summaryrefslogtreecommitdiff
path: root/Linux-PAM/libpam
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 16:15:40 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:00:25 -0800
commit9727ff2a3fa0e94a42b34a579027bacf4146d571 (patch)
tree893f3d050906e7cb2284f97cf4577bb5e8ccbb60 /Linux-PAM/libpam
parent281e859131adad49301befbc50cfc5cd282c6937 (diff)
parentb2661a54ac276d20268dba45b4e025d58458241e (diff)
New upstream version 0.99.10.0
Diffstat (limited to 'Linux-PAM/libpam')
-rw-r--r--Linux-PAM/libpam/Makefile.am4
-rw-r--r--Linux-PAM/libpam/include/security/_pam_macros.h13
-rw-r--r--Linux-PAM/libpam/include/security/_pam_types.h14
-rw-r--r--Linux-PAM/libpam/include/security/pam_modutil.h3
-rw-r--r--Linux-PAM/libpam/libpam.map5
-rw-r--r--Linux-PAM/libpam/pam_audit.c54
-rw-r--r--Linux-PAM/libpam/pam_dispatch.c66
-rw-r--r--Linux-PAM/libpam/pam_end.c13
-rw-r--r--Linux-PAM/libpam/pam_handlers.c210
-rw-r--r--Linux-PAM/libpam/pam_item.c29
-rw-r--r--Linux-PAM/libpam/pam_misc.c22
-rw-r--r--Linux-PAM/libpam/pam_modutil_getgrgid.c2
-rw-r--r--Linux-PAM/libpam/pam_modutil_getgrnam.c2
-rw-r--r--Linux-PAM/libpam/pam_modutil_getpwnam.c2
-rw-r--r--Linux-PAM/libpam/pam_modutil_getpwuid.c2
-rw-r--r--Linux-PAM/libpam/pam_modutil_getspnam.c2
-rw-r--r--Linux-PAM/libpam/pam_private.h22
-rw-r--r--Linux-PAM/libpam/pam_start.c3
-rw-r--r--Linux-PAM/libpam/pam_static_modules.h18
19 files changed, 358 insertions, 128 deletions
diff --git a/Linux-PAM/libpam/Makefile.am b/Linux-PAM/libpam/Makefile.am
index a0955441..0daca423 100644
--- a/Linux-PAM/libpam/Makefile.am
+++ b/Linux-PAM/libpam/Makefile.am
@@ -20,11 +20,11 @@ include_HEADERS = include/security/_pam_compat.h \
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
pam_modutil_private.h pam_static_modules.h
-libpam_la_LDFLAGS = -no-undefined -version-info 81:9:81
+libpam_la_LDFLAGS = -no-undefined -version-info 81:10:81
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
if STATIC_MODULES
- libpam_la_LIBADD += `ls ../modules/pam_*/*.lo` \
+ libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \
@LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil
endif
if HAVE_VERSIONING
diff --git a/Linux-PAM/libpam/include/security/_pam_macros.h b/Linux-PAM/libpam/include/security/_pam_macros.h
index f7da10a7..bd107cfb 100644
--- a/Linux-PAM/libpam/include/security/_pam_macros.h
+++ b/Linux-PAM/libpam/include/security/_pam_macros.h
@@ -25,6 +25,15 @@ do { \
*__xx__++ = '\0'; \
} while (0)
+#define _pam_overwrite_n(x,n) \
+do { \
+ register char *__xx__; \
+ register unsigned int __i__ = 0; \
+ if ((__xx__=(x))) \
+ for (;__i__<n; __i__++) \
+ __xx__[__i__] = 0; \
+} while (0)
+
/*
* Don't just free it, forget it too.
*/
@@ -85,7 +94,7 @@ static void _pam_output_debug_info(const char *file, const char *fn
{
FILE *logfile;
int must_close = 1, fd;
-
+
#ifdef O_NOFOLLOW
if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) {
#else
@@ -111,7 +120,7 @@ static void _pam_output_debug(const char *format, ...)
va_list args;
FILE *logfile;
int must_close = 1, fd;
-
+
va_start(args, format);
#ifdef O_NOFOLLOW
diff --git a/Linux-PAM/libpam/include/security/_pam_types.h b/Linux-PAM/libpam/include/security/_pam_types.h
index 45bae97b..2f7e807f 100644
--- a/Linux-PAM/libpam/include/security/_pam_types.h
+++ b/Linux-PAM/libpam/include/security/_pam_types.h
@@ -138,8 +138,11 @@ typedef struct pam_handle pam_handle_t;
#define PAM_OLDAUTHTOK 7 /* The old authentication token */
#define PAM_RUSER 8 /* The remote user name */
#define PAM_USER_PROMPT 9 /* the prompt for getting a username */
+/* Linux-PAM extensions */
#define PAM_FAIL_DELAY 10 /* app supplied function to override failure
delays */
+#define PAM_XDISPLAY 11 /* X display name */
+#define PAM_XAUTHDATA 12 /* X server authentication data */
/* -------------- Special defines used by Linux-PAM -------------- */
@@ -279,6 +282,17 @@ struct pam_conv {
void *appdata_ptr;
};
+/* Used by the PAM_XAUTHDATA pam item. Contains X authentication
+ data used by modules to connect to the user's X display. Note:
+ this structure is intentionally compatible with xcb_auth_info_t. */
+
+struct pam_xauth_data {
+ int namelen;
+ char *name;
+ int datalen;
+ char *data;
+};
+
/* ... adapted from the pam_appl.h file created by Theodore Ts'o and
*
* Copyright Theodore Ts'o, 1996. All rights reserved.
diff --git a/Linux-PAM/libpam/include/security/pam_modutil.h b/Linux-PAM/libpam/include/security/pam_modutil.h
index efb72436..ffdf5ad0 100644
--- a/Linux-PAM/libpam/include/security/pam_modutil.h
+++ b/Linux-PAM/libpam/include/security/pam_modutil.h
@@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count);
extern int
pam_modutil_write(int fd, const char *buffer, int count);
+extern int PAM_NONNULL((1,3))
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ const char *message, int retval);
#ifdef __cplusplus
}
#endif
diff --git a/Linux-PAM/libpam/libpam.map b/Linux-PAM/libpam/libpam.map
index 1c2c4480..e37fc356 100644
--- a/Linux-PAM/libpam/libpam.map
+++ b/Linux-PAM/libpam/libpam.map
@@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 {
pam_modutil_read;
pam_modutil_write;
};
+
+LIBPAM_MODUTIL_1.1 {
+ global:
+ pam_modutil_audit_write;
+} LIBPAM_MODUTIL_1.0;
diff --git a/Linux-PAM/libpam/pam_audit.c b/Linux-PAM/libpam/pam_audit.c
index 240d4a89..6fd6a0c1 100644
--- a/Linux-PAM/libpam/pam_audit.c
+++ b/Linux-PAM/libpam/pam_audit.c
@@ -6,9 +6,10 @@
Authors:
Steve Grubb <sgrubb@redhat.com> */
-#include "pam_private.h"
#include <stdio.h>
#include <syslog.h>
+#include "pam_private.h"
+#include "pam_modutil_private.h"
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
@@ -56,26 +57,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
return rc;
}
-int
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+static int
+_pam_audit_open(pam_handle_t *pamh)
{
- const char *message;
- int type;
int audit_fd;
-
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
* audit compiled in. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
- return retval;
+ return -2;
/* this should only fail in case of extreme resource shortage,
* need to prevent login in that case for CAPP compliance.
*/
pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m");
+ return -1;
+ }
+
+ return audit_fd;
+}
+
+int
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+{
+ const char *message;
+ int type;
+ int audit_fd;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
}
switch (action) {
@@ -142,4 +156,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
return 0;
}
+int
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ const char *message, int retval)
+{
+ int audit_fd;
+ int rc;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+ return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
+ }
+
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS;
+}
+
+#else
+int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED,
+ const char *message UNUSED, int retval UNUSED)
+{
+ return PAM_SUCCESS;
+}
#endif /* HAVE_LIBAUDIT */
diff --git a/Linux-PAM/libpam/pam_dispatch.c b/Linux-PAM/libpam/pam_dispatch.c
index ab032d74..fa4e5ed4 100644
--- a/Linux-PAM/libpam/pam_dispatch.c
+++ b/Linux-PAM/libpam/pam_dispatch.c
@@ -34,7 +34,8 @@
static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
_pam_boolean resumed, int use_cached_chain)
{
- int depth, impression, status, skip_depth;
+ int depth, impression, status, skip_depth, prev_level, stack_level;
+ struct _pam_substack_state *substates = NULL;
IF_NO_PAMH("_pam_dispatch_aux", pamh, PAM_SYSTEM_ERR);
@@ -54,27 +55,51 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
skip_depth = pamh->former.depth;
status = pamh->former.status;
impression = pamh->former.impression;
+ substates = pamh->former.substates;
/* forget all that */
pamh->former.impression = _PAM_UNDEF;
pamh->former.status = PAM_MUST_FAIL_CODE;
pamh->former.depth = 0;
+ pamh->former.substates = NULL;
} else {
skip_depth = 0;
- impression = _PAM_UNDEF;
- status = PAM_MUST_FAIL_CODE;
+ substates = malloc(PAM_SUBSTACK_MAX_LEVEL * sizeof(*substates));
+ if (substates == NULL) {
+ pam_syslog(pamh, LOG_CRIT,
+ "_pam_dispatch_aux: no memory for substack states");
+ return PAM_BUF_ERR;
+ }
+ substates[0].impression = impression = _PAM_UNDEF;
+ substates[0].status = status = PAM_MUST_FAIL_CODE;
}
+ prev_level = 0;
+
/* Loop through module logic stack */
- for (depth=0 ; h != NULL ; h = h->next, ++depth) {
+ for (depth=0 ; h != NULL ; prev_level = stack_level, h = h->next, ++depth) {
int retval, cached_retval, action;
+ stack_level = h->stack_level;
+
/* skip leading modules if they have already returned */
if (depth < skip_depth) {
continue;
}
+ /* remember state if we are entering a substack */
+ if (prev_level < stack_level) {
+ substates[stack_level].impression = impression;
+ substates[stack_level].status = status;
+ }
+
/* attempt to call the module */
- if (h->func == NULL) {
+ if (h->handler_type == PAM_HT_MUST_FAIL) {
+ D(("module poorly listed in PAM config; forcing failure"));
+ retval = PAM_MUST_FAIL_CODE;
+ } else if (h->handler_type == PAM_HT_SUBSTACK) {
+ D(("skipping substack handler"));
+ continue;
+ } else if (h->func == NULL) {
D(("module function is not defined, indicating failure"));
retval = PAM_MODULE_UNKNOWN;
} else {
@@ -83,10 +108,6 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
retval = h->func(pamh, flags, h->argc, h->argv);
pamh->mod_name=NULL;
