Bugfix: auth PAM check for membership in primary and supplementary groups

This commit is contained in:
Štěpán Henek 2013-09-27 21:14:27 +02:00
parent ee687bea18
commit 7c03089601

@ -50,6 +50,7 @@ def is_authenticated(user, password):
# Check whether the group exists # Check whether the group exists
try: try:
# Obtain supplementary groups
members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
except KeyError: except KeyError:
log.LOGGER.debug( log.LOGGER.debug(
@ -57,9 +58,18 @@ def is_authenticated(user, password):
GROUP_MEMBERSHIP) GROUP_MEMBERSHIP)
return False return False
# Check whether the user belongs to the required group # Check whether the user exists
for member in members: try:
if member == user: # Get user primary group
primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
except KeyError:
log.LOGGER.debug(
"The PAM user (%s) doesn't exist" %
user)
return False
# Check whether the user belongs to the required group (primary or supplementary)
if primary_group == GROUP_MEMBERSHIP or user in members:
log.LOGGER.debug( log.LOGGER.debug(
"The PAM user belongs to the required group (%s)" % "The PAM user belongs to the required group (%s)" %
GROUP_MEMBERSHIP) GROUP_MEMBERSHIP)
@ -68,7 +78,6 @@ def is_authenticated(user, password):
return True return True
else: else:
log.LOGGER.debug("Wrong PAM password") log.LOGGER.debug("Wrong PAM password")
break
else: else:
log.LOGGER.debug( log.LOGGER.debug(
"The PAM user doesn't belong to the required group (%s)" % "The PAM user doesn't belong to the required group (%s)" %