diff options
| -rw-r--r-- | ChangeLog | 27 | ||||
| -rw-r--r-- | modules/pam_unix/pam_unix_acct.c | 69 | ||||
| -rw-r--r-- | modules/pam_unix/pam_unix_auth.c | 11 | ||||
| -rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 70 | ||||
| -rw-r--r-- | modules/pam_unix/pam_unix_sess.c | 19 | ||||
| -rw-r--r-- | modules/pam_unix/support.c | 207 | ||||
| -rw-r--r-- | modules/pam_unix/support.h | 1 | ||||
| -rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 2 |
8 files changed, 169 insertions, 237 deletions
@@ -1,3 +1,30 @@ +2005-09-26 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): + _log_err() -> pam_syslog() + (pam_sm_acct_mgmt): _log_err() -> pam_syslog(), fix warning. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): + _log_err() -> pam_syslog() + * modules/pam_unix/pam_unix_passwd.c: removed obsolete ifdef + (getNISserver, _unix_run_shadow_binary, _update_passwd, + _update_shadow, _do_setpass, _pam_unix_approve_pass, + pam_sm_chauthtok): _log_err() -> pam_syslog() + * modules/pam_unix/pam_unix_sess.c: removed obsolete ifdef + (pam_sm_open_session, pam_sm_close_session): + _log_err() -> pam_syslog() + * modules/pam_unix/support.c (_log_err, converse): removed + (_make_remark): use pam_prompt() instead of converse() + (_set_ctrl, _cleanup_failures, _unix_run_helper_binary, + _unix_verify_password, _unix_read_password): + _log_err() -> pam_syslog() + _cleanup(), _unix_cleanup(): Silence unused param warnings. + (_cleanup_failures, _unix_verify_password, _unix_getpwnam, + _unix_run_helper_binary): Silence incorrect type warnings. + (_unix_read_password): Use multiple pam_prompt() and pam_info() calls + instead of converse(). + * modules/pam_unix/support.h (_log_err): removed + * modules/pam_unix/unix_chkpwd.c (_log_err): LOG_AUTH -> LOG_AUTHPRIV + 2005-09-26 Thorsten Kukuk <kukuk@suse.de> * configure.in: Add doc/specs/Makefile. diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 03143d96..324ab5ed 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -59,12 +59,9 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> +#include <security/pam_ext.h> #include <security/pam_modutil.h> -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - #include "support.h" #ifdef WITH_SELINUX @@ -80,7 +77,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons /* create a pipe for the messages */ if (pipe(fds) != 0) { D(("could not make pipe")); - _log_err(LOG_ERR, pamh, "Could not make pipe %s",strerror(errno)); + pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m"); return NULL; } D(("called.")); @@ -126,7 +123,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons execve(CHKPWD_HELPER, args, envp); - _log_err(LOG_ERR, pamh, "helper binary execve failed: %s",strerror(errno)); + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m"); /* should not get here: exit with error */ close (fds[1]); D(("helper binary is not available")); @@ -138,7 +135,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons int rc=0; rc=waitpid(child, &retval, 0); /* wait for helper to complete */ if (rc<0) { - _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno)); + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); retval = PAM_AUTH_ERR; } else { retval = WEXITSTATUS(retval); @@ -155,12 +152,12 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons &spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR; } else { - _log_err(LOG_ERR, pamh, " ERROR %d:%s \n",rc, strerror(errno)); retval = PAM_AUTH_ERR; + pam_syslog(pamh, LOG_ERR, " ERROR %d: %m", rc); retval = PAM_AUTH_ERR; } } } } else { - _log_err(LOG_ERR, pamh, "Fork failed %s \n",strerror(errno)); + pam_syslog(pamh, LOG_ERR, "Fork failed: %m"); D(("fork failed")); retval = PAM_AUTH_ERR; } @@ -188,7 +185,8 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv) { unsigned int ctrl; - const void *uname; + const void *void_uname; + const char *uname; int retval, daysleft; time_t curdays; struct spwd *spent; @@ -199,20 +197,21 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); - retval = pam_get_item(pamh, PAM_USER, &uname); + retval = pam_get_item(pamh, PAM_USER, &void_uname); + uname = void_uname; D(("user = `%s'", uname)); if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT, pamh - ,"could not identify user (from uid=%d)" - ,getuid()); + pam_syslog(pamh, LOG_ALERT, + "could not identify user (from uid=%d)", + getuid()); return PAM_USER_UNKNOWN; } pwent = pam_modutil_getpwnam(pamh, uname); if (!pwent) { - _log_err(LOG_ALERT, pamh - ,"could not identify user (from getpwnam(%s))" - ,uname); + pam_syslog(pamh, LOG_ALERT, + "could