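/*
 * user_match - match the login user against one access-rule token.
 *
 * tok   one token from the user field of a rule.  It is modified in place
 *       when it holds a user@host pattern: the '@' is overwritten with a
 *       string terminator, so the caller must pass writable storage.
 * item  the login being checked; item->user supplies the user name and the
 *       primary GID.
 *
 * Returns YES on a match and NO otherwise.  The netgroup branch returns
 * whatever netgroup_match() returns.
 */
static int user_match(char *tok, struct login_info *item)
{
    char *string = item->user->pw_name;
    struct login_info fake_item;
    struct group *group;
    int i;
    char *at;

    /*
     * If a token has the magic value "ALL" the match always succeeds.
     * Otherwise, return YES if the token fully matches the username, if the
     * token is a group that contains the username, or if the token is the
     * name of the user's primary group.
     */

    /*
     * An empty token has no byte at tok + 1 to search, so the '@' scan is
     * skipped for it; it then falls through to the plain comparisons below.
     */
    if (tok[0] != '\0' && (at = strchr(tok + 1, '@')) != NULL) {
        /* split user@host pattern */
        *at = 0;
        /*
         * Start from a copy of the real item so that every member
         * from_match() may read is defined, then point "from" at the
         * local host name, which is what the host part is compared with.
         * NOTE(review): from_match() is not visible here -- confirm which
         * members it reads.
         */
        fake_item = *item;
        fake_item.from = myhostname();
        return (user_match(tok, item) && from_match(at + 1, &fake_item));
    } else if (tok[0] == '@') {
        /* netgroup */
        return (netgroup_match(tok + 1, (char *) 0, string));
    } else if (string_match(tok, string)) {
        /* ALL or exact match */
        return (YES);
    } else if ((group = getgrnam(tok))) {
        /* try group membership: primary group first, then the member list */
        if (item->user->pw_gid == group->gr_gid) {
            return (YES);
        }
        /*
         * NOTE(review): the member comparison ignores case, while the
         * account database treats names that differ only in case as
         * distinct accounts.  In an access-control decision this can match
         * a user the group does not list; confirm it is intended.
         */
        for (i = 0; group->gr_mem[i]; i++) {
            if (strcasecmp(string, group->gr_mem[i]) == 0) {
                return (YES);
            }
        }
    }
    return (NO);
}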
/*
 * user_match - decide whether one access-rule token covers the login user.
 *
 * pamh  PAM handle, used for logging and passed on to the helper matchers.
 * tok   one token from the user field of a rule.  A user@host token is
 *       modified in place (the separating '@' becomes a terminator).
 * item  the login being checked.
 *
 * Token forms handled, in order:
 *   user@host    user part matched recursively, host part via from_match()
 *                against item->hostname
 *   @netgroup    netgroup_match() without a host name
 *   @@netgroup   netgroup_match() with item->hostname
 *   (group)      group_match()
 *   other        string_match() ("ALL" or exact name), then, unless
 *                only_new_group_syntax is set, a group-membership lookup
 *
 * Returns NO when nothing matches; otherwise YES or the non-NO value the
 * helper matcher produced.  Patterns that need a host name return NO when
 * item->hostname is NULL.
 */
static int
user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
    char *login_name = item->user->pw_name;
    char *sep = tok;
    int rv;

    if (item->debug)
        pam_syslog (pamh, LOG_DEBUG,
                    "user_match: tok=%s, item=%s", tok, login_name);

    /*
     * Try to split on a pattern (@*[^@]+)(@+.*): leading '@' characters
     * belong to the netgroup syntax, so the user/host separator is the
     * first '@' found after them.
     */
    while (*sep == '@')
        ++sep;
    sep = strchr (sep, '@');

    if (sep != NULL) {
        /* split user@host pattern */
        struct login_info host_item;

        if (item->hostname == NULL)
            return NO;

        /*
         * Work on a private copy so the caller's item is left alone; the
         * resolver state in the copy is reset before from_match() uses it.
         */
        memcpy (&host_item, item, sizeof(host_item));
        host_item.from = item->hostname;
        host_item.gai_rv = 0;
        host_item.res = NULL;
        host_item.from_remote_host = 1; /* hostname should be resolvable */

        *sep = 0;
        if (!user_match (pamh, tok, item))
            return NO;

        rv = from_match (pamh, sep + 1, &host_item);
        /* release any address list left in the private copy */
        if (host_item.gai_rv == 0 && host_item.res)
            freeaddrinfo (host_item.res);
        return rv;
    }

    if (tok[0] == '@') {
        /* netgroup */
        const char *hostname = NULL;

        if (tok[1] == '@') {
            /* add hostname to netgroup match */
            if (item->hostname == NULL)
                return NO;
            ++tok;
            hostname = item->hostname;
        }
        return netgroup_match (pamh, tok + 1, hostname, login_name,
                               item->debug);
    }

    /* tok[0] == '(' guarantees a non-empty token before strlen() - 1 */
    if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
        return group_match (pamh, tok, login_name, item->debug);

    /* ALL or exact match */
    rv = string_match (pamh, tok, login_name, item->debug);
    if (rv != NO)
        return rv;

    /* try group membership */
    if (item->only_new_group_syntax == NO &&
        pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok))
        return YES;

    return NO;
}
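/*
 * user_match - match a username against one token
 *
 * tok     one token from the user field of an access rule
 * string  the user name being checked
 *
 * Returns true when the token matches the user, false otherwise.
 *
 * NOTE(review): tok is declared const, but a user@host token is split in
 * place by overwriting the '@'.  Callers must pass writable storage;
 * confirm against the call sites.
 */
static bool user_match (const char *tok, const char *string)
{
	struct group *group;
#ifdef PRIMARY_GROUP_MATCH
	struct passwd *userinf;
#endif
	char *at;

	/*
	 * If a token has the magic value "ALL" the match always succeeds.
	 * Otherwise, return true if the token fully matches the username, or if
	 * the token is a group that contains the username.
	 */

	/*
	 * An empty token has no byte at tok + 1 to search, so the '@' scan is
	 * skipped for it; it then falls through to the comparisons below.
	 */
	at = ('\0' != tok[0]) ? strchr (tok + 1, '@') : NULL;
	if (NULL != at) {
		/* split user@host pattern; the host part is compared with the
		 * local host name */
		*at = '\0';
		return (   user_match (tok, string)
		        && from_match (at + 1, myhostname ()));
#if HAVE_INNETGR
	} else if (tok[0] == '@') {
		/* netgroup */
		return (netgroup_match (tok + 1, (char *) 0, string));
#endif
	} else if (string_match (tok, string)) {
		/* ALL or exact match */
		return true;
	/* local, no need for xgetgrnam */
	} else if ((group = getgrnam (tok)) != NULL) {
		/* try group membership */
		int i;
		/*
		 * NOTE(review): the member comparison ignores case, while the
		 * account database treats names that differ only in case as
		 * distinct accounts.  In an access-control decision this can
		 * match a user the group does not list; confirm it is intended.
		 */
		for (i = 0; NULL != group->gr_mem[i]; i++) {
			if (strcasecmp (string, group->gr_mem[i]) == 0) {
				return true;
			}
		}
#ifdef PRIMARY_GROUP_MATCH
		/*
		 * If the string is an user whose initial GID matches the token,
		 * accept it. May avoid excessively long lines in /etc/group.
		 * Radu-Adrian Feurdean <*****@*****.**>
		 *
		 * XXX - disabled by default for now.  Need to verify that
		 * getpwnam() doesn't have some nasty side effects.  --marekm
		 */
		/* local, no need for xgetpwnam */
		userinf = getpwnam (string);
		if (NULL != userinf) {
			if (userinf->pw_gid == group->gr_gid) {
				return true;
			}
		}
#endif
	}
	return false;
}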
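/*
 * user_match - match the login user against one access-rule token.
 *
 * pamh  PAM handle, used for logging and passed on to the helper matchers.
 * tok   one token from the user field of a rule.  A user@host token is
 *       modified in place (the separating '@' becomes a terminator).
 * item  the login being checked.
 *
 * Token forms handled, in order:
 *   user@host    user part matched recursively, host part via from_match()
 *                against item->hostname
 *   @netgroup    netgroup_match() without a host name
 *   @@netgroup   netgroup_match() with item->hostname
 *   (group)      group_match()
 *   other        string_match() ("ALL" or exact name), then, unless
 *                only_new_group_syntax is set, a group-membership lookup
 *
 * Returns NO when nothing matches; otherwise YES or the non-NO value the
 * helper matcher produced.  Patterns that need a host name return NO when
 * item->hostname is NULL.
 */
static int
user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
    char *string = item->user->pw_name;
    struct login_info fake_item;
    char *at;
    int rv;

    if (item->debug)
        pam_syslog (pamh, LOG_DEBUG,
                    "user_match: tok=%s, item=%s", tok, string);

    /*
     * Leading '@' characters belong to the netgroup syntax, so they are
     * skipped before looking for the user/host separator.  Searching from
     * tok + 1 instead would take the second '@' of "@@netgroup" as the
     * separator, so the "@@" branch below could never run and a rule
     * written with it would not be applied as written.  Starting the scan
     * at tok also keeps an empty token from being read past its terminator.
     */
    for (at = tok; *at == '@'; ++at)
        ;

    if ((at = strchr (at, '@')) != NULL) {
        /* split user@host pattern */
        if (item->hostname == NULL)
            return NO;
        /*
         * Start from a copy of the real item so that every member
         * from_match() may read (for example the debug flag) is defined,
         * then substitute the host name to compare against.
         * NOTE(review): from_match() is not visible here -- confirm which
         * members it reads.
         */
        fake_item = *item;
        fake_item.from = item->hostname;
        *at = 0;
        return (user_match (pamh, tok, item) &&
                from_match (pamh, at + 1, &fake_item));
    } else if (tok[0] == '@') {
        /* netgroup */
        const char *hostname = NULL;

        if (tok[1] == '@') {
            /* add hostname to netgroup match */
            if (item->hostname == NULL)
                return NO;
            ++tok;
            hostname = item->hostname;
        }
        return (netgroup_match (pamh, tok + 1, hostname, string,
                                item->debug));
    } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
        /* tok[0] == '(' guarantees a non-empty token before strlen() - 1 */
        return (group_match (pamh, tok, string, item->debug));
    } else if ((rv = string_match (pamh, tok, string, item->debug)) != NO) {
        /* ALL or exact match */
        return rv;
    } else if (item->only_new_group_syntax == NO &&
               pam_modutil_user_in_group_nam_nam (pamh,
                                                  item->user->pw_name, tok)) {
        /* try group membership */
        return YES;
    }

    return NO;
}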