From 565ca3f60058f22d083572930833aaff2292ac20 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 19 Aug 2006 00:23:15 +1000
Subject: [PATCH]    - dtucker@cvs.openbsd.org 2006/08/14 12:40:25     
 [servconf.c servconf.h sshd_config.5]      Add ability to match groups to
 Match keyword in sshd_config.  Feedback      djm@, stevesk@, ok stevesk@.

---
 ChangeLog     |  6 +++++-
 servconf.c    | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 servconf.h    |  3 ++-
 sshd_config.5 |  3 ++-
 4 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 674d2b9e3..328f0c116 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,10 @@
      Revert previous include file ordering change, for ssh to compile under
      gcc2 (or until openssl include files are cleaned of parameter names
      in function prototypes)
+   - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
+     [servconf.c servconf.h sshd_config.5]
+     Add ability to match groups to Match keyword in sshd_config.  Feedback
+     djm@, stevesk@, ok stevesk@.
 
 20060817
  - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
@@ -5235,4 +5239,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4488 2006/08/18 14:22:40 djm Exp $
+$Id: ChangeLog,v 1.4489 2006/08/18 14:23:15 djm Exp $
diff --git a/servconf.c b/servconf.c
index 5884b95be..1f80de22d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -16,6 +16,7 @@
 #include <sys/socket.h>
 
 #include <netdb.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -37,6 +38,7 @@
 #include "mac.h"
 #include "match.h"
 #include "channels.h"
+#include "groupaccess.h"
 
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -496,6 +498,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
  *		PermittedChannelRequests session,forwarded-tcpip
  */
 
+static int
+match_cfg_line_group(const char *grps, int line, const char *user)
+{
+	int result = 0;
+	u_int ngrps = 0;
+	char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
+	struct passwd *pw;
+
+	/*
+	 * Even if we do not have a user yet, we still need to check for
+	 * valid syntax.
+	 */
+	arg = cp = xstrdup(grps);
+	while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
+		if (ngrps >= MAX_MATCH_GROUPS) {
+			error("line %d: too many groups in Match Group", line);
+			result = -1;
+			goto out;
+		}
+		grplist[ngrps++] = p;
+	}
+
+	if (user == NULL)
+		goto out;
+
+	if ((pw = getpwnam(user)) == NULL) {
+		debug("Can't match group at line %d because user %.100s does "
+		    "not exist", line, user);
+	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+		debug("Can't Match group because user %.100s not in any group "
+		    "at line %d", user, line);
+	} else if (ga_match(grplist, ngrps) != 1) {
+		debug("user %.100s does not match group %.100s at line %d",
+		    user, arg, line);
+	} else {
+		debug("user %.100s matched group %.100s at line %d", user,
+		    arg, line);
+		result = 1;
+	}
+out:
+	ga_free();
+	xfree(arg);
+	return result;
+}
+
 static int
 match_cfg_line(char **condition, int line, const char *user, const char *host,
     const char *address)
@@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
 			else
 				debug("user %.100s matched 'User %.100s' at "
 				    "line %d", user, arg, line);
+		} else if (strcasecmp(attrib, "group") == 0) {
+			switch (match_cfg_line_group(arg, line, user)) {
+			case -1:
+				return -1;
+			case 0:
+				result = 0;
+			}
 		} else if (strcasecmp(attrib, "host") == 0) {
 			if (!host) {
 				result = 0;
diff --git a/servconf.h b/servconf.h
index 2593b1cd1..ad496f64b 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -25,6 +25,7 @@
 #define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
 #define MAX_HOSTKEYS		256	/* Max # hostkeys. */
 #define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
+#define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
 
 /* permit_root_login */
 #define	PERMIT_NOT_SET		-1
diff --git a/sshd_config.5 b/sshd_config.5
index ff5457dff..3c20c1faa 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.69 2006/08/14 12:40:25 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -488,6 +488,7 @@ The arguments to
 are one or more criteria-pattern pairs.
 The available criteria are
 .Cm User ,
+.Cm Group ,
 .Cm Host ,
 and
 .Cm Address .