not identify user (from getpwnam(%s))", + uname); return PAM_USER_UNKNOWN; } @@ -261,45 +260,45 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, curdays = time(NULL) / (60 * 60 * 24); D(("today is %d, last change %d", curdays, spent->sp_lstchg)); if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { - _log_err(LOG_NOTICE, pamh - ,"account %s has expired (account expired)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (account expired)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Your account has expired; please contact your system administrator")); D(("account expired")); return PAM_ACCT_EXPIRED; } if (spent->sp_lstchg == 0) { - _log_err(LOG_NOTICE, pamh - ,"expired password for user %s (root enforced)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "expired password for user %s (root enforced)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("You are required to change your password immediately (root enforced)")); D(("need a new password")); return PAM_NEW_AUTHTOK_REQD; } if (curdays < spent->sp_lstchg) { - _log_err(LOG_DEBUG, pamh - ,"account %s has password changed in future" - ,uname); + pam_syslog(pamh, LOG_DEBUG, + "account %s has password changed in future", + uname); return PAM_SUCCESS; } if ((curdays - spent->sp_lstchg > spent->sp_max) && (curdays - spent->sp_lstchg > spent->sp_inact) && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) && (spent->sp_max != -1) && (spent->sp_inact != -1)) { - _log_err(LOG_NOTICE, pamh - ,"account %s has expired (failed to change password)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (failed to change password)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("Your account has expired; please contact your system administrator")); D(("account expired 2")); return PAM_ACCT_EXPIRED; } if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { - _log_err(LOG_DEBUG, pamh - ,"expired password for user %s (password aged)" - ,uname); + pam_syslog(pamh, LOG_DEBUG, + "expired password for user %s (password aged)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, _("You are required to change your password immediately (password aged)")); D(("need a new password 2")); @@ -308,9 +307,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) && (spent->sp_max != -1) && (spent->sp_warn != -1)) { daysleft = (spent->sp_lstchg + spent->sp_max) - curdays; - _log_err(LOG_DEBUG, pamh - ,"password for user %s will expire in %d days" - ,uname, daysleft); + pam_syslog(pamh, LOG_DEBUG, + "password for user %s will expire in %d days", + uname, daysleft); snprintf(buf, sizeof (buf), _("Warning: your password will expire in %d day%.2s"), daysleft, daysleft == 1 ? "" : "s"); _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 2412b68a..5cdec27f 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -57,10 +57,7 @@ #define _PAM_EXTERN_FUNCTIONS #include <security/_pam_macros.h> #include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ +#include <security/pam_ext.h> #include "support.h" @@ -132,7 +129,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags * alphanumeric character. */ if (name == NULL || !isalnum(*name)) { - _log_err(LOG_ERR, pamh, "bad username [%s]", name); + pam_syslog(pamh, LOG_ERR, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN; } @@ -164,8 +161,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags ,_UNIX_AUTHTOK, &p); if (retval != PAM_SUCCESS) { if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]" - ,name); + pam_syslog(pamh, LOG_CRIT, + "auth could not identify password for [%s]", name); } else { D(("conversation function is not ready yet")); /* diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 7212952e..50a81e38 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -78,11 +78,7 @@ static security_context_t prev_context=NULL; #define PAM_SM_PASSWORD #include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - +#include <security/pam_ext.h> #include <security/pam_modutil.h> #include "yppasswd.h" @@ -197,24 +193,24 @@ static char *getNISserver(pam_handle_t *pamh) int port, err; if ((err = yp_get_default_domain(&domainname)) != 0) { - _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n", + pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s", yperr_string(err)); return NULL; } if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { - _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n", + pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s", yperr_string(err)); return NULL; } port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP); if (port == 0) { - _log_err(LOG_WARNING, pamh, - "yppasswdd not running on NIS master host\n"); + pam_syslog(pamh, LOG_WARNING, + "yppasswdd not running on NIS master host"); return NULL; } if (port >= IPPORT_RESERVED) { - _log_err(LOG_WARNING, pamh, - "yppasswd daemon running on illegal port.