[PATCH] Default behaviour of pam_access

Andrew Stribblehill a.d.stribblehill at durham.ac.uk
Sat Jan 22 22:03:10 UTC 2005


I was caught out by the fact that pam_access defaults to allowing
access. Had I been asked what its default was, I would have said
PAM_IGNORE.

I offer this patch which leaves the default at PAM_SUCCESS but allows
the administrator to specify an alternative default as a module
option with default=[allow|ignore|deny].

I haven't patched the sysadmin's guide; I will send a patch to the
SGML if this patch is accepted.

-- 
ROCKALL MALIN
NORTHEAST 5 TO 7 BACKING NORTHWEST 4 OR 5, OCCASIONALLY 6 IN MALIN.
MAINLY FAIR. GOOD
-------------- next part --------------
diff -Naur pam_access.orig/README pam_access/README
--- pam_access.orig/README	2001-04-29 05:17:16.000000000 +0100
+++ pam_access/README	2005-01-22 21:45:38.000000000 +0000
@@ -11,6 +11,9 @@
 # logins, the first entry that matches the (user, tty) combination.  The
 # permissions field of that table entry determines whether the login will 
 # be accepted or refused.
+#
+# If no line matches, access will be ALLOWED. To alter this, specify the module
+# argument 'default=[allow|ignore|deny]'.
 # 
 # Format of the login access control table is three fields separated by a
 # ":" character:
diff -Naur pam_access.orig/access.conf pam_access/access.conf
--- pam_access.orig/access.conf	2005-01-21 12:01:20.000000000 +0000
+++ pam_access/access.conf	2005-01-22 21:48:01.000000000 +0000
@@ -6,6 +6,9 @@
 # permissions field of that table entry determines whether the login will 
 # be accepted or refused.
 # 
+# If no line matches, access will be ALLOWED. To alter this, specify the module
+# argument 'default=[allow|ignore|deny]'.
+#
 # Format of the login access control table is three fields separated by a
 # ":" character:
 #
diff -Naur pam_access.orig/pam_access.c pam_access/pam_access.c
--- pam_access.orig/pam_access.c	2005-01-21 12:01:20.000000000 +0000
+++ pam_access/pam_access.c	2005-01-21 16:45:00.000000000 +0000
@@ -87,6 +87,7 @@
 
 static const char *fs = ":";			/* field separator */
 static const char sep[] = ", \t";		/* list-element separator */
+static int def_ret = PAM_SUCCESS;		/* default return status */
 
  /* Constants to be used in assignments only, not in comparisons... */
 
@@ -122,6 +123,7 @@
 static int parse_args(struct login_info *loginfo, int argc, const char **argv)
 {
     int i;
+    const char *cp;
 
     for (i=0; i<argc; ++i) {
 	if (!strncmp("fieldsep=", argv[i], 9)) {
@@ -140,7 +142,11 @@
 			 , loginfo->service, 11 + argv[i]);
 		return 0;
 	    }
-	    
+	} else if (!strncmp("default=",argv[i],8)) {
+	    cp = argv[i]+8;
+	    if (!strncmp("allow",cp,5)) {def_ret=PAM_SUCCESS;}
+	    else if (!strncmp("deny",cp,4)) {def_ret=PAM_PERM_DENIED;}
+	    else if (!strncmp("ignore",cp,6)) {def_ret=PAM_IGNORE;}
 	} else {
 	    _log_err("unrecognized option [%s]", argv[i]);
 	}
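Review bot: A `default=` value that is none of allow/deny/ignore is silently dropped, so a typo such as `default=dney` leaves def_ret at PAM_SUCCESS (fail-open) with no trace in the log; the chain needs a final branch mirroring the existing option handling, `else { _log_err("unrecognized value for default= [%s]", cp); }`. The prefix comparisons also accept any value that merely starts with the keyword (`default=denyx` is read as deny), so `strcmp` on the full value is the better test here. Separately, def_ret is a file-static set only when the option is present (declaration in the hunk at -87), so a call of this module without `default=` after one with it inherits the earlier value; parse_args should reset `def_ret = PAM_SUCCESS;` before the loop. parse_args's body continues outside the hunk.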
@@ -213,7 +219,8 @@
     } else if (errno != ENOENT) {
 	_log_err("cannot open %s: %m", item->config_file);
     }
-    return (match == 0 || (line[0] == '+'));
+    if (match == 0) return def_ret;
+    return (line[0] == '+')?PAM_SUCCESS:PAM_PERM_DENIED;
 }
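Review bot: login_access now returns a PAM status instead of the boolean it returned before, and nothing in the hunk documents that change; if the function's header comment (outside the hunk) still describes a true/false result it should be updated. A suitable comment above the return lines would be `/* No matching line, or the table could not be read: return the default= setting; otherwise map '+' to PAM_SUCCESS and anything else to PAM_PERM_DENIED. */`. Note that the `errno != ENOENT` path just above only logs, so an unreadable table presumably falls through to def_ret as well; that seems worth stating in the comment, since with the default of allow it is a fail-open path. login_access begins outside the hunk.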
 
 /* list_match - match an item against a list of tokens with exceptions */
@@ -402,6 +409,7 @@
     const char *user=NULL, *service=NULL;
     char *from=NULL;
     struct passwd *user_pw;
+    int ret;
 
     if ((pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
 	!= PAM_SUCCESS) || (service == NULL) || (*service == ' ')) {
@@ -466,11 +474,14 @@
 	return PAM_ABORT;
     }
 
-    if (login_access(&loginfo)) {
-	return (PAM_SUCCESS);
-    } else {
-	_log_err("access denied for user `%s' from `%s'",user,from);
-	return (PAM_PERM_DENIED);
+    switch (ret=login_access(&loginfo)) {
+	case PAM_SUCCESS:
+	case PAM_IGNORE:
+		return ret;
+		break;
+	default:
+		_log_err("access denied for user `%s' from `%s'",user,from);
+		return (PAM_PERM_DENIED);
     }
 }
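Review bot: The `break;` after `return ret;` in the PAM_SUCCESS/PAM_IGNORE case is unreachable and reads as if a fall-through were possible; drop it. Embedding the assignment in the switch head also hides the call, so `ret = login_access(&loginfo);` followed by `switch (ret) {` would be clearer and lets a reader see where ret is set. The enclosing function starts outside the hunk.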
 

