On Wed, 1 Feb 2006, Thorsten Kukuk wrote:

> On Tue, Jan 31, Mike Becher wrote:
>
> > 1) My patch includes creation of the missing manual login.access.5.
>
> Yes, that needs to be removed from Makefile.am. I discussed this with
> the other main Linux-PAM developers and we agree that we don't wish to
> have the compat code in it.

OK, then it should be so.

> > 2) If we check whether inet_ntop, inet_pton and yp_get_default_domain exist,
> > then we should provide some alternative if configure does not find them.
>
> That's something which needs to be fixed in another way. Instead of
> yp_get_default_domain, domainname() should be used. Means we would also
> get rid of -lnsl. But are there really systems which don't provide
> that function?

I don't know how it is on other non-Linux platforms. I only know that Solaris
2.5.1 and above and HP-UX 10.20 and above have this function. Older HP-UX
doesn't provide it in all cases. But the questions are:

* who uses such old OSs at this time? and
* should Linux-PAM be compatible with such platforms?

More problematic seems to be innetgr(). We should also check for this.
I found a comment in point of that at:
http://www2.physics.umd.edu/~payerle/Software/PAM/pam_netgroups.html

> > 3) Some corrections in access.conf.5.
>
> Are there real content changes? I could only find reformatting.

Yes ... changes are made in point of the group stuff.

> access.conf.5 is now generated from an xml file, I fixed all the bugs
> in it yesterday evening, attached is my latest revision.

OK, now I have put a patch against the xml file in this mail.

> I removed for example this "su" service from it, su sets PAM_TTY, so
> a rule with service "su" will never work. Services which set PAM_RHOSTS
> or PAM_TTY cannot be used with their name.

You are right.

> There were also comments about group membership, but pam_access does not
> have code for this.

It has code for this. Please have a look at function user_match(), which
calls pam_modutil_user_in_group_nam_nam().

To clarify this we should write

    pam_modutil_user_in_group_nam_nam(pamh, string, tok)

instead of

    pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)

or should rename the variable char *string ... to char *pw_name. Or what do
you think of that?

A question in point of the check_login_access program... OK, it could get
another name, but isn't it good to have a program to evaluate the content
of the access table in point of syntax and semantic checks? I think it is.
How can we include such a program into Linux-PAM? Or should we let it be?

Best regards,
mike
-----------------------------------------------------------------------------
Mike Becher                               Mike.Becher@xxxxxxxxxxxxxxx
Leibniz-Rechenzentrum der                 http://www.lrz.de
Bayerischen Akademie der Wissenschaften   phone: +49-89-289-28721
Gruppe Hochleistungssysteme               fax:   +49-89-280-9460
Barer Strasse 21   D-80333 Muenchen   Germany
-----------------------------------------------------------------------------
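The matching rule the thread argues about (a name in the users field is compared with the user name first, the group file is consulted only when that fails, only explicitly listed members count, and the primary group id is ignored) together with the idea of a check_login_access-style syntax and semantic checker, as an added example. This is not code from the thread or from Linux-PAM; the passwd and group tables and the access.conf lines are constructed for the demo, and the access.conf field layout (permission : users : origins, first match wins) is assumed from pam_access's documented format.

```python
"""Lint a pam_access access.conf against the documented name-matching rule.

Added example for this thread; not Linux-PAM code. PASSWD, GROUPS and
ACCESS_CONF below are constructed sample data, not from any real system.
"""
from dataclasses import dataclass

# Constructed sample data: user -> primary gid, group -> (gid, explicit members).
PASSWD = {"root": 0, "alice": 100, "bob": 100, "staff": 200}
GROUPS = {
    "wheel": (10, {"root", "alice"}),
    "staff": (200, {"bob"}),      # a group that shares its name with a user
    "users": (100, set()),        # alice's and bob's primary group, no explicit members
}

ACCESS_CONF = """\
# constructed sample access.conf (permission : users : origins)
+ : root : LOCAL
+ : staff : ALL
+ : users : LOCAL
+ : alice wheel
- : ALL : ALL
"""


@dataclass
class Rule:
    lineno: int
    permission: str
    users: list
    origins: list


def parse_access_conf(text):
    """Return (rules, syntax_errors). A '#' in column 0 marks a comment line,
    as the documentation excerpt in the thread states; each rule needs exactly
    three ':'-separated fields and a '+' or '-' permission."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(":")]
        if len(fields) != 3:
            errors.append(f"line {lineno}: expected 3 ':'-separated fields, got {len(fields)}")
            continue
        permission, users, origins = fields
        if permission not in ("+", "-"):
            errors.append(f"line {lineno}: permission must be '+' or '-', got {permission!r}")
            continue
        rules.append(Rule(lineno, permission, users.split(), origins.split()))
    return rules, errors


def name_matches(user, token, groups=GROUPS):
    """Model of the rule from the removed paragraphs: compare with the user
    name first; only if that fails, treat the token as a group and require
    explicit membership. The user's primary gid is never consulted."""
    if token == "ALL" or token == user:
        return True
    if token in groups:
        _gid, members = groups[token]
        return user in members
    return False


def evaluate(user, rules, groups=GROUPS):
    """First-match evaluation of the users field (origins are ignored here).
    Returns (permission, lineno) or None when no rule matches."""
    for rule in rules:
        if any(name_matches(user, tok, groups) for tok in rule.users):
            return rule.permission, rule.lineno
    return None


def lint(rules, passwd=PASSWD, groups=GROUPS):
    """Semantic findings a check_login_access-style tool would report."""
    findings = []
    for rule in rules:
        for token in rule.users:
            if token == "ALL":
                continue
            is_user, is_group = token in passwd, token in groups
            if is_user and is_group:
                findings.append(f"line {rule.lineno}: '{token}' is both a user and a group; "
                                f"the user named '{token}' matches this rule as well as the group's members")
            elif is_group and not groups[token][1]:
                findings.append(f"line {rule.lineno}: group '{token}' has no explicit members and the "
                                f"primary gid {groups[token][0]} is ignored, so this rule can never match")
            elif not is_user and not is_group:
                findings.append(f"line {rule.lineno}: '{token}' is neither a known user nor a known group")
    return findings


if __name__ == "__main__":
    parsed, syntax_errors = parse_access_conf(ACCESS_CONF)
    for err in syntax_errors:
        print("syntax:", err)
    for finding in lint(parsed):
        print("semantic:", finding)
    for who in ("root", "alice", "bob", "staff"):
        print(f"{who}: {evaluate(who, parsed)}")
```

Running it shows the two traps the deleted paragraphs warn about: alice is denied by the final `- : ALL : ALL` line even though `users` is her primary group, and the `staff` line admits both the members of group staff and the user who happens to be named staff.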
--- Linux-PAM-0.99.3.0/modules/pam_access/access.conf.5.xml 2006-02-03 10:23:28.297849096 +0100
+++ Linux-PAM-0.99.3.0.kukuk/modules/pam_access/access.conf.5.xml 2006-02-03 10:11:55.738134176 +0100
@@ -86,17 +86,6 @@
</para>
<para>
- The group file is searched only when a name does not match that of
- the logged-in user. Only groups are matched in which users are
- explicitly listed. So be carefull if a user gots the same name like a
- group.
- </para>
-
- <para>
- However a user's primary group id value will be ignored.
- </para>
-
- <para>
The "<emphasis>#</emphasis>" character at start of line (no space
at front) can be used to mark this line as a comment line.
</para>
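Review bot: the diff looks generated in the wrong direction, so applying it deletes the group-matching paragraphs rather than adding them: the `---` side (Linux-PAM-0.99.3.0, 10:23:28) is newer than the `+++` side (Linux-PAM-0.99.3.0.kukuk, 10:11:55), and the message body argues that pam_access does match groups via user_match() and pam_modutil_user_in_group_nam_nam(), which is exactly what the removed text documents. Regenerate it with the two file arguments swapped so the paragraphs appear as `+` lines, and while doing so fix the wording of the first one ("be careful if a user has the same name as a group"): that sentence is the operationally important part, since an administrator writing a rule for a group name needs to know that a user with the same name matches it first and that explicit membership, not the primary group id, is what counts.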