Merge pull request #68 from shenek/master

PAM fixes
2013-10-01 04:02:36 -07:00 · 2013-10-01 04:02:36 -07:00 · 7ce8caa913
commit 7ce8caa913
parent 72d40d45e5 7c03089601
1 changed files with 24 additions and 12 deletions
--- a/radicale/auth/PAM.py
+++ b/radicale/auth/PAM.py
@ -36,6 +36,9 @@ GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership")
 def is_authenticated(user, password):
    """Check if ``user``/``password`` couple is valid."""
    if user is None or password is None:
      return False
    # Check whether the user exists in the PAM system
    try:
        pwd.getpwnam(user).pw_uid
@ -47,6 +50,7 @@ def is_authenticated(user, password):
    # Check whether the group exists
    try:
        # Obtain supplementary groups
        members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
    except KeyError:
        log.LOGGER.debug(
@ -54,18 +58,26 @@ def is_authenticated(user, password):
            GROUP_MEMBERSHIP)
        return False
-    # Check whether the user belongs to the required group
+    # Check whether the user exists
-    for member in members:
+    try:
-        if member == user:
+        # Get user primary group
-            log.LOGGER.debug(
+        primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
-                "The PAM user belongs to the required group (%s)" %
+    except KeyError:
-                GROUP_MEMBERSHIP)
+        log.LOGGER.debug(
-            # Check the password
+            "The PAM user (%s) doesn't exist" %
-            if pam.authenticate(user, password):
+            user)
-                return True
+        return False
-            else:
+
-                log.LOGGER.debug("Wrong PAM password")
+    # Check whether the user belongs to the required group (primary or supplementary)
-            break
+    if primary_group == GROUP_MEMBERSHIP or user in members:
        log.LOGGER.debug(
            "The PAM user belongs to the required group (%s)" %
            GROUP_MEMBERSHIP)
        # Check the password
        if pam.authenticate(user, password):
            return True
        else:
            log.LOGGER.debug("Wrong PAM password")
    else:
        log.LOGGER.debug(
            "The PAM user doesn't belong to the required group (%s)" %