From 89463b4460a784a008d456da9696da986c4a275f Mon Sep 17 00:00:00 2001
From: David Bartley <dtbartle@csclub.uwaterloo.ca>
Date: Fri, 10 Aug 2007 02:44:40 -0400
Subject: [PATCH] Added allowed usernames check Ignore entries without the
 objectClass=member attribute

---
 debian/changelog |  7 +++++++
 pam_csc.c        | 23 ++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 1e08b6a..7b7144d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpam-csc (1.3) stable testing; urgency=low
+
+  * Added allowed usernames check
+  * Ignore entries without the objectClass=member attribute
+
+ -- David Bartley <dtbartle@csclub.uwaterloo.ca>  Thu, 09 Aug 2007 04:03:37 -0400
+
 libpam-csc (1.2) stable testing; urgency=low
 
   * Optimized querying by using single query and using asynch functions
diff --git a/pam_csc.c b/pam_csc.c
index c7274dc..f2220d3 100644
--- a/pam_csc.c
+++ b/pam_csc.c
@@ -36,6 +36,7 @@
 #define PAM_CSC_CSCF_SASL_REALM     "STUDENT.CS.UWATERLOO.CA"
 #define PAM_CSC_LDAP_TIMEOUT        5
 #define PAM_CSC_MINIMUM_UID         1000
+#define PAM_CSC_ALLOWED_USERNAMES   {"nobody"}
 #define PAM_CSC_EXPIRED_MSG \
     "*****************************************************************************\n" \
     "*                                                                           *\n" \
@@ -49,6 +50,8 @@
     "(pam_csc): %s was not registered for current term or previous term - denying login\n"
 #define PAM_CSC_SYSLOG_EXPIRED_ERROR \
     "(pam_csc): %s was not registered for current term but was registered for previous term - permitting login\n"
+#define PAM_CSC_SYSLOG_NOT_A_MEMBER \
+    "(pam_csc): %s is not a member account - permitting login\n"
 #define PAM_CSC_SYSLOG_CSCF_DISALLOWED \
     "(pam_csc): %s is using a CSCF machine but is not enrolled in CS - denying login\n"
 #define PAM_CSC_SYSLOG_SASL_UNRECOGNIZED_CALLBACK \
@@ -162,6 +165,8 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
     int retval = PAM_SUCCESS;
     const char* username;
     struct passwd* pwd;
+    const char* allowed_usernames[] = PAM_CSC_ALLOWED_USERNAMES;
+    int i;
     time_t cur_time;
     struct tm* local_time;
     int long_term;
@@ -194,6 +199,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
         return PAM_SUCCESS;
     }
 
+    /* check username */
+    for(i = 0; i < sizeof(allowed_usernames) / sizeof(char*); i++)
+    {
+        if(strcmp(allowed_usernames[i], username) == 0)
+        {
+            return PAM_SUCCESS;
+        }
+    }
+
     /* escape username */
     WARN_ZERO( username_escaped = pam_csc_escape_ldap_string(username) );
 
@@ -270,7 +284,14 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 
     /* get CSC entry */
     WARN_ZERO( entry = ldap_first_entry(ld_csc, res_csc) )
-    WARN_ZERO( values = ldap_get_values(ld_csc, entry, "term") )
+    values = ldap_get_values(ld_csc, entry, "term");
+    if(!values)
+    {
+        syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_NOT_A_MEMBER, 
+            username);
+        retval = PAM_SUCCESS;
+        goto cleanup;
+    }
 
     /* iterate through term attributes */
     expired = true;