Bug 89326 - [patch] Add pattern matching to login.access(5)
Summary: [patch] Add pattern matching to login.access(5)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 6.0-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-20 20:50 UTC by Oliver Fromme
Modified: 2018-01-03 05:16 UTC (History)
1 user (show)

See Also:


Attachments
file.diff (6.15 KB, patch)
2005-11-20 20:50 UTC, Oliver Fromme
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Fromme 2005-11-20 20:50:24 UTC
The file login.access(5) can be used to restrict access
for users coming from certain remote hosts, or on certain
local terminals.  For example, we have some users who are
allowed to log in from virtual terminals only.  However,
it is tedious and error-prone to list all of the terminal
devices in the file.  The entry has to look like this:

+:foo bar:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7
+:foo bar:ttyv8 ttyv9 ttyva ttyvb ttyvc ttyvd ttyve ttyvf

Th patch presented in this PR allows to use patterns like
those used by the bourne shell (using wildcards "*", "?"
and "[").  The above entry is now much easier:

+:foo bar:ttyv?

Similarly, "ttyd?" can be used to restrict all of the
serial dial-in lines.

The patch is quite simple.  Basically I just replaced the
strcasecmp(3) function with fnmatch(3).  Normally, the
special wildcard characters ("*", "?", "[") don't appear
in terminal device names, and they're also forbidden in
host names, so there shouldn't be any regression cases.

The login.access(5) file is used at three different places
in the FreeBSD source tree:  in src/usr.bin/login, in
src/lib/libpam/modules/pam_login_access, and in src/cryp-
to/heimdal/appl/login.  The latter is third-party software,
so I'm not sure if it's appropriate to patch it in the
FreeBSD source tree.  However, for consistency, I patched
it in the same way and include the patch below for your
consideration.

The patch set also includes updates to the manual pages
which describe the feature, and also a clarification that
all matches are performed in a case-insensitive way.
(The latter is even true without my patch, but that
behaviour was undocumented.)

How-To-Repeat: 
n/a
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:41 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped