diff options
Diffstat (limited to 'Linux-PAM/libpam')
-rw-r--r-- | Linux-PAM/libpam/Makefile.am | 4 | ||||
-rw-r--r-- | Linux-PAM/libpam/include/security/_pam_macros.h | 13 | ||||
-rw-r--r-- | Linux-PAM/libpam/include/security/_pam_types.h | 14 | ||||
-rw-r--r-- | Linux-PAM/libpam/include/security/pam_modutil.h | 3 | ||||
-rw-r--r-- | Linux-PAM/libpam/libpam.map | 5 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_audit.c | 54 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_dispatch.c | 66 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_end.c | 13 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_handlers.c | 210 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_item.c | 29 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_misc.c | 22 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_modutil_getgrgid.c | 2 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_modutil_getgrnam.c | 2 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_modutil_getpwnam.c | 2 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_modutil_getpwuid.c | 2 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_modutil_getspnam.c | 2 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_private.h | 22 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_start.c | 3 | ||||
-rw-r--r-- | Linux-PAM/libpam/pam_static_modules.h | 18 |
19 files changed, 358 insertions, 128 deletions
diff --git a/Linux-PAM/libpam/Makefile.am b/Linux-PAM/libpam/Makefile.am index a0955441..0daca423 100644 --- a/Linux-PAM/libpam/Makefile.am +++ b/Linux-PAM/libpam/Makefile.am @@ -20,11 +20,11 @@ include_HEADERS = include/security/_pam_compat.h \ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h pam_static_modules.h -libpam_la_LDFLAGS = -no-undefined -version-info 81:9:81 +libpam_la_LDFLAGS = -no-undefined -version-info 81:10:81 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ if STATIC_MODULES - libpam_la_LIBADD += `ls ../modules/pam_*/*.lo` \ + libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \ @LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil endif if HAVE_VERSIONING diff --git a/Linux-PAM/libpam/include/security/_pam_macros.h b/Linux-PAM/libpam/include/security/_pam_macros.h index f7da10a7..bd107cfb 100644 --- a/Linux-PAM/libpam/include/security/_pam_macros.h +++ b/Linux-PAM/libpam/include/security/_pam_macros.h @@ -25,6 +25,15 @@ do { \ *__xx__++ = '\0'; \ } while (0) +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register unsigned int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__<n; __i__++) \ + __xx__[__i__] = 0; \ +} while (0) + /* * Don't just free it, forget it too. */ @@ -85,7 +94,7 @@ static void _pam_output_debug_info(const char *file, const char *fn { FILE *logfile; int must_close = 1, fd; - + #ifdef O_NOFOLLOW if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { #else @@ -111,7 +120,7 @@ static void _pam_output_debug(const char *format, ...) va_list args; FILE *logfile; int must_close = 1, fd; - + va_start(args, format); #ifdef O_NOFOLLOW diff --git a/Linux-PAM/libpam/include/security/_pam_types.h b/Linux-PAM/libpam/include/security/_pam_types.h index 45bae97b..2f7e807f 100644 --- a/Linux-PAM/libpam/include/security/_pam_types.h +++ b/Linux-PAM/libpam/include/security/_pam_types.h @@ -138,8 +138,11 @@ typedef struct pam_handle pam_handle_t; #define PAM_OLDAUTHTOK 7 /* The old authentication token */ #define PAM_RUSER 8 /* The remote user name */ #define PAM_USER_PROMPT 9 /* the prompt for getting a username */ +/* Linux-PAM extensions */ #define PAM_FAIL_DELAY 10 /* app supplied function to override failure delays */ +#define PAM_XDISPLAY 11 /* X display name */ +#define PAM_XAUTHDATA 12 /* X server authentication data */ /* -------------- Special defines used by Linux-PAM -------------- */ @@ -279,6 +282,17 @@ struct pam_conv { void *appdata_ptr; }; +/* Used by the PAM_XAUTHDATA pam item. Contains X authentication + data used by modules to connect to the user's X display. Note: + this structure is intentionally compatible with xcb_auth_info_t. */ + +struct pam_xauth_data { + int namelen; + char *name; + int datalen; + char *data; +}; + /* ... adapted from the pam_appl.h file created by Theodore Ts'o and * * Copyright Theodore Ts'o, 1996. All rights reserved. diff --git a/Linux-PAM/libpam/include/security/pam_modutil.h b/Linux-PAM/libpam/include/security/pam_modutil.h index efb72436..ffdf5ad0 100644 --- a/Linux-PAM/libpam/include/security/pam_modutil.h +++ b/Linux-PAM/libpam/include/security/pam_modutil.h @@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count); extern int pam_modutil_write(int fd, const char *buffer, int count); +extern int PAM_NONNULL((1,3)) +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval); #ifdef __cplusplus } #endif diff --git a/Linux-PAM/libpam/libpam.map b/Linux-PAM/libpam/libpam.map index 1c2c4480..e37fc356 