Message-Id: <200708031104.l73B446I054194@www.freebsd.org>
Date: Fri, 3 Aug 2007 11:04:04 GMT
From: Matthijs Kooijman <matthijs@stdin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [libpam] [patch] Add check for target user's group list to pam_group 
X-Send-Pr-Version: www-3.0

>Number:         115164
>Category:       kern
>Synopsis:       [libpam] [patch] [request] Add support for the account category to pam_group
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 03 11:10:09 GMT 2007
>Closed-Date:    
>Last-Modified:  Sat Jan 26 09:28:07 UTC 2008
>Originator:     Matthijs Kooijman
>Release:        6.2-RELEASE
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007     matthijs@zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a  i386

>Description:
The added patch adds support for the account category to pam_group. This allows the group checks to be performed for both the auth and account features instead of only the auth feature.

Together with my target patch [1] this can be used to perform group checking for ssh logins, even when pam is not used for authentication (such as with private key logins).

[1]: http://www.freebsd.org/cgi/query-pr.cgi?pr=115162
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Common subdirectories: pam_group.orig/imp and pam_group.account/imp
diff -u pam_group.orig/pam_group.8 pam_group.account/pam_group.8
--- pam_group.orig/pam_group.8	Fri Aug  3 11:31:56 2007
+++ pam_group.account/pam_group.8	Fri Aug  3 11:49:02 2007
@@ -47,6 +47,10 @@
 .Sh DESCRIPTION
 The group service module for PAM accepts or rejects users based on
 their membership in a particular file group.
+.Nm pam_group
+provides functionality for two PAM categories: authentication and account
+management.  In terms of the module-type parameter, they are the ``auth'' and
+``account'' features.
 .Pp
 The following options may be passed to the
 .Nm
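Review bot: The added paragraph opens with ".Nm pam_group", while the unchanged context just below it uses a bare ".Nm"; once the name has been declared, mdoc fills it in, so drop the argument to stay consistent with the rest of the page. The new text is also appended straight onto the opening paragraph and only says that two categories exist; it should state that the account category performs the same group membership check as auth, since that is what an administrator needs to know before adding the module to an account chain. The ``auth'' and ``account'' literals would be better marked up with .Dq or .Cm than with raw quote characters.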
diff -u pam_group.orig/pam_group.c pam_group.account/pam_group.c
--- pam_group.orig/pam_group.c	Fri Aug  3 11:31:56 2007
+++ pam_group.account/pam_group.c	Fri Aug  3 11:34:59 2007
@@ -46,11 +46,18 @@
 #include <unistd.h>
 
 #define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
 
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <security/openpam.h>
 
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+	return pam_sm_authenticate(pamh, flags, argc, argv);
+}
 
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,


>Release-Note:
>Audit-Trail:

From: Matthijs Kooijman <m.kooijman@student.utwente.nl>
To: bug-followup@FreeBSD.org, matthijs@stdin.nl
Cc:  
Subject: Re: kern/115164: [libpam] [patch] Add check for target user's group list to pam_group
Date: Fri, 3 Aug 2007 13:12:31 +0200

 Hmm, forgot to change the subject line from my previous PR. Could someone
 perhaps change it to something more appropriate, such as "Add support for the account category to pam_group"?
 
 Sorry for the noise...
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Aug 3 13:54:13 UTC 2007 
Responsible-Changed-Why:  
Hi Dag-Erling, can you also have a look at this one please?

http://www.freebsd.org/cgi/query-pr.cgi?pr=115164 
>Unformatted:
