tags 326407 + patch
stop

With a /etc/security/time.conf spec like this and the pam_time module in use:
*;*;x|y;!Al0000-2400

User "x" will still be let in, because of logic_field doing an is_same (agrees)
check on "x" and "x|y" with len 1... 
Matching logic in is_same will say "x|y" is a substring of "x" (because of len),
but then is_same will fail because of the mismatching strlen check.

Since the string is const in logic_field, the trick of saving the character
and temporarily putting in a '\0' didn't work and strndup'ing it seemed like
overkill...
Hopefully the "partial match" check in is_same works without side effects.

For more details see: http://bugs.debian.org/326407

diff -uriNp pam-1.0.1-orig/modules/pam_time/pam_time.c 
pam-1.0.1/modules/pam_time/pam_time.c
--- pam-1.0.1-orig/modules/pam_time/pam_time.c  2007-12-07 16:40:02.000000000 
+0100
+++ pam-1.0.1/modules/pam_time/pam_time.c       2008-10-29 23:25:22.000000000 
+0100
@@ -345,6 +345,7 @@ is_same(pam_handle_t *pamh UNUSED, const
 {
      int i;
      const char *a;
+     int partial = (len != strlen(b));
 
      a = A;
      for (i=0; len > 0; ++i, --len) {
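Review bot: the added "partial" flag is inferred from len != strlen(b) instead of being passed in by the caller, so is_same cannot tell a token followed by a separator from any other length mismatch, and nothing in the declaration documents that. The comparison also mixes len (tested as "len > 0" in the loop, so presumably signed) with the size_t returned by strlen(). A one-line comment stating what a partial check means, plus an explicit cast such as (size_t)len != strlen(b), would make the intent reviewable.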
@@ -358,8 +359,8 @@ is_same(pam_handle_t *pamh UNUSED, const
 
      /* Ok, we know that b is a substring from A and does not contain
         wildcards, but now the length of both strings must be the same,
-        too. */
-     if (strlen (a) != strlen(b))
+        too (unless we're doing a partial check of b's content). */
+     if (!partial && (strlen (a) != strlen(b)))
           return FALSE;
 
      return ( !len );
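Review bot: with "!partial &&" in front of the length test, nothing after the loop checks where a ends when the flag is set. Assuming the loop only compares the first len characters, any a that merely begins with the token would then be accepted (for the spec in the report, a name such as "xy" against the token "x"). The loop leaves i at the token length, so testing "if (a[i] != '\0') return FALSE;" would cover both the partial and the full case without the flag, and the comment could then say that a must end where the compared part of b ends.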



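The matching behaviour discussed in this report, as an added example that is not taken from the message or from pam_time.c. model_is_same and the variant enum are hypothetical names, the loop body is assumed to be a plain byte comparison, and wildcard handling is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the comparison described in the report; NOT the
 * pam_time.c source. ORIGINAL = length test against the rest of the
 * field, PATCHED = test skipped when "partial", STRICT = a must end
 * exactly where the token ends. */
enum variant { ORIGINAL, PATCHED, STRICT };

/* a:   value being tested (e.g. the user name)
 * b:   pointer to the current token inside the config field ("x|y")
 * len: length of that token (1 for "x") */
static int model_is_same(const char *a, const char *b, int len, enum variant v)
{
    int i;
    int partial = ((size_t)len != strlen(b));  /* flag introduced by the patch */

    /* Compare the first len bytes; a NUL in a shorter name mismatches
     * the token byte and returns before reading past the end of a. */
    for (i = 0; len > 0; ++i, --len) {
        if (a[i] != b[i])
            return 0;
    }

    switch (v) {
    case ORIGINAL:
        return strlen(a) == strlen(b);
    case PATCHED:
        return partial || strlen(a) == strlen(b);
    default: /* STRICT */
        return a[i] == '\0';
    }
}

int main(void)
{
    const char *field = "x|y";                    /* constructed sample field */
    const char *names[] = { "x", "xavier", "y" }; /* constructed sample users */

    for (size_t n = 0; n < sizeof names / sizeof names[0]; n++)
        printf("%-7s vs token \"x\": original=%d patched=%d strict=%d\n",
               names[n],
               model_is_same(names[n], field, 1, ORIGINAL),
               model_is_same(names[n], field, 1, PATCHED),
               model_is_same(names[n], field, 1, STRICT));
    return 0;
}
```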