90 lines
3.4 KiB
Diff
90 lines
3.4 KiB
Diff
From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
|
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
Date: Tue, 6 Apr 2021 12:27:38 +0200
|
|
Subject: [PATCH] pam_access: clean up the remote host matching code
|
|
|
|
* modules/pam_access/pam_access.c (from_match): Split out remote_match()
|
|
function and avoid calling it when matching against LOCAL keyword.
|
|
There is also no point in doing domain match against TTY or SERVICE.
|
|
---
|
|
modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
|
|
1 file changed, 27 insertions(+), 15 deletions(-)
|
|
|
|
Index: Linux-PAM-1.3.0/modules/pam_access/pam_access.c
|
|
===================================================================
|
|
--- Linux-PAM-1.3.0.orig/modules/pam_access/pam_access.c
|
|
+++ Linux-PAM-1.3.0/modules/pam_access/pam_access.c
|
|
@@ -166,6 +166,7 @@ static int list_match (pam_handle_t *, c
|
|
static int user_match (pam_handle_t *, char *, struct login_info *);
|
|
static int group_match (pam_handle_t *, const char *, const char *, int);
|
|
static int from_match (pam_handle_t *, char *, struct login_info *);
|
|
+static int remote_match (pam_handle_t *, char *, struct login_info *);
|
|
static int string_match (pam_handle_t *, const char *, const char *, int);
|
|
static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
|
|
|
|
@@ -584,11 +585,9 @@ group_match (pam_handle_t *pamh, const c
|
|
/* from_match - match a host or tty against a list of tokens */
|
|
|
|
static int
|
|
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
|
|
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
|
|
{
|
|
const char *string = item->from;
|
|
- int tok_len;
|
|
- int str_len;
|
|
int rv;
|
|
|
|
if (item->debug)
|
|
@@ -611,13 +610,28 @@ from_match (pam_handle_t *pamh UNUSED, c
|
|
} else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
|
|
/* ALL or exact match */
|
|
return rv;
|
|
- } else if (tok[0] == '.') { /* domain: match last fields */
|
|
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
|
|
- && strcasecmp(tok, string + str_len - tok_len) == 0)
|
|
- return (YES);
|
|
- } else if (item->from_remote_host == 0) { /* local: no PAM_RHOSTS */
|
|
- if (strcasecmp(tok, "LOCAL") == 0)
|
|
- return (YES);
|
|
+ } else if (strcasecmp(tok, "LOCAL") == 0) {
|
|
+ /* LOCAL matches only local accesses */
|
|
+ if (!item->from_remote_host)
|
|
+ return YES;
|
|
+ return NO;
|
|
+ } else if (item->from_remote_host) {
|
|
+ return remote_match(pamh, tok, item);
|
|
+ }
|
|
+ return NO;
|
|
+}
|
|
+
|
|
+static int
|
|
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
|
|
+{
|
|
+ const char *string = item->from;
|
|
+ size_t tok_len = strlen(tok);
|
|
+ size_t str_len;
|
|
+
|
|
+ if (tok[0] == '.') { /* domain: match last fields */
|
|
+ if ((str_len = strlen(string)) > tok_len
|
|
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
|
|
+ return YES;
|
|
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
|
|
struct addrinfo hint;
|
|
|
|
@@ -654,13 +668,11 @@ from_match (pam_handle_t *pamh UNUSED, c
|
|
runp = runp->ai_next;
|
|
}
|
|
}
|
|
- } else {
|
|
- /* Assume network/netmask with a IP of a host. */
|
|
- if (network_netmask_match(pamh, tok, string, item))
|
|
- return YES;
|
|
+ return NO;
|
|
}
|
|
|
|
- return NO;
|
|
+ /* Assume network/netmask with an IP of a host. */
|
|
+ return network_netmask_match(pamh, tok, string, item);
|
|
}
|
|
|
|
/* string_match - match a string against one token */
|