tag 644411 patch thanks Hello,
please see my attached quilt patch, which adds the following feature: the parameter exempt_group=<groupname>. The patch also includes documentation of the new parameter for the pam_nologin(8) manpage. Bye, Simon
Adds a new parameter exempt_group. Members of the group specified alre still allowed to log in, despite the existence of /etc/nologin.
Author: Simon Kainz <ska...@debian.org>,
Index: pam_nologin/pam_nologin.8.xml
===================================================================
--- pam_nologin.orig/modules/pam_nologin/pam_nologin.8.xml
+++ pam_nologin/modules/pam_nologin/pam_nologin.8.xml
@@ -22,6 +22,9 @@
 file=<replaceable>/path/nologin</replaceable>
 </arg>
 <arg choice="opt">
+ exempt_group=<replaceable>group_name</replaceable>
+ </arg>
+ <arg choice="opt">
 successok
 </arg>
 </cmdsynopsis>
@@ -54,6 +57,18 @@
 <filename>/var/run/nologin</filename> or
 <filename>/etc/nologin</filename>.
 </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>exempt_group=<replaceable>groupname</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Specify a group name which allows logins despite the existence of eg.
+ <filename>/var/run/nologin</filename> or
+ <filename>/etc/nologin</filename>.
+ </para>
 </listitem>
 </varlistentry>
 <varlistentry>
Index: pam_nologin/pam_nologin.c
===================================================================
--- pam_nologin.orig/modules/pam_nologin/pam_nologin.c
+++ pam_nologin/modules/pam_nologin/pam_nologin.c
@@ -42,6 +42,7 @@ struct opt_s {
 int retval_when_nofile;
 const char *nologin_file;
+ const char *exempt_group;
 };
 static void
@@ -52,13 +53,16 @@ parse_args(pam_handle_t *pamh, int argc,
 memset(opts, 0, sizeof(*opts));
 opts->retval_when_nofile = PAM_IGNORE;
-
+
 for (i=0; i<argc; ++i) {
 if (!strcmp("successok", argv[i])) {
 opts->retval_when_nofile = PAM_SUCCESS;
 } else if (!strncmp("file=", argv[i], 5)) {
 opts->nologin_file = argv[i] + 5;
- } else {
+ } else if (!strncmp("exempt_group=",argv[i],13)) {
+ opts->exempt_group = argv[i] + 13;
+ }
+ else {
 pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]);
 }
 }
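Review bot: The new branch in parse_args closes with `}` on one line and `else {` on the next, which breaks the K&R `} else {` layout the two preceding branches (and the removed line) use; write `} else {` like the rest of the chain. The `-`/`+` pair just before the for loop changes only whitespace on an empty line and is unrelated churn in the same hunk. The synopsis hunk in pam_nologin.8.xml names the value `group_name` while the option description uses `groupname`; the two should agree.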
@@ -93,8 +97,44 @@ static int perform_check(pam_handle_t *p
 int msg_style = PAM_TEXT_INFO;
 struct passwd *user_pwd;
 struct stat st;
+ struct group *gr;
+
+ gid_t *groups=0;
+ int ngroups=0;
+ int j;
 user_pwd = pam_modutil_getpwnam(pamh, username);
+
+
+ if (!(opts->exempt_group==NULL) && !(user_pwd == NULL))
+ {
+ // get number of groups current user is member of
+ getgrouplist(username, user_pwd->pw_gid, groups, &ngroups);
+ groups = malloc(ngroups * sizeof (gid_t));
+
+ if (!groups)
+ {
+ pam_syslog(pamh, LOG_ERR, "out of memory");
+ retval = PAM_BUF_ERR;
+ goto clean_up_fd;
+ }
+
+ // get list of groups
+ getgrouplist(username, user_pwd->pw_gid, groups, &ngroups);
+
+ for (j=0;j<ngroups;j++)
+ {
+ gr = getgrgid(groups[j]);
+ if (!strcmp(gr->gr_name,opts->exempt_group))
+ { user_pwd->pw_uid=0; /* pretending to be root */
+ pam_syslog(pamh, LOG_ERR, "user [%s] is in exempt group [%s] - Login permitted!", username,opts->exempt_group);
+ }
+ }
+ free(groups);
+
+ }
+
 if (user_pwd == NULL) {
 retval = PAM_USER_UNKNOWN;
 msg_style = PAM_ERROR_MSG;
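Review bot: The exemption is granted by writing `user_pwd->pw_uid=0` into the struct returned by pam_modutil_getpwnam(), which is PAM-managed data kept on the handle rather than a private copy, so later modules in the same stack that look up this user are likely to see uid 0 and treat an ordinary member of the group as root; the decision should live in a local flag that is tested next to the existing root check (the `pretending to be root` comment suggests that check is what this piggybacks on, but it lies outside the hunk). In the loop, `gr->gr_name` is dereferenced without checking that getgrgid() returned non-NULL, so a gid with no group entry crashes the login service, and the return value of the second getgrouplist() is ignored, so a membership list that grew between the two calls would be read past the malloc'd buffer. All of this collapses to one call to pam_modutil_user_in_group_nam_nam(), which Linux-PAM already ships and which handles those cases; the `gr`, `groups`, `ngroups` and `j` locals then disappear. Logging a permitted login at LOG_ERR is also misleading; LOG_INFO fits. perform_check continues past the end of this hunk.
```c
    struct stat st;
    int exempt = 0;   /* set when username is a member of opts->exempt_group */

    user_pwd = pam_modutil_getpwnam(pamh, username);

    if (opts->exempt_group != NULL && user_pwd != NULL &&
        pam_modutil_user_in_group_nam_nam(pamh, username, opts->exempt_group)) {
        exempt = 1;   /* keep the decision local; never rewrite the shared passwd entry */
        pam_syslog(pamh, LOG_INFO, "user [%s] is in exempt group [%s] - login permitted",
                   username, opts->exempt_group);
    }

    /* … unchanged: user_pwd == NULL branch; the later pw_uid == 0 test (outside this hunk) should also accept exempt … */
```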