

Re: [Commits] 50dc8c0: MDEV-8842 add group support to pam_user_map module.

 

Hi again.

See the next version :)
http://lists.askmonty.org/pipermail/commits/2015-October/008513.html

HF

07.10.2015 13:57, Sergei Golubchik wrote:
Hi, Holyfoot!

On Oct 07, holyfoot@xxxxxxxxxxxx wrote:
revision-id: 50dc8c0e8a27d18a3d75ff43a87975fcd5e0e7f6 (mariadb-10.1.7-67-g50dc8c0)
parent(s): bed4e847950eef50930b44632eea43416e7b37d1
committer: Alexey Botchkov
timestamp: 2015-10-07 00:51:33 +0500
message:

MDEV-8842 add group support to pam_user_map module.
Added to the pam_user_map module.
Looks pretty much ok. Just one suggestion:
I'd keep groups in pam_sm_authenticate and pass
the pointer down to user_in_group.
Indeed, there may be many @group entries in the mapping file; it seems like a
waste to repopulate the group array every time.

---
  plugin/auth_pam/mapper/pam_user_map.c | 59 +++++++++++++++++++++++++++++++++--
  1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/plugin/auth_pam/mapper/pam_user_map.c b/plugin/auth_pam/mapper/pam_user_map.c
index e73ab6d..a3008bd 100644
--- a/plugin/auth_pam/mapper/pam_user_map.c
+++ b/plugin/auth_pam/mapper/pam_user_map.c
@@ -13,22 +13,71 @@ auth            required        pam_user_map.so
And create /etc/security/user_map.conf with the desired mapping
    in the format:  orig_user_name: mapped_user_name
+                  @user's_group_name: mapped_user_name
  =========================================================
-#comments and emty lines are ignored
+#comments and emtpy lines are ignored
  john: jack
  bob:  admin
  top:  accounting
+@group_ro: readonly
  =========================================================
*/
+#include <stdlib.h>
  #include <stdio.h>
  #include <syslog.h>
+#include <grp.h>
+#include <pwd.h>
+#include <limits.h>
  #include <security/pam_modules.h>
#define FILENAME "/etc/security/user_map.conf"
  #define skip(what) while (*s && (what)) s++
+#define GROUP_BUFFER_SIZE 100
+int user_in_group(const char *user, const char *group)
+{
+  gid_t group_buffer[GROUP_BUFFER_SIZE];
+  gid_t *groups= group_buffer;
+  gid_t group_id;
+  gid_t user_group_id;
+  int ng, i;
+
+  {
+    struct passwd *pw= getpwnam(user);
+    struct group *g= getgrnam(group);
+    if (pw == NULL || g == NULL)
+      return 0;
+    user_group_id= pw->pw_gid;
+    group_id= g->gr_gid;
+  }
+
+  ng= GROUP_BUFFER_SIZE;
+  if (getgrouplist(user, user_group_id, groups, &ng) < 0)
+  {
+    /* The rare case when the user is present in more than */
+    /* GROUP_BUFFER_SIZE groups.                           */
+    groups= (gid_t *) malloc(ng * sizeof (gid_t));
+    if (!groups)
+      return 0;
+
+    (void) getgrouplist(user, user_group_id, groups, &ng);
+  }
+
+  for (i= 0; i < ng; i++)
+  {
+    if (groups[i] == group_id)
+      break;
+  }
+
+  if (groups != group_buffer)
+    free(groups);
+
+  return i < ng;
+}
+
+
  int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      int argc, const char *argv[])
  {
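Review bot: The result of the second group lookup at `(void) getgrouplist(user, user_group_id, groups, &ng);` is discarded, and on glibc at least a failing call rewrites ng to the count it now needs; if the user's membership grew between the two calls, the loop below walks groups[i] up to that larger ng and reads past the array that was malloc'd for the earlier count. Checking the call closes that window: `if (getgrouplist(user, user_group_id, groups, &ng) < 0) { free(groups); return 0; }`. user_in_group is also not static, so it becomes an exported symbol of the module's shared object; `static int user_in_group(const char *user, const char *group)` keeps it private to the mapper. The rewritten header comment still misspells "empty" on the `#comments and emtpy lines are ignored` line.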
@@ -51,10 +100,14 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
    while (fgets(buf, sizeof(buf), f) != NULL)
    {
      char *s= buf, *from, *to, *end_from, *end_to;
+    int check_group;
+
      line++;
skip(isspace(*s));
      if (*s == '#' || *s == 0) continue;
+    if ((check_group= *s == '@'))
+      s++;
      from= s;
      skip(isalnum(*s) || (*s == '_'));
      end_from= s;
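Review bot: After the `@` prefix is consumed at `if ((check_group= *s == '@'))`, the group name is scanned with the user-name class `skip(isalnum(*s) || (*s == '_'));`, so a group whose name contains a character outside [A-Za-z0-9_] (a `-`, for example) ends the token early and presumably lands in the syntax_error path further down, outside this hunk; if such group names are meant to be mappable, the `@` case needs a wider class, e.g. `skip(isalnum(*s) || *s == '_' || (check_group && *s == '-'));`, and if not, the header comment should state the allowed characters. The assignment inside the condition is also easy to misread; `check_group= (*s == '@'); if (check_group) s++;` says the same thing plainly. pam_sm_authenticate starts and ends outside this hunk.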
@@ -67,7 +120,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      if (end_to == to) goto syntax_error;
*end_from= *end_to= 0;
-    if (strcmp(username, from) == 0)
+    if (check_group ?
+          user_in_group(username, from) :
+          (strcmp(username, from) == 0))
      {
        pam_err= pam_set_item(pamh, PAM_USER, to);
        goto ret;
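Review bot: The match at `if (check_group ? user_in_group(username, from) : (strcmp(username, from) == 0))` jumps to ret on the first hit, so a user who matches several lines (a direct entry plus one or more `@group` entries) is mapped by whichever line comes first in the file; the module's header comment in the first hunk does not say so and should state that the first matching line wins. user_in_group returns 0 when either the user or the group cannot be looked up, so an `@` line naming an unknown group is silently skipped; since the file already uses syslog, a one-line warning in that case would help an administrator diagnose a mapping that never applies, while keeping the fail-closed result. pam_sm_authenticate starts and ends outside this hunk.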
Regards,
Sergei


