lists.arthurdejong.org
RSS feed

nss-pam-ldapd commit: r1082 - in nss-pam-ldapd: . compat debian man pam

[Date Prev][Date Next] [Thread Prev][Thread Next]

nss-pam-ldapd commit: r1082 - in nss-pam-ldapd: . compat debian man pam



Author: arthur
Date: Thu May  6 23:40:22 2010
New Revision: 1082
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1082

Log:
implement a minimum_uid option for the PAM module to ignore users that have a 
lower numeric user id

Modified:
   nss-pam-ldapd/compat/pam_compat.h
   nss-pam-ldapd/configure.ac
   nss-pam-ldapd/debian/libpam-ldapd.pam-auth-update
   nss-pam-ldapd/man/pam_ldap.8.xml
   nss-pam-ldapd/pam/pam.c

Modified: nss-pam-ldapd/compat/pam_compat.h
==============================================================================
--- nss-pam-ldapd/compat/pam_compat.h   Wed May  5 12:58:46 2010        (r1081)
+++ nss-pam-ldapd/compat/pam_compat.h   Thu May  6 23:40:22 2010        (r1082)
@@ -1,7 +1,7 @@
 /*
    pam_compat.h - provide a replacement definitions for some pam functions
 
-   Copyright (C) 2009 Arthur de Jong
+   Copyright (C) 2009, 2010 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -33,9 +33,20 @@
 #else /* not HAVE_PAM_PAM_MODULES_H */
 #include <pam/pam_modules.h>
 #endif /* not HAVE_PAM_PAM_MODULES_H */
+#ifdef HAVE_SECURITY_PAM_MODUTIL_H
+#include <security/pam_modutil.h>
+#endif /* HAVE_SECURITY_PAM_MODUTIL_H */
 
+/* define our own replacement pam_get_authtok() if it wasn't found */
 #ifndef HAVE_PAM_GET_AUTHTOK
 int pam_get_authtok(pam_handle_t *pamh,int item,const char **authtok,const 
char *prompt);
 #endif /* HAVE_PAM_GET_AUTHTOK */
 
+/* fall back to using getpwnam() if pam_modutil_getpwnam() isn't defined */
+#ifndef HAVE_PAM_MODUTIL_GETGWNAM
+#include <sys/types.h>
+#include <pwd.h>
+#define pam_modutil_getpwnam(pamh,user) getpwnam(user)
+#endif /* not HAVE_PAM_MODUTIL_GETGWNAM */
+
 #endif /* _COMPAT_LDAP_COMPAT_H */

Modified: nss-pam-ldapd/configure.ac
==============================================================================
--- nss-pam-ldapd/configure.ac  Wed May  5 12:58:46 2010        (r1081)
+++ nss-pam-ldapd/configure.ac  Thu May  6 23:40:22 2010        (r1082)
@@ -225,6 +225,7 @@
       ])
   AC_CHECK_HEADERS(pam/pam_modules.h)
   AC_CHECK_HEADERS(security/pam_ext.h)
+  AC_CHECK_HEADERS(security/pam_modutil.h)
   # at least one of security/pam_modules.h or pam/pam_modules.h is required
   if test "x$ac_cv_header_security_pam_modules_h" != "xyes" && \
      test "x$ac_cv_header_pam_pam_modules_h" != "xyes"
@@ -309,6 +310,7 @@
   AC_SEARCH_LIBS(pam_get_data,pam,,AC_MSG_ERROR(no PAM library available))
   # replace the pam_get_authtok() function if it's unavailable
   AC_REPLACE_FUNCS(pam_get_authtok)
+  AC_CHECK_FUNCS(pam_modutil_getpwnam)
   # restore CFLAGS and LIBS
   CFLAGS="$save_CFLAGS"
   LIBS="$save_LIBS"