D(("module returned: %s", pam_strerror(pamh, retval)));
- if (h->must_fail) {
- D(("module poorly listed in PAM config; forcing failure"));
- retval = PAM_MUST_FAIL_CODE;
- }
}
/*
@@ -100,6 +121,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
pamh->former.impression = impression;
pamh->former.status = status;
pamh->former.depth = depth;
+ pamh->former.substates = substates;
D(("module %d returned PAM_INCOMPLETE", depth));
return retval;
@@ -176,8 +198,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
switch (action) {
case _PAM_ACTION_RESET:
- impression = _PAM_UNDEF;
- status = PAM_MUST_FAIL_CODE;
+ impression = substates[stack_level].impression;
+ status = substates[stack_level].status;
break;
case _PAM_ACTION_OK:
@@ -244,9 +266,13 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
}
/* this means that we need to skip #action stacked modules */
- do {
- h = h->next;
- } while ( --action > 0 && h != NULL );
+ while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
+ do {
+ h = h->next;
+ ++depth;
+ } while (h->next != NULL && h->next->stack_level > stack_level);
+ --action;
+ }
/* note if we try to skip too many modules action is
still non-zero and we snag the next if. */
@@ -254,14 +280,19 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
/* this case is a syntax error: we can't succeed */
if (action) {
- D(("action syntax error"));
+ pam_syslog(pamh, LOG_ERR, "bad jump in stack");
impression = _PAM_NEGATIVE;
status = PAM_MUST_FAIL_CODE;
}
}
- }
-
+ continue;
+
decision_made: /* by getting here we have made a decision */
+ while (h->next != NULL && h->next->stack_level >= stack_level) {
+ h = h->next;
+ ++depth;
+ }
+ }
/* Sanity check */
if ( status == PAM_SUCCESS && impression != _PAM_POSITIVE ) {
@@ -269,6 +300,7 @@ decision_made: /* by getting here we have made a decision */
status = PAM_MUST_FAIL_CODE;
}
+ free(substates);
/* We have made a decision about the modules executed */
return status;
}
diff --git a/Linux-PAM/libpam/pam_end.c b/Linux-PAM/libpam/pam_end.c
index 23a9dd5d..a2d94085 100644
--- a/Linux-PAM/libpam/pam_end.c
+++ b/Linux-PAM/libpam/pam_end.c
@@ -1,7 +1,7 @@
/* pam_end.c */
/*
- * $Id: pam_end.c,v 1.4 2006/01/12 10:06:49 t8m Exp $
+ * $Id: pam_end.c,v 1.7 2008/01/28 14:50:21 kukuk Exp $
*/
#include "pam_private.h"
@@ -71,6 +71,17 @@ int pam_end(pam_handle_t *pamh, int pam_status)
_pam_drop(pamh->pam_conversation);
pamh->fail_delay.delay_fn_ptr = NULL;
+ _pam_drop(pamh->former.substates);
+
+ _pam_overwrite(pamh->xdisplay);
+ _pam_drop(pamh->xdisplay);
+
+ _pam_overwrite(pamh->xauth.name);
+ _pam_drop(pamh->xauth.name);
+ _pam_overwrite_n(pamh->xauth.data, (unsigned int)pamh->xauth.datalen);
+ _pam_drop(pamh->xauth.data);
+ _pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth));
+
/* and finally liberate the memory for the pam_handle structure */
_pam_drop(pamh);
diff --git a/Linux-PAM/libpam/pam_handlers.c b/Linux-PAM/libpam/pam_handlers.c
index 87d781d2..11508145 100644
--- a/Linux-PAM/libpam/pam_handlers.c
+++ b/Linux-PAM/libpam/pam_handlers.c
@@ -18,7 +18,7 @@
#define BUF_SIZE 1024
#define MODULE_CHUNK 4
-#define UNKNOWN_MODULE_PATH "<*unknown module path*>"
+#define UNKNOWN_MODULE "<*unknown module*>"
#ifndef _PAM_ISA
#define _PAM_ISA "."
#endif
@@ -28,7 +28,7 @@ static int _pam_assemble_line(FILE *f, char *buf, int buf_len);
static void _pam_free_handlers_aux(struct handler **hp);
static int _pam_add_handler(pam_handle_t *pamh
- , int must_fail, int other, int type
+ , int must_fail, int other, int stack_level, int type
, int *actions, const char *mod_path
, int argc, char **argv, int argvlen);
@@ -43,6 +43,7 @@ static int _pam_add_handler(pam_handle_t *pamh
static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
, const char *service /* specific file */
, int module_type /* specific type */
+ , int stack_level /* level of substack */
#ifdef PAM_READ_BOTH_CONFS
, int not_other
#endif /* PAM_READ_BOTH_CONFS */
@@ -51,6 +52,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
, const char *known_service /* specific file */
, int requested_module_type /* specific type */
+ , int stack_level /* level of substack */
#ifdef PAM_READ_BOTH_CONFS
, int not_other
#endif /* PAM_READ_BOTH_CONFS */
@@ -68,7 +70,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
int module_type, actions[_PAM_RETURN_VALUES];
int other; /* set if module is for PAM_DEFAULT_SERVICE */
int res; /* module added successfully? */
- int must_fail=0; /* a badly formatted line must fail when used */
+ int handler_type = PAM_HT_MODULE; /* regular handler from a module */
int argc;
char **argv;
int argvlen;
@@ -92,6 +94,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
/* accept "service name" or PAM_DEFAULT_SERVICE modules */
if (!strcasecmp(this_service, pamh->service_name) || other) {
int pam_include = 0;
+ int substack = 0;
/* This is a service we are looking for */
D(("_pam_init_handlers: Found PAM config entry for: %s"
@@ -105,7 +108,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
"(%s) empty module type", this_service);
module_type = (requested_module_type != PAM_T_ANY) ?
requested_module_type : PAM_T_AUTH; /* most sensitive */
- must_fail = 1; /* install as normal but fail when dispatched */
+ handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
} else if (!strcasecmp("auth", tok)) {
module_type = PAM_T_AUTH;
} else if (!strcasecmp("session", tok)) {
@@ -121,9 +124,9 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
this_service, tok);
module_type = (requested_module_type != PAM_T_ANY) ?
requested_module_type : PAM_T_AUTH; /* most sensitive */
- must_fail = 1; /* install as normal but fail when dispatched */
+ handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
}
- D(("Using %s config entry: %s", must_fail?"BAD ":"", tok));
+ D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));
if (requested_module_type != PAM_T_ANY &&
module_type != requested_module_type) {
D(("Skipping config entry: %s (requested=%d, found=%d)",
@@ -145,7 +148,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
pam_syslog(pamh, LOG_ERR,
"(%s) no control flag supplied", this_service);
_pam_set_default_control(actions, _PAM_ACTION_BAD);
- must_fail = 1;
+ handler_type = PAM_HT_MUST_FAIL;
} else if (!strcasecmp("required", tok)) {
D(("*PAM_F_REQUIRED*"));
actions[PAM_SUCCESS] = _PAM_ACTION_OK;
@@ -171,6 +174,11 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
} else if (!strcasecmp("include", tok)) {
D(("*PAM_F_INCLUDE*"));
pam_include = 1;
+ substack = 0;
+ } else if (!strcasecmp("substack", tok)) {
+ D(("*PAM_F_SUBSTACK*"));
+ pam_include = 1;
+ substack = 1;
} else {
D(("will need to parse %s", tok));
_pam_parse_control(actions, tok);
@@ -180,7 +188,18 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
tok = _pam_StrTok(NULL, " \n\t", &nexttok);
if (pam_include) {
- if (_pam_load_conf_file(pamh, tok, this_service, module_type
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+ 0, NULL, 0);
+ if (res != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "error adding substack %s", tok);
+ D(("failed to load module - aborting"));
+ return PAM_ABORT;
+ }
+ }
+ if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+ stack_level + substack
#ifdef PAM_READ_BOTH_CONFS
, !other
#endif /* PAM_READ_BOTH_CONFS */
@@ -188,7 +207,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
continue;
_pam_set_default_control(actions, _PAM_ACTION_BAD);
mod_path = NULL;
- must_fail = 1;
+ handler_type = PAM_HT_MUST_FAIL;
nexttok = NULL;
} else if (tok != NULL) {
mod_path = tok;
@@ -199,7 +218,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
pam_syslog(pamh, LOG_ERR,
"(%s) no module name supplied", this_service);
mod_path = NULL;
- must_fail = 1;
+ handler_type = PAM_HT_MUST_FAIL;
}
/* nexttok points to remaining arguments... */
@@ -219,7 +238,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
int y;
D(("CONF%s: %s%s %d %s %d"
- , must_fail?"<*will fail*>":""
+ , handler_type==PAM_HT_MUST_FAIL?"<*will fail*>":""
, this_service, other ? "(backup)":""
, module_type
, mod_path, argc));
@@ -235,7 +254,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
}
#endif
- res = _pam_add_handler(pamh, must_fail, other
+ res = _pam_add_handler(pamh, handler_type, other, stack_level
, module_type, actions, mod_path
, argc, argv, argvlen);
if (res != PAM_SUCCESS) {
@@ -252,6 +271,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
, const char *service /* specific file */
, int module_type /* specific type */
+ , int stack_level /* level of substack */
#ifdef PAM_READ_BOTH_CONFS
, int not_other
#endif /* PAM_READ_BOTH_CONFS */
@@ -263,6 +283,12 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
D(("_pam_load_conf_file called"));
+ if (stack_level >= PAM_SUBSTACK_MAX_LEVEL) {
+ D(("maximum level of substacks reached"));
+ pam_syslog(pamh, LOG_ERR, "maximum level of substacks reached");
+ return PAM_ABORT;
+ }
+
if (config_name == NULL) {
D(("no config file supplied"));
pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service);
@@ -280,7 +306,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
D(("opening %s", config_name));
f = fopen(config_name, "r");
if (f != NULL) {
- retval = _pam_parse_conf_file(pamh, f, service, module_type
+ retval = _pam_parse_conf_file(pamh, f, service, module_type, stack_level
#ifdef PAM_READ_BOTH_CONFS
, not_other
#endif /* PAM_READ_BOTH_CONFS */
@@ -379,7 +405,8 @@ int _pam_init_handlers(pam_handle_t *pamh)
f = fopen(filename, "r");
if (f != NULL) {
/* would test magic here? */
- retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY
+ retval = _pam_parse_conf_file(pamh, f, pamh->service_name,
+ PAM_T_ANY, 0
#ifdef PAM_READ_BOTH_CONFS
, 0
#endif /* PAM_READ_BOTH_CONFS */
@@ -400,7 +427,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
D(("checking %s", PAM_CONFIG));
if ((f = fopen(PAM_CONFIG,"r")) != NULL) {
- retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 1);
+ retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1);
fclose(f);
} else
#endif /* PAM_READ_BOTH_CONFS */
@@ -419,9 +446,8 @@ int _pam_init_handlers(pam_handle_t *pamh)
f = fopen(PAM_DEFAULT_SERVICE_FILE, "r");
if (f != NULL) {
/* would test magic here? */
- retval = _pam_parse_conf_file(pamh, f
- , PAM_DEFAULT_SERVICE
- , PAM_T_ANY
+ retval = _pam_parse_conf_file(pamh, f, PAM_DEFAULT_SERVICE,
+ PAM_T_ANY, 0
#ifdef PAM_READ_BOTH_CONFS
, 0
#endif /* PAM_READ_BOTH_CONFS */
@@ -454,7 +480,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
return PAM_ABORT;
}
- retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY
+ retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0
#ifdef PAM_READ_BOTH_CONFS
, 0
#endif /* PAM_READ_BOTH_CONFS */
@@ -581,46 +607,19 @@ extract_modulename(const char *mod_path)
return retval;
}
-int _pam_add_handler(pam_handle_t *pamh
- , int must_fail, int other, int type
- , int *actions, const char *mod_path
- , int argc, char **argv, int argvlen)
+static struct loaded_module *
+_pam_load_module(pam_handle_t *pamh, const char *mod_path)
{
- struct loaded_module *mod;
int x = 0;
- struct handler **handler_p;
- struct handler **handler_p2;
- struct handlers *the_handlers;
- const char *sym, *sym2;
- char *mod_full_path=NULL;
+ int success;
#ifndef PAM_STATIC
char *mod_full_isa_path=NULL, *isa=NULL;
#endif
- servicefn func, func2;
- int success;
-
- D(("called."));
- IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR);
-
- /* if NULL set to something that can be searched for */
- switch (mod_path != NULL) {
- default:
- if (mod_path[0] == '/') {
- break;
- }
- if (asprintf(&mod_full_path, "%s%s",
- DEFAULT_MODULE_PATH, mod_path) >= 0) {
- mod_path = mod_full_path;
- break;
- }
- mod_full_path = NULL;
- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
- case 0:
- mod_path = UNKNOWN_MODULE_PATH;
- }
+ struct loaded_module *mod;
- D(("_pam_add_handler: adding type %d, module `%s'",type,mod_path));
- mod = pamh->handlers.module;
+ D(("_pam_load_module: loading module `%s'", mod_path));
+
+ mod = pamh->handlers.module;
/* First, ensure the module is loaded */
while (x < pamh->handlers.modules_used) {
@@ -639,9 +638,8 @@ int _pam_add_handler(pam_handle_t *pamh
if (tmp == NULL) {
D(("cannot enlarge module pointer memory"));
pam_syslog(pamh, LOG_ERR,
- "realloc returned NULL in _pam_add_handler");
- _pam_drop(mod_full_path);
- return PAM_ABORT;
+ "realloc returned NULL in _pam_load_module");
+ return NULL;
}
pamh->handlers.module = tmp;
pamh->handlers.modules_allocated += MODULE_CHUNK;
@@ -654,10 +652,10 @@ int _pam_add_handler(pam_handle_t *pamh
/* Only load static function if function was not found dynamically.
* This code should work even if no dynamic loading is available. */
if (success != PAM_SUCCESS) {
- D(("_pam_add_handler: open static handler %s", mod_path));
+ D(("_pam_load_module: open static handler %s", mod_path));
mod->dl_handle = _pam_open_static_handler(pamh, mod_path);
if (mod->dl_handle == NULL) {
- D(("_pam_add_handler: unable to find static handler %s",
+ D(("_pam_load_module: unable to find static handler %s",
mod_path));
pam_syslog(pamh, LOG_ERR,
"unable to open static handler %s", mod_path);
@@ -670,15 +668,15 @@ int _pam_add_handler(pam_handle_t *pamh
}
}
#else
- D(("_pam_add_handler: _pam_dlopen(%s)", mod_path));
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
mod->dl_handle = _pam_dlopen(mod_path);
- D(("_pam_add_handler: _pam_dlopen'ed"));
- D(("_pam_add_handler: dlopen'ed"));
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
if (mod->dl_handle == NULL) {
if (strstr(mod_path, "$ISA")) {
mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1);
if (mod_full_isa_path == NULL) {
- D(("_pam_handler: couldn't get memory for mod_path"));
+ D(("_pam_load_module: couldn't get memory for mod_path"));
pam_syslog(pamh, LOG_ERR, "no memory for module path");
success = PAM_ABORT;
} else {
@@ -694,9 +692,9 @@ int _pam_add_handler(pam_handle_t *pamh
}
}
if (mod->dl_handle == NULL) {
- D(("_pam_add_handler: _pam_dlopen(%s) failed", mod_path));
- pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s)", mod_path);
- pam_syslog(pamh, LOG_ERR, "[error: %s]", _pam_dlerror());
+ D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path));
+ pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
+ _pam_dlerror());
/* Don't abort yet; static code may be able to find function.
