From nobody@FreeBSD.org  Fri Aug  3 10:36:09 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6428616A46E
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  3 Aug 2007 10:36:09 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 4B7F213C478
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  3 Aug 2007 10:36:09 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l73Aa8nO047179
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 3 Aug 2007 10:36:08 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id l73Aa8jM047178;
	Fri, 3 Aug 2007 10:36:08 GMT
	(envelope-from nobody)
Message-Id: <200708031036.l73Aa8jM047178@www.freebsd.org>
Date: Fri, 3 Aug 2007 10:36:08 GMT
From: Matthijs Kooijman <matthijs@stdin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [libpam] [patch] Add check for target user's group list to pam_group 
X-Send-Pr-Version: www-3.0

>Number:         115162
>Category:       kern
>Synopsis:       [libpam] [patch] [request] Add check for target user's group list to pam_group
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 03 10:40:01 GMT 2007
>Closed-Date:    
>Last-Modified:  Sat Jan 26 09:28:21 UTC 2008
>Originator:     Matthijs Kooijman
>Release:        6.2-RELEASE
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007     matthijs@zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a  i386

>Description:
The added patch adds a "target" option to the pam_group module. This option makes pam_group do its checks against the target user's group list instead of the applicant's group.

This behaviour can be used to limit user logins to a specific group for networked services, where there is no identified applicant yet, such as for ssh logins.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- pam_group.c.orig	Wed Aug  1 20:43:51 2007
+++ pam_group.c.target	Wed Aug  1 21:56:37 2007
@@ -69,10 +69,14 @@
 	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
 		return (PAM_IGNORE);
 
-	/* get applicant */
-	if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
-	    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
-		return (PAM_AUTH_ERR);
+	/* get applicant, unless we should compare with the target account */
+	if (!openpam_get_option(pamh, "target"))
+		if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
+		    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
+			return (PAM_AUTH_ERR);
+
+	/* Note that if the target option is set, pwd will contain the target
+	   account instead of applicant's account now */
 
 	/* get regulating group */
 	if ((group = openpam_get_option(pamh, "group")) == NULL)


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Aug 3 10:54:49 UTC 2007 
Responsible-Changed-Why:  
Hi Dag-Erling, can you have a look at this please as being the 
maintainer of our PAM installation? Thanks in advance! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=115162 

From: Matthijs Kooijman <m.kooijman@student.utwente.nl>
To: bug-followup@FreeBSD.org, matthijs@stdin.nl
Cc:  
Subject: Re: kern/115162: [libpam] [patch] Add check for target user's group list to pam_group
Date: Fri, 3 Aug 2007 13:02:12 +0200

 --w7PDEPdKQumQfZlR
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Woops, added an old version of the patch. This new version also includes an
 updated manpage.
 
 --w7PDEPdKQumQfZlR
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="pam_group_target.diff"
 
 Common subdirectories: pam_group.orig/imp and pam_group.target/imp
 diff -u pam_group.orig/pam_group.8 pam_group.target/pam_group.8
 --- pam_group.orig/pam_group.8	Fri Aug  3 11:31:56 2007
 +++ pam_group.target/pam_group.8	Fri Aug  3 11:32:57 2007
 @@ -67,6 +67,8 @@
  .It Cm root_only
  Skip this module entirely if the target account is not the superuser
  account.
 +.It Cm target
 +Check against the group list of the target user, instead of the applicant's group list.
  .El
  .Sh SEE ALSO
  .Xr pam.conf 5 ,
 diff -u pam_group.orig/pam_group.c pam_group.target/pam_group.c
 --- pam_group.orig/pam_group.c	Fri Aug  3 11:31:56 2007
 +++ pam_group.target/pam_group.c	Fri Aug  3 11:32:57 2007
 @@ -69,10 +69,14 @@
  	if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only"))
  		return (PAM_IGNORE);
  
 -	/* get applicant */
 -	if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
 -	    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
 -		return (PAM_AUTH_ERR);
 +	/* get applicant, unless we should compare with the target account */
 +	if (!openpam_get_option(pamh, "target"))
 +		if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS
 +		    || ruser == NULL || (pwd = getpwnam(ruser)) == NULL)
 +			return (PAM_AUTH_ERR);
 +
 +	/* Note that if the target option is set, pwd will contain the target
 +	   account instead of applicant's account now */
  
  	/* get regulating group */
  	if ((group = openpam_get_option(pamh, "group")) == NULL)
 
 --w7PDEPdKQumQfZlR--
>Unformatted:
