pam_login_access vs. pam_access (fwd)
Thorsten Kukuk
kukuk at suse.de
Fri Jan 27 20:39:51 UTC 2006
On Thu, Jan 05, Mike Becher wrote:
> Hi again,
>
> because I don't know whether my patch for pam_access module (please
> have a look at forwarded message but without patch) will be accepted
> by list moderator or not (message was too large, larger than 40kB
> because patch size is 100735 bytes) I post it again but now in 5
> pieces in messages with subject: "pam_access patch part X of 5"
>
> I hope this code finds the way into official distribution of
> Linux-PAM.

I looked at it and the code is terrible. My first step will be to
merge only the basic stuff like netmasks and IPv6, not the external
helper and compatibility hacks.

At first, functions like convert_hostname_r are by no means thread
safe/reentrant only because they use no static buffer, as long as
they use non-reentrant functions like gethostbyname().

The second problem is that from gethostbyname only the first IP is
used. This was already broken in the old version, but now it depends
on if the IPv4 or the IPv6 address is the first one which is returned,
pure luck if this is really working.

getaddrinfo should be used instead.

Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk at suse.de
SUSE LINUX Products GmbH Maxfeldstr. 5 D-90409 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
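
An added example, not part of the original message and not Linux-PAM code: a netmask check that resolves the host with getaddrinfo() and tests every returned address, IPv4 or IPv6, instead of only the first one. The names host_in_network, prefix_eq and raw_addr are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo() under strict -std= modes */
#endif
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Compare the first `prefix` bits of two raw addresses. */
static int prefix_eq(const unsigned char *a, const unsigned char *b, int prefix)
{
    int full = prefix / 8, rest = prefix % 8;
    if (memcmp(a, b, (size_t)full) != 0) return 0;
    if (rest == 0) return 1;
    return ((a[full] ^ b[full]) & (0xff << (8 - rest)) & 0xff) == 0;
}

/* Raw address bytes and bit length of one getaddrinfo() result. */
static const unsigned char *raw_addr(const struct addrinfo *ai, int *bits)
{
    *bits = (ai->ai_family == AF_INET) ? 32 : 128;
    if (ai->ai_family == AF_INET)
        return (const unsigned char *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr;
    if (ai->ai_family == AF_INET6)
        return (const unsigned char *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
    return NULL;
}

/* 1 if ANY address of `host` lies in net/prefix, 0 if none, -1 on error. */
int host_in_network(const char *host, const char *net, int prefix)
{
    struct addrinfo hints, *nres = NULL, *hres = NULL, *ai;
    const unsigned char *n, *h;
    int nbits, hbits, found = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* accept IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;   /* one list entry per address */
    hints.ai_flags = AI_NUMERICHOST;   /* the network must be a literal */
    if (getaddrinfo(net, NULL, &hints, &nres) != 0) return -1;
    n = raw_addr(nres, &nbits);
    if (n == NULL || prefix < 0 || prefix > nbits) { freeaddrinfo(nres); return -1; }
    hints.ai_flags = 0;                /* host may be a name with several addresses */
    if (getaddrinfo(host, NULL, &hints, &hres) != 0) { freeaddrinfo(nres); return -1; }
    for (ai = hres; ai != NULL && !found; ai = ai->ai_next) {
        h = raw_addr(ai, &hbits);      /* same family and same prefix bits? */
        found = (h != NULL && hbits == nbits && prefix_eq(h, n, prefix));
    }
    freeaddrinfo(hres);
    freeaddrinfo(nres);
    return found;
}
```

getaddrinfo() keeps its results in caller-owned memory released with freeaddrinfo(), so the function holds no shared static state.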