* But defaults to abort if nothing found below... */
} else {
@@ -717,7 +715,7 @@ int _pam_add_handler(pam_handle_t *pamh
/* indicate its name - later we will search for it by this */
if ((mod->name = _pam_strdup(mod_path)) == NULL) {
- D(("_pam_handler: couldn't get memory for mod_path"));
+ D(("_pam_load_module: couldn't get memory for mod_path"));
pam_syslog(pamh, LOG_ERR, "no memory for module path");
success = PAM_ABORT;
}
@@ -726,18 +724,54 @@ int _pam_add_handler(pam_handle_t *pamh
mod += x; /* the located module */
success = PAM_SUCCESS;
}
+ return success == PAM_SUCCESS ? mod : NULL;
+}
+
+int _pam_add_handler(pam_handle_t *pamh
+ , int handler_type, int other, int stack_level, int type
+ , int *actions, const char *mod_path
+ , int argc, char **argv, int argvlen)
+{
+ struct loaded_module *mod = NULL;
+ struct handler **handler_p;
+ struct handler **handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+ char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+ D(("called."));
+ IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR);
- _pam_drop(mod_full_path);
- mod_path = NULL; /* no longer needed or trusted */
+ D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'",
+ type, handler_type, mod_path));
- /* Now return error if necessary after trying all possible ways... */
- if (success != PAM_SUCCESS)
- return(success);
+ if (handler_type == PAM_HT_MODULE && mod_path != NULL) {
+ if (mod_path[0] == '/') {
+ mod = _pam_load_module(pamh, mod_path);
+ } else if (asprintf(&mod_full_path, "%s%s",
+ DEFAULT_MODULE_PATH, mod_path) >= 0) {
+ mod = _pam_load_module(pamh, mod_full_path);
+ _pam_drop(mod_full_path);
+ } else {
+ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+ return PAM_ABORT;
+ }
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
+ return PAM_ABORT;
+ }
+
+ mod_type = mod->type;
+ }
+
+ if (mod_path == NULL)
+ mod_path = UNKNOWN_MODULE;
/*
- * At this point 'mod' points to the stored/loaded module. If its
- * dl_handle is unknown, then we must be able to indicate dispatch
- * failure with 'must_fail'
+ * At this point 'mod' points to the stored/loaded module.
*/
/* Now define the handler(s) based on mod->dlhandle and type */
@@ -780,43 +814,43 @@ int _pam_add_handler(pam_handle_t *pamh
/* are the modules reliable? */
if (
#ifdef PAM_STATIC
- mod->type != PAM_MT_STATIC_MOD
+ mod_type != PAM_MT_STATIC_MOD
&&
#else
- mod->type != PAM_MT_DYNAMIC_MOD
+ mod_type != PAM_MT_DYNAMIC_MOD
&&
#endif
- mod->type != PAM_MT_FAULTY_MOD
+ mod_type != PAM_MT_FAULTY_MOD
) {
- D(("_pam_add_handlers: illegal module library type; %d", mod->type));
+ D(("_pam_add_handlers: illegal module library type; %d", mod_type));
pam_syslog(pamh, LOG_ERR,
"internal error: module library type not known: %s;%d",
- sym, mod->type);
+ sym, mod_type);
return PAM_ABORT;
}
/* now identify this module's functions - for non-faulty modules */
#ifdef PAM_STATIC
- if ((mod->type == PAM_MT_STATIC_MOD) &&
+ if ((mod_type == PAM_MT_STATIC_MOD) &&
(func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) {
pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym);
}
#else
- if ((mod->type == PAM_MT_DYNAMIC_MOD) &&
+ if ((mod_type == PAM_MT_DYNAMIC_MOD) &&
!(func = _pam_dlsym(mod->dl_handle, sym)) ) {
pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym);
}
#endif
if (sym2) {
#ifdef PAM_STATIC
- if ((mod->type == PAM_MT_STATIC_MOD) &&
+ if ((mod_type == PAM_MT_STATIC_MOD) &&
(func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2))
== NULL) {
pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2);
}
#else
- if ((mod->type == PAM_MT_DYNAMIC_MOD) &&
+ if ((mod_type == PAM_MT_DYNAMIC_MOD) &&
!(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) {
pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2);
}
@@ -835,14 +869,15 @@ int _pam_add_handler(pam_handle_t *pamh
return (PAM_ABORT);
}
- (*handler_p)->must_fail = must_fail; /* failure forced? */
+ (*handler_p)->handler_type = handler_type;
+ (*handler_p)->stack_level = stack_level;
(*handler_p)->func = func;
memcpy((*handler_p)->actions,actions,sizeof((*handler_p)->actions));
(*handler_p)->cached_retval = _PAM_INVALID_RETVAL;
(*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
(*handler_p)->argc = argc;
(*handler_p)->argv = argv; /* not a copy */
- (*handler_p)->mod_name = extract_modulename(mod->name);
+ (*handler_p)->mod_name = extract_modulename(mod_path);
(*handler_p)->next = NULL;
/* some of the modules have a second calling function */
@@ -857,7 +892,8 @@ int _pam_add_handler(pam_handle_t *pamh
return (PAM_ABORT);
}
- (*handler_p2)->must_fail = must_fail; /* failure forced? */
+ (*handler_p2)->handler_type = handler_type;
+ (*handler_p2)->stack_level = stack_level;
(*handler_p2)->func = func2;
memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions));
(*handler_p2)->cached_retval = _PAM_INVALID_RETVAL; /* ignored */
@@ -873,7 +909,7 @@ int _pam_add_handler(pam_handle_t *pamh
} else {
(*handler_p2)->argv = NULL; /* no arguments */
}
- (*handler_p2)->mod_name = extract_modulename(mod->name);
+ (*handler_p2)->mod_name = extract_modulename(mod_path);
(*handler_p2)->next = NULL;
}
diff --git a/Linux-PAM/libpam/pam_item.c b/Linux-PAM/libpam/pam_item.c
index 41d5b816..2d7985c8 100644
--- a/Linux-PAM/libpam/pam_item.c
+++ b/Linux-PAM/libpam/pam_item.c
@@ -1,7 +1,7 @@
/* pam_item.c */
/*
- * $Id: pam_item.c,v 1.13 2006/03/12 10:26:30 kukuk Exp $
+ * $Id: pam_item.c,v 1.15 2008/01/28 14:50:21 kukuk Exp $
*/
#include "pam_private.h"
@@ -138,6 +138,25 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
pamh->fail_delay.delay_fn_ptr = item;
break;
+ case PAM_XDISPLAY:
+ RESET(pamh->xdisplay, item);
+ break;
+
+ case PAM_XAUTHDATA:
+ if (pamh->xauth.namelen) {
+ _pam_overwrite(pamh->xauth.name);
+ free(pamh->xauth.name);
+ }
+ if (pamh->xauth.datalen) {
+ _pam_overwrite_n(pamh->xauth.data,
+ (unsigned int) pamh->xauth.datalen);
+ free(pamh->xauth.data);
+ }
+ pamh->xauth = *((const struct pam_xauth_data *) item);
+ pamh->xauth.name = _pam_strdup(pamh->xauth.name);
+ pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen);
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
@@ -220,6 +239,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item)
*item = pamh->fail_delay.delay_fn_ptr;
break;
+ case PAM_XDISPLAY:
+ *item = pamh->xdisplay;
+ break;
+
+ case PAM_XAUTHDATA:
+ *item = &pamh->xauth;
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
diff --git a/Linux-PAM/libpam/pam_misc.c b/Linux-PAM/libpam/pam_misc.c
index 770c9cce..574a570e 100644
--- a/Linux-PAM/libpam/pam_misc.c
+++ b/Linux-PAM/libpam/pam_misc.c
@@ -137,6 +137,28 @@ char *_pam_strdup(const char *x)
return new; /* return the duplicate or NULL on error */
}
+/*
+ * Safe duplication of memory buffers. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ */
+
+char *_pam_memdup(const char *x, int len)
+{
+ register char *new=NULL;
+
+ if (x != NULL) {
+ if ((new = malloc(len)) == NULL) {
+ len = 0;
+ pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory");
+ } else {
+ memcpy (new, x, len);
+ }
+ x = NULL;
+ }
+
+ return new; /* return the duplicate or NULL on error */
+}
+
/* Generate argv, argc from s */
/* caller must free(argv) */
diff --git a/Linux-PAM/libpam/pam_modutil_getgrgid.c b/Linux-PAM/libpam/pam_modutil_getgrgid.c
index 420068f7..5b862872 100644
--- a/Linux-PAM/libpam/pam_modutil_getgrgid.c
+++ b/Linux-PAM/libpam/pam_modutil_getgrgid.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getgrgid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getgrgid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
*
* This function provides a thread safer version of getgrgid() for use
* with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getgrnam.c b/Linux-PAM/libpam/pam_modutil_getgrnam.c
index 908f816d..99c90800 100644
--- a/Linux-PAM/libpam/pam_modutil_getgrnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getgrnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getgrnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getgrnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
*
* This function provides a thread safer version of getgrnam() for use
* with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getpwnam.c b/Linux-PAM/libpam/pam_modutil_getpwnam.c
index 6bb7d195..b81617d5 100644
--- a/Linux-PAM/libpam/pam_modutil_getpwnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getpwnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getpwnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getpwnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
*
* This function provides a thread safer version of getpwnam() for use
* with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getpwuid.c b/Linux-PAM/libpam/pam_modutil_getpwuid.c
index 15fe077c..3ea02488 100644
--- a/Linux-PAM/libpam/pam_modutil_getpwuid.c
+++ b/Linux-PAM/libpam/pam_modutil_getpwuid.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getpwuid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getpwuid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
*
* This function provides a thread safer version of getpwuid() for use
* with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getspnam.c b/Linux-PAM/libpam/pam_modutil_getspnam.c
index 1c926063..6c02e9c2 100644
--- a/Linux-PAM/libpam/pam_modutil_getspnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getspnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getspnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getspnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
*
* This function provides a thread safer version of getspnam() for use
* with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_private.h b/Linux-PAM/libpam/pam_private.h
index 8b7d9146..333f4d0f 100644
--- a/Linux-PAM/libpam/pam_private.h
+++ b/Linux-PAM/libpam/pam_private.h
@@ -44,7 +44,7 @@
#define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */
struct handler {
- int must_fail;
+ int handler_type;
int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv);
int actions[_PAM_RETURN_VALUES];
/* set by authenticate, open_session, chauthtok(1st)
@@ -54,8 +54,13 @@ struct handler {
char **argv;
struct handler *next;
char *mod_name;
+ int stack_level;
};
+#define PAM_HT_MODULE 0
+#define PAM_HT_MUST_FAIL 1
+#define PAM_HT_SUBSTACK 2
+
struct loaded_module {
char *name;
int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */
@@ -76,7 +81,7 @@ struct handlers {
};
struct service {
- struct loaded_module *module; /* Only used for dynamic loading */
