| #
369345 |
|
24-Feb-2021 |
markj |
pam_login_access: Fix negative entry matching logic
PR: 252194
Approved by: so
Security: CVE-2020-25580
Security: FreeBSD-SA-21:03.pam_login_access
(cherry picked from commit 6ab923cbca8759503a08683a5978b9ebf5efd607)
Git Hash: dae05d22d64ea218abe5883be539c2b41c20b1fb
Git Author: markj@FreeBSD.org
|
| #
359117 |
|
19-Mar-2020 |
cy |
MFC r358070:
This commit makes significant changes to pam_login_access(8) to bring it
up to par with the Linux pam_access(8).
Like the Linux pam_access(8) our pam_login_access(8) is a service module
for pam(3) that allows a administrator to limit access from specified
remote hosts or terminals. Unlike the Linux pam_access, pam_login_access
is missing some features which are added by this commit:
Access file can now be specified. The default remains /etc/access.conf.
The syntax is consistent with Linux pam_access.
By default usernames are matched. If the username fails to match a match
against a group name is attempted. The new nodefgroup module option will
only match a username and no attempt to match a group name is made.
Group names must be specified in brackets, "()" when nodefgroup is
specified. Otherwise the old backward compatible behavior is used.
This is consistent with Linux pam_access.
A new field separator module option allows the replacement of the default
colon (:) with any other character. This facilitates potential future
specification of X displays. This is also consistent with Linux pam_access.
A new list separator module option to replace the default space/comma/tab
with another character. This too is consistent with Linux pam_access.
Linux pam_access options not implemented in this commit are the debug
and audit options. These will be implemented at a later date.
Reviewed by: bjk, bcr (for manpages)
Approved by: des (blanket, implicit)
Differential Revision: https://reviews.freebsd.org/D23198
|
| #
359116 |
|
19-Mar-2020 |
cy |
MFC r358066:
When pam_login_access(5) fails to match a username it attempts to
match the primary group a user belongs to. This commit extends the
match to secondary groups a user belongs to as well, just as the Linux
pam_access(5) does.
Approved by: des (implicit, blanket)
|
| #
359115 |
|
19-Mar-2020 |
cy |
MFC r358065:
The words ALL, LOCAL, and EXCEPT have special meaning and are documented
as in the login.access(5) man page. However strcasecmp() is used to compare
for these special strings. Because of this User accounts and groups with
the corresponding lowercase names are misintrepreted to have special
whereas they should not.
This commit fixes this, conforming to the man page and to how the Linux
pam_access(8) handles these special words.
Approved by: des (implicit, blanket)
|
| #
358197 |
|
21-Feb-2020 |
cy |
MFC r358069:
strchr() returns a pointer not an int.
Reported by: bjk
Approved by: des (blanket, implicit)
|
| #
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| #
297755 |
|
09-Apr-2016 |
pfg |
libpam: replace 0 with NULL for pointers.
Found with devel/coccinelle.
Reviewed by: des
|
| #
169976 |
|
25-May-2007 |
des |
Re-add support for NIS netgroups (heavily modified from patch in PR)
PR: bin/112955
Submitted by: A. Blake Cooper <blake@cluebie.net>
MFC after: 3 weeks
|
| #
126643 |
|
05-Mar-2004 |
markm |
Make NULL a (void*)0 whereever possible, and fix the warnings(-Werror)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).
There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.
Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".
Tested on: i386 sparc64
|
| #
90145 |
|
03-Feb-2002 |
markm |
WARNS=n fixes (and some stylistic issues).
|
| #
90093 |
|
01-Feb-2002 |
des |
Post-repocopy cleanup.
Sponsored by: DARPA, NAI Labs
|
| #
89994 |
|
30-Jan-2002 |
des |
Still with asbestos longjohns on, completely PAMify login(1) and remove
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
|
| #
87628 |
|
10-Dec-2001 |
dwmalone |
Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
|
| #
87233 |
|
02-Dec-2001 |
markm |
Use __FBSDID(). Also do a bit of cosmetic #if and header-order
cleaning-up.
|
| #
87177 |
|
01-Dec-2001 |
markm |
Style fixups.
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)
Inspired by: bde
|
| #
87173 |
|
01-Dec-2001 |
markm |
WARNS=2 fixes.
Reviewed by: bde (a while back)
|
| #
29922 |
|
28-Sep-1997 |
markm |
Changes for KTH KerberosIV.
Also quieten -Wall a bit.
|
| #
22230 |
|
02-Feb-1997 |
pst |
Cruft cleanup to eliminate useless warnings
|
| #
8874 |
|
30-May-1995 |
rgrimes |
Remove trailing whitespace.
|
| #
2198 |
|
21-Aug-1994 |
guido |
Add skey supprot
Reviewed by:
Submitted by: guido
|