MDEV-8842 add group support to pam_user_map module.

Alexey Botchkov · Alexey Botchkov · commit b0935fc5dafb · 2015-10-09T03:25:08.000+05:00
Added to the pam_user_map module.
diff --git a/plugin/auth_pam/mapper/pam_user_map.c b/plugin/auth_pam/mapper/pam_user_map.c
@@ -13,29 +13,92 @@ auth            required        pam_user_map.so
 
   And create /etc/security/user_map.conf with the desired mapping
   in the format:  orig_user_name: mapped_user_name
+                  @user's_group_name: mapped_user_name
 =========================================================
-#comments and emty lines are ignored
+#comments and emtpy lines are ignored
 john: jack
 bob:  admin
 top:  accounting
+@group_ro: readonly
 =========================================================
 
 */
 
+#include <stdlib.h>
 #include <stdio.h>
 #include <syslog.h>
+#include <grp.h>
+#include <pwd.h>
+
 #include <security/pam_modules.h>
 
 #define FILENAME "/etc/security/user_map.conf"
 #define skip(what) while (*s && (what)) s++
 
+#define GROUP_BUFFER_SIZE 100
+
+
+static int populate_user_groups(const char *user, gid_t **groups)
+{
+  gid_t user_group_id;
+  gid_t *loc_groups= *groups;
+  int ng;
+
+  {
+    struct passwd *pw= getpwnam(user);
+    if (!pw)
+      return 0;
+    user_group_id= pw->pw_gid;
+  }
+
+  ng= GROUP_BUFFER_SIZE;
+  if (getgrouplist(user, user_group_id, loc_groups, &ng) < 0)
+  {
+    /* The rare case when the user is present in more than */
+    /* GROUP_BUFFER_SIZE groups.                           */
+    loc_groups= (gid_t *) malloc(ng * sizeof (gid_t));
+    if (!loc_groups)
+      return 0;
+
+    (void) getgrouplist(user, user_group_id, loc_groups, &ng);
+    *groups= loc_groups;
+  }
+
+  return ng;
+}
+
+
+static int user_in_group(const gid_t *user_groups, int ng,const char *group)
+{
+  gid_t group_id;
+
+  {
+    struct group *g= getgrnam(group);
+    if (!g)
+      return 0;
+    group_id= g->gr_gid;
+  }
+
+  for (; user_groups < user_groups + ng; user_groups++)
+  {
+    if (*user_groups == group_id)
+      return 1;
+  }
+
+  return 0;
+}
+
+
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
     int argc, const char *argv[])
 {
   int pam_err, line= 0;
   const char *username;
   char buf[256];
   FILE *f;
+  gid_t group_buffer[GROUP_BUFFER_SIZE];
+  gid_t *groups= group_buffer;
+  int n_groups= -1;
 
   f= fopen(FILENAME, "r");
   if (f == NULL)
@@ -51,10 +114,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
   while (fgets(buf, sizeof(buf), f) != NULL)
   {
     char *s= buf, *from, *to, *end_from, *end_to;
+    int check_group;
+
     line++;
 
     skip(isspace(*s));
     if (*s == '#' || *s == 0) continue;
+    if ((check_group= *s == '@'))
+    {
+      if (n_groups < 0)
+        n_groups= populate_user_groups(username, &groups);
+      s++;
+    }
     from= s;
     skip(isalnum(*s) || (*s == '_'));
     end_from= s;
@@ -67,7 +138,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
     if (end_to == to) goto syntax_error;
 
     *end_from= *end_to= 0;
-    if (strcmp(username, from) == 0)
+    if (check_group ?
+          user_in_group(groups, n_groups, from) :
+          (strcmp(username, from) == 0))
     {
       pam_err= pam_set_item(pamh, PAM_USER, to);
       goto ret;
@@ -80,7 +153,11 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
   pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
   pam_err= PAM_SYSTEM_ERR;
 ret:
+  if (groups != group_buffer)
+    free(groups);
+
   fclose(f);
+
   return pam_err;
 }
 