+ struct loaded_module *module; /* Array of modules */
int modules_allocated;
int modules_used;
int handlers_loaded;
@@ -111,6 +116,12 @@ struct _pam_fail_delay {
const void *delay_fn_ptr;
};
+/* initial state in substack */
+struct _pam_substack_state {
+ int impression;
+ int status;
+};
+
struct _pam_former_state {
/* this is known and set by _pam_dispatch() */
int choice; /* which flavor of module function did we call? */
@@ -119,6 +130,7 @@ struct _pam_former_state {
int depth; /* how deep in the stack were we? */
int impression; /* the impression at that time */
int status; /* the status before returning incomplete */
+ struct _pam_substack_state *substates; /* array of initial substack states */
/* state info used by pam_get_user() function */
int fail_user;
@@ -140,9 +152,11 @@ struct pam_handle {
char *rhost;
char *ruser;
char *tty;
+ char *xdisplay;
struct pam_data *data;
struct pam_environ *env; /* structure to maintain environment list */
struct _pam_fail_delay fail_delay; /* helper function for easy delays */
+ struct pam_xauth_data xauth; /* auth info for X display */
struct service handlers;
struct _pam_former_state former; /* library state - support for
event driven applications */
@@ -175,6 +189,8 @@ struct pam_handle {
#define _PAM_ACTION_UNDEF -6 /* this is treated as an error
( = _PAM_ACTION_BAD) */
+#define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */
+
/* character tables for parsing config files */
extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF];
extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1];
@@ -253,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next);
char *_pam_strdup(const char *s);
+char *_pam_memdup(const char *s, int len);
+
int _pam_mkargv(char *s, char ***argv, int *argc);
void _pam_sanitize(pam_handle_t *pamh);
diff --git a/Linux-PAM/libpam/pam_start.c b/Linux-PAM/libpam/pam_start.c
index b2c62e54..d7198323 100644
--- a/Linux-PAM/libpam/pam_start.c
+++ b/Linux-PAM/libpam/pam_start.c
@@ -3,7 +3,7 @@
/* Creator Marc Ewing
* Maintained by AGM
*
- * $Id: pam_start.c,v 1.9 2006/07/24 15:47:40 kukuk Exp $
+ * $Id: pam_start.c,v 1.10 2007/10/19 17:06:30 t8m Exp $
*
*/
@@ -88,6 +88,7 @@ int pam_start (
(*pamh)->oldauthtok = NULL;
(*pamh)->fail_delay.delay_fn_ptr = NULL;
(*pamh)->former.choice = PAM_NOT_STACKED;
+ (*pamh)->former.substates = NULL;
#ifdef HAVE_LIBAUDIT
(*pamh)->audit_state = 0;
#endif
diff --git a/Linux-PAM/libpam/pam_static_modules.h b/Linux-PAM/libpam/pam_static_modules.h
index 27b70826..a66b486d 100644
--- a/Linux-PAM/libpam/pam_static_modules.h
+++ b/Linux-PAM/libpam/pam_static_modules.h
@@ -45,7 +45,9 @@ extern struct pam_module _pam_filter_modstruct;
extern struct pam_module _pam_ftp_modstruct;
extern struct pam_module _pam_group_modstruct;
extern struct pam_module _pam_issue_modstruct;
+#ifdef HAVE_KEY_MANAGEMENT
extern struct pam_module _pam_keyinit_modstruct;
+#endif
extern struct pam_module _pam_lastlog_modstruct;
extern struct pam_module _pam_limits_modstruct;
extern struct pam_module _pam_listfile_modstruct;
@@ -55,7 +57,7 @@ extern struct pam_module _pam_mail_modstruct;
extern struct pam_module _pam_mkhomedir_modstruct;
extern struct pam_module _pam_motd_modstruct;
#ifdef HAVE_UNSHARE
-extern struct pam_module _pam_namespace;
+extern struct pam_module _pam_namespace_modstruct;
#endif
extern struct pam_module _pam_nologin_modstruct;
extern struct pam_module _pam_permit_modstruct;
@@ -65,12 +67,16 @@ extern struct pam_module _pam_rootok_modstruct;
extern struct pam_module _pam_securetty_modstruct;
#ifdef WITH_SELINUX
extern struct pam_module _pam_selinux_modstruct;
+extern struct pam_module _pam_sepermit_modstruct;
#endif
extern struct pam_module _pam_shells_modstruct;
extern struct pam_module _pam_stress_modstruct;
extern struct pam_module _pam_succeed_if_modstruct;
extern struct pam_module _pam_tally_modstruct;
extern struct pam_module _pam_time_modstruct;
+#ifdef HAVE_AUDIT_TTY_STATUS
+extern struct pam_module _pam_tty_audit_modstruct;
+#endif
extern struct pam_module _pam_umask_modstruct;
extern struct pam_module _pam_unix_acct_modstruct;
extern struct pam_module _pam_unix_auth_modstruct;
@@ -92,12 +98,14 @@ static struct pam_module *static_modules[] = {
&_pam_echo_modstruct,
&_pam_env_modstruct,
&_pam_exec_modstruct,
- &_pam_faildelay,
+ &_pam_faildelay_modstruct,
&_pam_filter_modstruct,
&_pam_ftp_modstruct,
&_pam_group_modstruct,
&_pam_issue_modstruct,
+#ifdef HAVE_KEY_MANAGEMENT
&_pam_keyinit_modstruct,
+#endif
&_pam_lastlog_modstruct,
&_pam_limits_modstruct,
&_pam_listfile_modstruct,
@@ -107,7 +115,7 @@ static struct pam_module *static_modules[] = {
&_pam_mkhomedir_modstruct,
&_pam_motd_modstruct,
#ifdef HAVE_UNSHARE
- &_pam_namespace,
+ &_pam_namespace_modstruct,
#endif
&_pam_nologin_modstruct,
&_pam_permit_modstruct,
@@ -117,12 +125,16 @@ static struct pam_module *static_modules[] = {
&_pam_securetty_modstruct,
#ifdef WITH_SELINUX
&_pam_selinux_modstruct,
+ &_pam_sepermit_modstruct,
#endif
&_pam_shells_modstruct,
&_pam_stress_modstruct,
&_pam_succeed_if_modstruct,
&_pam_tally_modstruct,
&_pam_time_modstruct,
+#ifdef HAVE_AUDIT_TTY_STATUS
+ &_pam_tty_audit_modstruct,
+#endif
&_pam_umask_modstruct,
&_pam_unix_acct_modstruct,
&_pam_unix_auth_modstruct,