diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf
--- Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_access/access.conf 2017-09-08 14:06:16.420102221 +0200
@@ -18,7 +18,7 @@
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
-# permission : users : origins
+# permission:users:origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
@@ -79,44 +79,44 @@
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
-#+ : root : 127.0.0.1
+#+:root:192.168.200.1 192.168.200.4 192.168.200.9
+#+:root:127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
-#+ : root : 192.168.201.
+#+:root:192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
-#+ : root : .foo.bar.org
+#+:root:.foo.bar.org
#
# User "root" should be denied to get access from all other sources.
-#- : root : ALL
+#-:root:ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
-#+ : @nis_group foo : ALL
+#+:@nis_group foo:ALL
#
# User "john" should get access from ipv4 net/mask
-#+ : john : 127.0.0.0/24
+#+:john:127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
-#+ : john : ::ffff:127.0.0.0/127
+#+:john:::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
-#+ : john : 2001:4ca0:0:101::1
+#+:john:2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
-#+ : john : 2001:4ca0:0:101:0:0:0:1
+#+:john:2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
-#+ : john : 2001:4ca0:0:101::/64
+#+:john:2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
-#- : ALL : ALL
+#-:ALL:ALL
diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml
--- Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml 2017-09-08 14:05:41.126320653 +0200
@@ -21,8 +21,12 @@
<para>
The <filename>/etc/security/access.conf</filename> file specifies
(<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>),
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>),
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>), or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name</replaceable>)
combinations for which a login will be either accepted or refused.
</para>
<para>
@@ -33,7 +37,14 @@
combination, or, in case of non-networked logins, the first entry
that matches the
(<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
- combination. The permissions field of that table entry determines
+ combination, or in the case of non-networked logins without a
+ tty, the first entry that matches the
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>) or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name/</replaceable>)
+ combination. The permissions field of that table entry
+ determines
whether the login will be accepted or refused.
</para>
@@ -65,14 +76,27 @@
<para>
The third field, the <replaceable>origins</replaceable>
field, should be a list of one or more tty names (for non-networked
- logins), host names, domain names (begin with "."), host addresses,
+ logins), X <varname>$DISPLAY</varname> values or PAM service
+ names (for non-networked logins without a tty), host names,
+ domain names (begin with "."), host addresses,
internet network numbers (end with "."), internet network addresses
with network mask (where network mask can be a decimal number or an
internet address also), <emphasis>ALL</emphasis> (which always matches)
- or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
- keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
- not set and <origin> field is thus set from
- <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
+ or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
+ keyword matches if and only if
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ when called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
+ empty string (and therefore the
+ <replaceable>origins</replaceable> field is compared against the
+ return value of
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_TTY</emphasis> or, absent that,
+ <emphasis>PAM_SERVICE</emphasis>).
+ </para>
+
+ <para>
If supported by the system you can use
<emphasis>@netgroupname</emphasis> in host or user patterns. The
<emphasis>@@netgroupname</emphasis> syntax is supported in the user
@@ -115,7 +139,7 @@
<emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
<emphasis>tty6</emphasis>.
</para>
- <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
+ <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
<para>
User <emphasis>root</emphasis> should be allowed to get access from
@@ -123,8 +147,8 @@
connection have to be a IPv4 one, a IPv6 connection from a host with
one of this IPv4 addresses does work, too.
</para>
- <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
- <para>+ : root : 127.0.0.1</para>
+ <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para>
+ <para>+:root:127.0.0.1</para>
<para>
User <emphasis>root</emphasis> should get access from network
@@ -134,44 +158,44 @@
<emphasis>192.168.201.0/24</emphasis> or
<emphasis>192.168.201.0/255.255.255.0</emphasis>.
</para>
- <para>+ : root : 192.168.201.</para>
+ <para>+:root:192.168.201.</para>
<para>
User <emphasis>root</emphasis> should be able to have access from hosts
<emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
(uses string matching also).
</para>
- <para>+ : root : foo1.bar.org foo2.bar.org</para>
+ <para>+:root:foo1.bar.org foo2.bar.org</para>
<para>
User <emphasis>root</emphasis> should be able to have access from
domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
</para>
- <para>+ : root : .foo.bar.org</para>
+ <para>+:root:.foo.bar.org</para>
<para>
User <emphasis>root</emphasis> should be denied to get access
from all other sources.
</para>
- <para>- : root : ALL</para>
+ <para>-:root:ALL</para>
<para>
User <emphasis>foo</emphasis> and members of netgroup
<emphasis>admins</emphasis> should be allowed to get access
from all sources. This will only work if netgroup service is available.
</para>
- <para>+ : @admins foo : ALL</para>
+ <para>+:@admins foo:ALL</para>
<para>
User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
should get access from IPv6 host address.
</para>
- <para>+ : john foo : 2001:db8:0:101::1</para>
+ <para>+:john foo:2001:db8:0:101::1</para>
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
- <para>+ : john : 2001:db8:0:101::/64</para>
+ <para>+:john:2001:db8:0:101::/64</para>
<para>
Disallow console logins to all but the shutdown, sync and all
@@ -182,10 +206,22 @@
<para>
All other users should be denied to get access from all sources.