100644 --- a/Linux-PAM/libpam/libpam.map +++ b/Linux-PAM/libpam/libpam.map @@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 { pam_modutil_read; pam_modutil_write; }; + +LIBPAM_MODUTIL_1.1 { + global: + pam_modutil_audit_write; +} LIBPAM_MODUTIL_1.0; diff --git a/Linux-PAM/libpam/pam_audit.c b/Linux-PAM/libpam/pam_audit.c index 240d4a89..6fd6a0c1 100644 --- a/Linux-PAM/libpam/pam_audit.c +++ b/Linux-PAM/libpam/pam_audit.c @@ -6,9 +6,10 @@ Authors: Steve Grubb <sgrubb@redhat.com> */ -#include "pam_private.h" #include <stdio.h> #include <syslog.h> +#include "pam_private.h" +#include "pam_modutil_private.h" #ifdef HAVE_LIBAUDIT #include <libaudit.h> @@ -56,26 +57,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, return rc; } -int -_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +static int +_pam_audit_open(pam_handle_t *pamh) { - const char *message; - int type; int audit_fd; - audit_fd = audit_open(); if (audit_fd < 0) { /* You get these error codes only when the kernel doesn't have * audit compiled in. */ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) - return retval; + return -2; /* this should only fail in case of extreme resource shortage, * need to prevent login in that case for CAPP compliance. */ pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m"); + return -1; + } + + return audit_fd; +} + +int +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +{ + const char *message; + int type; + int audit_fd; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; } switch (action) { @@ -142,4 +156,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) return 0; } +int +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval) +{ + int audit_fd; + int rc; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; + } + + rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); + + audit_close(audit_fd); + + return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS; +} + +#else +int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED, + const char *message UNUSED, int retval UNUSED) +{ + return PAM_SUCCESS; +} #endif /* HAVE_LIBAUDIT */ diff --git a/Linux-PAM/libpam/pam_dispatch.c b/Linux-PAM/libpam/pam_dispatch.c index ab032d74..fa4e5ed4 100644 --- a/Linux-PAM/libpam/pam_dispatch.c +++ b/Linux-PAM/libpam/pam_dispatch.c @@ -34,7 +34,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, _pam_boolean resumed, int use_cached_chain) { - int depth, impression, status, skip_depth; + int depth, impression, status, skip_depth, prev_level, stack_level; + struct _pam_substack_state *substates = NULL; IF_NO_PAMH("_pam_dispatch_aux", pamh, PAM_SYSTEM_ERR); @@ -54,27 +55,51 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, skip_depth = pamh->former.depth; status = pamh->former.status; impression = pamh->former.impression; + substates = pamh->former.substates; /* forget all that */ pamh->former.impression = _PAM_UNDEF; pamh->former.status = PAM_MUST_FAIL_CODE; pamh->former.depth = 0; + pamh->former.substates = NULL; } else { skip_depth = 0; - impression = _PAM_UNDEF; - status = PAM_MUST_FAIL_CODE; + substates = malloc(PAM_SUBSTACK_MAX_LEVEL * sizeof(*substates)); + if (substates == NULL) { + pam_syslog(pamh, LOG_CRIT, + "_pam_dispatch_aux: no memory for substack states"); + return PAM_BUF_ERR; + } + substates[0].impression = impression = _PAM_UNDEF; + substates[0].status = status = PAM_MUST_FAIL_CODE; } + prev_level = 0; + /* Loop through module logic stack */ - for (depth=0 ; h != NULL ; h = h->next, ++depth) { + for (depth=0 ; h != NULL ; prev_level = stack_level, h = h->next, ++depth) { int retval, cached_retval, action; + stack_level = h->stack_level; + /* skip leading modules if they have already returned */ if (depth < skip_depth) { continue; } + /* remember state if we are entering a substack */ + if (prev_level < stack_level) { + substates[stack_level].impression = impression; + substates[stack_level].status = status; + } + /* attempt to call the module */ - if (h->func == NULL) { + if (h->handler_type == PAM_HT_MUST_FAIL) { + D(("module poorly listed in PAM config; forcing failure")); + retval = PAM_MUST_FAIL_CODE; + } else if (h->handler_type == PAM_HT_SUBSTACK) { + D(("skipping substack handler")); + continue; + } else if (h->func == NULL) { D(("module function is not defined, indicating failure")); retval = PAM_MODULE_UNKNOWN; } else { @@ -83,10 +108,6 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, retval = h->func(pamh, flags, h->argc, h->argv); pamh->mod_name=NULL; D(("module returned: %s", pam_strerror(pamh, retval))); - if (h->must_fail) { - D(("module poorly listed in PAM config; forcing failure")); - retval = PAM_MUST_FAIL_CODE; - } } /* @@ -100,6 +121,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, pamh->former.impression = impression; pamh->former.status = status; pamh->former.depth = depth; + pamh->former.substates = substates; D(("module %d returned PAM_INCOMPLETE", depth)); return retval; @@ -176,8 +198,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, switch (action) { case _PAM_ACTION_RESET: - impression = _PAM_UNDEF; - status = PAM_MUST_FAIL_CODE; + impression = substates[stack_level].impression; + status = substates[stack_level].status; break; case _PAM_ACTION_OK: @@ -244,9 +266,13 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } /* this means that we need to skip #action stacked modules */ - do { - h = h->next; - } while ( --action > 0 && h != NULL ); + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { + do { + h = h->next; + ++depth; + } while (h->next != NULL && h->next->stack_level > stack_level); + --action; + } /* note if we try to skip too many modules action is still non-zero and we snag the next if. */ @@ -254,14 +280,19 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, /* this case is a syntax error: we can't succeed */ if (action) { - D(("action syntax error")); + pam_syslog(pamh, LOG_ERR, "bad jump in stack"); impression = _PAM_NEGATIVE; status = PAM_MUST_FAIL_CODE; } } - } - + continue; + decision_made: /* by getting here we have made a decision */ + while (h->next != NULL && h->next->stack_level >= stack_level) { + h = h->next; + ++depth; + } + } /* Sanity check */ if ( status == PAM_SUCCESS && impression != _PAM_POSITIVE ) { @@ -269,6 +300,7 @@ decision_made: /* by getting here we have made a decision */ status = PAM_MUST_FAIL_CODE; } + free(substates); /* We have made a decision about the modules executed */ return status; } diff --git a/Linux-PAM/libpam/pam_end.c b/Linux-PAM/libpam/pam_end.c index 23a9dd5d..a2d94085 100644 --- a/Linux-PAM/libpam/pam_end.c +++ b/Linux-PAM/libpam/pam_end.c @@ -1,7 +1,7 @@ /* pam_end.c */ /* - * $Id: pam_end.c,v 1.4 2006/01/12 10:06:49 t8m Exp $ + * $Id: pam_end.c,v 1.7 2008/01/28 14:50:21 kukuk Exp $ */ #include "pam_private.h" @@ -71,6 +71,17 @@ int pam_end(pam_handle_t *pamh, int pam_status) _pam_drop(pamh->pam_conversation); pamh->fail_delay.delay_fn_ptr = NULL; + _pam_drop(pamh->former.substates); + + _pam_overwrite(pamh->xdisplay); + _pam_drop(pamh->xdisplay); + + _pam_overwrite(pamh->xauth.name); + _pam_drop(pamh->xauth.name); + _pam_overwrite_n(pamh->xauth.data, (unsigned int)pamh->xauth.datalen); + _pam_drop(pamh->xauth.data); + _pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth)); + /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); diff --git a/Linux-PAM/libpam/pam_handlers.c b/Linux-PAM/libpam/pam_handlers.c index 87d781d2..11508145 100644 --- a/Linux-PAM/libpam/pam_handlers.c +++ b/Linux-PAM/libpam/pam_handlers.c @@ -18,7 +18,7 @@ #define BUF_SIZE 1024 #define MODULE_CHUNK 4 -#define UNKNOWN_MODULE_PATH "<*unknown module path*>" +#define UNKNOWN_MODULE "<*unknown module*>" #ifndef _PAM_ISA #define _PAM_ISA "." #endif @@ -28,7 +28,7 @@ static int _pam_assemble_line(FILE *f, char *buf, int buf_len); static void _pam_free_handlers_aux(struct handler **hp); static int _pam_add_handler(pam_handle_t *pamh - , int must_fail, int other, int type + , int must_fail, int other, int stack_level, int type , int *actions, const char *mod_path , int argc, char **argv, int argvlen); @@ -43,6 +43,7 @@ static int _pam_add_handler(pam_handle_t *pamh static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name , const char *service /* specific file */ , int module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -51,6 +52,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f , const char *known_service /* specific file */ , int requested_module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -68,7 +70,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f int module_type, actions[_PAM_RETURN_VALUES]; int other; /* set if module is for PAM_DEFAULT_SERVICE */ int res; /* module added successfully? */ - int must_fail=0; /* a badly formatted line must fail when used */ + int handler_type = PAM_HT_MODULE; /* regular handler from a module */ int argc; char **argv; int argvlen; @@ -92,6 +94,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f /* accept "service name" or PAM_DEFAULT_SERVICE modules */ if (!strcasecmp(this_service, pamh->service_name) || other) { int pam_include = 0; + int substack = 0; /* This is a service we are looking for */ D(("_pam_init_handlers: Found PAM config entry for: %s" @@ -105,7 +108,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f "(%s) empty module type", this_service); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ - must_fail = 1; /* install as normal but fail when dispatched */ + handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ } else if (!strcasecmp("auth", tok)) { module_type = PAM_T_AUTH; } else if (!strcasecmp("session", tok)) { @@ -121,9 +124,9 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f this_service, tok); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ - must_fail = 1; /* install as normal but fail when dispatched */ + handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ } - D(("Using %s config entry: %s", must_fail?"BAD ":"", tok)); + D(("Using %s config entry: %s", handler_type?"BAD ":"", tok)); if (requested_module_type != PAM_T_ANY && module_type != requested_module_type) { D(("Skipping config entry: %s (requested=%d, found=%d)", @@ -145,7 +148,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f pam_syslog(pamh, LOG_ERR, "(%s) no control flag supplied", this_service); _pam_set_default_control(actions, _PAM_ACTION_BAD); - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; } else if (!strcasecmp("required", tok)) { D(("*PAM_F_REQUIRED*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; @@ -171,6 +174,11 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } else if (!strcasecmp("include", tok)) { D(("*PAM_F_INCLUDE*")); pam_include = 1; + substack = 0; + } else if (!strcasecmp("substack", tok)) { + D(("*PAM_F_SUBSTACK*")); + pam_include = 1; + substack = 1; } else { D(("will need to parse %s", tok)); _pam_parse_control(actions, tok); @@ -180,7 +188,18 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f tok = _pam_StrTok(NULL, " \n\t", &nexttok); if (pam_include) { - if (_pam_load_conf_file(pamh, tok, this_service, module_type + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, + 0, NULL, 0); + if (res != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "error adding substack %s", tok); + D(("failed to load module - aborting")); + return PAM_ABORT; + } + } + if (_pam_load_conf_file(pamh, tok, this_service, module_type, + stack_level + substack #ifdef PAM_READ_BOTH_CONFS , !other #endif /* PAM_READ_BOTH_CONFS */ @@ -188,7 +207,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f continue; _pam_set_default_control(actions, _PAM_ACTION_BAD); mod_path = NULL; - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; nexttok = NULL; } else if (tok != NULL) { mod_path = tok; @@ -199,7 +218,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f pam_syslog(pamh, LOG_ERR, "(%s) no module name supplied", this_service); mod_path = NULL; - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; } /* nexttok points to remaining arguments... */ @@ -219,7 +238,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f int y; D(("CONF%s: %s%s %d %s %d" - , must_fail?"<*will fail*>":"" + , handler_type==PAM_HT_MUST_FAIL?"<*will fail*>":"" , this_service, other ? "(backup)":"" , module_type , mod_path, argc)); @@ -235,7 +254,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } #endif - res = _pam_add_handler(pamh, must_fail, other + res = _pam_add_handler(pamh, handler_type, other, stack_level , module_type, actions, mod_path , argc, argv, argvlen); if (res != PAM_SUCCESS) { @@ -252,6 +271,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name , const char *service /* specific file */ , int module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -263,6 +283,12 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name D(("_pam_load_conf_file called")); + if (stack_level >= PAM_SUBSTACK_MAX_LEVEL) { + D(("maximum level of substacks reached")); + pam_syslog(pamh, LOG_ERR, "maximum level of substacks reached"); + return PAM_ABORT; + } + if (config_name == NULL) { D(("no config file supplied")); pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service); @@ -280,7 +306,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name D(("opening %s", config_name)); f = fopen(config_name, "r"); if (f != NULL) { - retval = _pam_parse_conf_file(pamh, f, service, module_type + retval = _pam_parse_conf_file(pamh, f, service, module_type, stack_level #ifdef PAM_READ_BOTH_CONFS , not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -379,7 +405,8 @@ int _pam_init_handlers(pam_handle_t *pamh) f = fopen(filename, "r"); if (f != NULL) { /* would test magic here? */ - retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, pamh->service_name, + PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -400,7 +427,7 @@ int _pam_init_handlers(pam_handle_t *pamh) D(("checking %s", PAM_CONFIG)); if ((f = fopen(PAM_CONFIG,"r")) != NULL) { - retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 1); + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1); fclose(f); } else #endif /* PAM_READ_BOTH_CONFS */ @@ -419,9 +446,8 @@ int _pam_init_handlers(pam_handle_t *pamh) f = fopen(PAM_DEFAULT_SERVICE_FILE, "r"); if (f != NULL) { /* would test magic here? */ - retval = _pam_parse_conf_file(pamh, f - , PAM_DEFAULT_SERVICE - , PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, PAM_DEFAULT_SERVICE, + PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -454,7 +480,7 @@ int _pam_init_handlers(pam_handle_t *pamh) return PAM_ABORT; } - retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -581,46 +607,19 @@ extract_modulename(const char *mod_path) return