authorSteve Langasek <vorlon@debian.org>2019-02-11 16:13:42 -0800
committerSteve Langasek <vorlon@debian.org>2019-02-12 06:07:57 +0000
commit668b13da8f830c38388cecac45539972e80cb246 (patch)
treeba3a4e02ed5ec62fe645dfa810c01d26decf591f /modules
parentf00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb (diff)
parent3b77a78d575b8ab56bb0e828499df328d55c925f (diff)
New upstream version 1.3.1
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_access/Makefile.am3
-rw-r--r--modules/pam_access/Makefile.in3
-rw-r--r--modules/pam_access/README30
-rw-r--r--modules/pam_access/access.conf28
-rw-r--r--modules/pam_access/access.conf.531
-rw-r--r--modules/pam_access/access.conf.5.xml34
-rw-r--r--modules/pam_access/pam_access.812
-rw-r--r--modules/pam_access/pam_access.8.xml8
-rw-r--r--modules/pam_access/pam_access.c41
-rw-r--r--modules/pam_cracklib/pam_cracklib.84
-rw-r--r--modules/pam_cracklib/pam_cracklib.c8
-rw-r--r--modules/pam_debug/pam_debug.84
-rw-r--r--modules/pam_deny/pam_deny.84
-rw-r--r--modules/pam_echo/pam_echo.84
-rw-r--r--modules/pam_echo/pam_echo.c2
-rw-r--r--modules/pam_env/pam_env.84
-rw-r--r--modules/pam_env/pam_env.c10
-rw-r--r--modules/pam_env/pam_env.conf.54
-rw-r--r--modules/pam_exec/pam_exec.84
-rw-r--r--modules/pam_exec/pam_exec.c15
-rw-r--r--modules/pam_faildelay/pam_faildelay.84
-rw-r--r--modules/pam_filter/pam_filter.84
-rw-r--r--modules/pam_filter/pam_filter.c40
-rw-r--r--modules/pam_ftp/pam_ftp.84
-rw-r--r--modules/pam_ftp/pam_ftp.c21
-rw-r--r--modules/pam_group/group.conf.54
-rw-r--r--modules/pam_group/pam_group.84
-rw-r--r--modules/pam_group/pam_group.c2
-rw-r--r--modules/pam_issue/pam_issue.84
-rw-r--r--modules/pam_issue/pam_issue.c8
-rw-r--r--modules/pam_keyinit/pam_keyinit.84
-rw-r--r--modules/pam_lastlog/pam_lastlog.84
-rw-r--r--modules/pam_lastlog/pam_lastlog.c12
-rw-r--r--modules/pam_limits/limits.conf.57
-rw-r--r--modules/pam_limits/limits.conf.5.xml2
-rw-r--r--modules/pam_limits/pam_limits.84
-rw-r--r--modules/pam_limits/pam_limits.c12
-rw-r--r--modules/pam_listfile/pam_listfile.84
-rw-r--r--modules/pam_listfile/pam_listfile.c2
-rw-r--r--modules/pam_localuser/README2
-rw-r--r--modules/pam_localuser/pam_localuser.812
-rw-r--r--modules/pam_localuser/pam_localuser.8.xml10
-rw-r--r--modules/pam_loginuid/pam_loginuid.84
-rw-r--r--modules/pam_mail/pam_mail.84
-rw-r--r--modules/pam_mkhomedir/mkhomedir_helper.84
-rw-r--r--modules/pam_mkhomedir/mkhomedir_helper.c16
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.84
-rw-r--r--modules/pam_motd/README24
-rw-r--r--modules/pam_motd/pam_motd.854
-rw-r--r--modules/pam_motd/pam_motd.8.xml36
-rw-r--r--modules/pam_motd/pam_motd.c100
-rw-r--r--modules/pam_namespace/namespace.conf.54
-rw-r--r--modules/pam_namespace/pam_namespace.84
-rw-r--r--modules/pam_namespace/pam_namespace.c10
-rw-r--r--modules/pam_nologin/pam_nologin.84
-rw-r--r--modules/pam_nologin/pam_nologin.c4
-rw-r--r--modules/pam_permit/pam_permit.84
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.84
-rw-r--r--modules/pam_rhosts/pam_rhosts.84
-rw-r--r--modules/pam_rootok/pam_rootok.84
-rw-r--r--modules/pam_securetty/pam_securetty.84
-rw-r--r--modules/pam_securetty/pam_securetty.c4
-rw-r--r--modules/pam_selinux/pam_selinux.84
-rw-r--r--modules/pam_selinux/pam_selinux.c6
-rw-r--r--modules/pam_sepermit/pam_sepermit.84
-rw-r--r--modules/pam_sepermit/sepermit.conf.54
-rw-r--r--modules/pam_shells/pam_shells.84
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.84
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.c8
-rw-r--r--modules/pam_tally/pam_tally.84
-rw-r--r--modules/pam_tally2/pam_tally2.84
-rw-r--r--modules/pam_tally2/pam_tally2.c12
-rw-r--r--modules/pam_time/pam_time.84
-rw-r--r--modules/pam_time/pam_time.c2
-rw-r--r--modules/pam_time/time.conf.54
-rw-r--r--modules/pam_timestamp/pam_timestamp.84
-rw-r--r--modules/pam_timestamp/pam_timestamp.c4
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.84
-rw-r--r--modules/pam_tty_audit/README17
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.828
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml26
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.c83
-rw-r--r--modules/pam_umask/README6
-rw-r--r--modules/pam_umask/pam_umask.812
-rw-r--r--modules/pam_umask/pam_umask.8.xml8
-rw-r--r--modules/pam_unix/pam_unix.84
-rw-r--r--modules/pam_unix/pam_unix_acct.c4
-rw-r--r--modules/pam_unix/pam_unix_auth.c20
-rw-r--r--modules/pam_unix/pam_unix_passwd.c4
-rw-r--r--modules/pam_unix/pam_unix_sess.c4
-rw-r--r--modules/pam_unix/passverify.c2
-rw-r--r--modules/pam_unix/support.c6
-rw-r--r--modules/pam_unix/unix_chkpwd.84
-rw-r--r--modules/pam_unix/unix_chkpwd.c2
-rw-r--r--modules/pam_unix/unix_update.84
-rw-r--r--modules/pam_userdb/pam_userdb.84
-rw-r--r--modules/pam_userdb/pam_userdb.c2
-rw-r--r--modules/pam_warn/pam_warn.84
-rw-r--r--modules/pam_wheel/pam_wheel.84
-rw-r--r--modules/pam_xauth/pam_xauth.84
-rw-r--r--modules/pam_xauth/pam_xauth.c4
101 files changed, 696 insertions, 355 deletions
diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am
index 6c0f738e..924b7219 100644
--- a/modules/pam_access/Makefile.am
+++ b/modules/pam_access/Makefile.am
@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \
+ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\"
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff --git a/modules/pam_access/Makefile.in b/modules/pam_access/Makefile.in
index a95dc1fe..02a35cb0 100644
--- a/modules/pam_access/Makefile.in
+++ b/modules/pam_access/Makefile.in
@@ -573,7 +573,8 @@ XMLS = README.xml access.conf.5.xml pam_access.8.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \
+ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\"
AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
securelib_LTLIBRARIES = pam_access.la
diff --git a/modules/pam_access/README b/modules/pam_access/README
index f605c240..0e16c0d8 100644
--- a/modules/pam_access/README
+++ b/modules/pam_access/README
@@ -10,7 +10,13 @@ names, internet addresses or network numbers, or on terminal line names, X
$DISPLAY values, or PAM service names in case of non-networked logins.
By default rules for access management are taken from config file /etc/security
-/access.conf if you don't specify another file.
+/access.conf if you don't specify another file. Then individual *.conf files
+from the /etc/security/access.d/ directory are read. The files are parsed one
+after another in the order of the system locale. The effect of the individual
+files is the same as if all the files were concatenated together in the order
+of parsing. This means that once a pattern is matched in some file no further
+files are parsed. If a config file is explicitly specified with the accessfile
+option the files in the above directory are not parsed.
If Linux PAM is compiled with audit support the module will report when it
denies access based on origin (host, tty, etc.).
@@ -66,49 +72,49 @@ access.conf.
User root should be allowed to get access via cron, X11 terminal :0, tty1, ...,
tty5, tty6.
-+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
++:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
User root should be allowed to get access from hosts which own the IPv4
addresses. This does not mean that the connection have to be a IPv4 one, a IPv6
connection from a host with one of this IPv4 addresses does work, too.
-+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
++:root:192.168.200.1 192.168.200.4 192.168.200.9
-+ : root : 127.0.0.1
++:root:127.0.0.1
User root should get access from network 192.168.201. where the term will be
evaluated by string matching. But it might be better to use network/netmask
instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/
255.255.255.0.
-+ : root : 192.168.201.
++:root:192.168.201.
User root should be able to have access from hosts foo1.bar.org and
foo2.bar.org (uses string matching also).
-+ : root : foo1.bar.org foo2.bar.org
++:root:foo1.bar.org foo2.bar.org
User root should be able to have access from domain foo.bar.org (uses string
matching also).
-+ : root : .foo.bar.org
++:root:.foo.bar.org
User root should be denied to get access from all other sources.
-- : root : ALL
+-:root:ALL
User foo and members of netgroup admins should be allowed to get access from
all sources. This will only work if netgroup service is available.
-+ : @admins foo : ALL
++:@admins foo:ALL
User john and foo should get access from IPv6 host address.
-+ : john foo : 2001:db8:0:101::1
++:john foo:2001:db8:0:101::1
User john should get access from IPv6 net/mask.
-+ : john : 2001:db8:0:101::/64
++:john:2001:db8:0:101::/64
Disallow console logins to all but the shutdown, sync and all other accounts,
which are a member of the wheel group.
@@ -117,5 +123,5 @@ which are a member of the wheel group.
All other users should be denied to get access from all sources.
-- : ALL : ALL
+-:ALL:ALL
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 74c5fbe8..47b6b84c 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -18,7 +18,7 @@
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
-# permission : users : origins
+# permission:users:origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
@@ -79,44 +79,44 @@
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
-#+ : root : 127.0.0.1
+#+:root:192.168.200.1 192.168.200.4 192.168.200.9
+#+:root:127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
-#+ : root : 192.168.201.
+#+:root:192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
-#+ : root : .foo.bar.org
+#+:root:.foo.bar.org
#
# User "root" should be denied to get access from all other sources.
-#- : root : ALL
+#-:root:ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
-#+ : @nis_group foo : ALL
+#+:@nis_group foo:ALL
#
# User "john" should get access from ipv4 net/mask
-#+ : john : 127.0.0.0/24
+#+:john:127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
-#+ : john : ::ffff:127.0.0.0/127
+#+:john:::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
-#+ : john : 2001:4ca0:0:101::1
+#+:john:2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
-#+ : john : 2001:4ca0:0:101:0:0:0:1
+#+:john:2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
-#+ : john : 2001:4ca0:0:101::/64
+#+:john:2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
-#- : ALL : ALL
+#-:ALL:ALL
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
index 5ef63053..8e7ea4cf 100644
--- a/modules/pam_access/access.conf.5
+++ b/modules/pam_access/access.conf.5
@@ -2,12 +2,12 @@
.\" Title: access.conf
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "ACCESS\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "ACCESS\&.CONF" "5" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -119,15 +119,15 @@ should be allowed to get access via
\fItty5\fR,
\fItty6\fR\&.
.PP
-+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
++:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
.PP
User
\fIroot\fR
should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&.
.PP
-+ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9
++:root:192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9
.PP
-+ : root : 127\&.0\&.0\&.1
++:root:127\&.0\&.0\&.1
.PP
User
\fIroot\fR
@@ -140,7 +140,7 @@ is
or
\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&.
.PP
-+ : root : 192\&.168\&.201\&.
++:root:192\&.168\&.201\&.
.PP
User
\fIroot\fR
@@ -150,7 +150,7 @@ and
\fIfoo2\&.bar\&.org\fR
(uses string matching also)\&.
.PP
-+ : root : foo1\&.bar\&.org foo2\&.bar\&.org
++:root:foo1\&.bar\&.org foo2\&.bar\&.org
.PP
User
\fIroot\fR
@@ -158,13 +158,13 @@ should be able to have access from domain
\fIfoo\&.bar\&.org\fR
(uses string matching also)\&.
.PP
-+ : root : \&.foo\&.bar\&.org
++:root:\&.foo\&.bar\&.org
.PP
User
\fIroot\fR
should be denied to get access from all other sources\&.
.PP
-\- : root : ALL
+\-:root:ALL
.PP
User
\fIfoo\fR
@@ -172,7 +172,7 @@ and members of netgroup
\fIadmins\fR
should be allowed to get access from all sources\&. This will only work if netgroup service is available\&.
.PP
-+ : @admins foo : ALL
++:@admins foo:ALL
.PP
User
\fIjohn\fR
@@ -180,13 +180,13 @@ and
\fIfoo\fR
should get access from IPv6 host address\&.
.PP
-+ : john foo : 2001:db8:0:101::1
++:john foo:2001:db8:0:101::1
.PP
User
\fIjohn\fR
should get access from IPv6 net/mask\&.
.PP
-+ : john : 2001:db8:0:101::/64
++:john:2001:db8:0:101::/64
.PP
Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&.
.PP
@@ -194,7 +194,12 @@ Disallow console logins to all but the shutdown, sync and all other accounts, wh
.PP
All other users should be denied to get access from all sources\&.
.PP
-\- : ALL : ALL
+\-:ALL:ALL
+.SH "NOTES"
+.PP
+The default separators of list items in a field are space, \*(Aq,\*(Aq, and tabulator characters\&. Thus conveniently if spaces are put at the beginning and the end of the fields they are ignored\&. However if the list separator is changed with the
+\fIlistsep\fR
+option, the spaces will become part of the actual item and the line will be most probably ignored\&. For this reason, it is not recommended to put spaces around the \*(Aq:\*(Aq characters\&.
.SH "SEE ALSO"
.PP
\fBpam_access\fR(8),
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index d686d92b..386346b9 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -139,7 +139,7 @@
<emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
<emphasis>tty6</emphasis>.
</para>
- <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
+ <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
<para>
User <emphasis>root</emphasis> should be allowed to get access from
@@ -147,8 +147,8 @@
connection have to be a IPv4 one, a IPv6 connection from a host with
one of this IPv4 addresses does work, too.
</para>
- <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
- <para>+ : root : 127.0.0.1</para>
+ <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para>
+ <para>+:root:127.0.0.1</para>
<para>
User <emphasis>root</emphasis> should get access from network
@@ -158,44 +158,44 @@
<emphasis>192.168.201.0/24</emphasis> or
<emphasis>192.168.201.0/255.255.255.0</emphasis>.
</para>
- <para>+ : root : 192.168.201.</para>
+ <para>+:root:192.168.201.</para>
<para>
User <emphasis>root</emphasis> should be able to have access from hosts
<emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
(uses string matching also).
</para>
- <para>+ : root : foo1.bar.org foo2.bar.org</para>
+ <para>+:root:foo1.bar.org foo2.bar.org</para>
<para>
User <emphasis>root</emphasis> should be able to have access from
domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
</para>
- <para>+ : root : .foo.bar.org</para>
+ <para>+:root:.foo.bar.org</para>
<para>
User <emphasis>root</emphasis> should be denied to get access
from all other sources.
</para>
- <para>- : root : ALL</para>
+ <para>-:root:ALL</para>
<para>
User <emphasis>foo</emphasis> and members of netgroup
<emphasis>admins</emphasis> should be allowed to get access
from all sources. This will only work if netgroup service is available.
</para>
- <para>+ : @admins foo : ALL</para>
+ <para>+:@admins foo:ALL</para>
<para>
User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
should get access from IPv6 host address.
</para>
- <para>+ : john foo : 2001:db8:0:101::1</para>
+ <para>+:john foo:2001:db8:0:101::1</para>
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
- <para>+ : john : 2001:db8:0:101::/64</para>
+ <para>+:john:2001:db8:0:101::/64</para>
<para>
Disallow console logins to all but the shutdown, sync and all
@@ -206,10 +206,22 @@
<para>
All other users should be denied to get access from all sources.
</para>
- <para>- : ALL : ALL</para>
+ <para>-:ALL:ALL</para>
</refsect1>
+ <refsect1 id="access.conf-notes">
+ <title>NOTES</title>
+ <para>
+ The default separators of list items in a field are space, ',', and tabulator
+ characters. Thus conveniently if spaces are put at the beginning and the end of
+ the fields they are ignored. However if the list separator is changed with the
+ <emphasis>listsep</emphasis> option, the spaces will become part of the actual
+ item and the line will be most probably ignored. For this reason, it is not
+ recommended to put spaces around the ':' characters.
+ </para>
+ </refsect1>
+
<refsect1 id="access.conf-see_also">
<title>SEE ALSO</title>
<para>
diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8
index 2a2a2c26..138c3c48 100644
--- a/modules/pam_access/pam_access.8
+++ b/modules/pam_access/pam_access.8
@@ -2,12 +2,12 @@
.\" Title: pam_access
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ACCESS" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_ACCESS" "8" "05/18/2018" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -40,7 +40,13 @@ values, or PAM service names in case of non\-networked logins\&.
.PP
By default rules for access management are taken from config file
/etc/security/access\&.conf
-if you don\*(Aqt specify another file\&.
+if you don\*(Aqt specify another file\&. Then individual
+*\&.conf
+files from the
+/etc/security/access\&.d/
+directory are read\&. The files are parsed one after another in the order of the system locale\&. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\&. This means that once a pattern is matched in some file no further files are parsed\&. If a config file is explicitly specified with the
+\fBaccessfile\fR
+option the files in the above directory are not parsed\&.
.PP
If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc\&.)\&.
.SH "OPTIONS"
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index c629a9f3..9a6556cc 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -57,6 +57,14 @@
By default rules for access management are taken from config file
<filename>/etc/security/access.conf</filename> if you don't specify
another file.
+ Then individual <filename>*.conf</filename> files from the
+ <filename>/etc/security/access.d/</filename> directory are read.
+ The files are parsed one after another in the order of the system locale.
+ The effect of the individual files is the same as if all the files were
+ concatenated together in the order of parsing. This means that once
+ a pattern is matched in some file no further files are parsed.
+ If a config file is explicitly specified with the <option>accessfile</option>
+ option the files in the above directory are not parsed.
</para>
<para>
If Linux PAM is compiled with audit support the module will report
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 3ac1ad00..80d885dd 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -44,6 +44,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
+#include <glob.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif
@@ -87,6 +88,7 @@
#define ALL 2
#define YES 1
#define NO 0
+#define NOMATCH -1
/*
* A structure to bundle up all login-related information to keep the
@@ -415,7 +417,11 @@ login_access (pam_handle_t *pamh, struct login_info *item)
"pam_access", 0);
}
#endif
- return (match == NO || (line[0] == '+'));
+ if (match == NO)
+ return NOMATCH;
+ if (line[0] == '+')
+ return YES;
+ return NO;
}
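Review bot: The end of login_access() now returns one of three values (NOMATCH, YES, NO) instead of a boolean, and because NOMATCH is -1 any caller that still tests the result with `if (rv)` treats "no rule matched" as a grant. Only part of pam_sm_authenticate is visible in this commit, so confirm that its final mapping to a PAM return code handles NOMATCH explicitly rather than by truthiness. A header comment such as `/* returns YES (granted), NO (denied) or NOMATCH (no rule applied to this login) */` would make the new contract visible. The function body starts outside this hunk, so earlier return paths could not be checked.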
@@ -516,7 +522,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
/* Try to split on a pattern (@*[^@]+)(@+.*) */
for (at = tok; *at == '@'; ++at);
- if ((at = strchr(at, '@')) != NULL) {
+ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
+ return (group_match (pamh, tok, string, item->debug));
+ } else if ((at = strchr(at, '@')) != NULL) {
/* split user@host pattern */
if (item->hostname == NULL)
return NO;
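Review bot: The reason the `(group)` test in user_match now runs before the `strchr(at, '@')` split is not recorded in the code, and the order is what decides whether a token is treated as a group or as user@host. Presumably the move is so that a parenthesised group name containing '@' is no longer split as user@host; if so, a comment such as `/* (group) tokens may contain '@'; test them before the user@host split */` above the new `if` would keep a later edit from swapping the branches back. The matching removal is in the next hunk, and user_match starts and ends outside both.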
@@ -541,9 +549,7 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
hostname = item->hostname;
}
return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
- return (group_match (pamh, tok, string, item->debug));
- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
return rv;
else if (item->only_new_group_syntax == NO &&
pam_modutil_user_in_group_nam_nam (pamh,
@@ -727,7 +733,7 @@ network_netmask_match (pam_handle_t *pamh,
{ /* netmask as integre value */
char *endptr = NULL;
netmask = strtol(netmask_ptr, &endptr, 0);
- if ((endptr == NULL) || (*endptr != '\0'))
+ if ((endptr == netmask_ptr) || (*endptr != '\0'))
{ /* invalid netmask value */
return NO;
}
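Review bot: The `strtol(netmask_ptr, &endptr, 0)` call above the corrected check uses base 0, so a prefix length written as `010` or `0x18` is accepted and read as octal or hex. A leading minus sign or an overflowing value also passes both `endptr` tests. If only decimal prefix lengths are intended, `strtol(netmask_ptr, &endptr, 10)` would reject the other forms. A range check on `netmask` is not visible in this hunk and may follow outside it, since network_netmask_match continues past the end of the hunk.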
@@ -800,6 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
const char *user=NULL;
const void *void_from=NULL;
const char *from;
+ const char const *default_config = PAM_ACCESS_CONFIG;
struct passwd *user_pw;
char hostname[MAXHOSTNAMELEN + 1];
int rv;
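Review bot: The declaration `const char const *default_config` repeats the qualifier on `char` and leaves the pointer itself mutable, which is probably not what was meant and draws a duplicate-specifier warning from some compilers. Since the later hunk in this function compares `loginfo.config_file == default_config` to decide whether access.d is consulted, the pointer should not be reassignable: `const char * const default_config = PAM_ACCESS_CONFIG;`. pam_sm_authenticate continues outside this hunk.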
@@ -821,7 +828,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
*/
memset(&loginfo, '\0', sizeof(loginfo));
loginfo.user = user_pw;
- loginfo.config_file = PAM_ACCESS_CONFIG;
+ loginfo.config_file = default_config;
/* parse the argument list */
@@ -892,6 +899,26 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
rv = login_access(pamh, &loginfo);
+ if (rv == NOMATCH && loginfo.config_file == default_config) {
+ glob_t globbuf;
+ int i, glob_rv;
+
+ /* We do not manipulate locale as setlocale() is not
+ * thread safe. We could use uselocale() in future.
+ */
+ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
+ if (!glob_rv) {
+ /* Parse the *.conf files. */
+ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
+ loginfo.config_file = globbuf.gl_pathv[i];
+ rv = login_access(pamh, &loginfo);
+ if (rv != NOMATCH)
+ break;
+ }
+ globfree(&globbuf);
+ }
+ }
+
if (loginfo.gai_rv == 0 && loginfo.res)
freeaddrinfo(loginfo.res);
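Review bot: A glob() failure other than "no files" is silently dropped in the new access.d block, because with GLOB_ERR an unreadable directory or file aborts the scan and `rv` simply stays NOMATCH, with nothing logged. How NOMATCH maps to a PAM result is outside this hunk, so whether that fails open cannot be told from here; at minimum the error should be logged, and failing closed is worth considering. Second, after the loop `loginfo.config_file` still points into `globbuf.gl_pathv`, which globfree() releases, so any later read of that field would use freed memory; resetting it to `default_config` before globfree() avoids that. The fence shows both changes.
```c
    glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
    if (glob_rv == 0) {
        /* … unchanged: loop over globbuf.gl_pathv calling login_access() … */
        /* config_file pointed into globbuf; restore it before the paths are freed */
        loginfo.config_file = default_config;
        globfree(&globbuf);
    } else if (glob_rv != GLOB_NOMATCH) {
        /* directory or file unreadable: rules in access.d were not evaluated */
        pam_syslog(pamh, LOG_ERR, "failed to read %s", ACCESS_CONF_GLOB);
    }
```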
diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8
index 849b4821..3ed37e8e 100644
--- a/modules/pam_cracklib/pam_cracklib.8
+++ b/modules/pam_cracklib/pam_cracklib.8
@@ -2,12 +2,12 @@
.\" Title: pam_cracklib
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_CRACKLIB" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CRACKLIB" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 16549319..45c02aba 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -64,12 +64,6 @@ extern char *FascistCheck(char *pw, const char *dictpath);
#define CRACKLIB_DICTS NULL
#endif
-/* For Translators: "%s%s" could be replaced with "<service> " or "". */
-#define PROMPT1 _("New %s%spassword: ")
-/* For Translators: "%s%s" could be replaced with "<service> " or "". */
-#define PROMPT2 _("Retype new %s%spassword: ")
-#define MISTYPED_PASS _("Sorry, passwords do not match.")
-
#ifdef MIN
#undef MIN
#endif
@@ -408,7 +402,7 @@ static int simple(struct cracklib_options *opt, const char *new)
} else
sameclass++;
}
- if (opt->max_class_repeat > 1 && sameclass > opt->max_class_repeat) {
+ if (opt->max_class_repeat > 0 && sameclass > opt->max_class_repeat) {
return 1;
}
}
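Review bot: The new condition `opt->max_class_repeat > 0` relies on zero (or a negative value) meaning "limit disabled", and nothing in the hunk says so. With this change a configured value of 1 is enforced where it was previously ignored, so existing configurations that set 1 will start rejecting passwords. A comment such as `/* max_class_repeat <= 0 disables the same-class run limit */` above the test would document the sentinel. simple() starts and ends outside this hunk.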
diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8
index 476bc924..bba7f934 100644
--- a/modules/pam_debug/pam_debug.8
+++ b/modules/pam_debug/pam_debug.8
@@ -2,12 +2,12 @@
.\" Title: pam_debug
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_DEBUG" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DEBUG" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8
index ad2142eb..662a3081 100644
--- a/modules/pam_deny/pam_deny.8
+++ b/modules/pam_deny/pam_deny.8
@@ -2,12 +2,12 @@
.\" Title: pam_deny
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_DENY" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DENY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_echo/pam_echo.8 b/modules/pam_echo/pam_echo.8
index b0e5cc03..f291bff8 100644
--- a/modules/pam_echo/pam_echo.8
+++ b/modules/pam_echo/pam_echo.8
@@ -2,12 +2,12 @@
.\" Title: pam_echo
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ECHO" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_ECHO" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c
index 8e3d35f9..38303880 100644
--- a/modules/pam_echo/pam_echo.c
+++ b/modules/pam_echo/pam_echo.c
@@ -76,7 +76,7 @@ replace_and_print (pam_handle_t *pamh, const char *mesg)
output = malloc (length);
if (output == NULL)
{
- pam_syslog (pamh, LOG_ERR, "running out of memory");
+ pam_syslog (pamh, LOG_CRIT, "running out of memory");
return PAM_BUF_ERR;
}
diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8
index 2c9e11c7..2a3ea165 100644
--- a/modules/pam_env/pam_env.8
+++ b/modules/pam_env/pam_env.8
@@ -2,12 +2,12 @@
.\" Title: pam_env
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ENV" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_ENV" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 0b8002f8..3846e359 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -384,7 +384,7 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var)
length = strcspn(buffer," \t\n");
if ((var->name = malloc(length + 1)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1);
+ pam_syslog(pamh, LOG_CRIT, "Couldn't malloc %d bytes", length+1);
return PAM_BUF_ERR;
}
@@ -440,7 +440,7 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var)
if (length) {
if ((*valptr = malloc(length + 1)) == NULL) {
D(("Couldn't malloc %d bytes", length+1));
- pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1);
+ pam_syslog(pamh, LOG_CRIT, "Couldn't malloc %d bytes", length+1);
return PAM_BUF_ERR;
}
(void)strncpy(*valptr,ptr,length);
@@ -653,7 +653,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
free(*value);
if ((*value = malloc(strlen(tmp) +1)) == NULL) {
D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1));
- pam_syslog (pamh, LOG_ERR, "Couldn't malloc %lu bytes for expanded var",
+ pam_syslog (pamh, LOG_CRIT, "Couldn't malloc %lu bytes for expanded var",
(unsigned long)strlen(tmp)+1);
return PAM_BUF_ERR;
}
@@ -722,7 +722,7 @@ static int _define_var(pam_handle_t *pamh, int ctrl, VAR *var)
D(("Called."));
if (asprintf(&envvar, "%s=%s", var->name, var->value) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
return PAM_BUF_ERR;
}
@@ -814,7 +814,7 @@ handle_env (pam_handle_t *pamh, int argc, const char **argv)
else {
if (asprintf(&envpath, "%s/%s", user_entry->pw_dir, user_env_file) < 0)
{
- pam_syslog(pamh, LOG_ERR, "Out of memory");
+ pam_syslog(pamh, LOG_CRIT, "Out of memory");
return PAM_BUF_ERR;
}
if (stat(envpath, &statbuf) == 0) {
diff --git a/modules/pam_env/pam_env.conf.5 b/modules/pam_env/pam_env.conf.5
index c19505c9..ffa35a13 100644
--- a/modules/pam_env/pam_env.conf.5
+++ b/modules/pam_env/pam_env.conf.5
@@ -2,12 +2,12 @@
.\" Title: pam_env.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ENV\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ENV\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8
index 877223c3..f4cff034 100644
--- a/modules/pam_exec/pam_exec.8
+++ b/modules/pam_exec/pam_exec.8
@@ -2,12 +2,12 @@
.\" Title: pam_exec
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_EXEC" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_EXEC" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index 0ab65489..52dc6818 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -177,9 +177,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
return retval;
}
- pam_set_item (pamh, PAM_AUTHTOK, resp);
- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
- _pam_drop (resp);
+ if (resp)
+ {
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ _pam_drop (resp);
+ }
}
else
authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
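Review bot: When `resp` is NULL the new guard skips the assignment, so `authtok` keeps whatever value it had before this block. The code that later consumes it is outside the hunk, so it is worth confirming that path tests `authtok` for NULL before taking its length. Inside the guard the result of `pam_set_item` is still discarded, so a failure to store PAM_AUTHTOK goes unnoticed; `retval = pam_set_item (pamh, PAM_AUTHTOK, resp);` followed by a check on `retval` would surface it. call_exec starts and ends outside the hunk.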
@@ -426,7 +429,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
if (tmp == NULL)
{
free(envlist);
- pam_syslog (pamh, LOG_ERR, "realloc environment failed: %m");
+ pam_syslog (pamh, LOG_CRIT, "realloc environment failed: %m");
_exit (ENOMEM);
}
envlist = tmp;
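Review bot: `%m` in this message is expanded from errno only after `free(envlist)` has run, and on C libraries where free() may modify errno the logged reason can be wrong. Logging first keeps it accurate: move `pam_syslog (pamh, LOG_CRIT, "realloc environment failed: %m");` above `free(envlist);`. The same ordering appears in the two `prepare environment failed: %m` hunks further down (@@ -439 and @@ -449). There asprintf is not guaranteed to set errno either, so a fixed "out of memory" text may be clearer. call_exec continues outside the hunk.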
@@ -439,7 +442,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0)
{
free(envlist);
- pam_syslog (pamh, LOG_ERR, "prepare environment failed: %m");
+ pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m");
_exit (ENOMEM);
}
envlist[envlen++] = envstr;
@@ -449,7 +452,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
if (asprintf(&envstr, "PAM_TYPE=%s", pam_type) < 0)
{
free(envlist);
- pam_syslog (pamh, LOG_ERR, "prepare environment failed: %m");
+ pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m");
_exit (ENOMEM);
}
envlist[envlen++] = envstr;
diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8
index c5612428..60818dda 100644
--- a/modules/pam_faildelay/pam_faildelay.8
+++ b/modules/pam_faildelay/pam_faildelay.8
@@ -2,12 +2,12 @@
.\" Title: pam_faildelay
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_FAILDELAY" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FAILDELAY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_filter/pam_filter.8 b/modules/pam_filter/pam_filter.8
index 39eab3a9..e4588f68 100644
--- a/modules/pam_filter/pam_filter.8
+++ b/modules/pam_filter/pam_filter.8
@@ -2,12 +2,12 @@
.\" Title: pam_filter
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_FILTER" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FILTER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
index 6e6a0cf7..8ab7981a 100644
--- a/modules/pam_filter/pam_filter.c
+++ b/modules/pam_filter/pam_filter.c
@@ -78,13 +78,13 @@ static int process_args(pam_handle_t *pamh
} else if (strcmp("run1",*argv) == 0) {
ctrl |= FILTER_RUN1;
if (argc <= 0) {
- pam_syslog(pamh, LOG_ALERT, "no run filter supplied");
+ pam_syslog(pamh, LOG_ERR, "no run filter supplied");
} else
break;
} else if (strcmp("run2",*argv) == 0) {
ctrl |= FILTER_RUN2;
if (argc <= 0) {
- pam_syslog(pamh, LOG_ALERT, "no run filter supplied");
+ pam_syslog(pamh, LOG_ERR, "no run filter supplied");
} else
break;
} else {
@@ -261,7 +261,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
int fd[2], child=0, child2=0, aterminal;
if (filtername == NULL || *filtername != '/') {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"filtername not permitted; full pathname required");
return PAM_ABORT;
}
@@ -310,7 +310,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */
if ( tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_mode) < 0 ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"couldn't put terminal in RAW mode: %m");
close(fd[0]);
return PAM_ABORT;
@@ -329,7 +329,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
*/
if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) {
- pam_syslog(pamh, LOG_CRIT, "couldn't open a stream pipe: %m");
+ pam_syslog(pamh, LOG_ERR, "couldn't open a stream pipe: %m");
return PAM_ABORT;
}
}
@@ -338,7 +338,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( (child = fork()) < 0 ) {
- pam_syslog(pamh, LOG_WARNING, "first fork failed: %m");
+ pam_syslog(pamh, LOG_ERR, "first fork failed: %m");
if (aterminal) {
(void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode);
close(fd[0]);
@@ -369,20 +369,20 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
/* make this process it's own process leader */
if (setsid() == -1) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"child cannot become new session: %m");
return PAM_ABORT;
}
/* grant slave terminal */
if (grantpt (fd[0]) < 0) {
- pam_syslog(pamh, LOG_WARNING, "Cannot grant acccess to slave terminal");
+ pam_syslog(pamh, LOG_ERR, "Cannot grant acccess to slave terminal");
return PAM_ABORT;
}
/* unlock slave terminal */
if (unlockpt (fd[0]) < 0) {
- pam_syslog(pamh, LOG_WARNING, "Cannot unlock slave terminal");
+ pam_syslog(pamh, LOG_ERR, "Cannot unlock slave terminal");
return PAM_ABORT;
}
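Review bot: The message on the changed grantpt line still reads `"Cannot grant acccess to slave terminal"` with three c's, which defeats log searches for "access". Since the line is being touched anyway it could become `pam_syslog(pamh, LOG_ERR, "Cannot grant access to slave terminal");`. This message and the unlockpt one also omit `%m`, unlike the setsid message in the same hunk, so the errno from the failing call is not logged. set_filter starts and ends outside the hunk.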
@@ -390,7 +390,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
terminal = ptsname(fd[0]); /* returned value should not be freed */
if (terminal == NULL) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"Cannot get the name of the slave terminal: %m");
return PAM_ABORT;
}
@@ -399,7 +399,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
close(fd[0]); /* process is the child -- uses line fd[1] */
if (fd[1] < 0) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"cannot open slave terminal: %s: %m", terminal);
return PAM_ABORT;
}
@@ -408,7 +408,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
parent's was before we set it into RAW mode */
if ( tcsetattr(fd[1], TCSANOW, &stored_mode) < 0 ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"cannot set slave terminal mode: %s: %m", terminal);
close(fd[1]);
return PAM_ABORT;
@@ -424,7 +424,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO ||
dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO ||
dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"unable to re-assign STDIN/OUT/ERR: %m");
close(fd[1]);
return PAM_ABORT;
@@ -435,7 +435,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( fcntl(STDIN_FILENO, F_SETFD, 0) ||
fcntl(STDOUT_FILENO,F_SETFD, 0) ||
fcntl(STDERR_FILENO,F_SETFD, 0) ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"unable to re-assign STDIN/OUT/ERR: %m");
return PAM_ABORT;
}
@@ -462,7 +462,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( (child2 = fork()) < 0 ) {
- pam_syslog(pamh, LOG_WARNING, "filter fork failed: %m");
+ pam_syslog(pamh, LOG_ERR, "filter fork failed: %m");
child2 = 0;
} else if ( child2 == 0 ) { /* exec the child filter */
@@ -470,7 +470,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO ||
dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO ||
dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"unable to re-assign APPIN/OUT/ERR: %m");
close(fd[0]);
_exit(1);
@@ -481,7 +481,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 ||
fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 ||
fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_ERR,
"unable to retain APPIN/OUT/ERR: %m");
close(APPIN_FILENO);
close(APPOUT_FILENO);
@@ -495,7 +495,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
/* getting to here is an error */
- pam_syslog(pamh, LOG_ALERT, "filter: %s: %m", filtername);
+ pam_syslog(pamh, LOG_ERR, "filter: %s: %m", filtername);
_exit(1);
} else { /* wait for either of the two children to exit */
@@ -524,7 +524,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
child2 = 0;
} else {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"programming error <chid=%d,lstatus=%x> "
"in file %s at line %d",
chid, lstatus, __FILE__, __LINE__);
@@ -562,7 +562,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
} else {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"programming error <chid=%d,lstatus=%x> "
"in file %s at line %d",
chid, lstatus, __FILE__, __LINE__);
diff --git a/modules/pam_ftp/pam_ftp.8 b/modules/pam_ftp/pam_ftp.8
index 6561985c..1d5c9b7b 100644
--- a/modules/pam_ftp/pam_ftp.8
+++ b/modules/pam_ftp/pam_ftp.8
@@ -2,12 +2,12 @@
.\" Title: pam_ftp
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_FTP" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FTP" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c
index 6b6cf2a0..1c2f1456 100644
--- a/modules/pam_ftp/pam_ftp.c
+++ b/modules/pam_ftp/pam_ftp.c
@@ -71,11 +71,10 @@ _pam_parse(pam_handle_t *pamh, int argc, const char **argv, const char **users)
* return 1 if listed 0 if not.
*/
-static int lookup(const char *name, const char *list, const char **_user)
+static int lookup(const char *name, const char *list, char **_user)
{
int anon = 0;
- *_user = name; /* this is the default */
if (list && *list) {
const char *l;
char *list_copy, *x;
@@ -86,12 +85,14 @@ static int lookup(const char *name, const char *list, const char **_user)
while (list_copy && (l = strtok_r(x, ",", &sptr))) {
x = NULL;
if (!strcmp(name, l)) {
- *_user = list;
+ *_user = list_copy;
anon = 1;
+ break;
}
}
- _pam_overwrite(list_copy);
- _pam_drop(list_copy);
+ if (*_user != list_copy) {
+ free(list_copy);
+ }
} else {
#define MAX_L 2
static const char *l[MAX_L] = { "ftp", "anonymous" };
@@ -99,7 +100,7 @@ static int lookup(const char *name, const char *list, const char **_user)
for (i=0; i<MAX_L; ++i) {
if (!strcmp(l[i], name)) {
- *_user = l[0];
+ *_user = strdup(l[0]);
anon = 1;
break;
}
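Review bot: `*_user = strdup(l[0]);` is not checked, yet `anon = 1` is set on the next line, so on allocation failure lookup() reports a match while handing back a NULL user. The caller does test for NULL, but only after passing the pointer to pam_set_item. The new ownership contract is also undocumented; the comment above lookup() could gain a line such as `/* on a match *_user is malloc'd (caller frees) and may be NULL if out of memory */`. lookup() continues outside the hunk.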
@@ -117,6 +118,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
{
int retval, anon=0, ctrl;
const char *user;
+ char *anon_user = NULL;
const char *users = NULL;
/*
@@ -134,15 +136,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
}
if (!(ctrl & PAM_NO_ANON)) {
- anon = lookup(user, users, &user);
+ anon = lookup(user, users, &anon_user);
}
if (anon) {
- retval = pam_set_item(pamh, PAM_USER, (const void *)user);
- if (retval != PAM_SUCCESS || user == NULL) {
+ retval = pam_set_item(pamh, PAM_USER, (const void *)anon_user);
+ if (retval != PAM_SUCCESS || anon_user == NULL) {
pam_syslog(pamh, LOG_ERR, "user resetting failed");
return PAM_USER_UNKNOWN;
}
+ free(anon_user);
}
/*
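Review bot: The error branch returns without releasing `anon_user`, so the string allocated by lookup() leaks when pam_set_item fails with a non-NULL `anon_user`. Adding `free(anon_user);` before `return PAM_USER_UNKNOWN;` closes it. The NULL test also runs only after `pam_set_item(pamh, PAM_USER, ...)` has been called with the pointer, so testing `anon_user == NULL` first would avoid handing NULL to pam_set_item. `user` is no longer updated by lookup(); whether later code in pam_sm_authenticate expects it to hold the anonymous name cannot be seen here, as the function continues outside the hunk.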
diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5
index a106f919..933a22ec 100644
--- a/modules/pam_group/group.conf.5
+++ b/modules/pam_group/group.conf.5
@@ -2,12 +2,12 @@
.\" Title: group.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "GROUP\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "GROUP\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8
index 4dcce3ca..804c921a 100644
--- a/modules/pam_group/pam_group.8
+++ b/modules/pam_group/pam_group.8
@@ -2,12 +2,12 @@
.\" Title: pam_group
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_GROUP" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_GROUP" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 263b3d51..8cd178c0 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -91,7 +91,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state)
if (! *buf) {
*buf = (char *) calloc(1, PAM_GROUP_BUFLEN+1);
if (! *buf) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
D(("no memory"));
*state = STATE_EOF;
return -1;
diff --git a/modules/pam_issue/pam_issue.8 b/modules/pam_issue/pam_issue.8
index bfab9dbb..5d61a643 100644
--- a/modules/pam_issue/pam_issue.8
+++ b/modules/pam_issue/pam_issue.8
@@ -2,12 +2,12 @@
.\" Title: pam_issue
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ISSUE" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ISSUE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
index 5b5ee416..5fa21c37 100644
--- a/modules/pam_issue/pam_issue.c
+++ b/modules/pam_issue/pam_issue.c
@@ -105,7 +105,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
char *new_prompt = realloc(issue_prompt, size);
if (new_prompt == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto out;
}
@@ -141,7 +141,7 @@ read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt)
}
if ((issue = malloc(st.st_size + 1)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
return PAM_BUF_ERR;
}
@@ -167,7 +167,7 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
*prompt = NULL;
if ((issue = malloc(size)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
return PAM_BUF_ERR;
}
@@ -277,8 +277,8 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
return PAM_BUF_ERR;
}
issue = new_issue;
- strcat(issue, buf);
}
+ strcat(issue, buf);
}
if (ferror(fp)) {
diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8
index c9715933..4dfbffbc 100644
--- a/modules/pam_keyinit/pam_keyinit.8
+++ b/modules/pam_keyinit/pam_keyinit.8
@@ -2,12 +2,12 @@
.\" Title: pam_keyinit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_KEYINIT" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_KEYINIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8
index 649d5fb6..738bd1eb 100644
--- a/modules/pam_lastlog/pam_lastlog.8
+++ b/modules/pam_lastlog/pam_lastlog.8
@@ -2,12 +2,12 @@
.\" Title: pam_lastlog
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LASTLOG" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LASTLOG" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 1e2f08d2..1a796b99 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -204,7 +204,7 @@ last_login_open(pam_handle_t *pamh, int announce, uid_t uid)
D(("unable to create %s file", _PATH_LASTLOG));
return -1;
}
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_NOTICE,
"file %s created", _PATH_LASTLOG);
D(("file %s created", _PATH_LASTLOG));
} else {
@@ -290,7 +290,7 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t
/* TRANSLATORS: " from <host>" */
if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE,
last_login.ll_host) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto cleanup;
}
@@ -302,7 +302,7 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t
/* TRANSLATORS: " on <terminal>" */
if (asprintf(&line, _(" on %.*s"), UT_LINESIZE,
last_login.ll_line) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto cleanup;
}
@@ -480,7 +480,7 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
}
if (retval != 0)
- pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP);
+ pam_syslog(pamh, LOG_ERR, "corruption detected in %s", _PATH_BTMP);
retval = PAM_SUCCESS;
if (failed) {
@@ -504,7 +504,7 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
/* TRANSLATORS: " from <host>" */
if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE,
utuser.ut_host) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto cleanup;
}
@@ -516,7 +516,7 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
/* TRANSLATORS: " on <terminal>" */
if (asprintf(&line, _(" on %.*s"), UT_LINESIZE,
utuser.ut_line) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto cleanup;
}
diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5
index b94af83f..1404553c 100644
--- a/modules/pam_limits/limits.conf.5
+++ b/modules/pam_limits/limits.conf.5
@@ -2,12 +2,12 @@
.\" Title: limits.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "LIMITS\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "LIMITS\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -331,7 +331,8 @@ ftp hard nproc 0
\fBpam_limits\fR(8),
\fBpam.d\fR(5),
\fBpam\fR(8),
-\fBgetrlimit\fR(2)\fBgetrlimit\fR(3p)
+\fBgetrlimit\fR(2),
+\fBgetrlimit\fR(3p)
.SH "AUTHOR"
.PP
pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index 72857982..380a1399 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -335,7 +335,7 @@ ftp hard nproc 0
<citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8
index a9c81786..64044fff 100644
--- a/modules/pam_limits/pam_limits.8
+++ b/modules/pam_limits/pam_limits.8
@@ -2,12 +2,12 @@
.\" Title: pam_limits
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LIMITS" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_LIMITS" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index d63c683e..4bc4ae71 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -286,7 +286,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
}
if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
/* process does not exist anymore */
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_INFO,
"Stale utmp entry (pid %d) for '%s' ignored",
ut->ut_pid, user);
continue;
@@ -299,10 +299,10 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
endutent();
if (count > limit) {
if (name) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_NOTICE,
"Too many logins (max %d) for %s", limit, name);
} else {
- pam_syslog(pamh, LOG_WARNING, "Too many system logins (max %d)", limit);
+ pam_syslog(pamh, LOG_NOTICE, "Too many system logins (max %d)", limit);
}
return LOGIN_ERR;
}
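Review bot: Lowering `Too many logins` from LOG_WARNING to LOG_NOTICE means syslog rules or alerting that select warning and above will no longer see login-limit denials. The same applies to `Refused user %s for service %s` in pam_listfile.c, which goes from LOG_ALERT to LOG_NOTICE. That is a behaviour change for anyone monitoring these messages and should be called out in the release notes. A short comment at each site would also record the intent, for example `/* policy denial, not a fault: NOTICE */`. check_logins starts outside the hunk.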
@@ -1025,7 +1025,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
ctrl = _pam_parse(pamh, argc, argv, pl);
retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
if ( user_name == NULL || retval != PAM_SUCCESS ) {
- pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username");
+ pam_syslog(pamh, LOG_ERR, "open_session - error recovering username");
return PAM_SESSION_ERR;
}
@@ -1039,7 +1039,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
retval = init_limits(pamh, pl, ctrl);
if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_WARNING, "cannot initialize");
+ pam_syslog(pamh, LOG_ERR, "cannot initialize");
return PAM_ABORT;
}
@@ -1082,7 +1082,7 @@ out:
globfree(&globbuf);
if (retval != PAM_SUCCESS)
{
- pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE);
+ pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ",CONF_FILE);
return retval;
}
diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8
index f40611e1..f3d54258 100644
--- a/modules/pam_listfile/pam_listfile.8
+++ b/modules/pam_listfile/pam_listfile.8
@@ -2,12 +2,12 @@
.\" Title: pam_listfile
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LISTFILE" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LISTFILE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c
index c2364065..5723598e 100644
--- a/modules/pam_listfile/pam_listfile.c
+++ b/modules/pam_listfile/pam_listfile.c
@@ -364,7 +364,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
(void) pam_get_item(pamh, PAM_SERVICE, &service);
(void) pam_get_user(pamh, &user_name, NULL);
if (!quiet)
- pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s",
+ pam_syslog (pamh, LOG_NOTICE, "Refused user %s for service %s",
user_name, (const char *)service);
return PAM_AUTH_ERR;
}
diff --git a/modules/pam_localuser/README b/modules/pam_localuser/README
index 50663ead..e4c932cb 100644
--- a/modules/pam_localuser/README
+++ b/modules/pam_localuser/README
@@ -25,7 +25,7 @@ file=/path/passwd
EXAMPLES
-Add the following line to /etc/pam.d/su to allow only local users in group
+Add the following lines to /etc/pam.d/su to allow only local users or group
wheel to use su.
account sufficient pam_localuser.so
diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8
index 1604060b..bb83430c 100644
--- a/modules/pam_localuser/pam_localuser.8
+++ b/modules/pam_localuser/pam_localuser.8
@@ -2,12 +2,12 @@
.\" Title: pam_localuser
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LOCALUSER" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LOCALUSER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -70,15 +70,15 @@ PAM_SERVICE_ERR
No username was given\&.
.RE
.PP
-PAM_USER_UNKNOWN
+PAM_PERM_DENIED
.RS 4
-User not known\&.
+The user is not listed in the passwd file\&.
.RE
.SH "EXAMPLES"
.PP
-Add the following line to
+Add the following lines to
/etc/pam\&.d/su
-to allow only local users in group wheel to use su\&.
+to allow only local users or group wheel to use su\&.
.sp
.if n \{\
.RS 4
diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml
index b06a0bf7..2a8b2e04 100644
--- a/modules/pam_localuser/pam_localuser.8.xml
+++ b/modules/pam_localuser/pam_localuser.8.xml
@@ -106,16 +106,16 @@
<term>PAM_SERVICE_ERR</term>
<listitem>
<para>
- No username was given.
+ No username was given.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>PAM_USER_UNKNOWN</term>
+ <term>PAM_PERM_DENIED</term>
<listitem>
<para>
- User not known.
+ The user is not listed in the passwd file.
</para>
</listitem>
</varlistentry>
@@ -127,8 +127,8 @@
<refsect1 id='pam_localuser-examples'>
<title>EXAMPLES</title>
<para>
- Add the following line to <filename>/etc/pam.d/su</filename> to
- allow only local users in group wheel to use su.
+ Add the following lines to <filename>/etc/pam.d/su</filename> to
+ allow only local users or group wheel to use su.
<programlisting>
account sufficient pam_localuser.so
account required pam_wheel.so
diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8
index 444c79c3..8c5949e4 100644
--- a/modules/pam_loginuid/pam_loginuid.8
+++ b/modules/pam_loginuid/pam_loginuid.8
@@ -2,12 +2,12 @@
.\" Title: pam_loginuid
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LOGINUID" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LOGINUID" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_mail/pam_mail.8 b/modules/pam_mail/pam_mail.8
index 7e2be9f8..41e6e443 100644
--- a/modules/pam_mail/pam_mail.8
+++ b/modules/pam_mail/pam_mail.8
@@ -2,12 +2,12 @@
.\" Title: pam_mail
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_MAIL" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MAIL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8 b/modules/pam_mkhomedir/mkhomedir_helper.8
index a9d9889a..de85f2fa 100644
--- a/modules/pam_mkhomedir/mkhomedir_helper.8
+++ b/modules/pam_mkhomedir/mkhomedir_helper.8
@@ -2,12 +2,12 @@
.\" Title: mkhomedir_helper
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "MKHOMEDIR_HELPER" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "MKHOMEDIR_HELPER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
index 9fafe6ab..9e204c16 100644
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
@@ -338,16 +338,18 @@ make_parent_dirs(char *dir, int make)
char *cp = strrchr(dir, '/');
struct stat st;
- if (!cp || cp == dir)
+ if (!cp)
return rc;
- *cp = '\0';
- if (stat(dir, &st) && errno == ENOENT)
- rc = make_parent_dirs(dir, 1);
- *cp = '/';
+ if (cp != dir) {
+ *cp = '\0';
+ if (stat(dir, &st) && errno == ENOENT)
+ rc = make_parent_dirs(dir, 1);
+ *cp = '/';
- if (rc != PAM_SUCCESS)
- return rc;
+ if (rc != PAM_SUCCESS)
+ return rc;
+ }
if (make && mkdir(dir, 0755) && errno != EEXIST) {
pam_syslog(NULL, LOG_ERR, "unable to create directory %s: %m", dir);
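Review bot: The `mkdir(dir, 0755) && errno != EEXIST` test accepts any existing entry at `dir`, and with the new `cp != dir` branch it is now also reached for a path directly under `/`, where the old code returned early. If the existing entry is a regular file rather than a directory, this level reports success and the problem presumably only shows up later, without this log line. Checking the type on EEXIST would catch it here: `if (make && mkdir(dir, 0755) && (errno != EEXIST || stat(dir, &st) || !S_ISDIR(st.st_mode))) {`. make_parent_dirs starts before and continues past this hunk, so the return path is not visible.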
diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8 b/modules/pam_mkhomedir/pam_mkhomedir.8
index 704e62d5..3efcad50 100644
--- a/modules/pam_mkhomedir/pam_mkhomedir.8
+++ b/modules/pam_mkhomedir/pam_mkhomedir.8
@@ -2,12 +2,12 @@
.\" Title: pam_mkhomedir
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_MKHOMEDIR" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_MKHOMEDIR" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_motd/README b/modules/pam_motd/README
index 12a8fcc7..c16938c1 100644
--- a/modules/pam_motd/README
+++ b/modules/pam_motd/README
@@ -14,14 +14,36 @@ motd=/path/filename
The /path/filename file is displayed as message of the day.
+motd_dir=/path/dirname.d
+
+ The /path/dirname.d directory is scanned and each file contained inside of
+ it is displayed.
+
+When no options are given, the default is to display both /etc/motd and the
+contents of /etc/motd.d. Specifying either option (or both) will disable this
+default behavior.
+
EXAMPLES
The suggested usage for /etc/pam.d/login is:
-session optional pam_motd.so motd=/etc/motd
+session optional pam_motd.so
+
+
+To use a motd file from a different location:
+
+session optional pam_motd.so motd=/elsewhere/motd
+
+
+To use a motd file from elsewhere, along with a corresponding .d directory:
+
+session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d
AUTHOR
pam_motd was written by Ben Collins <bcollins@debian.org>.
+The motd_dir= option was added by Allison Karlitskaya
+<allison.karlitskaya@redhat.com>.
+
diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8
index d63f54fb..21c2ed76 100644
--- a/modules/pam_motd/pam_motd.8
+++ b/modules/pam_motd/pam_motd.8
@@ -2,12 +2,12 @@
.\" Title: pam_motd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_MOTD" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MOTD" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -45,6 +45,18 @@ The
/path/filename
file is displayed as message of the day\&.
.RE
+.PP
+\fBmotd_dir=\fR\fB\fI/path/dirname\&.d\fR\fR
+.RS 4
+The
+/path/dirname\&.d
+directory is scanned and each file contained inside of it is displayed\&.
+.RE
+.PP
+When no options are given, the default is to display both
+/etc/motd
+and the contents of
+/etc/motd\&.d\&. Specifying either option (or both) will disable this default behavior\&.
.SH "MODULE TYPES PROVIDED"
.PP
Only the
@@ -66,7 +78,39 @@ is:
.RS 4
.\}
.nf
-session optional pam_motd\&.so motd=/etc/motd
+session optional pam_motd\&.so
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+To use a
+motd
+file from a different location:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+session optional pam_motd\&.so motd=/elsewhere/motd
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+To use a
+motd
+file from elsewhere, along with a corresponding
+\&.d
+directory:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+session optional pam_motd\&.so motd=/elsewhere/motd motd_dir=/elsewhere/motd\&.d
.fi
.if n \{\
@@ -82,3 +126,7 @@ session optional pam_motd\&.so motd=/etc/motd
.SH "AUTHOR"
.PP
pam_motd was written by Ben Collins <bcollins@debian\&.org>\&.
+.PP
+The
+\fBmotd_dir=\fR
+option was added by Allison Karlitskaya <allison\&.karlitskaya@redhat\&.com>\&.
diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
index ff92154e..906c4ed0 100644
--- a/modules/pam_motd/pam_motd.8.xml
+++ b/modules/pam_motd/pam_motd.8.xml
@@ -52,7 +52,24 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>motd_dir=<replaceable>/path/dirname.d</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The <filename>/path/dirname.d</filename> directory is scanned
+ and each file contained inside of it is displayed.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
+ <para>
+ When no options are given, the default is to display both
+ <filename>/etc/motd</filename> and the contents of
+ <filename>/etc/motd.d</filename>. Specifying either option (or both)
+ will disable this default behavior.
+ </para>
</refsect1>
<refsect1 id="pam_motd-types">
@@ -81,7 +98,20 @@
<para>
The suggested usage for <filename>/etc/pam.d/login</filename> is:
<programlisting>
-session optional pam_motd.so motd=/etc/motd
+session optional pam_motd.so
+ </programlisting>
+ </para>
+ <para>
+ To use a <filename>motd</filename> file from a different location:
+ <programlisting>
+session optional pam_motd.so motd=/elsewhere/motd
+ </programlisting>
+ </para>
+ <para>
+ To use a <filename>motd</filename> file from elsewhere, along with a
+ corresponding <filename>.d</filename> directory:
+ <programlisting>
+session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d
</programlisting>
</para>
</refsect1>
@@ -109,6 +139,10 @@ session optional pam_motd.so motd=/etc/motd
<para>
pam_motd was written by Ben Collins &lt;bcollins@debian.org&gt;.
</para>
+ <para>
+ The <option>motd_dir=</option> option was added by
+ Allison Karlitskaya &lt;allison.karlitskaya@redhat.com&gt;.
+ </para>
</refsect1>
</refentry>
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
index 11c7b565..cc828d7e 100644
--- a/modules/pam_motd/pam_motd.c
+++ b/modules/pam_motd/pam_motd.c
@@ -17,6 +17,7 @@
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
+#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
@@ -33,6 +34,7 @@
#define PAM_SM_SESSION
#define DEFAULT_MOTD "/etc/motd"
+#define DEFAULT_MOTD_D "/etc/motd.d"
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
@@ -47,14 +49,60 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
}
static char default_motd[] = DEFAULT_MOTD;
+static char default_motd_dir[] = DEFAULT_MOTD_D;
+
+static void try_to_display_fd(pam_handle_t *pamh, int fd)
+{
+ struct stat st;
+ char *mtmp = NULL;
+
+ /* fill in message buffer with contents of motd */
+ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
+ return;
+
+ if (!(mtmp = malloc(st.st_size+1)))
+ return;
+
+ if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) {
+ if (mtmp[st.st_size-1] == '\n')
+ mtmp[st.st_size-1] = '\0';
+ else
+ mtmp[st.st_size] = '\0';
+
+ pam_info (pamh, "%s", mtmp);
+ }
+
+ _pam_drop(mtmp);
+}
+
+static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
+{
+ DIR *dirp;
+
+ dirp = opendir(dirname);
+
+ if (dirp != NULL) {
+ struct dirent *entry;
+
+ while ((entry = readdir(dirp))) {
+ int fd = openat(dirfd(dirp), entry->d_name, O_RDONLY);
+
+ if (fd >= 0) {
+ try_to_display_fd(pamh, fd);
+ close(fd);
+ }
+ }
+
+ closedir(dirp);
+ }
+}
int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
int retval = PAM_IGNORE;
- int fd;
const char *motd_path = NULL;
- char *mtmp = NULL;
+ const char *motd_dir_path = NULL;
if (flags & PAM_SILENT) {
return retval;
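Review bot: try_to_display_directory() opens every name readdir() returns, and try_to_display_fd() uses the fstat() result only for its size, so nothing restricts the display to regular files. A FIFO in the directory makes the blocking `openat(..., O_RDONLY)` wait for a writer and holds up session setup, and `.`, `..` and subdirectories are opened needlessly. I would open with `O_RDONLY | O_NONBLOCK` and extend the guard to `if ((fstat(fd, &st) < 0) || !S_ISREG(st.st_mode) || !st.st_size || st.st_size > 0x10000)`; the `open(motd_path, O_RDONLY, 0)` in the next hunk has the same exposure. readdir() order is also unspecified, so the fragments may be shown in a different order from one system to the next.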
@@ -72,41 +120,39 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
"motd= specification missing argument - ignored");
}
}
+ else if (!strncmp(*argv,"motd_dir=",9)) {
+
+ motd_dir_path = 9 + *argv;
+ if (*motd_dir_path != '\0') {
+ D(("set motd.d path: %s", motd_dir_path));
+ } else {
+ motd_dir_path = NULL;
+ pam_syslog(pamh, LOG_ERR,
+ "motd_dir= specification missing argument - ignored");
+ }
+ }
else
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
- if (motd_path == NULL)
+ if (motd_path == NULL && motd_dir_path == NULL) {
motd_path = default_motd;
+ motd_dir_path = default_motd_dir;
+ }
- while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
- struct stat st;
-
- /* fill in message buffer with contents of motd */
- if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
- break;
-
- if (!(mtmp = malloc(st.st_size+1)))
- break;
-
- if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size)
- break;
+ if (motd_path != NULL) {
+ int fd = open(motd_path, O_RDONLY, 0);
- if (mtmp[st.st_size-1] == '\n')
- mtmp[st.st_size-1] = '\0';
- else
- mtmp[st.st_size] = '\0';
-
- pam_info (pamh, "%s", mtmp);
- break;
+ if (fd >= 0) {
+ try_to_display_fd(pamh, fd);
+ close(fd);
+ }
}
- _pam_drop (mtmp);
-
- if (fd >= 0)
- close(fd);
+ if (motd_dir_path != NULL)
+ try_to_display_directory(pamh, motd_dir_path);
- return retval;
+ return retval;
}
/* end of module definition */
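Review bot: The test `if (motd_path == NULL && motd_dir_path == NULL)` has a consequence the code does not state: passing only `motd=` suppresses /etc/motd.d, and passing only `motd_dir=` suppresses /etc/motd. The README in this commit documents it, but a comment at the test would keep code and documentation in step, for example `/* defaults apply only when neither option was given */`. An empty `motd_dir=` is reset to NULL after the log message, so it does not count as given and the defaults can still apply; that is worth stating in the same comment. pam_sm_open_session starts before this hunk.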
diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5
index 1c754f75..be3458f8 100644
--- a/modules/pam_namespace/namespace.conf.5
+++ b/modules/pam_namespace/namespace.conf.5
@@ -2,12 +2,12 @@
.\" Title: namespace.conf
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "NAMESPACE\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "NAMESPACE\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8
index e3110593..630f1a92 100644
--- a/modules/pam_namespace/pam_namespace.8
+++ b/modules/pam_namespace/pam_namespace.8
@@ -2,12 +2,12 @@
.\" Title: pam_namespace
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_NAMESPACE" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_NAMESPACE" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index d02ea09e..f541f891 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -712,7 +712,7 @@ static char *md5hash(const char *instname, struct instance_data *idata)
MD5((const unsigned char *)instname, strlen(instname), inst_digest);
if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
+ pam_syslog(idata->pamh, LOG_CRIT, "Unable to allocate buffer");
return NULL;
}
@@ -801,12 +801,12 @@ static int form_context(const struct polydir_s *polyptr,
scontext = context_new(scon);
if (! scontext) {
- pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ pam_syslog(idata->pamh, LOG_CRIT, "out of memory");
goto fail;
}
fcontext = context_new(*origcon);
if (! fcontext) {
- pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ pam_syslog(idata->pamh, LOG_CRIT, "out of memory");
goto fail;
}
if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
@@ -815,7 +815,7 @@ static int form_context(const struct polydir_s *polyptr,
}
*i_context=strdup(context_str(fcontext));
if (! *i_context) {
- pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ pam_syslog(idata->pamh, LOG_CRIT, "out of memory");
goto fail;
}
@@ -1130,7 +1130,7 @@ static int check_inst_parent(char *ipath, struct instance_data *idata)
*/
inst_parent = (char *) malloc(strlen(ipath)+1);
if (!inst_parent) {
- pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string");
+ pam_syslog(idata->pamh, LOG_CRIT, "Error allocating pathname string");
return PAM_SESSION_ERR;
}
diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8
index 4c457b71..d65cd85c 100644
--- a/modules/pam_nologin/pam_nologin.8
+++ b/modules/pam_nologin/pam_nologin.8
@@ -2,12 +2,12 @@
.\" Title: pam_nologin
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_NOLOGIN" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_NOLOGIN" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c
index 9fd91fdb..56897670 100644
--- a/modules/pam_nologin/pam_nologin.c
+++ b/modules/pam_nologin/pam_nologin.c
@@ -75,7 +75,7 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts)
int fd = -1;
if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) {
- pam_syslog(pamh, LOG_WARNING, "cannot determine username");
+ pam_syslog(pamh, LOG_ERR, "cannot determine username");
return PAM_USER_UNKNOWN;
}
@@ -111,7 +111,7 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts)
mtmp = malloc(st.st_size+1);
if (!mtmp) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_BUF_ERR;
goto clean_up_fd;
}
diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8
index dfab5319..021c7590 100644
--- a/modules/pam_permit/pam_permit.8
+++ b/modules/pam_permit/pam_permit.8
@@ -2,12 +2,12 @@
.\" Title: pam_permit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_PERMIT" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PERMIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_pwhistory/pam_pwhistory.8 b/modules/pam_pwhistory/pam_pwhistory.8
index 526967f5..45899be3 100644
--- a/modules/pam_pwhistory/pam_pwhistory.8
+++ b/modules/pam_pwhistory/pam_pwhistory.8
@@ -2,12 +2,12 @@
.\" Title: pam_pwhistory
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_PWHISTORY" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PWHISTORY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8
index 9f8462b9..c52a5d85 100644
--- a/modules/pam_rhosts/pam_rhosts.8
+++ b/modules/pam_rhosts/pam_rhosts.8
@@ -2,12 +2,12 @@
.\" Title: pam_rhosts
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_RHOSTS" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_RHOSTS" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8
index a2c6a4d0..d5f04e36 100644
--- a/modules/pam_rootok/pam_rootok.8
+++ b/modules/pam_rootok/pam_rootok.8
@@ -2,12 +2,12 @@
.\" Title: pam_rootok
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_ROOTOK" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ROOTOK" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8
index c704d920..95747fea 100644
--- a/modules/pam_securetty/pam_securetty.8
+++ b/modules/pam_securetty/pam_securetty.8
@@ -2,12 +2,12 @@
.\" Title: pam_securetty
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_SECURETTY" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SECURETTY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index e279efac..cb1da252 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -101,7 +101,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
uttyname = void_uttyname;
if (retval != PAM_SUCCESS || uttyname == NULL) {
- pam_syslog (pamh, LOG_WARNING, "cannot determine user's tty");
+ pam_syslog (pamh, LOG_ERR, "cannot determine user's tty");
return PAM_SERVICE_ERR;
}
@@ -214,7 +214,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
}
if (retval) {
- pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
+ pam_syslog(pamh, LOG_NOTICE, "access denied: tty '%s' is not secure !",
uttyname);
retval = PAM_AUTH_ERR;
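Review bot: The denial message `access denied: tty '%s' is not secure !` moves from LOG_WARNING to LOG_NOTICE, which puts it below the threshold of any syslog rule or alert that selects on warning and above. Since this is the record of a refused login, I would say so at the call, e.g. `/* policy denial, logged at NOTICE: severity filters must include notice to keep this event */`, and mention the level change in the release notes. securetty_perform_check starts and ends outside this hunk.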
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
index 026fec13..5822cc13 100644
--- a/modules/pam_selinux/pam_selinux.8
+++ b/modules/pam_selinux/pam_selinux.8
@@ -2,12 +2,12 @@
.\" Title: pam_selinux
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_SELINUX" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SELINUX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index 6daba1ed..348cdd40 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -524,7 +524,7 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data,
data->default_user_context = strdup(contextlist[0]);
freeconary(contextlist);
if (!data->default_user_context) {
- pam_syslog(pamh, LOG_ERR, "Out of memory");
+ pam_syslog(pamh, LOG_CRIT, "Out of memory");
return PAM_BUF_ERR;
}
@@ -573,7 +573,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
}
if (!data->tty_path) {
- pam_syslog(pamh, LOG_ERR, "Out of memory");
+ pam_syslog(pamh, LOG_CRIT, "Out of memory");
return PAM_BUF_ERR;
}
@@ -727,7 +727,7 @@ create_context(pam_handle_t *pamh, int argc, const char **argv,
}
if (!(data = calloc(1, sizeof(*data)))) {
- pam_syslog(pamh, LOG_ERR, "Out of memory");
+ pam_syslog(pamh, LOG_CRIT, "Out of memory");
return PAM_BUF_ERR;
}
diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8
index 31a85477..71fd28d6 100644
--- a/modules/pam_sepermit/pam_sepermit.8
+++ b/modules/pam_sepermit/pam_sepermit.8
@@ -2,12 +2,12 @@
.\" Title: pam_sepermit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_SEPERMIT" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SEPERMIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_sepermit/sepermit.conf.5 b/modules/pam_sepermit/sepermit.conf.5
index 8c8ccb42..d797b535 100644
--- a/modules/pam_sepermit/sepermit.conf.5
+++ b/modules/pam_sepermit/sepermit.conf.5
@@ -2,12 +2,12 @@
.\" Title: sepermit.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "SEPERMIT\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "SEPERMIT\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8
index 095233bb..f0f6ea20 100644
--- a/modules/pam_shells/pam_shells.8
+++ b/modules/pam_shells/pam_shells.8
@@ -2,12 +2,12 @@
.\" Title: pam_shells
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_SHELLS" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SHELLS" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8
index dff64c0a..07524beb 100644
--- a/modules/pam_succeed_if/pam_succeed_if.8
+++ b/modules/pam_succeed_if/pam_succeed_if.8
@@ -2,12 +2,12 @@
.\" Title: pam_succeed_if
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM
.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_SUCCEED_IF" "8" "04/01/2016" "Linux-PAM" "Linux\-PAM"
+.TH "PAM_SUCCEED_IF" "8" "05/18/2017" "Linux-PAM" "Linux\-PAM"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
index 856db0ca..aac3eeb0 100644
--- a/modules/pam_succeed_if/pam_succeed_if.c
+++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -323,7 +323,7 @@ evaluate(pam_handle_t *pamh, int debug,
}
/* If we have no idea what's going on, return an error. */
if (left != buf) {
- pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left);
+ pam_syslog(pamh, LOG_ERR, "unknown attribute \"%s\"", left);
return PAM_SERVICE_ERR;
}
if (debug) {
@@ -455,7 +455,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
/* Get information about the user. */
pwd = pam_modutil_getpwuid(pamh, getuid());
if (pwd == NULL) {
- pam_syslog(pamh, LOG_CRIT,
+ pam_syslog(pamh, LOG_ERR,
"error retrieving information about user %lu",
(unsigned long)getuid());
return PAM_USER_UNKNOWN;
@@ -465,7 +465,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
/* Get the user's name. */
ret = pam_get_user(pamh, &user, prompt);
if ((ret != PAM_SUCCESS) || (user == NULL)) {
- pam_syslog(pamh, LOG_CRIT,
+ pam_syslog(pamh, LOG_ERR,
"error retrieving user name: %s",
pam_strerror(pamh, ret));
return ret;
@@ -543,7 +543,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
if (left || qual || right) {
ret = PAM_SERVICE_ERR;
- pam_syslog(pamh, LOG_CRIT,
+ pam_syslog(pamh, LOG_ERR,
"incomplete condition detected");
} else if (count == 0) {
pam_syslog(pamh, LOG_INFO,
diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8
index ea44dd8c..58070831 100644
--- a/modules/pam_tally/pam_tally.8
+++ b/modules/pam_tally/pam_tally.8
@@ -2,12 +2,12 @@
.\" Title: pam_tally
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TALLY" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TALLY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_tally2/pam_tally2.8 b/modules/pam_tally2/pam_tally2.8
index 920a90b0..4e700e70 100644
--- a/modules/pam_tally2/pam_tally2.8
+++ b/modules/pam_tally2/pam_tally2.8
@@ -2,12 +2,12 @@
.\" Title: pam_tally2
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TALLY2" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TALLY2" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index 9f3bebeb..da1c0481 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -959,6 +959,18 @@ main( int argc UNUSED, char **argv )
exit(1);
}
+ if (cline_reset == 0) {
+ struct stat st;
+
+ if (stat(cline_filename, &st) && errno == ENOENT) {
+ if (!cline_quiet) {
+ memset(&tally, 0, sizeof(tally));
+ print_one(&tally, uid);
+ }
+ return 0; /* no file => nothing to reset */
+ }
+ }
+
i=get_tally(NULL, uid, cline_filename, &tfile, &tally, 0);
if ( i != PAM_SUCCESS ) {
if (tfile != -1)
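Review bot: The early exit is keyed on `cline_reset == 0`, but the only explanation, `/* no file => nothing to reset */`, sits on the inner `return`, and what the value 0 means is defined outside this hunk. A comment on the outer test would make the intent readable here, e.g. `/* resetting to zero and the tally file does not exist: report a zero tally and succeed */` (assuming 0 is the reset-to-zero case, which the existing comment suggests). Any stat() failure other than ENOENT still falls through to get_tally(), which looks intended.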
diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8
index ec8e70c6..194427d3 100644
--- a/modules/pam_time/pam_time.8
+++ b/modules/pam_time/pam_time.8
@@ -2,12 +2,12 @@
.\" Title: pam_time
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TIME" "8" "04/01/2016" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_TIME" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index b67a4c24..26a374b5 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -120,7 +120,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state)
if (! *buf) {
*buf = (char *) calloc(1, PAM_TIME_BUFLEN+1);
if (! *buf) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
D(("no memory"));
*state = STATE_EOF;
return -1;
diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5
index 4438dbf8..f6f16170 100644
--- a/modules/pam_time/time.conf.5
+++ b/modules/pam_time/time.conf.5
@@ -2,12 +2,12 @@
.\" Title: time.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "TIME\&.CONF" "5" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "TIME\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8
index 872d66e3..5e804ab0 100644
--- a/modules/pam_timestamp/pam_timestamp.8
+++ b/modules/pam_timestamp/pam_timestamp.8
@@ -2,12 +2,12 @@
.\" Title: pam_timestamp
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TIMESTAMP" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TIMESTAMP" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index b18efdfd..e29ce6e9 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -211,7 +211,7 @@ check_login_time(const char *ruser, time_t timestamp)
if (ut->ut_type != USER_PROCESS) {
continue;
}
- if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user) != 0)) {
+ if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) {
continue;
}
if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
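Review bot: With the parenthesis fixed, the comparison is bounded by `sizeof(ut->ut_user)`, and the reason for using strncmp() here deserves a comment: `ut_user` is a fixed-size utmp field that is not NUL-terminated when the name fills it. I would add `/* ut_user may lack a terminating NUL; compare at most the field size */` above the test. The same comment should note that an `ruser` longer than the field still matches an entry equal to its first sizeof(ut->ut_user) bytes. check_login_time starts and ends outside this hunk.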
@@ -608,7 +608,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char *
/* Generate the message. */
text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size());
if (text == NULL) {
- pam_syslog(pamh, LOG_ERR, "unable to allocate memory: %m");
+ pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m");
return PAM_SESSION_ERR;
}
p = text;
diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8
index 2f0213a8..b90ab317 100644
--- a/modules/pam_timestamp/pam_timestamp_check.8
+++ b/modules/pam_timestamp/pam_timestamp_check.8
@@ -2,12 +2,12 @@
.\" Title: pam_timestamp_check
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TIMESTAMP_CHECK" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TIMESTAMP_CHECK" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README
index 83e58c3a..ac947a32 100644
--- a/modules/pam_tty_audit/README
+++ b/modules/pam_tty_audit/README
@@ -11,15 +11,15 @@ OPTIONS
disable=patterns
- For each user matching one of comma-separated glob patterns, disable TTY
- auditing. This overrides any previous enable option matching the same user
- name on the command line.
+ For each user matching patterns, disable TTY auditing. This overrides any
+ previous enable option matching the same user name on the command line. See
+ NOTES for further description of patterns.
enable=patterns
- For each user matching one of comma-separated glob patterns, enable TTY
- auditing. This overrides any previous disable option matching the same user
- name on the command line.
+ For each user matching patterns, enable TTY auditing. This overrides any
+ previous disable option matching the same user name on the command line.
+ See NOTES for further description of patterns.
open_only
@@ -45,6 +45,11 @@ the first option for most daemons using PAM.
To view the data that was logged by the kernel to audit use the command
aureport --tty.
+The patterns are comma separated lists of glob patterns or ranges of uids. A
+range is specified as min_uid:max_uid where one of these values can be empty.
+If min_uid is empty only user with the uid max_uid will be matched. If max_uid
+is empty users with the uid greater than or equal to min_uid will be matched.
+
EXAMPLES
Audit all administrative actions.
diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8
index 616f7d7e..e0800815 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8
+++ b/modules/pam_tty_audit/pam_tty_audit.8
@@ -2,12 +2,12 @@
.\" Title: pam_tty_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/11/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TTY_AUDIT" "8" "04/11/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TTY_AUDIT" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -39,18 +39,20 @@ The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By def
.PP
\fBdisable=\fR\fB\fIpatterns\fR\fR
.RS 4
-For each user matching one of comma\-separated glob
+For each user matching
\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
\fBenable\fR
-option matching the same user name on the command line\&.
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
.RE
.PP
\fBenable=\fR\fB\fIpatterns\fR\fR
.RS 4
-For each user matching one of comma\-separated glob
+For each user matching
\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
\fBdisable\fR
-option matching the same user name on the command line\&.
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
.RE
.PP
\fBopen_only\fR
@@ -89,6 +91,20 @@ as the first option for most daemons using PAM\&.
.PP
To view the data that was logged by the kernel to audit use the command
\fBaureport \-\-tty\fR\&.
+.PP
+The
+\fB\fIpatterns\fR\fR
+are comma separated lists of glob patterns or ranges of uids\&. A range is specified as
+\fImin_uid\fR:\fImax_uid\fR
+where one of these values can be empty\&. If
+\fImin_uid\fR
+is empty only user with the uid
+\fImax_uid\fR
+will be matched\&. If
+\fImax_uid\fR
+is empty users with the uid greater than or equal to
+\fImin_uid\fR
+will be matched\&.
.SH "EXAMPLES"
.PP
Audit all administrative actions\&.
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 552353ce..59a3406d 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -44,10 +44,10 @@
</term>
<listitem>
<para>
- For each user matching one of comma-separated glob
- <option><replaceable>patterns</replaceable></option>, disable
- TTY auditing. This overrides any previous <option>enable</option>
- option matching the same user name on the command line.
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ disable TTY auditing. This overrides any previous <option>enable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
@@ -57,10 +57,10 @@
</term>
<listitem>
<para>
- For each user matching one of comma-separated glob
- <option><replaceable>patterns</replaceable></option>, enable
- TTY auditing. This overrides any previous <option>disable</option>
- option matching the same user name on the command line.
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ enable TTY auditing. This overrides any previous <option>disable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
@@ -139,6 +139,16 @@
To view the data that was logged by the kernel to audit use
the command <command>aureport --tty</command>.
</para>
+ <para>
+ The <option><replaceable>patterns</replaceable></option> are comma separated
+ lists of glob patterns or ranges of uids. A range is specified as
+ <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where
+ one of these values can be empty. If <replaceable>min_uid</replaceable> is
+ empty only user with the uid <replaceable>max_uid</replaceable> will be
+ matched. If <replaceable>max_uid</replaceable> is empty users with the uid
+ greater than or equal to <replaceable>min_uid</replaceable> will be
+ matched.
+ </para>
</refsect1>
<refsect1 id='pam_tty_audit-examples'>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index bce3ab77..79e5d511 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -199,6 +199,54 @@ cleanup_old_status (pam_handle_t *pamh, void *data, int error_status)
free (data);
}
+enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN,
+ UID_RANGE_ONE, UID_RANGE_ERR };
+
+static enum uid_range
+parse_uid_range(pam_handle_t *pamh, const char *s,
+ uid_t *min_uid, uid_t *max_uid)
+{
+ const char *range = s;
+ const char *pmax;
+ char *endptr;
+ enum uid_range rv = UID_RANGE_MM;
+
+ if ((pmax=strchr(range, ':')) == NULL)
+ return UID_RANGE_NONE;
+ ++pmax;
+
+ if (range[0] == ':')
+ rv = UID_RANGE_ONE;
+ else {
+ errno = 0;
+ *min_uid = strtoul (range, &endptr, 10);
+ if (errno != 0 || (range == endptr) || *endptr != ':') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong min_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+ }
+
+ if (*pmax == '\0') {
+ if (rv == UID_RANGE_ONE)
+ return UID_RANGE_ERR;
+
+ return UID_RANGE_MIN;
+ }
+
+ errno = 0;
+ *max_uid = strtoul (pmax, &endptr, 10);
+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong max_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+
+ if (rv == UID_RANGE_ONE)
+ *min_uid = *max_uid;
+ return rv;
+}
+
int
pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
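Review bot: In parse_uid_range the `strtoul` results are stored straight into `uid_t`, so a value that does not fit is truncated without any error, and `strtoul` also accepts leading whitespace and a sign. Where `uid_t` is narrower than `unsigned long`, a constructed token such as `4294967296:` would parse as min_uid 0 and match every user. Parsing into an `unsigned long val` and adding `|| val != (uid_t) val` to both error conditions, together with a check that the first character is a digit, would reject these inputs. A range whose min_uid is greater than max_uid is also accepted and simply never matches.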
@@ -208,6 +256,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+ struct passwd *pwd;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
int log_passwd;
#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
@@ -220,6 +269,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_SESSION_ERR;
}
+ pwd = pam_modutil_getpwnam(pamh, user);
+ if (pwd == NULL)
+ {
+ pam_syslog(pamh, LOG_WARNING,
+ "open_session unknown user '%s'", user);
+ return PAM_SESSION_ERR;
+ }
+
command = CMD_NONE;
open_only = 0;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
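Review bot: The passwd lookup added here runs before any option is parsed, so a user that `pam_modutil_getpwnam` cannot resolve now gets PAM_SESSION_ERR even when the configuration holds only glob patterns, which needed no lookup before. If that is intended, a comment such as `/* uid is needed for min_uid:max_uid patterns; unknown users fail the session */` would record it. Otherwise the lookup could be deferred until parse_uid_range returns something other than UID_RANGE_NONE. The function starts and ends outside the hunk.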
@@ -237,13 +294,31 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
copy = strdup (strchr (argv[i], '=') + 1);
if (copy == NULL)
return PAM_SESSION_ERR;
- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
+ for (tok = strtok_r (copy, ",", &tok_data);
+ tok != NULL && command != this_command;
tok = strtok_r (NULL, ",", &tok_data))
{
- if (fnmatch (tok, user, 0) == 0)
+ uid_t min_uid = 0, max_uid = 0;
+ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid))
{
- command = this_command;
- break;
+ case UID_RANGE_NONE:
+ if (fnmatch (tok, user, 0) == 0)
+ command = this_command;
+ break;
+ case UID_RANGE_MM:
+ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_MIN:
+ if (pwd->pw_uid >= min_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ONE:
+ if (pwd->pw_uid == max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ERR:
+ break;
}
}
free (copy);
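Review bot: A malformed range is dropped silently in the `UID_RANGE_ERR` case: parse_uid_range reports it only at LOG_DEBUG (and not at all for a bare `:`), and the loop just moves on to the next token. A typo in an `enable=` list therefore leaves the affected users unaudited with nothing visible at normal log levels. Logging in this case at a higher priority, e.g. `pam_syslog (pamh, LOG_ERR, "invalid uid range '%s' ignored", tok);`, would surface the misconfiguration. Any token containing ':' is now treated as a range and never reaches `fnmatch`. The function starts and ends outside the hunk.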
diff --git a/modules/pam_umask/README b/modules/pam_umask/README
index 330e2ade..274dbf60 100644
--- a/modules/pam_umask/README
+++ b/modules/pam_umask/README
@@ -11,14 +11,14 @@ created files.
The PAM module tries to get the umask value from the following places in the
following order:
- • umask= argument
-
• umask= entry in the user's GECOS field
- • UMASK= entry from /etc/default/login
+ • umask= argument
• UMASK entry from /etc/login.defs
+ • UMASK= entry from /etc/default/login
+
The GECOS field is split on comma ',' characters. The module also in addition
to the umask= entry recognizes pri= entry, which sets the nice priority value
for the session, and ulimit= entry, which sets the maximum size of files the
diff --git a/modules/pam_umask/pam_umask.8 b/modules/pam_umask/pam_umask.8
index b37ac6d3..fd2d8a8a 100644
--- a/modules/pam_umask/pam_umask.8
+++ b/modules/pam_umask/pam_umask.8
@@ -2,12 +2,12 @@
.\" Title: pam_umask
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_UMASK" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_UMASK" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -46,7 +46,7 @@ The PAM module tries to get the umask value from the following places in the fol
.sp -1
.IP \(bu 2.3
.\}
-umask= argument
+umask= entry in the user\*(Aqs GECOS field
.RE
.sp
.RS 4
@@ -57,7 +57,7 @@ umask= argument
.sp -1
.IP \(bu 2.3
.\}
-umask= entry in the user\*(Aqs GECOS field
+umask= argument
.RE
.sp
.RS 4
@@ -68,7 +68,7 @@ umask= entry in the user\*(Aqs GECOS field
.sp -1
.IP \(bu 2.3
.\}
-UMASK= entry from /etc/default/login
+UMASK entry from /etc/login\&.defs
.RE
.sp
.RS 4
@@ -79,7 +79,7 @@ UMASK= entry from /etc/default/login
.sp -1
.IP \(bu 2.3
.\}
-UMASK entry from /etc/login\&.defs
+UMASK= entry from /etc/default/login
.RE
.PP
The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
diff --git a/modules/pam_umask/pam_umask.8.xml b/modules/pam_umask/pam_umask.8.xml
index 1e8d130b..92693f7f 100644
--- a/modules/pam_umask/pam_umask.8.xml
+++ b/modules/pam_umask/pam_umask.8.xml
@@ -48,22 +48,22 @@
<itemizedlist>
<listitem>
<para>
- umask= argument
+ umask= entry in the user's GECOS field
</para>
</listitem>
<listitem>
<para>
- umask= entry in the user's GECOS field
+ umask= argument
</para>
</listitem>
<listitem>
<para>
- UMASK= entry from /etc/default/login
+ UMASK entry from /etc/login.defs
</para>
</listitem>
<listitem>
<para>
- UMASK entry from /etc/login.defs
+ UMASK= entry from /etc/default/login
</para>
</listitem>
</itemizedlist>
diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
index 4ca84495..b3808f1a 100644
--- a/modules/pam_unix/pam_unix.8
+++ b/modules/pam_unix/pam_unix.8
@@ -2,12 +2,12 @@
.\" Title: pam_unix
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/19/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_UNIX" "8" "04/19/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_UNIX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 782d84ac..88331149 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -201,7 +201,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
uname = void_uname;
D(("user = `%s'", uname));
if (retval != PAM_SUCCESS || uname == NULL) {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"could not identify user (from uid=%lu)",
(unsigned long int)getuid());
return PAM_USER_UNKNOWN;
@@ -209,7 +209,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
retval = get_account_info(pamh, uname, &pwent, &spent);
if (retval == PAM_USER_UNKNOWN) {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"could not identify user (from getpwnam(%s))",
uname);
return retval;
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 673861e4..fce6bce1 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -77,14 +77,12 @@
#define _UNIX_AUTHTOK "-UN*X-PASS"
#define AUTH_RETURN \
-do { \
- if (ret_data) { \
- D(("recording return code for next time [%d]", \
- retval)); \
- *ret_data = retval; \
- pam_set_data(pamh, "unix_setcred_return", \
- (void *) ret_data, setcred_free); \
- } \
+do { \
+ D(("recording return code for next time [%d]", \
+ retval)); \
+ *ret_data = retval; \
+ pam_set_data(pamh, "unix_setcred_return", \
+ (void *) ret_data, setcred_free); \
D(("done. [%s]", pam_strerror(pamh, retval))); \
return retval; \
} while (0)
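Review bot: AUTH_RETURN now dereferences `ret_data` unconditionally, so its safety depends on the NULL check added after `malloc` in pam_sm_authenticate (next hunk), and nothing at the macro says so. A comment above the macro such as `/* ret_data must be non-NULL: pam_sm_authenticate returns PAM_BUF_ERR before the first AUTH_RETURN if malloc fails */` would keep a later use site from reintroducing a NULL write. The return value of `pam_set_data` is still ignored, so if that call fails the cleanup is not registered and `ret_data` appears to leak.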
@@ -112,6 +110,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
/* Get a few bytes so we can pass our return value to
pam_sm_setcred() and pam_sm_acct_mgmt(). */
ret_data = malloc(sizeof(int));
+ if (!ret_data) {
+ D(("cannot malloc ret_data"));
+ pam_syslog(pamh, LOG_CRIT,
+ "pam_unix_auth: cannot allocate ret_data");
+ return PAM_BUF_ERR;
+ }
/* get the user'name' */
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index c2e43423..9fdebefb 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -774,7 +774,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (retval != PAM_SUCCESS) {
if (on(UNIX_DEBUG, ctrl)) {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"password - new password not obtained");
}
pass_old = NULL; /* tidy up */
@@ -864,7 +864,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
_pam_delete(tpass);
pass_old = pass_new = NULL;
} else { /* something has broken with the module */
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_CRIT,
"password received unknown request");
retval = PAM_ABORT;
}
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index dbc62983..03e7dcd9 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -77,7 +77,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_CRIT,
+ pam_syslog(pamh, LOG_ERR,
"open_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
@@ -112,7 +112,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_CRIT,
+ pam_syslog(pamh, LOG_ERR,
"close_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5d6a1484..9c1771e2 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -1023,7 +1023,7 @@ helper_verify_password(const char *name, const char *p, int nullok)
retval = get_pwd_hash(name, &pwd, &salt);
if (pwd == NULL || salt == NULL) {
- helper_log_err(LOG_WARNING, "check pass; user unknown");
+ helper_log_err(LOG_NOTICE, "check pass; user unknown");
retval = PAM_USER_UNKNOWN;
} else {
retval = verify_pwd_hash(p, salt, nullok);
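Review bot: Failed-authentication messages move from LOG_WARNING to LOG_NOTICE here, and the same happens in the pam_unix/support.c hunks (including the `ignoring max retries` message, previously LOG_ALERT) and in pam_userdb.c, with no comment stating the intended severity. Syslog rules that forward or alert only on warning and above would stop seeing these lines, so the change deserves a mention in the release documentation. If the reasoning is that these are routine events rather than system faults, a comment at the call such as `/* NOTICE: routine auth failure, not a system fault */` would record it. The function extends outside the hunk.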
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index fc8595e9..f2e28d35 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -345,7 +345,7 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err)
);
if (failure->count > UNIX_MAX_RETRIES) {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_NOTICE,
"service(%s) ignoring max retries; %d > %d",
service == NULL ? "**unknown**" : (const char *)service,
failure->count,
@@ -744,12 +744,12 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
if (on(UNIX_AUDIT, ctrl)) {
/* this might be a typo and the user has given a password
instead of a username. Careful with this. */
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_NOTICE,
"check pass; user (%s) unknown", name);
} else {
name = NULL;
if (on(UNIX_DEBUG, ctrl) || pwd == NULL) {
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_NOTICE,
"check pass; user unknown");
} else {
/* don't log failure as another pam module can succeed */
diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8
index 48bba9e0..46048995 100644
--- a/modules/pam_unix/unix_chkpwd.8
+++ b/modules/pam_unix/unix_chkpwd.8
@@ -2,12 +2,12 @@
.\" Title: unix_chkpwd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "UNIX_CHKPWD" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "UNIX_CHKPWD" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 61675ed2..39c84dbf 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -43,7 +43,7 @@ static int _check_expiry(const char *uname)
retval = get_account_info(uname, &pwent, &spent);
if (retval != PAM_SUCCESS) {
- helper_log_err(LOG_ALERT, "could not obtain user info (%s)", uname);
+ helper_log_err(LOG_ERR, "could not obtain user info (%s)", uname);
printf("-1\n");
return retval;
}
diff --git a/modules/pam_unix/unix_update.8 b/modules/pam_unix/unix_update.8
index 637c3cc7..c5eab08c 100644
--- a/modules/pam_unix/unix_update.8
+++ b/modules/pam_unix/unix_update.8
@@ -2,12 +2,12 @@
.\" Title: unix_update
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "UNIX_UPDATE" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "UNIX_UPDATE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8
index 235ecdf3..7f8fd358 100644
--- a/modules/pam_userdb/pam_userdb.8
+++ b/modules/pam_userdb/pam_userdb.8
@@ -2,12 +2,12 @@
.\" Title: pam_userdb
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_USERDB" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_USERDB" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 09ab8d33..cab37b30 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -397,7 +397,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
return PAM_SERVICE_ERR;
case -1:
/* incorrect password */
- pam_syslog(pamh, LOG_WARNING,
+ pam_syslog(pamh, LOG_NOTICE,
"user `%s' denied access (incorrect password)",
username);
return PAM_AUTH_ERR;
diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8
index f45223c9..26eac145 100644
--- a/modules/pam_warn/pam_warn.8
+++ b/modules/pam_warn/pam_warn.8
@@ -2,12 +2,12 @@
.\" Title: pam_warn
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_WARN" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_WARN" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8
index 0a4f804a..d59ee467 100644
--- a/modules/pam_wheel/pam_wheel.8
+++ b/modules/pam_wheel/pam_wheel.8
@@ -2,12 +2,12 @@
.\" Title: pam_wheel
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/19/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_WHEEL" "8" "04/19/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_WHEEL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8
index f916eadb..86f8cc13 100644
--- a/modules/pam_xauth/pam_xauth.8
+++ b/modules/pam_xauth/pam_xauth.8
@@ -2,12 +2,12 @@
.\" Title: pam_xauth
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/01/2016
+.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_XAUTH" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_XAUTH" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index 6778aa84..3339def8 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -683,7 +683,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
if (asprintf(&d, "DISPLAY=%s", display) < 0)
{
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
cookiefile = NULL;
retval = PAM_SESSION_ERR;
goto cleanup;
@@ -700,7 +700,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
char *d;
if (asprintf(&d, "XAUTHLOCALHOSTNAME=%s", xauthlocalhostname) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
+ pam_syslog(pamh, LOG_CRIT, "out of memory");
retval = PAM_SESSION_ERR;
goto cleanup;
}