#
369345 |
|
24-Feb-2021 |
markj |
pam_login_access: Fix negative entry matching logic
PR: 252194
Approved by: so
Security: CVE-2020-25580
Security: FreeBSD-SA-21:03.pam_login_access
(cherry picked from commit 6ab923cbca8759503a08683a5978b9ebf5efd607)
Git Hash: dae05d22d64ea218abe5883be539c2b41c20b1fb
Git Author: markj@FreeBSD.org
|
#
359117 |
|
19-Mar-2020 |
cy |
MFC r358070:
This commit makes significant changes to pam_login_access(8) to bring it up to par with the Linux pam_access(8).
Like the Linux pam_access(8), our pam_login_access(8) is a service module for pam(3) that allows an administrator to limit access from specified remote hosts or terminals. Unlike the Linux pam_access, pam_login_access is missing some features which are added by this commit:
Access file can now be specified. The default remains /etc/access.conf. The syntax is consistent with Linux pam_access.
By default usernames are matched. If the username fails to match, a match against a group name is attempted. The new nodefgroup module option will only match a username and no attempt to match a group name is made. Group names must be specified in brackets, "()", when nodefgroup is specified. Otherwise the old backward compatible behavior is used. This is consistent with Linux pam_access.
A new field separator module option allows the replacement of the default colon (:) with any other character. This facilitates potential future specification of X displays. This is also consistent with Linux pam_access.
A new list separator module option to replace the default space/comma/tab with another character. This too is consistent with Linux pam_access.
Linux pam_access options not implemented in this commit are the debug and audit options. These will be implemented at a later date.
Reviewed by: bjk, bcr (for manpages)
Approved by: des (blanket, implicit)
Differential Revision: https://reviews.freebsd.org/D23198
|
#
359116 |
|
19-Mar-2020 |
cy |
MFC r358066:
When pam_login_access(5) fails to match a username it attempts to match the primary group a user belongs to. This commit extends the match to secondary groups a user belongs to as well, just as the Linux pam_access(5) does.
Approved by: des (implicit, blanket)
|
#
359115 |
|
19-Mar-2020 |
cy |
MFC r358065:
The words ALL, LOCAL, and EXCEPT have special meaning and are documented as in the login.access(5) man page. However strcasecmp() is used to compare for these special strings. Because of this, user accounts and groups with the corresponding lowercase names are misinterpreted to have special whereas they should not.
This commit fixes this, conforming to the man page and to how the Linux pam_access(8) handles these special words.
Approved by: des (implicit, blanket)
|
#
358197 |
|
21-Feb-2020 |
cy |
MFC r358069:
strchr() returns a pointer not an int.
Reported by: bjk
Approved by: des (blanket, implicit)
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
297755 |
|
09-Apr-2016 |
pfg |
libpam: replace 0 with NULL for pointers.
Found with devel/coccinelle.
Reviewed by: des
|
#
169976 |
|
25-May-2007 |
des |
Re-add support for NIS netgroups (heavily modified from patch in PR)
PR: bin/112955
Submitted by: A. Blake Cooper <blake@cluebie.net>
MFC after: 3 weeks
|
#
126643 |
|
05-Mar-2004 |
markm |
Make NULL a (void*)0 wherever possible, and fix the warnings(-Werror) that this provokes. "Wherever possible" means "In the kernel OR NOT C++" (implying C).
There are places where (void *) pointers are not valid, such as for function pointers, but in the special case of (void *)0, agreement settles on it being OK.
Most of the fixes were NULL where an integer zero was needed; many of the fixes were NULL where ascii <nul> ('\0') was needed, and a few were just "other".
Tested on: i386 sparc64
|
#
90145 |
|
03-Feb-2002 |
markm |
WARNS=n fixes (and some stylistic issues).
|
#
90093 |
|
01-Feb-2002 |
des |
Post-repocopy cleanup.
Sponsored by: DARPA, NAI Labs
|
#
89994 |
|
30-Jan-2002 |
des |
Still with asbestos longjohns on, completely PAMify login(1) and remove code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
|
#
87628 |
|
10-Dec-2001 |
dwmalone |
Style improvements recommended by Bruce as a follow up to some of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDID.
|
#
87233 |
|
02-Dec-2001 |
markm |
Use __FBSDID(). Also do a bit of cosmetic #if and header-order cleaning-up.
|
#
87177 |
|
01-Dec-2001 |
markm |
Style fixups.
Sort function declarations, includes. Make consistent WRT use of _P() macro (ugh!)
Inspired by: bde
|
#
87173 |
|
01-Dec-2001 |
markm |
WARNS=2 fixes.
Reviewed by: bde (a while back)
|
#
29922 |
|
28-Sep-1997 |
markm |
Changes for KTH KerberosIV. Also quieten -Wall a bit.
|
#
22230 |
|
02-Feb-1997 |
pst |
Cruft cleanup to eliminate useless warnings
|
#
8874 |
|
30-May-1995 |
rgrimes |
Remove trailing whitespace.
|
#
2198 |
|
21-Aug-1994 |
guido |
Add skey support
Reviewed by:
Submitted by: guido
|