pam_access.so not recognizing host name in access.conf

Josef Moellers jmoellers at suse.de
Tue Feb 7 12:36:28 UTC 2017


On 03.02.2017 14:52, Tomas Mraz wrote:
> On Fri, 2017-01-27 at 14:09 +0100, Josef Moellers wrote:
>> On 26.01.2017 16:40, Josef Moellers wrote:
>>> Hi,
>>> The following specification in access.conf does not work as
>>> expected:
>>> -:username:ALL EXCEPT localhost
>>> The manual page access.conf.5 claims that the third field may
>>> contain
>>> host names, but the code only checks for numerical IP addresses by
>>> calling inet_pton().
>>> Is this desired behavior or am I missing something?
>>> I'm willing to write a patch.
>>
>> I suspect that "tok" and "string" need to be swapped in the second
>> half
>> of network_netmask_match():
> 
> No, this is not the case, the code is correct in what it is intended to
> do. What is simply missing is the matching for the case where the
> application calling the PAM module sets PAM_RHOST to an IP address (or
> an alias name) and you want to use localhost in access.conf.
> 
> I am not saying that support for this cannot be added but it is another
> matching code to add, you cannot simply hijack network_netmask_match()
> for that purpose.

I have attached a patch which will build an addrinfo list from "tok" and
match the given IP address ("string") against all the members of this
list, returning YES on the first match. In the case of an IP address in
access.conf, the list contains only a single member, the IP address
itself; in the case of a hostname, the list will contain all IP addresses
the hostname resolves to.

While going through the code, I also found one bug:
            char *endptr = NULL;
            netmask = strtol(netmask_ptr, &endptr, 0);
-           if ((endptr == NULL) || (*endptr != '\0'))
+           if ((endptr == netmask_ptr) || (*endptr != '\0'))
                { /* invalid netmask value */
                  return NO;
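Review bot: the corrected condition is the right one for this hunk: strtol() always stores into *endptr when endptr is non-NULL, so the old `(endptr == NULL)` test could never be true, and a netmask string with no digits at all (for example a bare trailing "/") was silently accepted as netmask 0 instead of being rejected; `endptr == netmask_ptr` is exactly the "no digits" signal the man page describes. Two things are not covered by the visible lines: the parsed value is not bounded here, so unless a later check rejects a negative or oversized prefix length (larger than 32 for IPv4 or 128 for IPv6) a range check belongs next to this one, and an overflowing value makes strtol() return LONG_MIN/LONG_MAX with errno set to ERANGE, which the endptr test alone does not catch.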

From the manual page of strtXXX:
"If  endptr is not NULL, strtol() stores the address of the first
invalid character in *endptr.  If there were no digits at all, strtol()
stores the original value of nptr in *endptr (and returns 0)."

Josef
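An added example, written from the description above and not taken from the attached patch (which is not reproduced on this page): host_addr_match() resolves the access.conf token into an addrinfo list and compares the PAM_RHOST IP literal against every member, and parse_netmask() applies the corrected strtol() check, with a range check added on top. The function names, the YES/NO values and the added bounds check are assumptions.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#define YES 1
#define NO  0

/* Netmask parse with the corrected strtol() check from the patch: strtol()
 * always sets *endptr, so "endptr == NULL" never fires; "endptr == nptr"
 * catches an empty or non-numeric string. The bounds check is added here
 * (assumption, not part of the original code). */
static int parse_netmask(const char *netmask_ptr, int maxbits, long *out)
{
    char *endptr = NULL;
    long netmask = strtol(netmask_ptr, &endptr, 0);
    if (endptr == netmask_ptr || *endptr != '\0') return NO; /* bad digits */
    if (netmask < 0 || netmask > maxbits) return NO;       /* out of range */
    *out = netmask;
    return YES;
}

/* Resolve the access.conf token (hostname or IP literal) to an addrinfo
 * list and return YES if the PAM_RHOST IP literal equals any member. */
static int host_addr_match(const char *tok, const char *string)
{
    struct addrinfo hints, *res = NULL, *ai;
    struct in_addr a4; struct in6_addr a6;
    int family, rv = NO;
    if (inet_pton(AF_INET, string, &a4) == 1)       family = AF_INET;
    else if (inet_pton(AF_INET6, string, &a6) == 1) family = AF_INET6;
    else return NO;                            /* PAM_RHOST is not an IP */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;        /* only candidates of the same family */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address, not per proto */
    if (getaddrinfo(tok, NULL, &hints, &res) != 0) return NO; /* unresolvable */
    for (ai = res; ai && rv == NO; ai = ai->ai_next) {
        if (family == AF_INET) {
            struct sockaddr_in *s = (struct sockaddr_in *)ai->ai_addr;
            rv = memcmp(&s->sin_addr, &a4, sizeof a4) == 0;
        } else {
            struct sockaddr_in6 *s = (struct sockaddr_in6 *)ai->ai_addr;
            rv = memcmp(&s->sin6_addr, &a6, sizeof a6) == 0;
        }
    }
    freeaddrinfo(res);
    return rv;
}
```

With a hostname token such as "localhost", getaddrinfo() returns every address the name resolves to (IPv4 and IPv6 entries of the family requested), so one token can cover several addresses.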
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam-hostnames-in-access_conf.patch
Type: text/x-patch
Size: 5536 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20170207/c609c619/attachment.bin>