Modified: nss-pam-ldapd/debian/libpam-ldapd.pam-auth-update
==============================================================================
--- nss-pam-ldapd/debian/libpam-ldapd.pam-auth-update   Wed May  5 12:58:46 
2010        (r1081)
+++ nss-pam-ldapd/debian/libpam-ldapd.pam-auth-update   Thu May  6 23:40:22 
2010        (r1082)
@@ -3,17 +3,17 @@
 Priority: 128
 Auth-Type: Primary
 Auth-Initial:
-       [success=end default=ignore]    pam_ldap.so
+       [success=end default=ignore]    pam_ldap.so minimum_uid=1000
 Auth:
-       [success=end default=ignore]    pam_ldap.so use_first_pass
+       [success=end default=ignore]    pam_ldap.so minimum_uid=1000 
use_first_pass
 Account-Type: Primary
 Account:
-       [success=end default=ignore]    pam_ldap.so
+       [success=end default=ignore]    pam_ldap.so minimum_uid=1000
 Password-Type: Primary
 Password-Initial:
-       [success=end default=ignore]    pam_ldap.so
+       [success=end default=ignore]    pam_ldap.so minimum_uid=1000
 Password:
-       [success=end default=ignore]    pam_ldap.so try_first_pass
+       [success=end default=ignore]    pam_ldap.so minimum_uid=1000 
try_first_pass
 Session-Type: Additional
 Session:
-       optional                        pam_ldap.so
+       optional                        pam_ldap.so minimum_uid=1000

Modified: nss-pam-ldapd/man/pam_ldap.8.xml
==============================================================================
--- nss-pam-ldapd/man/pam_ldap.8.xml    Wed May  5 12:58:46 2010        (r1081)
+++ nss-pam-ldapd/man/pam_ldap.8.xml    Thu May  6 23:40:22 2010        (r1082)
@@ -147,6 +147,19 @@
      </para>
     </listitem>
    </varlistentry>
+   <varlistentry>
+    <term>
+     <option>minimum_uid=<emphasis remap="I">UID</emphasis></option>
+    </term>
+    <listitem>
+     <para>
+      This option causes the <acronym>PAM</acronym> module to ignore the user
+      if the user id is lower than the specified value. This can be used to
+      only authenticate normal users (non-system users) using
+      <acronym>LDAP</acronym> (e.g. by setting it to 1000).
+     </para>
+    </listitem>
+   </varlistentry>
   </variablelist>
  </refsect1>
 

Modified: nss-pam-ldapd/pam/pam.c
==============================================================================
--- nss-pam-ldapd/pam/pam.c     Wed May  5 12:58:46 2010        (r1081)
+++ nss-pam-ldapd/pam/pam.c     Thu May  6 23:40:22 2010        (r1082)
@@ -254,6 +254,8 @@
   int first_pass=0,ignore_flags=0;
   int i;
   pld_ctx *ctx;
+  uid_t minimum_uid=0;
+  struct passwd *pwd;
   /* go over arguments */
   for (i=0;i<argc;i++)
   {
@@ -269,6 +271,8 @@
       /* ignore */;
     else if (strcmp(argv[i],"debug")==0)
       /* ignore */;
+    else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
+      minimum_uid=(uid_t)atoi(argv[i]+12);
     else
       syslog(LOG_AUTHPRIV|LOG_ERR,"unknown option: %s",argv[i]);
   }
@@ -276,6 +280,15 @@
   rc=pam_get_user(pamh,(const char **)&username,NULL);
   if (rc!=PAM_SUCCESS)
     return rc;
+  if ((username==NULL)||(username[0]=='\0'))
+    return PAM_USER_UNKNOWN;
+  /* check uid */
+  if (minimum_uid>0)
+  {
+    pwd=pam_modutil_getpwnam(args->pamh,username);
+    if ((pwd!=NULL)&&(pwd->pw_uid<minimum_uid))
+      return ignore_flags&IGNORE_UNKNOWN?PAM_IGNORE:PAM_USER_UNKNOWN;
+  }
   /* get our context */
   rc=ctx_get(pamh,username,&ctx);
   if (rc!=PAM_SUCCESS)
@@ -386,7 +399,9 @@
   int i;
   struct pam_conv *appconv;
   pld_ctx *ctx=NULL, ctx2;
-
+  uid_t minimum_uid=0;
+  struct passwd *pwent;
+  /* go over arguments */
   for (i=0;i<argc;i++)
   {
     if (strcmp(argv[i],"use_first_pass")==0)
@@ -401,6 +416,8 @@
       ignore_flags|=IGNORE_UNAVAIL;
     else if (strcmp(argv[i],"debug")==0)
       ;
+    else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
+      minimum_uid=(uid_t)atoi(argv[i]+12);
     else
       syslog(LOG_AUTHPRIV|LOG_ERR,"unknown option: %s",argv[i]);
   }
@@ -411,13 +428,19 @@
   rc=pam_get_item(pamh,PAM_CONV,(const void **)&appconv);
   if (rc!=PAM_SUCCESS)
     return rc;
-
+  /* get user name */
   rc=pam_get_user(pamh,(const char **)&username,NULL);
   if (rc!=PAM_SUCCESS)
     return rc;
-
   if ((username==NULL)||(username[0]=='\0'))
     return PAM_USER_UNKNOWN;
+  /* check uid */
+  if (minimum_uid>0)
+  {
+    pwent=pam_modutil_getpwnam(args->pamh,username);
+    if ((pwent!=NULL)&&(pwent->pw_uid<minimum_uid))
+      return ignore_flags&IGNORE_UNKNOWN?PAM_IGNORE:PAM_USER_UNKNOWN;
+  }
 
