Mercurial > illumos > illumos-gate

changeset 3765:e36fc8d4b665

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
PSARC/2007/069 remote roles update 6516612 pam_roles module needs to know about PAM_AUSER
author gww
date Mon, 05 Mar 2007 15:58:42 -0800
parents 74844940a161
children 0e6dc235b6f9
files usr/src/lib/pam_modules/roles/roles.c
diffstat 1 files changed, 29 insertions(+), 20 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/lib/pam_modules/roles/roles.c	Mon Mar 05 13:11:00 2007 -0800
+++ b/usr/src/lib/pam_modules/roles/roles.c	Mon Mar 05 15:58:42 2007 -0800
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -56,6 +55,7 @@
 	userattr_t *user_entry;
 	char	*kva_value;
 	char	*username;
+	char	*auser;
 	char	*ruser;
 	char	*rhost;
 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
@@ -68,6 +68,8 @@
 
 	(void) pam_get_item(pamh, PAM_USER, (void **)&username);
 
+	(void) pam_get_item(pamh, PAM_AUSER, (void **)&auser);
+
 	(void) pam_get_item(pamh, PAM_RUSER, (void **)&ruser);
 
 	(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
@@ -89,9 +91,12 @@
 
 		(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
 		__pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: "
-			"service = %s user = %s ruser = %s rhost = %s\n",
+			"service = %s, allow_remote = %d, user = %s auser = %s "
+			"ruser = %s rhost = %s\n",
 			(service) ? service : "not set",
+			allow_remote,
 			(username) ? username : "not set",
+			(auser) ? auser: "not set",
 			(ruser) ? ruser: "not set",
 			(rhost) ? rhost: "not set");
 	}
@@ -133,7 +138,23 @@
 
 	/* Who's the user requesting the role? */
 
-	if (ruser == NULL || *ruser == '\0') {
+	if (auser != NULL && *auser != '\0') {
+		/* authenticated requesting user */
+
+		user_entry = getusernam(auser);
+	} else if ((ruser != NULL && *ruser != '\0') &&
+	    (rhost == NULL || *rhost == '\0')) {
+		/*
+		 * PAM_RUSER is set but PAM_RHOST is not; this is
+		 * used by SMC and is a temporary solution until SMC
+		 * is converted to use the proper PAM_AUSER to specify
+		 * the "come-from" username.
+		 */
+		if (strcmp(username, ruser) == 0) {
+			return (PAM_IGNORE);
+		}
+		user_entry = getusernam(ruser);
+	} else {
 		/* user is implied by real UID */
 
 		if ((uid = getuid()) == 0) {
@@ -149,22 +170,10 @@
 			}
 			user_entry = getusernam(pw_entry->pw_name);
 		}
-	} else if (rhost == NULL || *rhost == '\0') {
-		/*
-		 * PAM_RUSER is set but PAM_RHOST is not; this is
-		 * used by SMC and is a temporary solution until a proper
-		 * interface is designed that specifies a "come-from"
-		 * username.
-		 */
-		if (strcmp(username, ruser) == 0) {
-			return (PAM_IGNORE);
-		}
-		user_entry = getusernam(ruser);
-	} else {
-		user_entry = getusernam(ruser);
 	}
 
-	if (rhost != NULL && allow_remote == 0) {
+	if ((rhost != NULL && *rhost != '\0') &&
+	    allow_remote == 0) {
 		/* don't allow remote roles for this service */
 
 		free_userattr(user_entry);