pam_login_access vs. pam_access
Mike Becher
Mike.Becher at lrz-muenchen.de
Fri Feb 3 10:15:40 UTC 2006
On Wed, 1 Feb 2006, Thorsten Kukuk wrote:
> On Tue, Jan 31, Mike Becher wrote:
>
> > 1) My patch includes creation of the missing manual page login.access.5.
>
> Yes, that needs to be removed from Makefile.am. I discussed this with
> the other main Linux-PAM developers and we agree that we don't wish to
> have the compat code in it.
OK, then it should be so.
>
> > 2) If we check whether inet_ntop, inet_pton and yp_get_default_domain exist,
> > then we should provide some alternative if configure does not find them.
>
> That's something which needs to be fixed in another way. Instead of
> yp_get_default_domain, domainname() should be used. Means we would also
> get rid of -lnsl. But are there really systems which don't provide
> that function?
I don't know how it is on other non-Linux platforms. I only know that Solaris
2.5.1 and above and HP-UX 10.20 and above have this function. Older HP-UX
doesn't provide it in all cases. But the questions are:
* who uses such old OSs at this time?
and
* should Linux-PAM be compatible with such platforms?
More problematic seems to be innetgr(). We should also check for this. I
found a comment about that at:
http://www2.physics.umd.edu/~payerle/Software/PAM/pam_netgroups.html
>
> > 3) Some correctness in access.conf.5.
>
> Are there real content changes? I could only find reformating.
Yes ... changes were made regarding the group stuff.
> access.conf.5 is now generated from an xml file, I fixed all the bugs
> in it yesterday evening, attached is my latest revision.
OK, I have now put a patch against the xml file in this mail.
> I removed for example this "su" service from it, su sets PAM_TTY, so
> a rule with service "su" will never work. Services, which set PAM_RHOSTS
> or PAM_TTY cannot be used with their name.
You are right.
>
> There where also comments about group membership, but pam_access does not
> have code for this.
It has code for this. Please have a look at the function user_match(), which
calls pam_modutil_user_in_group_nam_nam(). To clarify this we should
write
pam_modutil_user_in_group_nam_nam(pamh, string, tok)
instead of
pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)
or rename the variable
char *string ... to char *pw_name
Or what do you think of that?
A question regarding the check_login_access program... OK, it could get
another name, but isn't it good to have a program to evaluate the content of
the access table with regard to syntax and semantic checks? I think it is.
How can we include such a program into Linux-PAM? Or should we let it be?
Best regards,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher at lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-289-28721
Gruppe Hochleistungssysteme fax: +49-89-280-9460
Barer Strasse 21
D-80333 Muenchen
Germany
-----------------------------------------------------------------------------
-------------- next part --------------
--- Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5.xml 2006-02-03 10:23:28.297849096 +0100
+++ Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5.xml 2006-02-03 10:11:55.738134176 +0100
@@ -86,17 +86,6 @@
</para>
<para>
- The group file is searched only when a name does not match that of
- the logged-in user. Only groups are matched in which users are
- explicitly listed. So be carefull if a user gots the same name like a
- group.
- </para>
-
- <para>
- However a user's primary group id value will be ignored.
- </para>
-
- <para>
The "<emphasis>#</emphasis>" character at start of line (no space
at front) can be used to mark this line as a comment line.
</para>
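Review bot: the diff direction looks reversed. The "---" file (Linux-PAM-0.99.3.0/.../access.conf.5.xml, 10:23:28) carries the newer timestamp than the "+++" file (Linux-PAM-0.99.3.0.kukuk/..., 10:11:55), and the lines marked "-" are exactly the group paragraphs this mail argues belong in the manual, so applying the hunk as posted removes them from the xml instead of adding them; regenerate it with the unmodified file on the "---" side (or apply it with patch -R). The paragraph text should also be proofread before it lands: "So be carefull if a user gots the same name like a group." should read "So be careful if a user has the same name as a group.", and the sentence "However a user's primary group id value will be ignored." is asserted without reference to what pam_modutil_user_in_group_nam_nam(), the function user_match() calls, actually does with the primary gid; that should be confirmed against the code so the manual does not document behaviour the module does not have.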
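As an added illustration of the access table semantics discussed in this mail (a name is compared to the login name first, the group file is consulted only when that fails, only explicitly listed members count, the primary gid is ignored) and of the kind of syntax and semantic checks a check_login_access style program could perform, here is a small Python model. It is example code written for this page, not Linux-PAM's pam_access code and not the author's check_login_access. The passwd and group tables and the access.conf text are constructed inline; the matching rules follow the wording of the thread rather than a reading of pam_modutil_user_in_group_nam_nam(), and the "no rule matched means access granted" default is an assumption about pam_access noted in the code.

```python
"""Added example (not Linux-PAM code): a model of access.conf matching
plus the checks a check_login_access style tool could run.
Matching rules follow the thread's wording; see comments for assumptions."""

# Constructed stand-ins for getpwnam()/getgrnam(). "ops" is deliberately
# both a user and a group, the ambiguity the thread warns about.
PASSWD = {"alice": 1000, "bob": 1001, "ops": 1002}
GROUPS = {
    "wheel": ["alice"],
    "ops": ["bob"],   # explicit members only
    "users": [],      # everyone's primary group; nobody listed explicitly
}

# Constructed access.conf: permission : users/groups : origins
ACCESS_CONF = """\
# constructed access.conf for the example
+ : wheel : ALL
+ : users : ALL
+ : ops : LOCAL
- : ALL : ALL
"""


def user_match(name, tok):
    """ALL, the login name itself, else explicit membership in group tok.
    The login name is tested before the group file, so a group that shares
    a user's name is matched as that user. Primary gid is not consulted
    (assumption taken from the thread, not from pam_modutil code)."""
    if tok == "ALL" or tok == name:
        return True
    return name in GROUPS.get(tok, [])


def from_match(origin, tok):
    """ALL, LOCAL (origin contains no dot), a leading-dot domain suffix,
    or an exact tty/host string."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    if tok.startswith("."):
        return origin.endswith(tok)
    return origin == tok


def list_match(tokens, item, match_fn):
    """A token before EXCEPT must match and no token after EXCEPT may."""
    before, after = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        before, after = tokens[:i], tokens[i + 1:]
    if any(match_fn(item, tok) for tok in before):
        return not any(match_fn(item, tok) for tok in after)
    return False


def check_conf(text):
    """Syntax and semantic checks; returns [(lineno, message), ...]."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            problems.append((lineno, "expected 3 colon-separated fields"))
            continue
        perm, users, origins = fields
        if perm not in ("+", "-"):
            problems.append((lineno, "permission must be '+' or '-'"))
        if not users.split() or not origins.split():
            problems.append((lineno, "empty user or origin list"))
        for tok in users.split():
            if tok in PASSWD and tok in GROUPS:
                problems.append((lineno, "'%s' names both a user and a group; "
                                         "it matches as the user first" % tok))
    return problems


def parse_rules(text):
    """Parse to [(allow, user_tokens, origin_tokens)]; rejects bad syntax."""
    errors = [p for p in check_conf(text) if "both a user" not in p[1]]
    if errors:
        raise ValueError(errors)
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":"))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def login_access(name, origin, rules):
    """First matching rule decides. No match grants access (assumed
    pam_access default, which is why files end with '- : ALL : ALL')."""
    for allow, users, origins in rules:
        if list_match(users, name, user_match) and list_match(origins, origin, from_match):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for who, where in [("alice", "x.example.com"), ("bob", "tty1"),
                       ("bob", "x.example.com"), ("ops", "tty1"), ("carol", "tty1")]:
        print(who, where, "allowed" if login_access(who, where, rules) else "denied")
    print(check_conf(ACCESS_CONF))
```

Running it shows the three points from the thread: bob reaches the "ops" rule only through explicit membership and only from a LOCAL origin, alice is not matched by the "users" rule even though it is her primary group, and the user named ops is matched by the "ops" rule as a user without being in the group at all, which is what check_conf() flags for that line.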