Permit multiple ``allow user'' lines in any given section
This avoids line length limits when large numbers of users are allowed access to ppp.
parent
4da144c091
commit
dd49e719c1
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=63052
@ -3065,10 +3065,11 @@ The
|
||||
.Sq default
|
||||
section is always checked first (even though it is only ever automatically
|
||||
loaded at startup).
|
||||
Each successive
|
||||
.Dq allow users
|
||||
command overrides the previous one, so it's possible to allow users access
|
||||
to everything except a given label by specifying default users in the
|
||||
commands are cumulative in a given section, but users allowed in any given
|
||||
section override users allowed in the default section, so it's possible to
|
||||
allow users access to everything except a given label by specifying default
|
||||
users in the
|
||||
.Sq default
|
||||
section, and then specifying a new user list for that label.
|
||||
.Pp
|
||||
|
@ -3065,10 +3065,11 @@ The
|
||||
.Sq default
|
||||
section is always checked first (even though it is only ever automatically
|
||||
loaded at startup).
|
||||
Each successive
|
||||
.Dq allow users
|
||||
command overrides the previous one, so it's possible to allow users access
|
||||
to everything except a given label by specifying default users in the
|
||||
commands are cumulative in a given section, but users allowed in any given
|
||||
section override users allowed in the default section, so it's possible to
|
||||
allow users access to everything except a given label by specifying default
|
||||
users in the
|
||||
.Sq default
|
||||
section, and then specifying a new user list for that label.
|
||||
.Pp
|
||||
|
@ -201,7 +201,9 @@ AllowUsers(struct cmdargs const *arg)
|
||||
int f;
|
||||
struct passwd *pwd;
|
||||
|
||||
userok = 0;
|
||||
if (userok == -1)
|
||||
userok = 0;
|
||||
|
||||
pwd = getpwuid(ID0realuid());
|
||||
if (pwd != NULL)
|
||||
for (f = arg->argn; f < arg->argc; f++)
|
||||
@ -422,15 +424,19 @@ system_IsValid(const char *name, struct prompt *prompt, int mode)
|
||||
* functions. arg->bundle will be set to NULL for these commands !
|
||||
*/
|
||||
int def, how, rs;
|
||||
int defuserok;
|
||||
|
||||
def = !strcmp(name, "default");
|
||||
how = ID0realuid() == 0 ? SYSTEM_EXISTS : SYSTEM_VALIDATE;
|
||||
userok = 0;
|
||||
userok = -1;
|
||||
modeok = 1;
|
||||
modereq = mode;
|
||||
|
||||
rs = ReadSystem(NULL, "default", CONFFILE, prompt, NULL, how);
|
||||
|
||||
defuserok = userok;
|
||||
userok = -1;
|
||||
|
||||
if (!def) {
|
||||
if (rs == -1)
|
||||
rs = 0; /* we don't care that ``default'' doesn't exist */
|
||||
@ -445,6 +451,9 @@ system_IsValid(const char *name, struct prompt *prompt, int mode)
|
||||
return _PATH_PPP "/" CONFFILE ": File not found";
|
||||
}
|
||||
|
||||
if (userok == -1)
|
||||
userok = defuserok;
|
||||
|
||||
if (how == SYSTEM_EXISTS)
|
||||
userok = modeok = 1;
|
||||
|
||||
|
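Review bot: The -1 "no allow users line seen" sentinel can survive to the end of system_IsValid: when neither the default section nor the named label contains an `allow users` line, `defuserok` is still -1, so `userok = defuserok` leaves `userok` at -1. The check that consumes `userok` lies after the last hunk and is not visible here; if it is a truthiness test such as `!userok`, -1 would read as "allowed" for a non-root caller, so the fallback should fail closed, for example `userok = defuserok == -1 ? 0 : defuserok;`. A short comment where `userok` is declared, stating the three states (-1 not set, 0 denied, 1 allowed), would also help, since AllowUsers now depends on the -1 value to decide whether to reset the flag.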