fa9e4066f08beec538e775443c5be79dd423fcabahrens/*
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER START
fa9e4066f08beec538e775443c5be79dd423fcabahrens *
fa9e4066f08beec538e775443c5be79dd423fcabahrens * The contents of this file are subject to the terms of the
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * Common Development and Distribution License (the "License").
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * You may not use this file except in compliance with the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens *
fa9e4066f08beec538e775443c5be79dd423fcabahrens * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fa9e4066f08beec538e775443c5be79dd423fcabahrens * or http://www.opensolaris.org/os/licensing.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * See the License for the specific language governing permissions
fa9e4066f08beec538e775443c5be79dd423fcabahrens * and limitations under the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens *
fa9e4066f08beec538e775443c5be79dd423fcabahrens * When distributing Covered Code, include this CDDL HEADER in each
fa9e4066f08beec538e775443c5be79dd423fcabahrens * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * If applicable, add the following below this CDDL HEADER, with the
fa9e4066f08beec538e775443c5be79dd423fcabahrens * fields enclosed by brackets "[]" replaced with your own identifying
fa9e4066f08beec538e775443c5be79dd423fcabahrens * information: Portions Copyright [yyyy] [name of copyright owner]
fa9e4066f08beec538e775443c5be79dd423fcabahrens *
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER END
fa9e4066f08beec538e775443c5be79dd423fcabahrens */
fa9e4066f08beec538e775443c5be79dd423fcabahrens
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson/*
fa9e4066f08beec538e775443c5be79dd423fcabahrens * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * Use is subject to license terms.
fa9e4066f08beec538e775443c5be79dd423fcabahrens */
fa9e4066f08beec538e775443c5be79dd423fcabahrens
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <stdio.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <string.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <sys/types.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <sys/stat.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <syslog.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <netdb.h>
fa9e4066f08beec538e775443c5be79dd423fcabahrens#include <malloc.h>
13506d1eefbbc37e2f12a0528831d9f6d4c361d7maybee#include <unistd.h>
e05725b117836db173257fae43fb0746eb857fb5bonwick#include <errno.h>
13506d1eefbbc37e2f12a0528831d9f6d4c361d7maybee#include <security/pam_appl.h>
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick#include <security/pam_modules.h>
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick#include <security/pam_impl.h>
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick#define ILLEGAL_COMBINATION "pam_list: illegal combination of options"
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick
/*
 * Which file pam_list consults and how its lines are interpreted.
 */
typedef enum {
	LIST_EXTERNAL_FILE = 0,	/* allow=/deny= given: read the named file */
	LIST_PLUS_CHECK = 1,	/* default: only +/- prefixed lines of PF_PATH */
	LIST_COMPAT_MODE = 2	/* "compat": every non-empty line of PF_PATH */
} pam_list_mode_t;
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson
/*
 * Name the current option mode for an "illegal combination" diagnostic.
 *
 * "compat" wins whenever op_mode is LIST_COMPAT_MODE; otherwise the allow
 * flag picks "allow" or "deny".  The result is a string literal (do not free).
 */
static const char *
string_mode_type(pam_list_mode_t op_mode, boolean_t allow)
{
	if (op_mode == LIST_COMPAT_MODE) {
		return ("compat");
	}
	if (allow) {
		return ("allow");
	}
	return ("deny");
}
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson
/*
 * Report two mutually exclusive module options that were given together.
 * s1 and s2 are the option names exactly as they should appear in the
 * syslog message (LOG_AUTH | LOG_ERR).
 */
static void
log_illegal_combination(const char *s1, const char *s2)
{
	__pam_log(LOG_AUTH | LOG_ERR, ILLEGAL_COMBINATION
	    " %s and %s", s1, s2);
}
fa9e4066f08beec538e775443c5be79dd423fcabahrens
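/*ARGSUSED*/
/*
 * pam_sm_acct_mgmt - account management entry point of pam_list.
 *
 * Options in argv (matched case-insensitively):
 *   debug            log the configuration and the decision with LOG_DEBUG
 *   user / nouser    do / do not match PAM_USER (default: user)
 *   host / nohost    do / do not match PAM_RHOST (default: nohost)
 *   user_host_exact  require user and host together in one netgroup entry
 *   compat           read PF_PATH like passwd_compat: every non-empty line
 *                    is an entry and a leading '+'/'-' gives its sense
 *   allow=<file>     read <file>; a matching entry grants access
 *   deny=<file>      read <file>; a matching entry refuses access
 * compat, allow= and deny= exclude each other; with none of them only the
 * "+name"/"-name" lines of PF_PATH are considered.  At least one of the
 * user/host/exact checks must remain enabled, and compat needs the user
 * check.
 *
 * Each line is cut at the first ':' or newline; an entry starting with '@'
 * is a netgroup looked up with innetgr(), anything else is a user name.
 * When a host check is requested and PAM_RHOST is unset or empty, the
 * local host name is used instead.  flags is unused.
 *
 * Returns PAM_SUCCESS or PAM_PERM_DENIED as soon as an entry matches,
 * following the sense of the entry (compat, +/-) or of the file (allow=,
 * deny=).  Without a match: PAM_IGNORE in the default +/- mode, otherwise
 * PAM_PERM_DENIED for an allow file or compat mode (once at least one
 * entry was read) and PAM_SUCCESS for a deny file.  PAM_SERVICE_ERR for
 * bad options, an unreadable or unnamed file, or an illegal compat line;
 * PAM_USER_UNKNOWN when a user check is requested but PAM_USER is unset
 * or empty.
 */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	FILE *fd;
	const char *allowdeny_filename = PF_PATH;
	char buf[BUFSIZ];
	char hostname[MAXHOSTNAMELEN];
	char *username = NULL;
	char *bufp;
	char *rhost = NULL;	/* stays NULL if pam_get_item() does not set it */
	char *limit;
	int userok = 0;
	int hostok = 0;
	int i;
	int c;
	int allow_deny_test = 0;	/* number of allow=/deny= options seen */
	boolean_t debug = B_FALSE;
	boolean_t allow = B_FALSE;
	boolean_t matched = B_FALSE;
	boolean_t check_user = B_TRUE;
	boolean_t check_host = B_FALSE;
	boolean_t check_exact = B_FALSE;
	pam_list_mode_t op_mode = LIST_PLUS_CHECK;

	for (i = 0; i < argc; ++i) {
		if (strcasecmp(argv[i], "debug") == 0) {
			debug = B_TRUE;
		} else if (strcasecmp(argv[i], "user") == 0) {
			check_user = B_TRUE;
		} else if (strcasecmp(argv[i], "nouser") == 0) {
			check_user = B_FALSE;
		} else if (strcasecmp(argv[i], "host") == 0) {
			check_host = B_TRUE;
		} else if (strcasecmp(argv[i], "nohost") == 0) {
			check_host = B_FALSE;
		} else if (strcasecmp(argv[i], "user_host_exact") == 0) {
			check_exact = B_TRUE;
		} else if (strcasecmp(argv[i], "compat") == 0) {
			if (op_mode == LIST_PLUS_CHECK) {
				op_mode = LIST_COMPAT_MODE;
			} else {
				log_illegal_combination("compat",
				    string_mode_type(op_mode, allow));
				return (PAM_SERVICE_ERR);
			}
		} else if (strncasecmp(argv[i], "allow=",
		    sizeof ("allow=") - 1) == 0) {
			if (op_mode == LIST_PLUS_CHECK) {
				/* the file name follows the '=' */
				allowdeny_filename = argv[i] +
				    sizeof ("allow=") - 1;
				allow = B_TRUE;
				op_mode = LIST_EXTERNAL_FILE;
				allow_deny_test++;
			} else {
				log_illegal_combination("allow",
				    string_mode_type(op_mode, allow));
				return (PAM_SERVICE_ERR);
			}
		} else if (strncasecmp(argv[i], "deny=",
		    sizeof ("deny=") - 1) == 0) {
			if (op_mode == LIST_PLUS_CHECK) {
				allowdeny_filename = argv[i] +
				    sizeof ("deny=") - 1;
				allow = B_FALSE;
				op_mode = LIST_EXTERNAL_FILE;
				allow_deny_test++;
			} else {
				log_illegal_combination("deny",
				    string_mode_type(op_mode, allow));
				return (PAM_SERVICE_ERR);
			}
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_list: illegal option %s", argv[i]);
			return (PAM_SERVICE_ERR);
		}
	}

	/* nothing left to check, or more than one allow=/deny= file */
	if ((!check_user && !check_host && !check_exact) ||
	    (allow_deny_test > 1)) {
		__pam_log(LOG_AUTH | LOG_ERR, ILLEGAL_COMBINATION);
		return (PAM_SERVICE_ERR);
	}

	/* compat mode matches user names, so the user check is mandatory */
	if ((op_mode == LIST_COMPAT_MODE) && (check_user == B_FALSE)) {
		log_illegal_combination("compat", "nouser");
		return (PAM_SERVICE_ERR);
	}

	if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_list: check_user = %d, check_host = %d,"
		    "check_exact = %d\n",
		    check_user, check_host, check_exact);

		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_list: auth_file: %s, %s\n", allowdeny_filename,
		    (op_mode == LIST_COMPAT_MODE) ? "compat mode" :
		    (allow ? "allow file" : "deny file"));
	}

	(void) pam_get_item(pamh, PAM_USER, (void**)&username);

	/* a user name is needed whenever a user or exact check is requested */
	if ((check_user || check_exact) && ((username == NULL) ||
	    (*username == '\0'))) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_list: username not supplied, critical error");
		return (PAM_USER_UNKNOWN);
	}

	(void) pam_get_item(pamh, PAM_RHOST, (void**)&rhost);

	/* no remote host: fall back to the local host name */
	if ((check_host || check_exact) && ((rhost == NULL) ||
	    (*rhost == '\0'))) {
		if (gethostname(hostname, sizeof (hostname)) == 0) {
			/* gethostname() need not terminate a truncated name */
			hostname[sizeof (hostname) - 1] = '\0';
			rhost = hostname;
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_list: error by gethostname - %m");
			return (PAM_SERVICE_ERR);
		}
	}

	if (debug) {
		/* username may legitimately be NULL with "nouser host" */
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_list: pam_sm_acct_mgmt for (%s,%s,)",
		    (rhost != NULL) ? rhost : "",
		    (username != NULL) ? username : "");
	}

	if (strlen(allowdeny_filename) == 0) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_list: file name not specified");
		return (PAM_SERVICE_ERR);
	}

	if ((fd = fopen(allowdeny_filename, "rF")) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR, "pam_list: fopen of %s: %s",
		    allowdeny_filename, strerror(errno));
		return (PAM_SERVICE_ERR);
	}

	while (fgets(buf, BUFSIZ, fd) != NULL) {
		/* lines longer than BUFSIZ-1: discard the remainder */
		if ((strlen(buf) == (BUFSIZ - 1)) &&
		    (buf[BUFSIZ - 2] != '\n')) {
			/*
			 * Test the character itself rather than feof():
			 * fgetc() also returns EOF on a read error without
			 * setting the end-of-file indicator, and a loop on
			 * feof() alone would then never terminate.
			 */
			while ((c = fgetc(fd)) != '\n' && c != EOF) {
				continue;
			}
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "pam_list: long line in file,"
			    "more than %d chars, the rest ignored", BUFSIZ - 1);
		}

		/* keep only the first field: cut at ':' or at the newline */
		if ((limit = strpbrk(buf, ":\n")) != NULL) {
			*limit = '\0';
		}

		/* ignore empty entries */
		if (buf[0] == '\0') {
			continue;
		}

		bufp = buf;

		/* test for interesting lines = +/- in /etc/passwd */
		if (op_mode == LIST_COMPAT_MODE) {
			/* simple + matches all */
			if ((buf[0] == '+') && (buf[1] == '\0')) {
				matched = B_TRUE;
				allow = B_TRUE;
				break;
			}

			/* simple - is not defined */
			if ((buf[0] == '-') && (buf[1] == '\0')) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "pam_list: simple minus unknown, "
				    "illegal line in " PF_PATH);
				(void) fclose(fd);
				return (PAM_SERVICE_ERR);
			}

			/* @ is not allowed on the first position */
			if (buf[0] == '@') {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "pam_list: @ is not allowed on the first "
				    "position in " PF_PATH);
				(void) fclose(fd);
				return (PAM_SERVICE_ERR);
			}

			if (buf[0] == '-') {
				/* -user or -@netgroup */
				allow = B_FALSE;
				bufp++;
			} else if (buf[0] == '+') {
				/* +user or +@netgroup */
				allow = B_TRUE;
				bufp++;
			} else {
				/* plain user */
				allow = B_TRUE;
			}
		} else if (op_mode == LIST_PLUS_CHECK) {
			/* only "+name" and "-name" lines count here */
			if (((buf[0] != '+') && (buf[0] != '-')) ||
			    (buf[1] == '\0')) {
				continue;
			}

			allow = (buf[0] == '+') ? B_TRUE : B_FALSE;
			bufp++;
		}

		/*
		 * if -> netgroup line
		 * else -> user line
		 */
		if ((bufp[0] == '@') && (bufp[1] != '\0')) {
			bufp++;

			if (check_exact) {
				/* user and host must appear in one triple */
				if (innetgr(bufp, rhost, username,
				    NULL) == 1) {
					matched = B_TRUE;
					break;
				}
			} else {
				/* user and host are matched independently */
				if (check_user) {
					userok = innetgr(bufp, NULL, username,
					    NULL);
				} else {
					userok = 1;
				}
				if (check_host) {
					hostok = innetgr(bufp, rhost, NULL,
					    NULL);
				} else {
					hostok = 1;
				}
				if (userok && hostok) {
					matched = B_TRUE;
					break;
				}
			}
		} else {
			/* a plain user entry only ever matches the user */
			if (check_user) {
				if (strcmp(bufp, username) == 0) {
					matched = B_TRUE;
					break;
				}
			}
		}

		/*
		 * No match found in /etc/passwd yet. For compat mode
		 * a failure to match should result in a return of
		 * PAM_PERM_DENIED which is achieved below if 'matched'
		 * is false and 'allow' is true.
		 * NOTE(review): an empty file in compat mode never reaches
		 * this point, so 'allow' stays B_FALSE and the final
		 * return grants access; confirm whether that is intended.
		 */
		if (op_mode == LIST_COMPAT_MODE) {
			allow = B_TRUE;
		}
	}
	(void) fclose(fd);

	if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_list: %s for %s", matched ? "matched" : "no match",
		    allow ? "allow" : "deny");
	}

	if (matched) {
		return (allow ? PAM_SUCCESS : PAM_PERM_DENIED);
	}
	/*
	 * For compatibility with passwd_compat mode to prevent root access
	 * denied.
	 */
	if (op_mode == LIST_PLUS_CHECK) {
		return (PAM_IGNORE);
	}
	return (allow ? PAM_PERM_DENIED : PAM_SUCCESS);
}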
d6e555bdd793b8bc8fe57d5f12c3d69c813d0661George Wilson