\n"); + pam_syslog(pamh, LOG_WARNING, + "yppasswd daemon running on illegal port"); return NULL; } return master; @@ -295,7 +291,7 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const close(fds[1]); rc=waitpid(child, &retval, 0); /* wait for helper to complete */ if (rc<0) { - _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno)); + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); retval = PAM_AUTH_ERR; } else { retval = WEXITSTATUS(retval); @@ -598,7 +594,7 @@ static int _update_passwd(pam_handle_t *pamh, done: if (!err) { if (!rename(PW_TMPFILE, "/etc/passwd")) - _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho); + pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); else err = 1; } @@ -714,7 +710,7 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) done: if (!err) { if (!rename(SH_TMPFILE, "/etc/shadow")) - _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho); + pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); else err = 1; } @@ -808,7 +804,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } D(("The password has%s been changed on %s.", (err || status) ? " not" : "", master)); - _log_err(LOG_NOTICE, pamh, "password%s changed for %s on %s", + pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s", (err || status) ? " not" : "", pwd->pw_name, master); auth_destroy(clnt->cl_auth); @@ -956,7 +952,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, pamh, "bad authentication token"); + pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); } _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? _("No password supplied") : _("Password unchanged")); @@ -970,7 +966,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh retval = pam_get_item(pamh, PAM_USER, &user); if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ERR, pamh, "Can not get username"); + pam_syslog(pamh, LOG_ERR, "Can not get username"); return PAM_AUTHTOK_ERR; } } @@ -987,7 +983,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) remark = _("Password has been already used. Choose another."); if (retval == PAM_ABORT) { - _log_err(LOG_ERR, pamh, "can't open %s file to check old passwords", + pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords", OLD_PASSWORDS_FILE); return retval; } @@ -1029,15 +1025,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * alphanumeric character. */ if (user == NULL || !isalnum(*user)) { - _log_err(LOG_ERR, pamh, "bad username [%s]", user); + pam_syslog(pamh, LOG_ERR, "bad username [%s]", user); return PAM_USER_UNKNOWN; } if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, "username [%s] obtained", + pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", user); } else { if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "password - could not identify user"); return retval; } @@ -1052,7 +1048,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * came from, nor should it. That's our job. */ if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) { - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "user \"%s\" does not exist in /etc/passwd%s", user, on(UNIX_NIS, ctrl) ? " or NIS" : ""); return PAM_USER_UNKNOWN; @@ -1060,14 +1056,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, struct passwd *pwd; _unix_getpwnam(pamh, user, 1, 1, &pwd); if (pwd == NULL) { - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "user \"%s\" has corrupted passwd entry", user); return PAM_USER_UNKNOWN; } if (!_unix_shadowed(pwd) && (strchr(pwd->pw_passwd, '*') != NULL)) { - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "user \"%s\" does not have modifiable password", user); return PAM_USER_UNKNOWN; @@ -1097,7 +1093,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, #define greeting "Changing password for " Announce = (char *) malloc(sizeof(greeting) + strlen(user)); if (Announce == NULL) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "password - out of memory"); return PAM_BUF_ERR; } @@ -1116,8 +1112,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, free(Announce); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh - ,"password - (old) token not obtained"); + pam_syslog(pamh, LOG_NOTICE, + "password - (old) token not obtained"); return retval; } /* verify that this is the password for this user */ @@ -1137,7 +1133,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); pass_old = NULL; if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); } retval = _unix_verify_shadow(pamh,user, ctrl); @@ -1183,7 +1179,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, D(("pass_old [%s]", pass_old)); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user not authenticated"); + pam_syslog(pamh, LOG_NOTICE, "user not authenticated"); return retval; } @@ -1211,8 +1207,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ALERT, pamh - ,"password - new password not obtained"); + pam_syslog(pamh, LOG_ALERT, + "password - new password not obtained"); } pass_old = NULL; /* tidy up */ return retval; @@ -1232,7 +1228,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, } if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "new password not acceptable"); pass_new = pass_old = NULL; /* tidy up */ return retval; @@ -1257,7 +1253,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (pass_old) { retval = _unix_verify_password(pamh, user, pass_old, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user password changed by another process"); + pam_syslog(pamh, LOG_NOTICE, "user password changed by another process"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -1267,7 +1263,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _unix_verify_shadow(pamh, user, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user not authenticated 2"); + pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -1276,7 +1272,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "new password not acceptable 2"); pass_new = pass_old = NULL; /* tidy up */ #ifdef USE_LCKPWDF @@ -1320,7 +1316,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, char *temp = malloc(9); if (temp == NULL) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "out of memory for password"); pass_new = pass_old = NULL; /* tidy up */ #ifdef USE_LCKPWDF @@ -1352,7 +1348,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, _pam_delete(tpass); pass_old = pass_new = NULL; } else { /* something has broken with the module */ - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "password received unknown request"); retval = PAM_ABORT; } diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index 49aa29aa..b0e40384 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -53,12 +53,9 @@ #include <security/_pam_macros.h> #include <security/pam_modules.h> +#include <security/pam_ext.h> #include <security/pam_modutil.h> -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - #include "support.h" /* @@ -80,14 +77,14 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "open_session - error recovering service"); return PAM_SESSION_ERR; } @@ -95,7 +92,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, if (login_name == NULL) { login_name = ""; } - _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)", + pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%d)", user_name, login_name, getuid()); return PAM_SUCCESS; @@ -114,19 +111,19 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "close_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "close_session - error recovering service"); return PAM_SESSION_ERR; } - _log_err(LOG_INFO, pamh, "session closed for user %s" - ,user_name); + pam_syslog(pamh, LOG_INFO, "session closed for user %s", + user_name); return PAM_SUCCESS; } diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index f9b84da5..3ed4b1f3 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -25,6 +25,7 @@ #include <security/_pam_macros.h> #include <security/pam_modules.h> +#include <security/pam_ext.h> #include <security/pam_modutil.h> #include "md5.h" @@ -38,84 +39,15 @@ extern char *crypt(const char *key, const char *salt); extern char *bigcrypt(const char *key, const char *salt); -/* syslogging function for errors and other information */ - -void _log_err(int err, pam_handle_t *pamh, const char *format,...) -{ - const void *service = NULL; - char logname[256]; - va_list args; - - pam_get_item(pamh, PAM_SERVICE, &service); - if (service) { - strncpy(logname, service, sizeof(logname)); - logname[sizeof(logname) - 1 - strlen("(pam_unix)")] = '\0'; - strncat(logname, "(pam_unix)", strlen("(pam_unix)")); - } else { - strncpy(logname, "pam_unix", sizeof(logname) - 1); - } - - va_start(args, format); - openlog(logname, LOG_CONS | LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - /* this is a front-end for module-application conversations */ -static int converse(pam_handle_t * pamh, int ctrl, int nargs - ,struct pam_message **message - ,struct pam_response **response) -{ - int retval; - const void *void_conv; - const struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item(pamh, PAM_CONV, &void_conv); - conv = void_conv; - if (retval == PAM_SUCCESS) { - - retval = conv->conv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, pamh, "conversation failure [%s]" - ,pam_strerror(pamh, retval)); - } - } else if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_ERR, pamh - ,"couldn't obtain coversation function [%s]" - ,pam_strerror(pamh, retval)); - } - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -int _make_remark(pam_handle_t * pamh, unsigned int ctrl - ,int type, const char *text) +int _make_remark(pam_handle_t * pamh, unsigned int ctrl, + int type, const char *text) { int retval = PAM_SUCCESS; if (off(UNIX__QUIET, ctrl)) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - - if (resp) { - _pam_drop_reply(resp, 1); - } + retval = pam_prompt(pamh, type, NULL, "%s", text); } return retval; } @@ -166,7 +98,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, } if (j >= UNIX_CTRLS_) { - _log_err(LOG_ERR, pamh, + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", *argv); } else { ctrl &= unix_args[j].mask; /* for turning things off */ @@ -202,7 +134,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, return ctrl; } -static void _cleanup(pam_handle_t * pamh, void *x, int error_status) +static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED) { _pam_delete(x); } @@ -260,25 +192,25 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) &rhost); (void) pam_get_item(pamh, PAM_TTY, &tty); - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "%d more authentication failure%s; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " "%s%s", failure->count - 1, failure->count == 2 ? "" : "s", failure->name, failure->uid, failure->euid, - tty ? tty : "", ruser ? ruser : "", - rhost ? rhost : "", + tty ? (const char *)tty : "", ruser ? (const char *)ruser : "", + rhost ? (const char *)rhost : "", (failure->user && failure->user[0] != '\0') ? " user=" : "", failure->user ); if (failure->count > UNIX_MAX_RETRIES) { - _log_err(LOG_ALERT, pamh - ,"service(%s) ignoring max retries; %d > %d" - ,service == NULL ? "**unknown**" : service - ,failure->count - ,UNIX_MAX_RETRIES); + pam_syslog(pamh, LOG_ALERT, + "service(%s) ignoring max retries; %d > %d", + service == NULL ? "**unknown**" : (const char *)service, + failure->count, + UNIX_MAX_RETRIES); } } } @@ -291,7 +223,7 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) /* * _unix_getpwnam() searches only /etc/passwd and NIS to find user information */ -static void _unix_cleanup(pam_handle_t *pamh, void *data, int error_status) +static void _unix_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) { free(data); } @@ -336,7 +268,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, i = yp_match(domain, "passwd.byname", name, strlen(name), &userinfo, &len); yp_unbind(domain); - if ((i == YPERR_SUCCESS) && (len < sizeof(buf))) { + if ((i == YPERR_SUCCESS) && ((size_t)len < sizeof(buf))) { strncpy(buf, userinfo, sizeof(buf) - 1); buf[sizeof(buf) - 1] = '\0'; matched = 1; @@ -584,7 +516,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, dup2(fds[0], STDIN_FILENO); if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - for (i=2; i < rlim.rlim_max; i++) { + for (i=2; i < (int)rlim.rlim_max; i++) { if (fds[0] != i) close(i); } @@ -617,7 +549,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, close(fds[1]); rc=waitpid(child, &retval, 0); /* wait for helper to complete */ if (rc<0) { - _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno)); + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno)); retval = PAM_AUTH_ERR; } else { retval = WEXITSTATUS(retval); @@ -706,7 +638,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name)); if (data_name == NULL) { - _log_err(LOG_CRIT, pamh, "no memory for data-name"); + pam_syslog(pamh, LOG_CRIT, "no memory for data-name"); } else { strcpy(data_name, FAIL_PREFIX); strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); @@ -729,12 +661,12 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "check pass; user (%s) unknown", name); } else { name = NULL; if (on(UNIX_DEBUG, ctrl) || pwd == NULL) { - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "check pass; user unknown"); } else { /* don't log failure as another pam module can succeed */ @@ -843,15 +775,15 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name (void) pam_get_item(pamh, PAM_TTY, &tty); - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "authentication