</para>
- <para>- : ALL : ALL</para>
+ <para>-:ALL:ALL</para>
</refsect1>
+ <refsect1 id="access.conf-notes">
+ <title>NOTES</title>
+ <para>
+ The default separators of list items in a field are space, ',', and tabulator
+ characters. Thus conveniently if spaces are put at the beginning and the end of
+ the fields they are ignored. However if the list separator is changed with the
+ <emphasis>listsep</emphasis> option, the spaces will become part of the actual
+ item and the line will be most probably ignored. For this reason, it is not
+ recommended to put spaces around the ':' characters.
+ </para>
+ </refsect1>
+
<refsect1 id="access.conf-see_also">
<title>SEE ALSO</title>
<para>
diff -up Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update Linux-PAM-1.1.8/modules/pam_access/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_access/Makefile.am 2017-09-08 14:10:47.223163175 +0200
@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS)
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \
+ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(NIS_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.c
--- Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2017-09-08 14:03:45.620762824 +0200
@@ -44,6 +44,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
+#include <glob.h>
#ifdef HAVE_RPCSVC_YPCLNT_H
#include <rpcsvc/ypclnt.h>
#endif
@@ -90,6 +91,7 @@
#define ALL 2
#define YES 1
#define NO 0
+#define NOMATCH -1
/*
* A structure to bundle up all login-related information to keep the
@@ -412,13 +414,17 @@ login_access (pam_handle_t *pamh, struct
return NO;
}
#ifdef HAVE_LIBAUDIT
- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
- nonall_match == YES))) {
+ if (!item->noaudit && (match == YES || (match == ALL &&
+ nonall_match == YES)) && line[0] == '-') {
pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
"pam_access", 0);
}
#endif
- return (match == NO || (line[0] == '+'));
+ if (match == NO)
+ return NOMATCH;
+ if (line[0] == '+')
+ return YES;
+ return NO;
}
@@ -524,7 +530,9 @@ user_match (pam_handle_t *pamh, char *to
/* Try to split on a pattern (@*[^@]+)(@+.*) */
for (at = tok; *at == '@'; ++at);
- if ((at = strchr(at, '@')) != NULL) {
+ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
+ return (group_match (pamh, tok, string, item->debug));
+ } else if ((at = strchr(at, '@')) != NULL) {
/* split user@host pattern */
if (item->hostname == NULL)
return NO;
@@ -549,9 +557,7 @@ user_match (pam_handle_t *pamh, char *to
hostname = item->hostname;
}
return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
- return (group_match (pamh, tok, string, item->debug));
- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
return rv;
else if (item->only_new_group_syntax == NO &&
pam_modutil_user_in_group_nam_nam (pamh,
@@ -573,7 +579,7 @@ group_match (pam_handle_t *pamh, const c
if (debug)
pam_syslog (pamh, LOG_DEBUG,
- "group_match: grp=%s, user=%s", grptok, usr);
+ "group_match: grp=%s, user=%s", tok, usr);
if (strlen(tok) < 3)
return NO;
@@ -808,6 +814,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
const char *user=NULL;
const void *void_from=NULL;
const char *from;
+ const char const *default_config = PAM_ACCESS_CONFIG;
struct passwd *user_pw;
char hostname[MAXHOSTNAMELEN + 1];
int rv;
@@ -829,7 +836,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
*/
memset(&loginfo, '\0', sizeof(loginfo));
loginfo.user = user_pw;
- loginfo.config_file = PAM_ACCESS_CONFIG;
+ loginfo.config_file = default_config;
/* parse the argument list */
@@ -900,6 +907,26 @@ pam_sm_authenticate (pam_handle_t *pamh,
rv = login_access(pamh, &loginfo);
+ if (rv == NOMATCH && loginfo.config_file == default_config) {
+ glob_t globbuf;
+ int i, glob_rv;
+
+ /* We do not manipulate locale as setlocale() is not
+ * thread safe. We could use uselocale() in future.
+ */
+ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
+ if (!glob_rv) {
+ /* Parse the *.conf files. */
+ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
+ loginfo.config_file = globbuf.gl_pathv[i];
+ rv = login_access(pamh, &loginfo);
+ if (rv != NOMATCH)
+ break;
+ }
+ globfree(&globbuf);
+ }
+ }
+
if (loginfo.gai_rv == 0 && loginfo.res)
freeaddrinfo(loginfo.res);
diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml
--- Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml 2017-09-08 14:04:25.365642960 +0200
@@ -50,16 +50,25 @@
The pam_access PAM module is mainly for access management.
It provides logdaemon style login access control based on login
names, host or domain names, internet addresses or network numbers,
- or on terminal line names in case of non-networked logins.
+ or on terminal line names, X <varname>$DISPLAY</varname> values,
+ or PAM service names in case of non-networked logins.
</para>
<para>
By default rules for access management are taken from config file
<filename>/etc/security/access.conf</filename> if you don't specify
another file.
+ Then individual <filename>*.conf</filename> files from the
+ <filename>/etc/security/access.d/</filename> directory are read.
+ The files are parsed one after another in the order of the system locale.
+ The effect of the individual files is the same as if all the files were
+ concatenated together in the order of parsing. This means that once
+ a pattern is matched in some file no further files are parsed.
+ If a config file is explicitly specified with the <option>accessfile</option>
+ option the files in the above directory are not parsed.
</para>
<para>
If Linux PAM is compiled with audit support the module will report
- when it denies access based on origin (host or tty).
+ when it denies access based on origin (host, tty, etc.).
</para>
</refsect1>