Add ignore_groups option

configure.ac

@@ -46,6 +46,7 @@ dnl Probe for the functionality of the PAM libraries and their include file
 dnl naming.  Mac OS X puts them in pam/* instead of security/*.
 AC_SEARCH_LIBS([pam_set_data], [pam])
 AC_CHECK_FUNCS([pam_getenv pam_getenvlist pam_modutil_getpwnam])
+AC_CHECK_FUNCS([pam_modutil_getgrnam getgrouplist])
 AC_REPLACE_FUNCS([pam_syslog pam_vsyslog])
 AC_CHECK_HEADERS([security/pam_modutil.h], [],
     [AC_CHECK_HEADERS([pam/pam_modutil.h])])

docs/pam_krb5.pod

@@ -293,6 +293,14 @@ want to use I<minimum_uid> instead.
 
 This option can be set in C<[appdefaults]> in F<krb5.conf>.
 
+=item ignore_groups
+
+[1.1] Do not do anything if the username is in any of the groups supplied
+in the comma delineated list.  This is mainly for cases where you have 
+users that need to be skipped that cannot be ignored by I<minimum_uid>.
+
+This option can be set in C<[appdefaults]> in F<krb5.conf>.
+
 =item minimum_uid=<uid>
 
 [2.0] Do not do anything if the authenticated account name corresponds to

module/internal.h

@@ -59,6 +59,7 @@ struct pam_config {
     bool force_alt_auth; /* Alt principal must be used if it exists. */
     bool ignore_k5login; /* Don't check .k5login files. */
     bool ignore_root;    /* Skip authentication for root. */
+    char *ignore_groups; /* Comma delineated list of groups of users to skip */
     long minimum_uid;    /* Ignore users below this UID. */
     bool only_alt_auth;  /* Alt principal must be used. */
     bool search_k5login; /* Try password with each line of .k5login. */

module/options.c

@@ -46,6 +46,7 @@ static const struct option options[] = {
     { K(force_pwchange),     true,  BOOL   (false) },
     { K(forwardable),        true,  BOOL   (false) },
     { K(ignore_k5login),     true,  BOOL   (false) },
+    { K(ignore_groups),      true,  STRING (NULL)  },
     { K(ignore_root),        true,  BOOL   (false) },
     { K(keytab),             true,  STRING (NULL)  },
     { K(minimum_uid),        true,  NUMBER (0)     },

module/support.c

@@ -25,6 +25,37 @@
 #include <pam-util/args.h>
 #include <pam-util/logging.h>
 
+#ifdef HAVE_GETGROUPLIST
+#include <grp.h>
+static int checkgrouplist(const char *user, gid_t primary, gid_t target)
+{
+    gid_t *grouplist = NULL;
+    int agroups, ngroups, i;
+    ngroups = agroups = 3;
+    do {
+        grouplist = malloc(sizeof(gid_t) * agroups);
+        if (grouplist == NULL) {
+            return 0;
+        }
+        ngroups = agroups;
+        i = getgrouplist(user, primary, grouplist, &ngroups);
+        if ((i < 0) || (ngroups < 1)) {
+            agroups *= 2;
+            free(grouplist);
+        } else {
+            for (i = 0; i < ngroups; i++) {
+                if (grouplist[i] == target) {
+                    free(grouplist);
+                    return 1;
+                }
+            }
+            free(grouplist);
+        }
+    } while (((i < 0) || (ngroups < 1)) && (agroups < 10000));
+    return 0;
+}
+#endif
+
 
 /*
  * Given the PAM arguments and the user we're authenticating, see if we should
@@ -36,6 +67,11 @@ int
 pamk5_should_ignore(struct pam_args *args, PAM_CONST char *username)
 {
     struct passwd *pwd;
+#ifdef HAVE_GETGROUPLIST
+	char* group;
+    struct group *grp;
+    char* rest;
+#endif
 
     if (args->config->ignore_root && strcmp("root", username) == 0) {
         putil_debug(args, "ignoring root user");
@@ -50,6 +86,24 @@ pamk5_should_ignore(struct pam_args *args, PAM_CONST char *username)
             return 1;
         }
     }
+#ifdef HAVE_GETGROUPLIST
+	if (args->config->ignore_groups) {
+    		rest = args->config->ignore_groups;
+        	pwd = pam_modutil_getpwnam(args->pamh, username);
+			if (pwd != NULL ) { 
+    			while ((group = strtok_r(rest, ",", &rest))) {
+			    	grp = pam_modutil_getgrnam(args->pamh, group);
+					if (grp != NULL 
+						&& checkgrouplist(pwd->pw_name,
+							   pwd->pw_gid, grp->gr_gid)) {
+            			putil_debug(args, "ignoring user in ignored group (%s)",
+                        		group);
+							return 1;
+					}
+				}
+			}
+    }
+#endif
     return 0;
 }
 
@@ -139,3 +193,4 @@ pamk5_authorized(struct pam_args *args)
 
     return PAM_SUCCESS;
 }
+

portable/pam.h

@@ -113,6 +113,10 @@ BEGIN_DECLS
 #    define pam_modutil_getpwnam(h, u) getpwnam(u)
 #endif
 
+#if !HAVE_PAM_MODUTIL_GETGRNAM
+#    define pam_modutil_getgrnam(h, u) getgrnam(u)
+#endif
+
 /* Prototype missing optional PAM functions. */
 #if !HAVE_PAM_SYSLOG
 void pam_syslog(const pam_handle_t *, int, const char *, ...);