Support for AIX 7.1 TL4.

Added function getgrset in get_user_groups to query the users groups, funcion getgrent in AIX does not query ldap, only nis and local. Resolves: #74
jhrozek · Dec 26, 2017 · 7190892 · 7190892
1 parent 388a577
commit 7190892
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ pam_hbac was tested on the following operating systems and releases:
   * FreeBSD - tested with FreeBSD 10.2
   * Solaris - tested with Solaris 11 and Omnios. Some users run pam_hbac on Solaris 10 as well.
   * HPUX - tested with HPUX 11.31 - no SSL/TLS yet
+  * AIX - tested with AIX 7.1 TL4
 
 Building from source
 ====================

diff --git a/configure.ac b/configure.ac
@@ -58,7 +58,7 @@ AC_SUBST(NSS_CFLAGS)
 # Solaris and Linux NSS interface differs, check what we are compiling for
 AM_CHECK_POSIX_GETPWNAM
 AM_CHECK_POSIX_GETGRGID
-AC_CHECK_FUNCS(getgrouplist _getgroupsbymember)
+AC_CHECK_FUNCS(getgrouplist _getgroupsbymember getgrset)
 
 # Check if the compiler supports optional attributes
 CC_ATTRIBUTE_PRINTF

diff --git a/doc/README.AIX b/doc/README.AIX
@@ -0,0 +1,65 @@
+This file describes how to configure pam_hbac for access control on a
+AIX machine.
+
+Only tested on AIX 7.1 TL4.
+
+Prerequisities
+==============
+Please make sure your AIX client is able to resolve and authenticate
+the IPA or AD users. For example, for users coming from an AD trust:
+    $ id administrator@win.trust.test
+    $ su - administrator@win.trust.test
+A good starting point for this configuration is to read:
+    https://www.freeipa.org/page/ConfiguringUnixClients
+
+Building from source
+====================
+The build environment used to build the module was obtained from the AIX Toolbox
+for Linux Applications (https://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html).
+It is recommended to use the yum.sh script provided at the top of their webpage,
+it will install the RPM package manager and provide the yum utility
+(https://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/yum.sh) that
+will ensure all dependencies are installed.
+Please make sure all required dependencies are installed. On AIX 7.1 TL4, this
+would be:
+    autoconf-2.69-1 automake-1.15-1 gcc-6.3.0-1 gcc-cpp-6.3.0-1 gettext-0.19.7-1 \
+    glib2-2.48.0-1 libtool-2.4.6-2 m4-1.4.13-1 openldap-2.4.40-2 pkg-config-0.19-6
+
+This build does not have manpages. In AIX the utility a2x does something other than
+converting asciidoc. It must be either removed from the PATH variable or you
+need to explicitly add the --disable-man-pages option to the configure
+invocation, otherwise the build will fail.
+When building for AIX, use the following invocation:
+    $ export M4=/usr/linux/bin/m4
+    $ autoreconf -if
+    $ LDFLAGS="-L/usr/lib" LIBS="-lpthread" ./configure --sysconfdir=/etc/security/ldap \
+            --with-pammoddir=/usr/lib/security --disable-man-pages
+
+SSL/TLS
+=======
+SSL is working, SSL_PATH points to a certificate file.
+
+Configuration
+=============
+You need to configure the module itself, then include the module in the
+PAM stack. Please see the pam_hbac.conf(5) man page for the available
+configuration options.
+
+This has only been tested with the sshd service.
+When the config file is created, put the following into /etc/pam.conf:
+    sshd     account required       pam_hbac.so ignore_unknown_user ignore_authinfo_unavail
+
+Adding the option `ignore_unknown_user` is important on AIX for the same
+reason Linux systems normally use `pam_localuser.so` - pam_hbac looks up
+accounts using NSS calls and a failure to look up a user would deny access,
+because no rules would apply. Additionally, pam_hbac returns PAM_UNKNOWN_USER
+for root, which might be impractical if you decide to put the module into
+the system-wide configuration.
+
+Similarly, adding the `ignore_authinfo_unavail` option is handy in case
+the LDAP server is not reachable. In that case, pam_hbac would return
+PAM_IGNORE and proceed with the rest of the stack instead of a hard error.
+
+Before making any changes to the PAM stack, please make sure to have a root
+console open until you finish testing of pam_hbac setup, to make sure you
+don't lock yourself out of the system!
diff --git a/src/pam_hbac_obj.c b/src/pam_hbac_obj.c
@@ -39,7 +39,7 @@
 #include "pam_hbac_obj_int.h"
 #include "config.h"
 
-#if !defined(HAVE_GETGROUPLIST) && !defined(HAVE__GETGROUPSBYMEMBER)
+#if !defined(HAVE_GETGROUPLIST) && !defined(HAVE__GETGROUPSBYMEMBER) && !defined(HAVE_GETGRSET)
 static int
 ph_getgrouplist_fallback(const char *name, gid_t primary_gid,
                          gid_t *groups, int *ngroups_ptr)
@@ -172,6 +172,34 @@ get_user_groups(const char *name, gid_t primary_gid,
         ret = 0;
         *ngroups_ptr = ngroups;
     }
+#elif defined(HAVE_GETGRSET)
+    int ngroups;
+    long max_group_len;
+    char *gid_list_s, *gid_s;
+
+    ngroups = 0;
+    max_group_len = sysconf(_SC_LOGIN_NAME_MAX);
+
+    /* string containing comma separated list of gids the user belongs to */
+    gid_list_s = getgrset(name);
+    if (gid_list_s == NULL) {
+        return EIO;
+    }
+
+    gid_s = malloc(sizeof(char)*max_group_len);
+    if (gid_s == NULL) {
+        free(gid_list_s);
+        return ENOMEM;
+    }
+
+    while ((gid_s = strsep(&gid_list_s, ",")) != NULL) {
+        groups[ngroups++] = atoi(gid_s);
+    }
+
+    ret = 0;
+    *ngroups_ptr = ngroups;
+
+    free(gid_list_s);
 #else
     /* for systems lacking the above functions, tested on hpux only */
     ret = ph_getgrouplist_fallback(name, primary_gid, groups, ngroups_ptr);