retval; } -int _pam_add_handler(pam_handle_t *pamh - , int must_fail, int other, int type - , int *actions, const char *mod_path - , int argc, char **argv, int argvlen) +static struct loaded_module * +_pam_load_module(pam_handle_t *pamh, const char *mod_path) { - struct loaded_module *mod; int x = 0; - struct handler **handler_p; - struct handler **handler_p2; - struct handlers *the_handlers; - const char *sym, *sym2; - char *mod_full_path=NULL; + int success; #ifndef PAM_STATIC char *mod_full_isa_path=NULL, *isa=NULL; #endif - servicefn func, func2; - int success; - - D(("called.")); - IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR); - - /* if NULL set to something that can be searched for */ - switch (mod_path != NULL) { - default: - if (mod_path[0] == '/') { - break; - } - if (asprintf(&mod_full_path, "%s%s", - DEFAULT_MODULE_PATH, mod_path) >= 0) { - mod_path = mod_full_path; - break; - } - mod_full_path = NULL; - pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); - case 0: - mod_path = UNKNOWN_MODULE_PATH; - } + struct loaded_module *mod; - D(("_pam_add_handler: adding type %d, module `%s'",type,mod_path)); - mod = pamh->handlers.module; + D(("_pam_load_module: loading module `%s'", mod_path)); + + mod = pamh->handlers.module; /* First, ensure the module is loaded */ while (x < pamh->handlers.modules_used) { @@ -639,9 +638,8 @@ int _pam_add_handler(pam_handle_t *pamh if (tmp == NULL) { D(("cannot enlarge module pointer memory")); pam_syslog(pamh, LOG_ERR, - "realloc returned NULL in _pam_add_handler"); - _pam_drop(mod_full_path); - return PAM_ABORT; + "realloc returned NULL in _pam_load_module"); + return NULL; } pamh->handlers.module = tmp; pamh->handlers.modules_allocated += MODULE_CHUNK; @@ -654,10 +652,10 @@ int _pam_add_handler(pam_handle_t *pamh /* Only load static function if function was not found dynamically. * This code should work even if no dynamic loading is available. */ if (success != PAM_SUCCESS) { - D(("_pam_add_handler: open static handler %s", mod_path)); + D(("_pam_load_module: open static handler %s", mod_path)); mod->dl_handle = _pam_open_static_handler(pamh, mod_path); if (mod->dl_handle == NULL) { - D(("_pam_add_handler: unable to find static handler %s", + D(("_pam_load_module: unable to find static handler %s", mod_path)); pam_syslog(pamh, LOG_ERR, "unable to open static handler %s", mod_path); @@ -670,15 +668,15 @@ int _pam_add_handler(pam_handle_t *pamh } } #else - D(("_pam_add_handler: _pam_dlopen(%s)", mod_path)); + D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); mod->dl_handle = _pam_dlopen(mod_path); - D(("_pam_add_handler: _pam_dlopen'ed")); - D(("_pam_add_handler: dlopen'ed")); + D(("_pam_load_module: _pam_dlopen'ed")); + D(("_pam_load_module: dlopen'ed")); if (mod->dl_handle == NULL) { if (strstr(mod_path, "$ISA")) { mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1); if (mod_full_isa_path == NULL) { - D(("_pam_handler: couldn't get memory for mod_path")); + D(("_pam_load_module: couldn't get memory for mod_path")); pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } else { @@ -694,9 +692,9 @@ int _pam_add_handler(pam_handle_t *pamh } } if (mod->dl_handle == NULL) { - D(("_pam_add_handler: _pam_dlopen(%s) failed", mod_path)); - pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s)", mod_path); - pam_syslog(pamh, LOG_ERR, "[error: %s]", _pam_dlerror()); + D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path)); + pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path, + _pam_dlerror()); /* Don't abort yet; static code may be able to find function. * But defaults to abort if nothing found below... */ } else { @@ -717,7 +715,7 @@ int _pam_add_handler(pam_handle_t *pamh /* indicate its name - later we will search for it by this */ if ((mod->name = _pam_strdup(mod_path)) == NULL) { - D(("_pam_handler: couldn't get memory for mod_path")); + D(("_pam_load_module: couldn't get memory for mod_path")); pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } @@ -726,18 +724,54 @@ int _pam_add_handler(pam_handle_t *pamh mod += x; /* the located module */ success = PAM_SUCCESS; } + return success == PAM_SUCCESS ? mod : NULL; +} + +int _pam_add_handler(pam_handle_t *pamh + , int handler_type, int other, int stack_level, int type + , int *actions, const char *mod_path + , int argc, char **argv, int argvlen) +{ + struct loaded_module *mod = NULL; + struct handler **handler_p; + struct handler **handler_p2; + struct handlers *the_handlers; + const char *sym, *sym2; + char *mod_full_path; + servicefn func, func2; + int mod_type = PAM_MT_FAULTY_MOD; + + D(("called.")); + IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR); - _pam_drop(mod_full_path); - mod_path = NULL; /* no longer needed or trusted */ + D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'", + type, handler_type, mod_path)); - /* Now return