-rw-r--r--CHANGELOG6
-rw-r--r--libpam/Makefile.am2
-rw-r--r--libpam/pam_item.c10
-rw-r--r--libpam/pam_private.h1
-rw-r--r--libpam_misc/Makefile.am2
-rw-r--r--libpamc/Makefile.am2
-rw-r--r--modules/pam_limits/pam_limits.c24
-rw-r--r--modules/pam_motd/pam_motd.c110
-rw-r--r--po/de.po2
9 files changed, 88 insertions, 71 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 238dec06..52d550f8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -77,7 +77,11 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
* pam_securetty: Be fail-close on user lookups, always log failures,
not just with "debug" (Solar Designer)
* Add gettext support
-* Add translations for cs, hu, nb, pa and pt
+* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
+ pt, zh_CN and zh_TW
+* pam_limits: Apply ALT-Linux/OWL patch
+* pam_motd: Apply ALT-Linux/OWL patch
+* libpam: Cache pam_get_user() failures
0.80: Wed Jul 13 13:23:20 CEST 2005
* pam_tally: test for NULL data before dereferencing them (t8m)
diff --git a/libpam/Makefile.am b/libpam/Makefile.am
index 9cf45e82..f33c3db3 100644
--- a/libpam/Makefile.am
+++ b/libpam/Makefile.am
@@ -14,7 +14,7 @@ include_HEADERS = $(addprefix include/security/, _pam_compat.h _pam_macros.h _pa
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h
-libpam_la_LDFLAGS = -no-undefined -version-info 1:0:0
+libpam_la_LDFLAGS = -no-undefined -version-info 81:0:81
if HAVE_VERSIONING
libpam_la_LDFLAGS += -Wl,--version-script=libpam.map
endif
diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 96e88247..ff35559e 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -50,10 +50,12 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
case PAM_USER:
RESET(pamh->user, item);
+ pamh->former.fail_user = PAM_SUCCESS;
break;
case PAM_USER_PROMPT:
RESET(pamh->prompt, item);
+ pamh->former.fail_user = PAM_SUCCESS;
break;
case PAM_TTY:
@@ -127,6 +129,7 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
memcpy(tconv, item, sizeof(struct pam_conv));
_pam_drop(pamh->pam_conversation);
pamh->pam_conversation = tconv;
+ pamh->former.fail_user = PAM_SUCCESS;
}
}
break;
@@ -254,6 +257,9 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
return PAM_SUCCESS;
}
+ if (pamh->former.fail_user != PAM_SUCCESS)
+ return pamh->former.fail_user;
+
/* will need a prompt */
use_prompt = prompt;
if (use_prompt == NULL) {
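Review bot: The early return on `pamh->former.fail_user` has no comment, and the lifetime of the cached failure is not obvious from pam_get_user() alone. Within this diff it is cleared only by pam_set_item() for PAM_USER, PAM_USER_PROMPT and PAM_CONV. An application that reuses the handle after a transient conversation error will keep receiving the cached code until it sets one of those items again, so say so above the check, e.g. `/* a previous prompt failed: return the cached error until PAM_USER, PAM_USER_PROMPT or PAM_CONV is set again */`. The body of pam_get_user() starts and ends outside this hunk, so confirm where this check sits relative to any resume handling.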
@@ -308,6 +314,7 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
*/
D(("pam_get_user: no response provided"));
retval = PAM_CONV_ERR;
+ pamh->former.fail_user = retval;
} else if (retval == PAM_SUCCESS) { /* copy the username */
/*
* now we set the PAM_USER item -- this was missing from pre.53
@@ -316,7 +323,8 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
*/
RESET(pamh->user, resp->resp);
*user = pamh->user;
- }
+ } else
+ pamh->former.fail_user = retval;
if (resp) {
/*
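Review bot: The new `} else` branch is left unbraced after two braced branches, so the following `if (resp) {` is easy to misread as part of the chain. Write it as `} else {` / `pamh->former.fail_user = retval;` / `}`. This branch caches every remaining non-success code, so whether a retryable result such as PAM_CONV_AGAIN can reach it depends on the earlier branches of the if-chain, which begin outside the hunk. Confirm that only final failures end up cached.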
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 9d759ca9..53375bbb 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -122,6 +122,7 @@ struct _pam_former_state {
int status; /* the status before returning incomplete */
/* state info used by pam_get_user() function */
+ int fail_user;
int want_user;
char *prompt; /* saved prompt information */
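Review bot: `fail_user` is added without a comment, unlike the fields around it; `int fail_user;   /* cached pam_get_user() failure, PAM_SUCCESS if none */` would document the sentinel. The early return in pam_get_user() relies on the field starting out as PAM_SUCCESS, and this diff shows no explicit initialisation. It presumably depends on the handle being zero-filled when it is allocated, which should be confirmed in pam_start().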
diff --git a/libpam_misc/Makefile.am b/libpam_misc/Makefile.am
index b5bc9048..25d83b2e 100644
--- a/libpam_misc/Makefile.am
+++ b/libpam_misc/Makefile.am
@@ -11,7 +11,7 @@ include_HEADERS = include/security/pam_misc.h
AM_CFLAGS = -I$(top_srcdir)/libpam/include \
-I$(top_srcdir)/libpamc/include -I$(srcdir)/include
-libpam_misc_la_LDFLAGS = -version-info 1:0:0
+libpam_misc_la_LDFLAGS = -no-undefined -version-info 81:0:81
if HAVE_VERSIONING
libpam_misc_la_LDFLAGS += -Wl,--version-script=libpam_misc.map
endif
diff --git a/libpamc/Makefile.am b/libpamc/Makefile.am
index 0bfd5f6b..5f33ecbf 100644
--- a/libpamc/Makefile.am
+++ b/libpamc/Makefile.am
@@ -14,7 +14,7 @@ noinst_HEADERS = libpamc.h
AM_CFLAGS=-I$(top_srcdir)/libpam/include -I$(srcdir)/include
-libpamc_la_LDFLAGS = -version-info 1:0:0
+libpamc_la_LDFLAGS = -no-undefined -version-info 81:0:81
if HAVE_VERSIONING
libpamc_la_LDFLAGS += -Wl,--version-script=libpamc.map
endif
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index d21ad16a..10ff8969 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -61,6 +61,7 @@ static const char *limits_def_names[] = {
};
struct user_limits_struct {
+ int supported;
int src_soft;
int src_hard;
struct rlimit limit;
@@ -73,7 +74,6 @@ struct pam_limit_s {
int flag_numsyslogins; /* whether to limit logins only for a
specific user or to count all logins */
int priority; /* the priority to run user process with */
- int supported[RLIM_NLIMITS];
struct user_limits_struct limits[RLIM_NLIMITS];
char conf_file[BUFSIZ];
int utmp_after_pam_call;
@@ -229,13 +229,12 @@ static int init_limits(struct pam_limit_s *pl)
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
- if (errno == EINVAL) {
- pl->supported[i] = 0;
- } else {
+ pl->limits[i].supported = 0;
+ if (errno != EINVAL) {
retval = !PAM_SUCCESS;
}
} else {
- pl->supported[i] = 1;
+ pl->limits[i].supported = 1;
pl->limits[i].src_soft = LIMITS_DEF_NONE;
pl->limits[i].src_hard = LIMITS_DEF_NONE;
}
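Review bot: `retval = !PAM_SUCCESS;` yields the bare value 1 rather than a named PAM code, which is easy to misread now that the caller treats any non-success result as fatal. A named constant such as `retval = PAM_ABORT;` matches what pam_sm_open_session() returns in this commit. On a failed getrlimit() the entry's `src_soft` and `src_hard` are left unset, which is safe only because setup_limits() tests `supported` first; a short comment saying so would keep a later reordering from reading them. The loop body continues outside the hunk.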
@@ -570,12 +569,17 @@ static int setup_limits(pam_handle_t *pamh,
}
for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
- if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
- pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
- if (!pl->supported[i]) {
+ if (!pl->limits[i].supported) {
/* skip it if its not known to the system */
continue;
}
+ if (pl->limits[i].src_soft == LIMITS_DEF_NONE &&
+ pl->limits[i].src_hard == LIMITS_DEF_NONE) {
+ /* skip it if its not initialized */
+ continue;
+ }
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
status |= setrlimit(i, &pl->limits[i].limit);
}
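Review bot: The comment `/* skip it if its not initialized */` does not say what "initialized" means here. The test is that neither a soft nor a hard value was recorded for the resource, so setrlimit() is not called and the inherited limit stays in force. Suggested wording: `/* no soft or hard value was configured for this resource: leave the inherited limit untouched */`. The sibling comment would read better as `/* skip resources the system does not support */`.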
@@ -634,7 +638,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
retval = init_limits(&pl);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_WARNING, "cannot initialize");
- return PAM_IGNORE;
+ return PAM_ABORT;
}
retval = parse_config_file(pamh, pwd->pw_name, ctrl, &pl);
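Review bot: Failing closed with PAM_ABORT makes the log line the only diagnostic for a refused session, and `"cannot initialize"` names neither the resource nor the error. By the time init_limits() returns, errno may have been overwritten by later getrlimit() calls in its loop, so the detail is best logged at the point of failure inside init_limits(). Assuming `_pam_log` takes printf-style arguments, that would be `_pam_log(LOG_ERR, "getrlimit(%d) failed: %s", i, strerror(errno));`. The rest of pam_sm_open_session() lies outside this hunk.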
@@ -644,7 +648,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
}
if (retval != PAM_SUCCESS) {
_pam_log(LOG_WARNING, "error parsing the configuration file");
- return PAM_IGNORE;
+ return retval;
}
if (ctrl & PAM_DO_SETREUID) {
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
index 291d76d9..5cea38bf 100644
--- a/modules/pam_motd/pam_motd.c
+++ b/modules/pam_motd/pam_motd.c
@@ -47,23 +47,17 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
static char default_motd[] = DEFAULT_MOTD;
PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
{
- int retval = PAM_IGNORE;
- int fd;
- char *mtmp=NULL;
- char *motd_path=NULL;
- const void *void_conv;
- const struct pam_conv *conversation;
- struct pam_message message;
- struct pam_message *pmessage = &message;
- struct pam_response *resp = NULL;
- struct stat st;
-
- if (flags & PAM_SILENT) {
+ int retval = PAM_IGNORE;
+ int fd;
+ char *motd_path = NULL;
+ char *mtmp = NULL;
+
+ if (flags & PAM_SILENT) {
return retval;
- }
+ }
for (; argc-- > 0; ++argv) {
if (!strncmp(*argv,"motd=",5)) {
@@ -75,49 +69,55 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
D(("failed to duplicate motd path - ignored"));
}
}
- }
+ }
- if (motd_path == NULL)
+ if (motd_path == NULL)
motd_path = default_motd;
- message.msg_style = PAM_TEXT_INFO;
-
- if ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
- if (motd_path != default_motd)
- free(motd_path);
- /* fill in message buffer with contents of motd */
- if ((fstat(fd, &st) < 0) || !st.st_size) {
- close(fd);
- return retval;
- }
- message.msg = mtmp = malloc(st.st_size+1);
- /* if malloc failed... */
- if (!message.msg) {
- close(fd);
- return retval;
- }
- if (_pammodutil_read(fd, mtmp, st.st_size) == st.st_size) {
- if (mtmp[st.st_size-1] == '\n')
- mtmp[st.st_size-1] = '\0';
- else
- mtmp[st.st_size] = '\0';
- close(fd);
-
- /* Use conversation function to give user contents of motd */
- if (pam_get_item(pamh, PAM_CONV, &void_conv) ==
- PAM_SUCCESS && void_conv) {
- conversation = void_conv;
- conversation->conv(1, (const struct pam_message **)&pmessage,
- &resp, conversation->appdata_ptr);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
- }
- free(mtmp);
- } else {
- if (motd_path != default_motd)
- free(motd_path);
- }
+ while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
+ const void *void_conv = NULL;
+ struct pam_message message;
+ struct pam_message *pmessage = &message;
+ struct pam_response *resp = NULL;
+ struct stat st;
+
+ /* fill in message buffer with contents of motd */
+ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
+ break;
+
+ if (!(message.msg = mtmp = malloc(st.st_size+1)))
+ break;
+
+ if (_pammodutil_read(fd, mtmp, st.st_size) != st.st_size)
+ break;
+
+ if (mtmp[st.st_size-1] == '\n')
+ mtmp[st.st_size-1] = '\0';
+ else
+ mtmp[st.st_size] = '\0';
+
+ message.msg_style = PAM_TEXT_INFO;
+
+ /* Use conversation function to give user contents of motd */
+ if (pam_get_item(pamh, PAM_CONV, &void_conv) == PAM_SUCCESS
+ && void_conv) {
+ const struct pam_conv *conversation = void_conv;
+ conversation->conv(1, (const struct pam_message **)&pmessage,
+ &resp, conversation->appdata_ptr);
+ if (resp)
+ _pam_drop_reply(resp, 1);
+ }
+
+ break;
+ }
+
+ free(mtmp);
+
+ if (fd >= 0)
+ close(fd);
+
+ if (motd_path != default_motd)
+ free(motd_path);
return retval;
}
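Review bot: The size cap `st.st_size > 0x10000` is an unexplained magic number, and an oversized, unreadable or short-read motd is dropped without any log entry. Give the bound a name, e.g. `#define MOTD_MAX_SIZE 0x10000 /* refuse to load a motd larger than 64 KiB */`, and test `st.st_size > MOTD_MAX_SIZE`. The `while (...) { ... break; }` construct runs at most once and exists only so `break` reaches the shared cleanup. A comment such as `/* single-pass block: break falls through to the common cleanup below */` would stop a reader looking for a loop condition. The return value of `conversation->conv(...)` is still ignored; that is acceptable for a best-effort banner but deserves a comment saying it is deliberate.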
diff --git a/po/de.po b/po/de.po
index 32d70474..6ddd88e6 100644
--- a/po/de.po
+++ b/po/de.po
@@ -258,7 +258,7 @@ msgstr "Kommunikationsfehler"
#: libpam/pam_strerror.c:57
msgid "Authentication token manipulation error"
-msgstr "Fehler aufgrund von Manipulationen am Authentifizierungs-Token"
+msgstr "Fehler beim Ă„ndern des Authentifizierungs-Token"
#: libpam/pam_strerror.c:59
msgid "Authentication information cannot be recovered"