.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/lib/libpam/modules/pam_group/pam_group.8,v 1.3 2004/07/02 23:52:17 ru Exp $
+.\" $FreeBSD: src/lib/libpam/modules/pam_group/pam_group.8,v 1.4 2011/03/12 11:12:30 des Exp $
.\"
-.Dd February 6, 2003
+.Dd December 24, 2011
.Dt PAM_GROUP 8
.Os
.Sh NAME
Specify the name of the group to check.
The default is
.Dq Li wheel .
+.It Cm luser
+Accept or reject based on the target user's group membership.
.It Cm root_only
Skip this module entirely if the target account is not the superuser
account.
+.It Cm ruser
+Accept or reject based on the supplicant's group membership.
+This is the default.
.El
+.Pp
+Note that the
+.Cm luser
+and
+.Cm ruser
+options are mutually exclusive, and that
+.Nm
+will fail if both are specified.
.Sh SEE ALSO
.Xr pam.conf 5 ,
.Xr pam 8
/*-
* Copyright (c) 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/lib/libpam/modules/pam_group/pam_group.c,v 1.4 2003/12/11 13:55:15 des Exp $
+ * $FreeBSD: src/lib/libpam/modules/pam_group/pam_group.c,v 1.6 2011/03/12 11:26:37 des Exp $
*/
#include <sys/types.h>
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
+ int local, remote;
const char *group, *user;
const void *ruser;
char *const *list;
if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
return (PAM_IGNORE);
- /* get applicant */
- if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
- || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
- return (PAM_AUTH_ERR);
+ /* check local / remote */
+ local = openpam_get_option(pamh, "luser") ? 1 : 0;
+ remote = openpam_get_option(pamh, "ruser") ? 1 : 0;
+ if (local && remote) {
+ openpam_log(PAM_LOG_ERROR, "(pam_group) "
+ "the luser and ruser options are mutually exclusive");
+ return (PAM_SERVICE_ERR);
+ } else if (local) {
+ /* we already have the correct struct passwd */
+ } else {
+ if (!remote)
+ openpam_log(PAM_LOG_NOTICE, "(pam_group) "
+ "neither luser nor ruser specified, assuming ruser");
+ /* default / historical behavior */
+ if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
+ ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
+ return (PAM_AUTH_ERR);
+ }
/* get regulating group */
if ((group = openpam_get_option(pamh, "group")) == NULL)
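Review bot: The default branch (`if (!remote) openpam_log(PAM_LOG_NOTICE, ...)`) logs a notice on every authentication for every existing configuration, because the `ruser` option is introduced by this change (the man page hunk adds `.It Cm ruser`) and no deployed pam.conf sets it yet, so auth logs gain a per-login line that reads like a misconfiguration. Unless the notice is a deliberate migration nudge, `openpam_log(PAM_LOG_DEBUG, "(pam_group) " "neither luser nor ruser specified, assuming ruser");` keeps the hint without the noise. Either way the man page text that says `ruser` "is the default" should also mention that relying on the default is logged, so the line is recognisable when it appears. pam_sm_authenticate begins and ends outside this hunk.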