error if necessary after trying all possible ways... */ - if (success != PAM_SUCCESS) - return(success); + if (handler_type == PAM_HT_MODULE && mod_path != NULL) { + if (mod_path[0] == '/') { + mod = _pam_load_module(pamh, mod_path); + } else if (asprintf(&mod_full_path, "%s%s", + DEFAULT_MODULE_PATH, mod_path) >= 0) { + mod = _pam_load_module(pamh, mod_full_path); + _pam_drop(mod_full_path); + } else { + pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); + return PAM_ABORT; + } + + if (mod == NULL) { + /* if we get here with NULL it means allocation error */ + return PAM_ABORT; + } + + mod_type = mod->type; + } + + if (mod_path == NULL) + mod_path = UNKNOWN_MODULE; /* - * At this point 'mod' points to the stored/loaded module. If its - * dl_handle is unknown, then we must be able to indicate dispatch - * failure with 'must_fail' + * At this point 'mod' points to the stored/loaded module. */ /* Now define the handler(s) based on mod->dlhandle and type */ @@ -780,43 +814,43 @@ int _pam_add_handler(pam_handle_t *pamh /* are the modules reliable? */ if ( #ifdef PAM_STATIC - mod->type != PAM_MT_STATIC_MOD + mod_type != PAM_MT_STATIC_MOD && #else - mod->type != PAM_MT_DYNAMIC_MOD + mod_type != PAM_MT_DYNAMIC_MOD && #endif - mod->type != PAM_MT_FAULTY_MOD + mod_type != PAM_MT_FAULTY_MOD ) { - D(("_pam_add_handlers: illegal module library type; %d", mod->type)); + D(("_pam_add_handlers: illegal module library type; %d", mod_type)); pam_syslog(pamh, LOG_ERR, "internal error: module library type not known: %s;%d", - sym, mod->type); + sym, mod_type); return PAM_ABORT; } /* now identify this module's functions - for non-faulty modules */ #ifdef PAM_STATIC - if ((mod->type == PAM_MT_STATIC_MOD) && + if ((mod_type == PAM_MT_STATIC_MOD) && (func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) { pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym); } #else - if ((mod->type == PAM_MT_DYNAMIC_MOD) && + if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func = _pam_dlsym(mod->dl_handle, sym)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym); } #endif if (sym2) { #ifdef PAM_STATIC - if ((mod->type == PAM_MT_STATIC_MOD) && + if ((mod_type == PAM_MT_STATIC_MOD) && (func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2)) == NULL) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } #else - if ((mod->type == PAM_MT_DYNAMIC_MOD) && + if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } @@ -835,14 +869,15 @@ int _pam_add_handler(pam_handle_t *pamh return (PAM_ABORT); } - (*handler_p)->must_fail = must_fail; /* failure forced? */ + (*handler_p)->handler_type = handler_type; + (*handler_p)->stack_level = stack_level; (*handler_p)->func = func; memcpy((*handler_p)->actions,actions,sizeof((*handler_p)->actions)); (*handler_p)->cached_retval = _PAM_INVALID_RETVAL; (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); (*handler_p)->argc = argc; (*handler_p)->argv = argv; /* not a copy */ - (*handler_p)->mod_name = extract_modulename(mod->name); + (*handler_p)->mod_name = extract_modulename(mod_path); (*handler_p)->next = NULL; /* some of the modules have a second calling function */ @@ -857,7 +892,8 @@ int _pam_add_handler(pam_handle_t *pamh return (PAM_ABORT); } - (*handler_p2)->must_fail = must_fail; /* failure forced? */ + (*handler_p2)->handler_type = handler_type; + (*handler_p2)->stack_level = stack_level; (*handler_p2)->func = func2; memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions)); (*handler_p2)->cached_retval = _PAM_INVALID_RETVAL; /* ignored */ @@ -873,7 +909,7 @@ int _pam_add_handler(pam_handle_t *pamh } else { (*handler_p2)->argv = NULL; /* no arguments */ } - (*handler_p2)->mod_name = extract_modulename(mod->name); + (*handler_p2)->mod_name = extract_modulename(mod_path); (*handler_p2)->next = NULL; } diff --git a/Linux-PAM/libpam/pam_item.c b/Linux-PAM/libpam/pam_item.c index 41d5b816..2d7985c8 100644 --- a/Linux-PAM/libpam/pam_item.c +++ b/Linux-PAM/libpam/pam_item.c @@ -1,7 +1,7 @@ /* pam_item.c */ /* - * $Id: pam_item.c,v 1.13 2006/03/12 10:26:30 kukuk Exp $ + * $Id: pam_item.c,v 1.15 2008/01/28 14:50:21 kukuk Exp $ */ #include "pam_private.h" @@ -138,6 +138,25 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) pamh->fail_delay.delay_fn_ptr = item; break; + case PAM_XDISPLAY: + RESET(pamh->xdisplay, item); + break; + + case PAM_XAUTHDATA: + if (pamh->xauth.namelen) { + _pam_overwrite(pamh->xauth.name); + free(pamh->xauth.name); + } + if (pamh->xauth.datalen) { + _pam_overwrite_n(pamh->xauth.data, + (unsigned int) pamh->xauth.datalen); + free(pamh->xauth.data); + } + pamh->xauth = *((const struct pam_xauth_data *) item); + pamh->xauth.name = _pam_strdup(pamh->xauth.name); + pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen); + break; + default: retval = PAM_BAD_ITEM; } @@ -220,6 +239,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) *item = pamh->fail_delay.delay_fn_ptr; break; + case PAM_XDISPLAY: + *item = pamh->xdisplay; + break; + + case PAM_XAUTHDATA: + *item = &pamh->xauth; + break; + default: retval = PAM_BAD_ITEM; } diff --git a/Linux-PAM/libpam/pam_misc.c b/Linux-PAM/libpam/pam_misc.c index 770c9cce..574a570e 100644 --- a/Linux-PAM/libpam/pam_misc.c +++ b/Linux-PAM/libpam/pam_misc.c @@ -137,6 +137,28 @@ char *_pam_strdup(const char *x) return new; /* return the duplicate or NULL on error */ } +/* + * Safe duplication of memory buffers. "Paranoid"; don't leave + * evidence of old token around for later stack analysis. + */ + +char *_pam_memdup(const char *x, int len) +{ + register char *new=NULL; + + if (x != NULL) { + if ((new = malloc(len)) == NULL) { + len = 0; + pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory"); + } else { + memcpy (new, x, len); + } + x = NULL; + } + + return new; /* return the duplicate or NULL on error */ +} + /* Generate argv, argc from s */ /* caller must free(argv) */ diff --git a/Linux-PAM/libpam/pam_modutil_getgrgid.c b/Linux-PAM/libpam/pam_modutil_getgrgid.c index 420068f7..5b862872 100644 --- a/Linux-PAM/libpam/pam_modutil_getgrgid.c +++ b/Linux-PAM/libpam/pam_modutil_getgrgid.c @@ -1,5 +1,5 @@ /* - * $Id: pam_modutil_getgrgid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * $Id: pam_modutil_getgrgid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $ * * This function provides a thread safer version of getgrgid() for use * with PAM modules that care about this sort of thing. diff --git a/Linux-PAM/libpam/pam_modutil_getgrnam.c b/Linux-PAM/libpam/pam_modutil_getgrnam.c index 908f816d..99c90800 100644 --- a/Linux-PAM/libpam/pam_modutil_getgrnam.c +++ b/Linux-PAM/libpam/pam_modutil_getgrnam.c @@ -1,5 +1,5 @@ /* - * $Id: pam_modutil_getgrnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * $Id: pam_modutil_getgrnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $ * * This function provides a thread safer version of getgrnam() for use * with PAM modules that care about this sort of thing. diff --git a/Linux-PAM/libpam/pam_modutil_getpwnam.c b/Linux-PAM/libpam/pam_modutil_getpwnam.c index 6bb7d195..b81617d5 100644 --- a/Linux-PAM/libpam/pam_modutil_getpwnam.c +++ b/Linux-PAM/libpam/pam_modutil_getpwnam.c @@ -1,5 +1,5 @@ /* - * $Id: pam_modutil_getpwnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * $Id: pam_modutil_getpwnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $ * * This function provides a thread safer version of getpwnam() for use * with PAM modules that care about this sort of thing. diff --git a/Linux-PAM/libpam/pam_modutil_getpwuid.c b/Linux-PAM/libpam/pam_modutil_getpwuid.c index 15fe077c..3ea02488 100644 --- a/Linux-PAM/libpam/pam_modutil_getpwuid.c +++ b/Linux-PAM/libpam/pam_modutil_getpwuid.c @@ -1,5 +1,5 @@ /* - * $Id: pam_modutil_getpwuid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * $Id: pam_modutil_getpwuid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $ * * This function provides a thread safer version of getpwuid() for use * with PAM modules that care about this sort of thing. diff --git a/Linux-PAM/libpam/pam_modutil_getspnam.c b/Linux-PAM/libpam/pam_modutil_getspnam.c index 1c926063..6c02e9c2 100644 --- a/Linux-PAM/libpam/pam_modutil_getspnam.c +++ b/Linux-PAM/libpam/pam_modutil_getspnam.c @@ -1,5 +1,5 @@ /* - * $Id: pam_modutil_getspnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * $Id: pam_modutil_getspnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $ * * This function provides a thread safer version of getspnam() for use * with PAM modules that care about this sort of thing. diff --git a/Linux-PAM/libpam/pam_private.h b/Linux-PAM/libpam/pam_private.h index 8b7d9146..333f4d0f 100644 --- a/Linux-PAM/libpam/pam_private.h +++ b/Linux-PAM/libpam/pam_private.h @@ -44,7 +44,7 @@ #define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */ struct handler { - int must_fail; + int handler_type; int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv); int actions[_PAM_RETURN_VALUES]; /* set by authenticate, open_session, chauthtok(1st) @@ -54,8 +54,13 @@ struct handler { char **argv; struct handler *next; char *mod_name; + int stack_level; }; +#define PAM_HT_MODULE 0 +#define PAM_HT_MUST_FAIL 1 +#define PAM_HT_SUBSTACK 2 + struct loaded_module { char *name; int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */ @@ -76,7 +81,7 @@ struct handlers { }; struct service { - struct loaded_module *module; /* Only used for dynamic loading */ + struct loaded_module *module; /* Array of modules */ int modules_allocated; int modules_used; int handlers_loaded; @@ -111,6 +116,12 @@ struct _pam_fail_delay { const void *delay_fn_ptr; }; +/* initial state in substack */ +struct _pam_substack_state { + int impression; + int status; +}; + struct _pam_former_state { /* this is known and set by _pam_dispatch() */ int