failure; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " "%s%s", new->name, new->uid, new->euid, - tty ? tty : "", - ruser ? ruser : "", - rhost ? rhost : "", + tty ? (const char *)tty : "", + ruser ? (const char *)ruser : "", + rhost ? (const char *)rhost : "", (new->user && new->user[0] != '\0') ? " user=" : "", new->user @@ -862,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name pam_set_data(pamh, data_name, new, _cleanup_failures); } else { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "no memory for failure recorder"); } } @@ -894,7 +826,7 @@ int _unix_read_password(pam_handle_t * pamh ,const void **pass) { int authtok_flag; - int retval; + int retval = PAM_SUCCESS; char *token; D(("called")); @@ -919,8 +851,8 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_get_item(pamh, authtok_flag, pass); if (retval != PAM_SUCCESS) { /* very strange. */ - _log_err(LOG_ALERT, pamh - ,"pam_get_item returned error to unix-read-password" + pam_syslog(pamh, LOG_ALERT, + "pam_get_item returned error to unix-read-password" ); return retval; } else if (*pass != NULL) { /* we have a password! */ @@ -938,77 +870,62 @@ int _unix_read_password(pam_handle_t * pamh */ { - struct pam_message msg[3], *pmsg[3]; - struct pam_response *resp; - int i, replies; - - /* prepare to converse */ + int replies=1; + char *resp[2] = { NULL, NULL }; if (comment != NULL && off(UNIX__QUIET, ctrl)) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; - i = 1; - } else { - i = 0; - } - - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; - replies = 1; - - if (prompt2 != NULL) { - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; - ++replies; + retval = pam_info(pamh, "%s", comment); + } + + if (retval == PAM_SUCCESS) { + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, + &resp[0], "%s", prompt1); + + if (retval == PAM_SUCCESS && prompt2 != NULL) { + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, + &resp[1], "%s", prompt2); + ++replies; + } } - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, ctrl, i, pmsg, &resp); - - if (resp != NULL) { + if (resp[0] != NULL && resp[replies-1] != NULL) { /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ - token = x_strdup(resp[i - replies].resp); + token = resp[0]; if (token != NULL) { if (replies == 2) { - /* verify that password entered correctly */ - if (!resp[i - 1].resp - || strcmp(token, resp[i - 1].resp)) { - _pam_delete(token); /* mistyped */ + if (strcmp(token, resp[replies - 1])) { + /* mistyped */ retval = PAM_AUTHTOK_RECOVER_ERR; - _make_remark(pamh, ctrl - ,PAM_ERROR_MSG, MISTYPED_PASS); + _make_remark(pamh, ctrl, + PAM_ERROR_MSG, MISTYPED_PASS); } } } else { - _log_err(LOG_NOTICE, pamh - ,"could not recover authentication token"); + pam_syslog(pamh, LOG_NOTICE, + "could not recover authentication token"); } } - /* - * tidy up the conversation (resp_retcode) is ignored - * -- what is it for anyway? AGM - */ - - _pam_drop_reply(resp, i); } else { retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval; } + + resp[0] = NULL; + if (replies > 1) + _pam_delete(resp[1]); } if (retval != PAM_SUCCESS) { + _pam_delete(token); + if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "unable to obtain a password"); return retval; } @@ -1025,7 +942,7 @@ int _unix_read_password(pam_handle_t * pamh != PAM_SUCCESS) { *pass = NULL; - _log_err(LOG_CRIT, pamh, "error manipulating password"); + pam_syslog(pamh, LOG_CRIT, "error manipulating password"); return retval; } @@ -1037,9 +954,9 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh - ,"error manipulating password data [%s]" - ,pam_strerror(pamh, retval)); + pam_syslog(pamh, LOG_CRIT, + "error manipulating password data [%s]", + pam_strerror(pamh, retval)); _pam_delete(token); return retval; } diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 9cf21136..9873b161 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -129,7 +129,6 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = _pam_drop(xx); \ } -extern void _log_err(int err, pam_handle_t *pamh, const char *format,...); extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ,int type, const char *text); extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 5e4b0eae..cc42c4df 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -59,7 +59,7 @@ static void _log_err(int err, const char *format,...) va_list args; va_start(args, format); - openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTH); + openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTHPRIV); vsyslog(err, format, args); va_end(args); closelog(); |