diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 60 |
1 files changed, 25 insertions, 35 deletions
@@ -33,7 +33,7 @@ | |||
33 | */ | 33 | */ |
34 | 34 | ||
35 | #include "includes.h" | 35 | #include "includes.h" |
36 | RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | 36 | RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $"); |
37 | 37 | ||
38 | #include "xmalloc.h" | 38 | #include "xmalloc.h" |
39 | #include "rsa.h" | 39 | #include "rsa.h" |
@@ -46,6 +46,7 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | |||
46 | #include "compat.h" | 46 | #include "compat.h" |
47 | #include "channels.h" | 47 | #include "channels.h" |
48 | #include "match.h" | 48 | #include "match.h" |
49 | #include "groupaccess.h" | ||
49 | #ifdef HAVE_LOGIN_H | 50 | #ifdef HAVE_LOGIN_H |
50 | #include <login.h> | 51 | #include <login.h> |
51 | #endif | 52 | #endif |
@@ -62,11 +63,11 @@ RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); | |||
62 | extern ServerOptions options; | 63 | extern ServerOptions options; |
63 | 64 | ||
64 | /* | 65 | /* |
65 | * Check if the user is allowed to log in via ssh. If user is listed in | 66 | * Check if the user is allowed to log in via ssh. If user is listed |
66 | * DenyUsers or user's primary group is listed in DenyGroups, false will | 67 | * in DenyUsers or one of user's groups is listed in DenyGroups, false |
67 | * be returned. If AllowUsers isn't empty and user isn't listed there, or | 68 | * will be returned. If AllowUsers isn't empty and user isn't listed |
68 | * if AllowGroups isn't empty and user isn't listed there, false will be | 69 | * there, or if AllowGroups isn't empty and one of user's groups isn't |
69 | * returned. | 70 | * listed there, false will be returned. |
70 | * If the user's shell is not executable, false will be returned. | 71 | * If the user's shell is not executable, false will be returned. |
71 | * Otherwise true is returned. | 72 | * Otherwise true is returned. |
72 | */ | 73 | */ |
@@ -74,7 +75,6 @@ int | |||
74 | allowed_user(struct passwd * pw) | 75 | allowed_user(struct passwd * pw) |
75 | { | 76 | { |
76 | struct stat st; | 77 | struct stat st; |
77 | struct group *grp; | ||
78 | char *shell; | 78 | char *shell; |
79 | int i; | 79 | int i; |
80 | #ifdef WITH_AIXAUTHENTICATE | 80 | #ifdef WITH_AIXAUTHENTICATE |
@@ -82,10 +82,10 @@ allowed_user(struct passwd * pw) | |||
82 | #endif /* WITH_AIXAUTHENTICATE */ | 82 | #endif /* WITH_AIXAUTHENTICATE */ |
83 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 83 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
84 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 84 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) |
85 | struct spwd *spw; | 85 | struct spwd *spw; |
86 | 86 | ||
87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
88 | if (!pw) | 88 | if (!pw || !pw->pw_name) |
89 | return 0; | 89 | return 0; |
90 | 90 | ||
91 | spw = getspnam(pw->pw_name); | 91 | spw = getspnam(pw->pw_name); |
@@ -103,7 +103,7 @@ allowed_user(struct passwd * pw) | |||
103 | } | 103 | } |
104 | #else | 104 | #else |
105 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 105 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
106 | if (!pw) | 106 | if (!pw || !pw->pw_name) |
107 | return 0; | 107 | return 0; |
108 | #endif | 108 | #endif |
109 | 109 | ||
@@ -121,16 +121,12 @@ allowed_user(struct passwd * pw) | |||
121 | 121 | ||
122 | /* Return false if user is listed in DenyUsers */ | 122 | /* Return false if user is listed in DenyUsers */ |
123 | if (options.num_deny_users > 0) { | 123 | if (options.num_deny_users > 0) { |
124 | if (!pw->pw_name) | ||
125 | return 0; | ||
126 | for (i = 0; i < options.num_deny_users; i++) | 124 | for (i = 0; i < options.num_deny_users; i++) |
127 | if (match_pattern(pw->pw_name, options.deny_users[i])) | 125 | if (match_pattern(pw->pw_name, options.deny_users[i])) |
128 | return 0; | 126 | return 0; |
129 | } | 127 | } |
130 | /* Return false if AllowUsers isn't empty and user isn't listed there */ | 128 | /* Return false if AllowUsers isn't empty and user isn't listed there */ |
131 | if (options.num_allow_users > 0) { | 129 | if (options.num_allow_users > 0) { |
132 | if (!pw->pw_name) | ||
133 | return 0; | ||
134 | for (i = 0; i < options.num_allow_users; i++) | 130 | for (i = 0; i < options.num_allow_users; i++) |
135 | if (match_pattern(pw->pw_name, options.allow_users[i])) | 131 | if (match_pattern(pw->pw_name, options.allow_users[i])) |
136 | break; | 132 | break; |
@@ -138,35 +134,29 @@ allowed_user(struct passwd * pw) | |||
138 | if (i >= options.num_allow_users) | 134 | if (i >= options.num_allow_users) |
139 | return 0; | 135 | return 0; |
140 | } | 136 | } |
141 | /* Get the primary group name if we need it. Return false if it fails */ | ||
142 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { | 137 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { |
143 | grp = getgrgid(pw->pw_gid); | 138 | /* Get the user's group access list (primary and supplementary) */ |
144 | if (!grp) | 139 | if (ga_init(pw->pw_name, pw->pw_gid) == 0) |
145 | return 0; | 140 | return 0; |
146 | 141 | ||
147 | /* Return false if user's group is listed in DenyGroups */ | 142 | /* Return false if one of user's groups is listed in DenyGroups */ |
148 | if (options.num_deny_groups > 0) { | 143 | if (options.num_deny_groups > 0) |
149 | if (!grp->gr_name) | 144 | if (ga_match(options.deny_groups, |
145 | options.num_deny_groups)) { | ||
146 | ga_free(); | ||
150 | return 0; | 147 | return 0; |
151 | for (i = 0; i < options.num_deny_groups; i++) | 148 | } |
152 | if (match_pattern(grp->gr_name, options.deny_groups[i])) | ||
153 | return 0; | ||
154 | } | ||
155 | /* | 149 | /* |
156 | * Return false if AllowGroups isn't empty and user's group | 150 | * Return false if AllowGroups isn't empty and one of user's groups |
157 | * isn't listed there | 151 | * isn't listed there |
158 | */ | 152 | */ |
159 | if (options.num_allow_groups > 0) { | 153 | if (options.num_allow_groups > 0) |
160 | if (!grp->gr_name) | 154 | if (!ga_match(options.allow_groups, |
155 | options.num_allow_groups)) { | ||
156 | ga_free(); | ||
161 | return 0; | 157 | return 0; |
162 | for (i = 0; i < options.num_allow_groups; i++) | 158 | } |
163 | if (match_pattern(grp->gr_name, options.allow_groups[i])) | 159 | ga_free(); |
164 | break; | ||
165 | /* i < options.num_allow_groups iff we break for | ||
166 | loop */ | ||
167 | if (i >= options.num_allow_groups) | ||
168 | return 0; | ||
169 | } | ||
170 | } | 160 | } |
171 | 161 | ||
172 | #ifdef WITH_AIXAUTHENTICATE | 162 | #ifdef WITH_AIXAUTHENTICATE |