   rc=ctx_get(pamh,username,&ctx);
   if (rc!=PAM_SUCCESS)
@@ -500,7 +523,9 @@
   int i;
   pld_ctx *ctx=NULL;
   const char *service=NULL,*tty=NULL,*rhost=NULL,*ruser=NULL;
-
+  uid_t minimum_uid=0;
+  struct passwd *pwent;
+  /* go over arguments */
   for (i=0;i<argc;i++)
   {
     if (strcmp(argv[i],"use_first_pass")==0)
@@ -515,19 +540,27 @@
       ignore_flags|=IGNORE_UNAVAIL;
     else if (strcmp(argv[i],"debug")==0)
       ;
+    else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
+      minimum_uid=(uid_t)atoi(argv[i]+12);
     else
       syslog(LOG_AUTHPRIV|LOG_ERR,"unknown option: %s",argv[i]);
   }
 
   if (flags & PAM_SILENT)
     *no_warn=1;
-
+  /* get user name */
   rc=pam_get_user(pamh,(const char **)&username,NULL);
   if (rc!=PAM_SUCCESS)
     return rc;
-
   if ((username==NULL)||(username[0]=='\0'))
     return PAM_USER_UNKNOWN;
+  /* check uid */
+  if (minimum_uid>0)
+  {
+    pwent=pam_modutil_getpwnam(args->pamh,username);
+    if ((pwent!=NULL)&&(pwent->pw_uid<minimum_uid))
+      return ignore_flags&IGNORE_UNKNOWN?PAM_IGNORE:PAM_USER_UNKNOWN;
+  }
 
   rc=ctx_get(pamh,username,&ctx);
   if (rc!=PAM_SUCCESS)
@@ -638,6 +671,7 @@
   int i;
   struct pam_conv *appconv;
   pld_ctx *ctx=NULL;
+  uid_t minimum_uid=0;
   struct passwd *pwent;
   /* parse module options */
   for (i=0;i<argc;i++)
@@ -656,6 +690,8 @@
       ignore_flags|=IGNORE_UNAVAIL;
     else if (strcmp(argv[i],"debug")==0)
       ;
+    else if (strncmp(argv[i], "minimum_uid=", 12) == 0)
+      minimum_uid=(uid_t)atoi(argv[i]+12);
     else
       syslog(LOG_AUTHPRIV|LOG_ERR,"unknown option: %s",argv[i]);
   }
@@ -666,13 +702,19 @@
   rc=pam_get_item(pamh,PAM_CONV,(const void **)&appconv);
   if (rc!=PAM_SUCCESS)
     return rc;
-
+  /* get user name */
   rc=pam_get_user(pamh,(const char **)&username,NULL);
   if (rc!=PAM_SUCCESS)
     return rc;
-
-  if (username==NULL)
+  if ((username==NULL)||(username[0]=='\0'))
     return PAM_USER_UNKNOWN;
+  /* check uid */
+  if (minimum_uid>0)
+  {
+    pwent=pam_modutil_getpwnam(args->pamh,username);
+    if ((pwent!=NULL)&&(pwent->pw_uid<minimum_uid))
+      return ignore_flags&IGNORE_UNKNOWN?PAM_IGNORE:PAM_USER_UNKNOWN;
+  }
 
   rc=ctx_get(pamh,username,&ctx);
   if (rc!=PAM_SUCCESS)
--
To unsubscribe send an email to
nss-pam-ldapd-commits-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-commits