static int user_match(char *tok, struct login_info *item)
{
char *string = item->user->pw_name;
struct login_info fake_item;
struct group *group;
int i;
char *at;
/*
* If a token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the username, if the
* token is a group that contains the username, or if the token is the
* name of the user's primary group.
*/
if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
*at = 0;
fake_item.from = myhostname();
return (user_match(tok, item) && from_match(at + 1, &fake_item));
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, (char *) 0, string));
} else if (string_match(tok, string)) { /* ALL or exact match */
return (YES);
} else if ((group = getgrnam(tok))) { /* try group membership */
if (item->user->pw_gid == group->gr_gid)
return (YES);
for (i = 0; group->gr_mem[i]; i++)
if (strcasecmp(string, group->gr_mem[i]) == 0)
return (YES);
}
return (NO);
}
static int
user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
char *string = item->user->pw_name;
struct login_info fake_item;
char *at;
int rv;
if (item->debug)
pam_syslog (pamh, LOG_DEBUG,
"user_match: tok=%s, item=%s", tok, string);
/*
* If a token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the username, if the
* token is a group that contains the username, or if the token is the
* name of the user's primary group.
*/
/* Try to split on a pattern (@*[^@]+)(@+.*) */
for (at = tok; *at == '@'; ++at);
if ((at = strchr(at, '@')) != NULL) {
/* split user@host pattern */
if (item->hostname == NULL)
return NO;
memcpy (&fake_item, item, sizeof(fake_item));
fake_item.from = item->hostname;
fake_item.gai_rv = 0;
fake_item.res = NULL;
fake_item.from_remote_host = 1; /* hostname should be resolvable */
*at = 0;
if (!user_match (pamh, tok, item))
return NO;
rv = from_match (pamh, at + 1, &fake_item);
if (fake_item.gai_rv == 0 && fake_item.res)
freeaddrinfo(fake_item.res);
return rv;
} else if (tok[0] == '@') { /* netgroup */
const char *hostname = NULL;
if (tok[1] == '@') { /* add hostname to netgroup match */
if (item->hostname == NULL)
return NO;
++tok;
hostname = item->hostname;
}
return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
} else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
return (group_match (pamh, tok, string, item->debug));
else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
return rv;
else if (item->only_new_group_syntax == NO &&
pam_modutil_user_in_group_nam_nam (pamh,
item->user->pw_name, tok))
/* try group membership */
return YES;
return NO;
}
/* user_match - match a username against one token */
static bool user_match (const char *tok, const char *string)
{
struct group *group;
#ifdef PRIMARY_GROUP_MATCH
struct passwd *userinf;
#endif
char *at;
/*
* If a token has the magic value "ALL" the match always succeeds.
* Otherwise, return true if the token fully matches the username, or if
* the token is a group that contains the username.
*/
at = strchr (tok + 1, '@');
if (NULL != at) { /* split user@host pattern */
*at = '\0';
return ( user_match (tok, string)
&& from_match (at + 1, myhostname ()));
#if HAVE_INNETGR
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match (tok + 1, (char *) 0, string));
#endif
} else if (string_match (tok, string)) { /* ALL or exact match */
return true;
/* local, no need for xgetgrnam */
} else if ((group = getgrnam (tok)) != NULL) { /* try group membership */
int i;
for (i = 0; NULL != group->gr_mem[i]; i++) {
if (strcasecmp (string, group->gr_mem[i]) == 0) {
return true;
}
}
#ifdef PRIMARY_GROUP_MATCH
/*
* If the string is an user whose initial GID matches the token,
* accept it. May avoid excessively long lines in /etc/group.
* Radu-Adrian Feurdean <*****@*****.**>
*
* XXX - disabled by default for now. Need to verify that
* getpwnam() doesn't have some nasty side effects. --marekm
*/
/* local, no need for xgetpwnam */
userinf = getpwnam (string);
if (NULL != userinf) {
if (userinf->pw_gid == group->gr_gid) {
return true;
}
}
#endif
}
return false;
}
static int
user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
char *string = item->user->pw_name;
struct login_info fake_item;
char *at;
int rv;
if (item->debug)
pam_syslog (pamh, LOG_DEBUG,
"user_match: tok=%s, item=%s", tok, string);
/*
* If a token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the username, if the
* token is a group that contains the username, or if the token is the
* name of the user's primary group.
*/
if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
if (item->hostname == NULL)
return NO;
fake_item.from = item->hostname;
*at = 0;
return (user_match (pamh, tok, item) &&
from_match (pamh, at + 1, &fake_item));
} else if (tok[0] == '@') { /* netgroup */
const char *hostname = NULL;
if (tok[1] == '@') { /* add hostname to netgroup match */
if (item->hostname == NULL)
return NO;
++tok;
hostname = item->hostname;
}
return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
} else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
return (group_match (pamh, tok, string, item->debug));
else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
return rv;
else if (item->only_new_group_syntax == NO &&
pam_modutil_user_in_group_nam_nam (pamh,
item->user->pw_name, tok))
/* try group membership */
return YES;
return NO;
}
