pam/bsc1184358-prevent-LOCAL-from-being-resolved.patch

From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 6 Apr 2021 12:27:38 +0200
Subject: [PATCH] pam_access: clean up the remote host matching code

* modules/pam_access/pam_access.c (from_match): Split out remote_match()
  function and avoid calling it when matching against LOCAL keyword.
  There is also no point in doing domain match against TTY or SERVICE.
---
 modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 98848c54..b493c7bd 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *,
 static int user_match (pam_handle_t *, char *, struct login_info *);
 static int group_match (pam_handle_t *, const char *, const char *, int);
 static int from_match (pam_handle_t *, char *, struct login_info *);
+static int remote_match (pam_handle_t *, char *, struct login_info *);
 static int string_match (pam_handle_t *, const char *, const char *, int);
 static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
 
@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr,
 /* from_match - match a host or tty against a list of tokens */
 
 static int
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
 {
     const char *string = item->from;
-    int        tok_len;
-    int        str_len;
     int        rv;
 
     if (item->debug)
@@ -616,13 +615,28 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
     } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
         /* ALL or exact match */
 	return rv;
-    } else if (tok[0] == '.') {			/* domain: match last fields */
-	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
-	    && strcasecmp(tok, string + str_len - tok_len) == 0)
-	    return (YES);
-    } else if (item->from_remote_host == 0) {	/* local: no PAM_RHOSTS */
-	if (strcasecmp(tok, "LOCAL") == 0)
-	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {
+	    /* LOCAL matches only local accesses */
+	    if (!item->from_remote_host)
+	        return YES;
+	    return NO;
+    } else if (item->from_remote_host) {
+        return remote_match(pamh, tok, item);
+    }
+    return NO;
+}
+
+static int
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+    const char *string = item->from;
+    size_t tok_len = strlen(tok);
+    size_t str_len;
+
+    if (tok[0] == '.') {			/* domain: match last fields */
+      if ((str_len = strlen(string)) > tok_len
+	  && strcasecmp(tok, string + str_len - tok_len) == 0)
+	return YES;
     } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
       struct addrinfo hint;
 
@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 	      runp = runp->ai_next;
 	    }
 	}
-    } else {
-      /* Assume network/netmask with a IP of a host.  */
-      if (network_netmask_match(pamh, tok, string, item))
-	return YES;
+      return NO;
     }
 
-    return NO;
+    /* Assume network/netmask with an IP of a host.  */
+    return network_netmask_match(pamh, tok, string, item);
 }
 
 /* string_match - match a string against one token */