choice; /* which flavor of module function did we call? */ @@ -119,6 +130,7 @@ struct _pam_former_state { int depth; /* how deep in the stack were we? */ int impression; /* the impression at that time */ int status; /* the status before returning incomplete */ + struct _pam_substack_state *substates; /* array of initial substack states */ /* state info used by pam_get_user() function */ int fail_user; @@ -140,9 +152,11 @@ struct pam_handle { char *rhost; char *ruser; char *tty; + char *xdisplay; struct pam_data *data; struct pam_environ *env; /* structure to maintain environment list */ struct _pam_fail_delay fail_delay; /* helper function for easy delays */ + struct pam_xauth_data xauth; /* auth info for X display */ struct service handlers; struct _pam_former_state former; /* library state - support for event driven applications */ @@ -175,6 +189,8 @@ struct pam_handle { #define _PAM_ACTION_UNDEF -6 /* this is treated as an error ( = _PAM_ACTION_BAD) */ +#define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */ + /* character tables for parsing config files */ extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF]; extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1]; @@ -253,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next); char *_pam_strdup(const char *s); +char *_pam_memdup(const char *s, int len); + int _pam_mkargv(char *s, char ***argv, int *argc); void _pam_sanitize(pam_handle_t *pamh); diff --git a/Linux-PAM/libpam/pam_start.c b/Linux-PAM/libpam/pam_start.c index b2c62e54..d7198323 100644 --- a/Linux-PAM/libpam/pam_start.c +++ b/Linux-PAM/libpam/pam_start.c @@ -3,7 +3,7 @@ /* Creator Marc Ewing * Maintained by AGM * - * $Id: pam_start.c,v 1.9 2006/07/24 15:47:40 kukuk Exp $ + * $Id: pam_start.c,v 1.10 2007/10/19 17:06:30 t8m Exp $ * */ @@ -88,6 +88,7 @@ int pam_start ( (*pamh)->oldauthtok = NULL; (*pamh)->fail_delay.delay_fn_ptr = NULL; (*pamh)->former.choice = PAM_NOT_STACKED; + (*pamh)->former.substates = NULL; #ifdef HAVE_LIBAUDIT (*pamh)->audit_state = 0; #endif diff --git a/Linux-PAM/libpam/pam_static_modules.h b/Linux-PAM/libpam/pam_static_modules.h index 27b70826..a66b486d 100644 --- a/Linux-PAM/libpam/pam_static_modules.h +++ b/Linux-PAM/libpam/pam_static_modules.h @@ -45,7 +45,9 @@ extern struct pam_module _pam_filter_modstruct; extern struct pam_module _pam_ftp_modstruct; extern struct pam_module _pam_group_modstruct; extern struct pam_module _pam_issue_modstruct; +#ifdef HAVE_KEY_MANAGEMENT extern struct pam_module _pam_keyinit_modstruct; +#endif extern struct pam_module _pam_lastlog_modstruct; extern struct pam_module _pam_limits_modstruct; extern struct pam_module _pam_listfile_modstruct; @@ -55,7 +57,7 @@ extern struct pam_module _pam_mail_modstruct; extern struct pam_module _pam_mkhomedir_modstruct; extern struct pam_module _pam_motd_modstruct; #ifdef HAVE_UNSHARE -extern struct pam_module _pam_namespace; +extern struct pam_module _pam_namespace_modstruct; #endif extern struct pam_module _pam_nologin_modstruct; extern struct pam_module _pam_permit_modstruct; @@ -65,12 +67,16 @@ extern struct pam_module _pam_rootok_modstruct; extern struct pam_module _pam_securetty_modstruct; #ifdef WITH_SELINUX extern struct pam_module _pam_selinux_modstruct; +extern struct pam_module _pam_sepermit_modstruct; #endif extern struct pam_module _pam_shells_modstruct; extern struct pam_module _pam_stress_modstruct; extern struct pam_module _pam_succeed_if_modstruct; extern struct pam_module _pam_tally_modstruct; extern struct pam_module _pam_time_modstruct; +#ifdef HAVE_AUDIT_TTY_STATUS +extern struct pam_module _pam_tty_audit_modstruct; +#endif extern struct pam_module _pam_umask_modstruct; extern struct pam_module _pam_unix_acct_modstruct; extern struct pam_module _pam_unix_auth_modstruct; @@ -92,12 +98,14 @@ static struct pam_module *static_modules[] = { &_pam_echo_modstruct, &_pam_env_modstruct, &_pam_exec_modstruct, - &_pam_faildelay, + &_pam_faildelay_modstruct, &_pam_filter_modstruct, &_pam_ftp_modstruct, &_pam_group_modstruct, &_pam_issue_modstruct, +#ifdef HAVE_KEY_MANAGEMENT &_pam_keyinit_modstruct, +#endif &_pam_lastlog_modstruct, &_pam_limits_modstruct, &_pam_listfile_modstruct, @@ -107,7 +115,7 @@ static struct pam_module *static_modules[] = { &_pam_mkhomedir_modstruct, &_pam_motd_modstruct, #ifdef HAVE_UNSHARE - &_pam_namespace, + &_pam_namespace_modstruct, #endif &_pam_nologin_modstruct, &_pam_permit_modstruct, @@ -117,12 +125,16 @@ static struct pam_module *static_modules[] = { &_pam_securetty_modstruct, #ifdef WITH_SELINUX &_pam_selinux_modstruct, + &_pam_sepermit_modstruct, #endif &_pam_shells_modstruct, &_pam_stress_modstruct, &_pam_succeed_if_modstruct, &_pam_tally_modstruct, &_pam_time_modstruct, +#ifdef HAVE_AUDIT_TTY_STATUS + &_pam_tty_audit_modstruct, +#endif &_pam_umask_modstruct, &_pam_unix_acct_modstruct, &_pam_unix_auth_modstruct, |