\fBlogin.access\fR(5)
-manual was provided by
-\fIGuido van Rooij\fR
-which was renamed to
-\fBaccess.conf\fR(5)
-to reflect relation to default config file. The
-\fIaccess.conf\fR
-file specifies (\fIuser\fR,
-\fIhost\fR), (\fIuser\fR,
-\fInetwork/netmask\fR) or (\fIuser\fR,
-\fItty\fR) combinations for which a login will be either accepted or refused.
-.PP
-When someone logs in, the file
-\fIaccess.conf\fR
-is scanned for the first entry that matches the (\fIuser\fR,
-\fIhost\fR) or (\fIuser\fR,
-\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR,
-\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused.
-.PP
-Each line of the login access control table has three fields separated by a
-\fI:\fR
-character (colon) and looks like:
+Original \fBlogin.access\fR(5) manual was provided by \fIGuido van
+Rooij\fR which was renamed to \fBaccess.conf\fR(5) to reflect relation
+to default config file. The \fIaccess.conf\fR file specifies
+(\fIuser\fR, \fIhost\fR), (\fIuser\fR, \fInetwork/netmask\fR) or
+(\fIuser\fR, \fItty\fR) combinations for which a login will be either
+accepted or refused.
+.PP
+When someone logs in, the file \fIaccess.conf\fR is scanned for the
+first entry that matches the (\fIuser\fR, \fIhost\fR) or (\fIuser\fR,
+\fInetwork/netmask\fR) combination, or, in case of non\-networked
+logins, the first entry that matches the (\fIuser\fR, \fItty\fR)
+combination. The permissions field of that table entry determines
+whether the login will be accepted or refused.
+.PP
+Each line of the login access control table has three fields separated
+by a \fI:\fR character (colon) and looks like:
.PP
\fIPERMISSION\fR
:
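Review bot: the reflowed opening paragraph ("Original \fBlogin.access\fR(5) manual was provided by \fIGuido van Rooij\fR which was renamed ...") still reads as if the author, not the manual, was renamed, and it repeats the AUTHORS section word for word. Suggest starting DESCRIPTION at "The \fIaccess.conf\fR file specifies ..." and leaving the provenance to AUTHORS.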
@@ -41,39 +34,33 @@
:
\fIORIGINS\fR
.PP
-The first field, the
-\fIPERMISSION\fR
-field, can be either a
-\fI+\fR
-character (plus) for access granted or a
-\fI\-\fR
-character (minus) for access denied.
+The first field, the \fIPERMISSION\fR field, can be either a \fI+\fR
+character (plus) for access granted or a \fI\-\fR character (minus)
+for access denied.
+.PP
+The second field, the \fIUSERS\fR field, should be a list of one or
+more login names, group names, or \fIALL\fR (which always matches).
+.PP
+The third field, the \fIORIGINS\fR field, should be a list of one or
+more tty names (for non\-networked logins), host names, domain names
+(begin with "."), host addresses, internet network numbers (end with
+"."), internet network addresses with network mask (where network mask
+can be a decimal number or an internet address also), \fIALL\fR (which
+always matches) or \fILOCAL\fR (which matches any string that does not
+contain a "." character). If you run NIS you can use
+\fI@\fR\fInetgroupname\fR in host or user patterns.
+.PP
+The \fIEXCEPT\fR operator makes it possible to write very compact
+rules.
+.PP
+The group file is searched only when a name does not match that of the
+logged\-in user. Only groups are matched in which users are explicitly
+listed. So be carefull if a user gots the same name like a group.
.PP
-The second field, the
-\fIUSERS\fR
-field, should be a list of one or more login names, group names, or
-\fIALL\fR
-(which always matches).
+However a user's primary group id value will be ignored.
.PP
-The third field, the
-\fIORIGINS\fR
-field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
-\fIALL\fR
-(which always matches) or
-\fILOCAL\fR
-(which matches any string that does not contain a "." character). If you run NIS you can use
-\fI@\fR\fInetgroupname\fR
-in host or user patterns.
-.PP
-The
-\fIEXCEPT\fR
-operator makes it possible to write very compact rules.
-.PP
-The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed: the program does not look at a user's primary group id value.
-.PP
-The
-\fI#\fR
-character at start of line (no space at front) can be used to mark this line as a comment line.
+The \fI#\fR character at start of line (no space at front) can be used
+to mark this line as a comment line.
.PP
\fIHINT:\fR
.PP
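Review bot: the new sentence "So be carefull if a user gots the same name like a group." has three errors (careful, has, as), and the one-line paragraph "However a user's primary group id value will be ignored." is now detached from the group-matching rule it qualifies. Suggest one paragraph: "Only groups are matched in which users are explicitly listed; a user's primary group id is not considered. Be careful if a user has the same name as a group."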
@@ -85,113 +72,79 @@
.PP
\fI \- : ALL : ALL \fR
.PP
-as last line in access control files. So it is clear that all users that aren't matched by lines before are getting access granted or denied. If you don't do this a user gets access to a service if access was not explicitly denied for him through a rule.
+as last line in access control files. So it is clear that all users
+that aren't matched by lines before are getting access granted or
+denied. If you don't do this a user gets access to a service if access
+was not explicitly denied for him through a rule.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
-\fIaccess.conf\fR
-file.
+\fIaccess.conf\fR file.
.PP
-User
-\fIroot\fR
-should be allowed to get access via
-\fIsu\fR,
-\fIcron\fR,
-\fIxdm\fR, X11 terminal
-\fI:0\fR, ...,
-\fItty5\fR\fItty6\fR.
+User \fIroot\fR should be allowed to get access via \fIsu\fR,
+\fIcron\fR, \fIxdm\fR, X11 terminal \fI:0\fR, ..., \fItty5\fR
+\fItty6\fR.
.PP
+ : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6
.PP
-User
-\fIroot\fR
-should be allowed to get access from hosts with IPv4 addresses:
+User \fIroot\fR should be allowed to get access from hosts with IPv4
+addresses:
.PP
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
.PP
+ : root : 127.0.0.1
.PP
-User
-\fIroot\fR
-should get access from network
-192.168.201.
-where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of
-192.168.201.
-is
-\fI192.168.201.0/24\fR
-or
-\fI192.168.201.0/255.255.255.0\fR
-.
+User \fIroot\fR should get access from network 192.168.201. where the
+term will be evaluated by string matching. But it might be better to
+use network/netmask instead. The same meaning of 192.168.201. is
+\fI192.168.201.0/24\fR or \fI192.168.201.0/255.255.255.0\fR .
.PP
+ : root : 192.168.201.
.PP
-User
-\fIroot\fR
-should be able to have access from hosts
-\fIfoo1.bar.org\fR
-and
-\fIfoo2.bar.org\fR
-(uses string matching also).
+User \fIroot\fR should be able to have access from hosts
+\fIfoo1.bar.org\fR and \fIfoo2.bar.org\fR (uses string matching also).
.PP
+ : root : foo1.bar.org foo2.bar.org
.PP
-User
-\fIroot\fR
-should be able to have access from domain
+User \fIroot\fR should be able to have access from domain
\fIfoo.bar.org (uses string matching also).\fR
.PP
+ : root : .foo.bar.org
.PP
-User
-\fIroot\fR
-should be denied to get access from all other sources.
+User \fIroot\fR should be denied to get access from all other sources.
.PP
\- : root : ALL
.PP
-User
-\fIfoo\fR
-and members of NIS group
-\fInis_group\fR
-should be allowed to get access from all sources. This will only work if NIS service is available.
+User \fIfoo\fR and members of NIS group \fInis_group\fR should be
+allowed to get access from all sources. This will only work if NIS
+service is available.
.PP
+ : @nis_group foo : ALL
.PP
-User
-\fIxfs\fR
-and
-\fIfoo\fR
-should be allowed to get acccess via
-\fIsu .\fR
+User \fIxfs\fR and \fIfoo\fR should be allowed to get acccess via
+\fIsu\fR .
.PP
+ : xfs foo : su
.PP
-User
-\fIjohn\fR
-should get access from IPv4 net/mask.
+User \fIjohn\fR should get access from IPv4 net/mask.
.PP
+ : john : 127.0.0.0/24
.PP
-User
-\fIjohn\fR
-should get access from IPv4 as IPv6 net/mask.
+User \fIjohn\fR should get access from IPv4 network (represented as
+IPv6 net/mask).
.PP
+ : john : ::ffff:127.0.0.0/127
.PP
-User
-\fIjohn\fR
-should get access from IPv6 host address.
+User \fIjohn\fR should get access from IPv6 host address.
.PP
+ : john : 2001:4ca0:0:101::1
.PP
-User
-\fIjohn\fR
-should get access from IPv6 host address (same as above).
+User \fIjohn\fR should get access from IPv6 host address (same as
+above).
.PP
+ : john : 2001:4ca0:0:101:0:0:0:1
.PP
-User
-\fIjohn\fR
-should get access from IPv6 net/mask.
+User \fIjohn\fR should get access from IPv6 net/mask.
.PP
+ : john : 2001:4ca0:0:101::/64
.PP
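Review bot: the IPv4-mapped example "+ : john : ::ffff:127.0.0.0/127" does not correspond to the "+ : john : 127.0.0.0/24" example just above it, although the text presents it as the same network in IPv6 form. An IPv4-mapped address keeps the 32 IPv4 bits at the low end of the 128-bit address, so 127.0.0.0/24 is ::ffff:127.0.0.0/120; a /127 covers only 127.0.0.0 and 127.0.0.1. A reader who copies the example gets a rule far narrower than the text promises, and a deny rule written the same way would leave most of the intended network uncovered. Also fix "acccess" in the \fIxfs\fR/\fIfoo\fR sentence and the stray space in "\fIsu\fR .".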
@@ -200,29 +153,19 @@
\- : ALL : ALL
.SH "FILES"
.PP
-Normally the
-\fIaccess.conf\fR
-file resides in
-\fI/etc/security\fR
-but this depends on configuration at compilation time. Thats why please run
-\fBcheck_login_access\fR(8)
-to find out which is the default config file for
-\fBpam_access\fR(8).
+Normally the \fIaccess.conf\fR file resides in \fI/etc/security\fR but
+this depends on configuration at compilation time. Thats why please
+run \fBcheck_login_access\fR(8) to find out which is the default
+config file for \fBpam_access\fR(8).
.SH "SEE ALSO"
.PP
\fBcheck_login_access\fR(8)\fI,\fR\fBpam_access\fR(8)\fI,\fR\fBpam.d\fR(8)\fI,\fR
-and
-\fBpam\fR(8).
+and \fBpam\fR(8).
.SH "AUTHORS"
.PP
-Original
-\fBlogin.access\fR(5)
-manual was provided by
-\fIGuido van Rooij\fR
-which was renamed to
-\fBaccess.conf\fR(5)
-to reflect relation to default config file.
-.PP
-\fINetwork address / netmask\fR
-description and example text was introduced by
-\fIMike Becher <mike.becher at lrz\-muenchen.de>.\fR
+Original \fBlogin.access\fR(5) manual was provided by \fIGuido van
+Rooij\fR which was renamed to \fBaccess.conf\fR(5) to reflect relation
+to default config file.
+.PP
+\fINetwork address / netmask\fR description and example text was
+introduced by \fIMike Becher <mike.becher at lrz\-muenchen.de>.\fR
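Review bot: FILES tells the reader to run \fBcheck_login_access\fR(8) and SEE ALSO lists it, but that external helper is exactly what the maintainer said above he would not merge, so the manual would reference a command that does not ship with this module. Suggest stating the compiled-in default path instead, or dropping the reference until the helper exists. "Thats why please run" should also read "That is why you should run".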
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/login.access.5 Linux-PAM-0.99.3.0/modules/pam_access/login.access.5
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/login.access.5 1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/login.access.5 2006-01-31 20:41:32.000000000 +0100
@@ -0,0 +1 @@
+.so man5/access.conf.5
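Review bot: the one-line ".so man5/access.conf.5" alias only resolves if both pages are installed into the same man tree, and the patch contains no Makefile.am change that installs login.access.5, so the new page would not be built or installed. Add the install rule alongside the new file.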
diff -u -r -N Linux-PAM-0.99.3.0.kukuk/modules/pam_access/pam_access.c Linux-PAM-0.99.3.0/modules/pam_access/pam_access.c
--- Linux-PAM-0.99.3.0.kukuk/modules/pam_access/pam_access.c 2006-01-31 20:38:27.000000000 +0100
+++ Linux-PAM-0.99.3.0/modules/pam_access/pam_access.c 2006-01-31 21:44:53.559653616 +0100
@@ -164,6 +164,9 @@
const char *netmask)
{
int itis = NO;
+
+#if defined(HAVE_INET_PTON)
+
/* We use struct sockaddr_storage addr because
* struct in_addr/in6_addr is an integral part
* of struct sockaddr and we doesn't want to
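Review bot: `int itis = NO;` stays outside the new `#if defined(HAVE_INET_PTON)` while every use of it is inside, so a build without inet_pton gets an unused-variable warning; move the declaration inside the guarded block, since the unconditional `return(NO)` at the end of the function does not need it.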
@@ -172,7 +175,7 @@
struct sockaddr_storage addr0;
struct sockaddr_storage addr1;
int addr_type0 = 0;
- int addr_type1 = 0;
+ int addr_type1 = 0;
/* normalize addr0 */
itis = NO;
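Review bot: this hunk changes only whitespace on `int addr_type1 = 0;` (the removed and added lines are otherwise identical); drop it to keep the patch minimal and reviewable.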
@@ -246,6 +249,7 @@
sizeof(struct sockaddr_storage)) == 0) {
return(YES);
}
+#endif /* HAVE_INET_PTON */
return(NO);
}
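Review bot: when HAVE_INET_PTON is not defined, network_netmask_match() falls through `#endif /* HAVE_INET_PTON */` to `return(NO)` with no diagnostic, so every network/netmask token in access.conf silently never matches: a `- : user : 10.0.0.0/8` line does nothing and a later `+ : ALL : ALL` grants the access. Log this with pam_syslog() at LOG_ERR, as netgroup_match() does further down, so the administrator can see the rule is inert.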
@@ -254,6 +258,8 @@
number_to_netmask (long netmask, int addr_type,
char *ipaddr_buf, size_t ipaddr_buf_len)
{
+#if defined(HAVE_INET_NTOP)
+
/* We use struct sockaddr_storage addr because
* struct in_addr/in6_addr is an integral part
* of struct sockaddr and we doesn't want to
@@ -300,6 +306,7 @@
if (ipaddr_dst == ipaddr_buf) {
return (ipaddr_buf);
}
+#endif /* HAVE_INET_NTOP */
return (NULL);
}
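Review bot: number_to_netmask() now returns NULL unconditionally when HAVE_INET_NTOP is undefined, and, as in network_netmask_match(), the failure is silent; every caller must then tolerate NULL for any numeric netmask. A pam_syslog() warning here would make the degraded build visible to the administrator.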
@@ -439,8 +446,9 @@
netgroup_match (pam_handle_t *pamh, const char *group,
const char *machine, const char *user)
{
+ int retval = NO;
+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN)
char *mydomain = NULL;
- int retval;
yp_get_default_domain(&mydomain);
@@ -451,8 +459,12 @@
"netgroup_match: %d (group=%s, machine=%s, user=%s, domain=%s)",
retval, group ? group : "NULL", machine ? machine : "NULL",
user ? user : "NULL", mydomain ? mydomain : "NULL");
+#else
+ pam_syslog(pamh, LOG_ERR,
+ "netgroup_match: no NIS support, error on line with netgroup @%s",
+ group ? group : "NULL");
+#endif /* HAVE_YP_GET_DEFAULT_DOMAIN */
return retval;
-
}
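Review bot: the new `#else` branch logs at LOG_ERR on every evaluation of a @netgroup token, which is once per login attempt per rule, so a single netgroup rule in access.conf floods syslog on a NIS-less build; consider LOG_WARNING and wording that says the rule is ignored rather than "error on line". Since the function returns NO, a `- : @netgroup : ALL` deny rule is inert in this build, and the manual's "This will only work if NIS service is available" should say so explicitly. The removed blank line before the closing brace is an unrelated whitespace change.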
/* user_match - match a username against one token */
@@ -530,6 +542,7 @@
if (strchr(string, '.') == 0)
return (YES);
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
+#if defined(HAVE_INET_NTOP)
struct addrinfo *res;
struct addrinfo hint;
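Review bot: the guard `#if defined(HAVE_INET_NTOP)` here protects a block that calls getaddrinfo()/freeaddrinfo() (visible in the next hunk), not inet_ntop(), so the macro tested does not correspond to the function whose availability matters. Configure should check for getaddrinfo and that macro should guard this block; otherwise a system with inet_ntop but without getaddrinfo still fails to compile.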
@@ -563,10 +576,16 @@
freeaddrinfo (res);
}
}
+#else
+ /* old simple check if the network string match */
+ if (strncmp(tok, string, tok_len) == 0)
+ return YES;
+#endif /* HAVE_INET_NTOP */
} else if (isipaddr(string, NULL) == YES) {
/* Assume network/netmask with a IP of a host. */
if (network_netmask_match(pamh, tok, string))
return YES;
+#if defined(HAVE_INET_NTOP)
} else {
/* Assume network/netmask with a name of a host. */
struct addrinfo *res;
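Review bot: the `#else` fallback `strncmp(tok, string, tok_len)` is a plain prefix match, so it works only when `string` is already a dotted IP address; when PAM_RHOST holds a host name (the case the maintainer's patch above was written to handle), a network-number rule such as `192.168.201.` silently never matches in this build, and an administrator relying on a `- : user : 192.168.201.` deny line gets no warning. Document the limitation in access.conf.5 or log it from this branch.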
@@ -601,6 +620,7 @@
}
freeaddrinfo (res);
}
+#endif /* HAVE_INET_NTOP */
}
return NO;
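Review bot: the `#endif /* HAVE_INET_NTOP */` here closes a guard that was opened directly in front of `} else {` in the previous hunk, so which `{` the following `}` closes depends on the macro: with HAVE_INET_NTOP it ends the `else` block, without it the `else if (isipaddr(...))` block. It compiles either way, but moving the #if/#endif inside the else block (leaving `} else {` unconditional, with an empty body when the macro is undefined) keeps the brace structure independent of configuration.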
@@ -642,6 +662,8 @@
{
int itis = YES;
+#if defined(HAVE_INET_PTON)
+
/* We use struct sockaddr_storage addr because
* struct in_addr/in6_addr is an integral part
* of struct sockaddr and we doesn't want to
@@ -667,6 +689,20 @@
else
itis = NO;
+#else
+
+ /* Simple check only for ipv4 addresses */
+ unsigned int i;
+
+ for (i = 0; itis && i < strlen(string); i++) {
+ itis = (string[i] == '.') || isdigit(string[i]);
+ }
+ if ((itis == YES) && (addr_type != NULL)) {
+ *addr_type = AF_INET;
+ }
+
+#endif /* HAVE_INET_PTON */
+
return itis;
}
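Review bot: the fallback isipaddr() classifier accepts strings that are not IPv4 addresses: `itis` starts at YES, so an empty string never enters the loop and is reported as an address, and "...", "192.168" or "1.2.3.4.5" all pass because the loop only checks that every character is a digit or a dot. isdigit() also needs <ctype.h> and should be called as `isdigit((unsigned char)string[i])` to avoid undefined behaviour on high-bit characters, and strlen() is re-evaluated on every iteration. Suggest returning NO for an empty string and requiring exactly four groups of one to three digits separated by three dots.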