Dimitris Glynos | 7 Dec 22:17 2009

pam_group: group-based access

Hello all,

I've been looking for a way to dynamically add groups to users
belonging to a certain user-group.

For example, I would like to dynamically add to the group 'plugdev',
all users belonging to the 'Domain Users' group.

From a quick look at the pam_group module I see that it supports
netgroups but not regular user groups (the kind you get from
/etc/groups).

To this end, I'm attaching a short patch that enables group-based access
in pam_group. Since the '@' sign is reserved for specifying netgroups,
I'm using the '%' sign to specify user-groups in the config file, like
this:

xsh; tty* ; %users ; Al0000-2400 ; disk

Also, some tweaking has been done on the code that parses the config
file. To be able to specify user-groups containing spaces, but still
retain backwards compatibility with space-delimited lists, I've
introduced the escaped space '\ ' sequence, which is used like this:

gdm ; * ; %Domain\ Users ; Al0000-2400 ; plugdev

Documentation files, along with the sample config file have been
updated to reflect these changes.

A few words regarding the implementation:
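A small parser for the extended users-field syntax described in the post (an added example for illustration, not the attached patch or the pam_group source): it splits a rule into its five ';'-separated fields, tokenizes the users field on unescaped whitespace so that '\ ' keeps "Domain Users" as one token while plain "alice bob" lists still split, and classifies '%name' as a user-group and '@name' as a netgroup. Group membership is passed in as a set (constructed here) rather than read from /etc/group, and the services, tty and time fields are parsed but not evaluated.

```python
# Rule layout (as in the pam_group config lines quoted above):
#   services ; ttys ; users ; times ; groups
# '\ ' inside the users field is an escaped space; '%name' is a user-group
# (/etc/group), '@name' a netgroup, '*' matches everyone, else a user name.

def split_users(field):
    """Split the users field on unescaped whitespace, honouring '\\ '."""
    tokens, cur, i = [], [], 0
    while i < len(field):
        ch = field[i]
        if ch == '\\' and i + 1 < len(field) and field[i + 1] == ' ':
            cur.append(' ')          # escaped space stays inside the token
            i += 2
            continue
        if ch in ' \t':
            if cur:                  # unescaped whitespace ends a token
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append(''.join(cur))
    return tokens

def parse_rule(line):
    fields = [f.strip() for f in line.split(';')]
    if len(fields) != 5:
        raise ValueError("expected 5 ';'-separated fields: %r" % line)
    services, ttys, users, times, groups = fields
    return {"services": services, "ttys": ttys, "users": split_users(users),
            "times": times, "groups": [g.strip() for g in groups.split(',')]}

def user_matches(token, user, user_groups):
    """user_groups: set of group names the user belongs to (constructed input;
    a real module would query getgrouplist()/getgrnam() instead)."""
    if token == '*':
        return True
    if token.startswith('%'):        # user-group, the syntax the post proposes
        return token[1:] in user_groups
    if token.startswith('@'):        # netgroup: innetgr() lookup, not modelled here
        return False
    return token == user

def groups_to_add(rule, user, user_groups):
    """Return the rule's groups if any users-field token matches, else []."""
    if any(user_matches(t, user, user_groups) for t in rule["users"]):
        return rule["groups"]
    return []
```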

Paul B. Henson | 8 Dec 04:21 2009

Better group membership checking for pam_listfile item=group


One of my colleagues wrote a patch to improve pam_listfile and submitted
it:

	http://www.redhat.com/archives/pam-list/2009-September/msg00003.html

We never heard anything back. He has since moved on, but I'd like to follow
up on this and try to get this included in pam so we don't need to maintain
a locally patched version.

Is there a bugzilla or something somewhere to submit this to, or what is
the best way to get it considered for inclusion?

Thanks...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
Solar Designer | 8 Dec 06:20 2009

Re: Better group membership checking for pam_listfile item=group

On Mon, Dec 07, 2009 at 07:21:41PM -0800, Paul B. Henson wrote:
> One of my colleagues wrote a patch to improve pam_listfile and submitted
> it:
> 
> 	http://www.redhat.com/archives/pam-list/2009-September/msg00003.html
> 
> We never heard anything back. He has since moved on, but I'd like to follow
> up on this and try to get this included in pam so we don't need to maintain
> a locally patched version.
> 
> Is there a bugzilla or something somewhere to submit this to, or what is
> the best way to get it considered for inclusion?

I cannot answer your question (I'm not the right person for that), but I
thought you could want to be aware that there exists a re-implementation
of pam_listfile, which we're maintaining and using in Openwall GNU/*/Linux:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/pam/
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/pam/pam_listfile.c
http://archives.neohapsis.com/archives/pam-list/2000-12/0084.html

I don't know the current status of pam_listfile in the official
Linux-PAM, but in 2001 a reasonable action was to replace it in its
entirety, which we did.

I don't know if the re-implementation shares the same inefficiency that
you're addressing with a patch to the original implementation now.

Alexander

Tomas Mraz | 8 Dec 10:07 2009

Re: Better group membership checking for pam_listfile item=group

On Mon, 2009-12-07 at 19:21 -0800, Paul B. Henson wrote: 
> One of my colleagues wrote a patch to improve pam_listfile and submitted
> it:
> 
> 	http://www.redhat.com/archives/pam-list/2009-September/msg00003.html
> 
> We never heard anything back. He has since moved on, but I'd like to follow
> up on this and try to get this included in pam so we don't need to maintain
> a locally patched version.
> 
> Is there a bugzilla or something somewhere to submit this to, or what is
> the best way to get it considered for inclusion?

This is already included (slightly improved patch) in the Linux-PAM CVS.
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_listfile/pam_listfile.c?r1=1.16&r2=1.17

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Thorsten Kukuk | 8 Dec 10:11 2009

Re: Better group membership checking for pam_listfile item=group

On Mon, Dec 07, Paul B. Henson wrote:

> Is there a bugzilla or something somewhere to submit this to, or what is
> the best way to get it considered for inclusion?

In general it is a very good idea to submit bug reports and patches
to the project page on sourceforge:

http://sourceforge.net/projects/pam/

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Paul B. Henson | 8 Dec 22:34 2009

Re: Better group membership checking for pam_listfile item=group

On Mon, 7 Dec 2009, Solar Designer wrote:

> I don't know if the re-implementation shares the same inefficiency that
> you're addressing with a patch to the original implementation now.

Looks like it does; I don't know how much the stock pam_listfile has
changed from what it was when you guys replaced it, but you might want to
consider applying a similar change to yours; it makes it a lot more
efficient and actually usable in a large environment.

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
Paul B. Henson | 8 Dec 22:38 2009

Re: Better group membership checking for pam_listfile item=group

On Tue, 8 Dec 2009, Tomas Mraz wrote:

> This is already included (slightly improved patch) in the Linux-PAM CVS.
> http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_listfile/pam_listfile.c?r1=1.16&r2=1.17

Excellent! Thanks. BTW, I see you work at Red Hat; I have a ticket open for
RHEL5 to get this patch backported, but I haven't gotten a response yet.
Anything you can do to push that through would be greatly appreciated :)...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
Paul B. Henson | 8 Dec 22:56 2009

Re: Better group membership checking for pam_listfile item=group

On Tue, 8 Dec 2009, Thorsten Kukuk wrote:

> In general it is a very good idea to submit bug reports and patches to
> the project page on sourceforge:
>
> http://sourceforge.net/projects/pam/

Thanks for the pointer. The top hit for "linux pam" on google is:

	http://www.kernel.org/pub/linux/libs/pam/

The sourceforge site doesn't even show up on the first page. The above site
still claims to be authoritative for the package; does anyone here happen
to have write privileges on it and could update it to point to the new
sourceforge site? That would probably help future people looking for the
bug tracker.

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
Thorsten Kukuk | 8 Dec 23:27 2009

Re: Better group membership checking for pam_listfile item=group

On Tue, Dec 08, Paul B. Henson wrote:

> On Tue, 8 Dec 2009, Thorsten Kukuk wrote:
> 
> > In general it is a very good idea to submit bug reports and patches to
> > the project page on sourceforge:
> >
> > http://sourceforge.net/projects/pam/
> 
> Thanks for the pointer. The top hit for "linux pam" on google is:
> 
> 	http://www.kernel.org/pub/linux/libs/pam/

Yes, that's the main Linux-PAM entry page.

> The sourceforge site doesn't even show up on the first page. The above site
> still claims to be authoritative for the package, does anyone here happen
> to have write privileges on it and could update it to point to the new
> sourceforge site? That would probably help future people looking for the
> bug tracker.

Did you read the above page? Especially the hint about sourceforge?

And the Linux-PAM sources contain a README with:

"That said, please report problems to the bug reporting database
on sourceforge.net."

  Thorsten


Paul B. Henson | 9 Dec 00:30 2009

Re: Better group membership checking for pam_listfile item=group

On Tue, 8 Dec 2009, Thorsten Kukuk wrote:

> Did you read the above page?

Yes.

> Especially the hint about sourceforge?

"If you want bleeding edge stuff, you might like to check out the
sourceforge PAM site."

I guess that was a bit vague, and I must have missed it. It seems it
wouldn't hurt to update the page (and possibly the FAQ) to more
clearly point to sourceforge.

> And the Linux-PAM sources contains a README with:
>
> "That said, please report problems to the bug reporting database
> on sourceforge.net."

My recently departed colleague wrote the patch, so I wasn't working with
the source code, and relied upon Google...

Sorry...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768