Diffstat (limited to 'Linux-PAM/libpam')
48 files changed, 3270 insertions, 1930 deletions
diff --git a/Linux-PAM/libpam/Makefile b/Linux-PAM/libpam/Makefile deleted file mode 100644 index 94d92de6..00000000 --- a/Linux-PAM/libpam/Makefile +++ /dev/null 
@@ -1,170 +0,0 @@ -# -# $Id: Makefile,v 1.12 2005/03/29 20:41:20 toady Exp $ -# -# - -include ../Make.Rules - -# need to tell libpam about the default directory for PAMs -MOREFLAGS=-D"DEFAULT_MODULE_PATH=\"$(SECUREDIR)/\"" - -ifeq ($(WITH_LIBDEBUG),yes) - LIBNAME=libpamd - CFLAGS += -D"DEBUG" - CFLAGS += -g -else - LIBNAME=libpam -endif -ifeq ($(WITH_PRELUDE),yes) - CFLAGS += -DPRELUDE -DLIBPRELUDE_CONFIG_PREFIX=\"`libprelude-config --prefix`\" - LINKLIBS += -lprelude -endif -VERSION=.$(MAJOR_REL) -MODIFICATION=.$(MINOR_REL) - -# --------------------------------------------- - -dummy: ../Make.Rules all - -# --------------------------------------------- - -CFLAGS += $(DYNAMIC) $(STATIC) $(MOREFLAGS) \ - -DLIBPAM_VERSION_MAJOR=$(MAJOR_REL) \ - -DLIBPAM_VERSION_MINOR=$(MINOR_REL) \ - -DLIBPAM_VERSION_STRING=\"$(MAJOR_REL).$(MINOR_REL)\" - -# dynamic library names - -LIBPAM = $(LIBNAME).$(DYNTYPE) -LIBPAMNAME = $(LIBPAM)$(VERSION) -LIBPAMFULL = $(LIBPAMNAME)$(MODIFICATION) - -# static library name - -LIBPAMSTATIC = $(LIBNAME).a - -ifdef STATIC -# @echo Did you mean to set STATIC\? -MODULES = $(shell cat ../modules/_static_module_objects) -STATICOBJ = pam_static.o -else -MODULES = -endif - -ifeq ($(WITH_MEMORY_DEBUG),yes) -EXTRAS += pam_malloc.o -endif - -LIBOBJECTS = pam_item.o pam_strerror.o pam_end.o pam_start.o pam_data.o \ - pam_delay.o pam_dispatch.o pam_handlers.o pam_misc.o \ - pam_account.o pam_auth.o pam_prelude.o pam_session.o pam_password.o \ - pam_env.o pam_log.o $(EXTRAS) - -ifeq ($(DYNAMIC_LIBPAM),yes) -# libpam.so needs -ldl, too. 
-DLIBOBJECTS = $(addprefix dynamic/,$(LIBOBJECTS) $(STATICOBJ)) -ifeq ($(STATICOBJ),yes) -dynamic/pam_static.o: pam_static.c ../modules/_static_module_objects - $(CC) $(CFLAGS) -c pam_static.c -o $@ -endif -endif - -ifeq ($(STATIC_LIBPAM),yes) -SLIBOBJECTS = $(addprefix static/,$(LIBOBJECTS) $(STATICOBJ)) -ifdef STATICOBJ -static/pam_static.o: pam_static.c ../modules/_static_module_objects - $(CC) $(CFLAGS) -c pam_static.c -o $@ -endif -endif - -# --------------------------------------------- -## rules - -all: dirs $(LIBPAM) $(LIBPAMSTATIC) ../Make.Rules - -dirs: -ifeq ($(DYNAMIC_LIBPAM),yes) - $(MKDIR) dynamic -endif -ifeq ($(STATIC_LIBPAM),yes) - $(MKDIR) static -endif - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ -bootstrap-libpam: bootdir $(LIBPAM) -bootdir: - test -d dynamic || mkdir dynamic - -$(LIBPAM): $(DLIBOBJECTS) -ifeq ($(DYNAMIC_LIBPAM),yes) - ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH)$(LIBPAMNAME) -o $@ $(DLIBOBJECTS) \ - $(MODULES) $(LINKLIBS) - else - $(LD_L) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) - endif - ifeq ($(NEEDSONAME),yes) - rm -f $(LIBPAMFULL) - ln -sf $(LIBPAM) $(LIBPAMFULL) - rm -f $(LIBPAMNAME) - ln -sf $(LIBPAM) $(LIBPAMNAME) - endif -endif - -$(LIBPAMSTATIC): $(SLIBOBJECTS) -ifeq ($(STATIC_LIBPAM),yes) - $(AR) cru $@ $(SLIBOBJECTS) $(MODULES) -ifdef RANLIB - $(RANLIB) $@ -endif -endif - -install: all - $(MKDIR) $(FAKEROOT)$(INCLUDED) $(FAKEROOT)$(libdir) - $(INSTALL) -m 644 include/security/pam_appl.h $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/security/pam_modules.h $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/security/_pam_macros.h $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/security/_pam_types.h $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/security/_pam_compat.h $(FAKEROOT)$(INCLUDED) -ifdef MEMORY_DEBUG - $(INSTALL) -m 644 include/security/pam_malloc.h $(FAKEROOT)$(INCLUDED) -endif -ifeq 
($(DYNAMIC_LIBPAM),yes) - $(INSTALL) -m $(SHLIBMODE) $(LIBPAM) $(FAKEROOT)$(libdir)/$(LIBPAMFULL) -ifndef FAKEROOT - $(LDCONFIG) -else - $(LDCONFIG) -n $(FAKEROOT)$(libdir) -endif - ifneq ($(DYNTYPE),"sl") - ( cd $(FAKEROOT)$(libdir) ; rm -f $(LIBPAM) ; \ - ln -sf $(LIBPAMNAME) $(LIBPAM) ) - endif -endif -ifeq ($(STATIC_LIBPAM),yes) - $(INSTALL) -m 644 $(LIBPAMSTATIC) $(FAKEROOT)$(libdir) -endif - -remove: - rm -f $(FAKEROOT)$(INCLUDED)/_pam_types.h - rm -f $(FAKEROOT)$(INCLUDED)/_pam_macros.h - rm -f $(FAKEROOT)$(INCLUDED)/pam_appl.h - rm -f $(FAKEROOT)$(INCLUDED)/pam_modules.h - rm -f $(FAKEROOT)$(INCLUDED)/pam_malloc.h - rm -f $(FAKEROOT)$(libdir)/$(LIBPAM).* - rm -f $(FAKEROOT)$(libdir)/$(LIBPAM) -ifndef FAKEROOT - $(LDCONFIG) -endif - rm -f $(FAKEROOT)$(libdir)/$(LIBPAMSTATIC) - -clean: - rm -f a.out core *~ static/*.o dynamic/*.o - rm -f *.orig $(LIBPAMNAME) $(LIBPAMFULL) - rm -f *.a *.o *.so ./include/security/*~ - if [ -d dynamic ]; then rmdir dynamic ; fi - if [ -d static ]; then rmdir static ; fi diff --git a/Linux-PAM/libpam/Makefile.am b/Linux-PAM/libpam/Makefile.am new file mode 100644 index 00000000..e96d6df8 --- /dev/null +++ b/Linux-PAM/libpam/Makefile.am 
@@ -0,0 +1,42 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ + -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) -DPAM_VERSION=\"$(VERSION)\" +if HAVE_LIBSELINUX + AM_CFLAGS += -D"WITH_SELINUX" +endif + +CLEANFILES = *~ + +EXTRA_DIST = libpam.map + +include_HEADERS = include/security/_pam_compat.h \ + include/security/_pam_macros.h include/security/_pam_types.h \ + include/security/pam_appl.h include/security/pam_modules.h \ + include/security/pam_ext.h include/security/pam_modutil.h + +noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ + pam_modutil_private.h pam_static_modules.h + +libpam_la_LDFLAGS = -no-undefined -version-info 81:6:81 \ + @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ +if STATIC_MODULES + libpam_la_LDFLAGS += `ls ../modules/pam_*/*.lo` \ + @LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil +endif +if HAVE_VERSIONING + libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map +endif + +lib_LTLIBRARIES = libpam.la + +libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ + pam_dispatch.c pam_end.c pam_env.c pam_handlers.c pam_item.c \ + pam_misc.c pam_password.c pam_prelude.c \ + pam_session.c pam_start.c pam_static.c pam_strerror.c \ + pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ + pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ + pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ + pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c diff --git a/Linux-PAM/libpam/Makefile.in b/Linux-PAM/libpam/Makefile.in new file mode 100644 index 00000000..3220693b --- /dev/null +++ b/Linux-PAM/libpam/Makefile.in 
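Review bot: Under `STATIC_MODULES` the module objects reach the link only through a backtick `ls ../modules/pam_*/*.lo` inside `libpam_la_LDFLAGS`, so they are not prerequisites of `libpam.la`: the generated rule depends on `$(libpam_la_OBJECTS) $(libpam_la_DEPENDENCIES)` and `libpam_la_LIBADD` is empty. A rebuilt module object therefore does not trigger a relink, and the glob picks up whatever `.lo` files happen to be in the module directories at that moment, which matters for a library that carries the authentication modules. Listing the module objects explicitly in `libpam_la_LIBADD`, from which automake derives the dependencies, would address both. The `@LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@` libraries conventionally belong in `LIBADD` as well, leaving `LDFLAGS` for real linker flags such as `-version-info`.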
@@ -0,0 +1,614 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" +@STATIC_MODULES_TRUE@am__append_2 = `ls ../modules/pam_*/*.lo` \ +@STATIC_MODULES_TRUE@ @LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil + +@HAVE_VERSIONING_TRUE@am__append_3 = -Wl,--version-script=$(srcdir)/libpam.map +subdir = libpam +DIST_COMMON = $(include_HEADERS) $(noinst_HEADERS) \ + $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 
$(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" +libLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(lib_LTLIBRARIES) +libpam_la_LIBADD = +am_libpam_la_OBJECTS = pam_account.lo pam_auth.lo pam_data.lo \ + pam_delay.lo pam_dispatch.lo pam_end.lo pam_env.lo \ + pam_handlers.lo pam_item.lo pam_misc.lo pam_password.lo \ + pam_prelude.lo pam_session.lo pam_start.lo pam_static.lo \ + pam_strerror.lo pam_vprompt.lo pam_syslog.lo pam_dynamic.lo \ + pam_audit.lo pam_modutil_cleanup.lo pam_modutil_getpwnam.lo \ + pam_modutil_ioloop.lo pam_modutil_getgrgid.lo \ + pam_modutil_getpwuid.lo pam_modutil_getgrnam.lo \ + pam_modutil_getspnam.lo pam_modutil_getlogin.lo \ + pam_modutil_ingroup.lo +libpam_la_OBJECTS = $(am_libpam_la_OBJECTS) +libpam_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libpam_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I. 
-I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libpam_la_SOURCES) +DIST_SOURCES = $(libpam_la_SOURCES) +includeHEADERS_INSTALL = $(INSTALL_HEADER) +HEADERS = $(include_HEADERS) $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ 
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix 
= @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ + -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) \ + -DPAM_VERSION=\"$(VERSION)\" $(am__append_1) +CLEANFILES = *~ +EXTRA_DIST = libpam.map +include_HEADERS = include/security/_pam_compat.h \ + include/security/_pam_macros.h include/security/_pam_types.h \ + include/security/pam_appl.h include/security/pam_modules.h \ + include/security/pam_ext.h include/security/pam_modutil.h + +noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ + pam_modutil_private.h pam_static_modules.h + +libpam_la_LDFLAGS = -no-undefined -version-info 81:6:81 @LIBAUDIT@ \ + $(LIBPRELUDE_LIBS) @LIBDL@ $(am__append_2) $(am__append_3) +lib_LTLIBRARIES = libpam.la +libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ + pam_dispatch.c pam_end.c pam_env.c pam_handlers.c pam_item.c \ + pam_misc.c pam_password.c pam_prelude.c \ + pam_session.c pam_start.c pam_static.c pam_strerror.c \ + pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ + pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ + pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ + pam_modutil_getspnam.c 
pam_modutil_getlogin.c pam_modutil_ingroup.c + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu libpam/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu libpam/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + else :; fi; \ + done + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + done + +clean-libLTLIBRARIES: + 
-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libpam.la: $(libpam_la_OBJECTS) $(libpam_la_DEPENDENCIES) + $(libpam_la_LINK) -rpath $(libdir) $(libpam_la_OBJECTS) $(libpam_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_account.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_audit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_data.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_delay.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dispatch.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dynamic.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_end.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_handlers.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_item.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_misc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_cleanup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrgid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrnam.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getlogin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwnam.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwuid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/pam_modutil_getspnam.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ingroup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ioloop.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_password.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_prelude.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_session.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_start.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_static.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_strerror.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_syslog.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_vprompt.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o 
$@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-includeHEADERS: $(include_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(include_HEADERS)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ + $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + done + +uninstall-includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(include_HEADERS)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ + rm -f "$(DESTDIR)$(includedir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) 
$(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z 
"$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-includeHEADERS + +install-dvi: install-dvi-am + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-info: install-info-am + +install-man: + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-includeHEADERS install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am 
uninstall-includeHEADERS \ + uninstall-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/libpam/include/security/_pam_compat.h b/Linux-PAM/libpam/include/security/_pam_compat.h index 33520a6c..a5f58e42 100644 --- a/Linux-PAM/libpam/include/security/_pam_compat.h +++ b/Linux-PAM/libpam/include/security/_pam_compat.h @@ -2,8 +2,6 @@ #define _PAM_COMPAT_H /* - * $Id: _pam_compat.h,v 1.1.1.1 2000/06/20 22:11:21 agmorgan Exp $ - * * This file was contributed by Derrick J Brashear <shadow@dementia.org> * slight modification by Brad M. Garcia <bgarcia@fore.com> * 
@@ -15,108 +13,114 @@ /* Solaris uses different constants. We redefine to those here */ #if defined(solaris) || (defined(__SVR4) && defined(sun)) -#ifndef _SECURITY__PAM_TYPES_H - # ifdef _SECURITY_PAM_MODULES_H /* flags for pam_chauthtok() */ # undef PAM_PRELIM_CHECK -# define PAM_PRELIM_CHECK 0x1 +# define PAM_PRELIM_CHECK 0x1 # undef PAM_UPDATE_AUTHTOK -# define PAM_UPDATE_AUTHTOK 0x2 +# define PAM_UPDATE_AUTHTOK 0x2 # endif /* _SECURITY_PAM_MODULES_H */ -#else /* _SECURITY__PAM_TYPES_H */ +# ifdef _SECURITY__PAM_TYPES_H /* generic for pam_* functions */ # undef PAM_SILENT -# define PAM_SILENT 0x80000000 +# define PAM_SILENT 0x80000000 + +# undef PAM_CHANGE_EXPIRED_AUTHTOK +# define PAM_CHANGE_EXPIRED_AUTHTOK 0x4 /* flags for pam_setcred() */ # undef PAM_ESTABLISH_CRED -# define PAM_ESTABLISH_CRED 0x1 +# define PAM_ESTABLISH_CRED 0x1 # undef PAM_DELETE_CRED -# define PAM_DELETE_CRED 0x2 +# define PAM_DELETE_CRED 0x2 # undef PAM_REINITIALIZE_CRED -# define PAM_REINITIALIZE_CRED 0x4 +# define PAM_REINITIALIZE_CRED 0x4 # undef PAM_REFRESH_CRED -# define PAM_REFRESH_CRED 0x8 +# define PAM_REFRESH_CRED 0x8 /* another binary incompatibility comes from the return codes! 
*/ # undef PAM_CONV_ERR -# define PAM_CONV_ERR 6 +# define PAM_CONV_ERR 6 # undef PAM_PERM_DENIED -# define PAM_PERM_DENIED 7 +# define PAM_PERM_DENIED 7 # undef PAM_MAXTRIES -# define PAM_MAXTRIES 8 +# define PAM_MAXTRIES 8 # undef PAM_AUTH_ERR -# define PAM_AUTH_ERR 9 +# define PAM_AUTH_ERR 9 # undef PAM_NEW_AUTHTOK_REQD -# define PAM_NEW_AUTHTOK_REQD 10 +# define PAM_NEW_AUTHTOK_REQD 10 # undef PAM_CRED_INSUFFICIENT -# define PAM_CRED_INSUFFICIENT 11 +# define PAM_CRED_INSUFFICIENT 11 # undef PAM_AUTHINFO_UNAVAIL -# define PAM_AUTHINFO_UNAVAIL 12 +# define PAM_AUTHINFO_UNAVAIL 12 # undef PAM_USER_UNKNOWN -# define PAM_USER_UNKNOWN 13 +# define PAM_USER_UNKNOWN 13 # undef PAM_CRED_UNAVAIL -# define PAM_CRED_UNAVAIL 14 +# define PAM_CRED_UNAVAIL 14 # undef PAM_CRED_EXPIRED -# define PAM_CRED_EXPIRED 15 +# define PAM_CRED_EXPIRED 15 # undef PAM_CRED_ERR -# define PAM_CRED_ERR 16 +# define PAM_CRED_ERR 16 # undef PAM_ACCT_EXPIRED -# define PAM_ACCT_EXPIRED 17 +# define PAM_ACCT_EXPIRED 17 # undef PAM_AUTHTOK_EXPIRED -# define PAM_AUTHTOK_EXPIRED 18 +# define PAM_AUTHTOK_EXPIRED 18 # undef PAM_SESSION_ERR -# define PAM_SESSION_ERR 19 +# define PAM_SESSION_ERR 19 # undef PAM_AUTHTOK_ERR -# define PAM_AUTHTOK_ERR 20 +# define PAM_AUTHTOK_ERR 20 # undef PAM_AUTHTOK_RECOVERY_ERR -# define PAM_AUTHTOK_RECOVERY_ERR 21 +# define PAM_AUTHTOK_RECOVERY_ERR 21 # undef PAM_AUTHTOK_LOCK_BUSY -# define PAM_AUTHTOK_LOCK_BUSY 22 +# define PAM_AUTHTOK_LOCK_BUSY 22 # undef PAM_AUTHTOK_DISABLE_AGING -# define PAM_AUTHTOK_DISABLE_AGING 23 +# define PAM_AUTHTOK_DISABLE_AGING 23 # undef PAM_NO_MODULE_DATA -# define PAM_NO_MODULE_DATA 24 +# define PAM_NO_MODULE_DATA 24 # undef PAM_IGNORE -# define PAM_IGNORE 25 +# define PAM_IGNORE 25 # undef PAM_ABORT -# define PAM_ABORT 26 +# define PAM_ABORT 26 # undef PAM_TRY_AGAIN -# define PAM_TRY_AGAIN 27 +# define PAM_TRY_AGAIN 27 #endif /* _SECURITY__PAM_TYPES_H */ +#else + +/* For compatibility with old Linux-PAM implementations. 
*/ +#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR + #endif /* defined(solaris) || (defined(__SVR4) && defined(sun)) */ #endif /* _PAM_COMPAT_H */ diff --git a/Linux-PAM/libpam/include/security/_pam_macros.h b/Linux-PAM/libpam/include/security/_pam_macros.h index 2827fabf..f7da10a7 100644 --- a/Linux-PAM/libpam/include/security/_pam_macros.h +++ b/Linux-PAM/libpam/include/security/_pam_macros.h @@ -9,8 +9,8 @@ /* a 'safe' version of strdup */ -#include <string.h> #include <stdlib.h> +#include <string.h> #define x_strdup(s) ( (s) ? strdup(s):NULL ) @@ -73,11 +73,11 @@ do { \ * You have been warned :-) - CG * * to get automated debugging to the log file, it must be created manually. - * _PAM_LOGFILE must exist, mode 666 + * _PAM_LOGFILE must exist and be writable to the programs you debug. */ #ifndef _PAM_LOGFILE -#define _PAM_LOGFILE "/tmp/pam-debug.log" +#define _PAM_LOGFILE "/var/run/pam-debug.log" #endif static void _pam_output_debug_info(const char *file, const char *fn diff --git a/Linux-PAM/libpam/include/security/_pam_types.h b/Linux-PAM/libpam/include/security/_pam_types.h index b4413ee3..45bae97b 100644 --- a/Linux-PAM/libpam/include/security/_pam_types.h +++ b/Linux-PAM/libpam/include/security/_pam_types.h 
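Review bot: The alias `#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR` is added only in the new `#else` branch, so under the `solaris` / `__SVR4 && sun` branch the old name is no longer defined by anything visible in this diff: the `@@ -71,8 +63,8 @@` hunk of `_pam_types.h` renames the constant, and the Solaris branch redefines only `PAM_AUTHTOK_RECOVERY_ERR`. Code that still uses the old spelling would then build on Linux and fail on the Solaris branch. Placing the alias after the outer `#endif /* defined(solaris) ... */`, guarded by `#ifndef PAM_AUTHTOK_RECOVER_ERR`, would cover both branches. As a style point, the new `# ifdef _SECURITY__PAM_TYPES_H` is closed by an unindented `#endif /* _SECURITY__PAM_TYPES_H */`; writing it as `# endif`, like the `_SECURITY_PAM_MODULES_H` one, would make the nesting readable.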
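Review bot: The reworded comment in the `@@ -73,11 +73,11 @@` hunk drops the old "mode 666" requirement but says only that `_PAM_LOGFILE` must be "writable to the programs you debug", which still leaves a reader free to make `/var/run/pam-debug.log` world-writable. Debug traces from a PAM stack can be expected to carry authentication-related detail, so the comment should state the intended ownership and mode, for example `* _PAM_LOGFILE must already exist, be owned by the account running the program under test, and not be world-writable or world-readable.` The `#ifndef _PAM_LOGFILE` guard also lets a build override the path, so a sentence advising against a shared directory such as `/tmp` would preserve the benefit of this change. `_pam_output_debug_info` begins on the last line of the hunk and its body lies outside it, so how the file is opened cannot be checked here.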
@@ -1,30 +1,15 @@ /* * <security/_pam_types.h> * - * $Id: _pam_types.h,v 1.6 2005/03/16 00:06:01 toady Exp $ - * * This file defines all of the types common to the Linux-PAM library * applications and modules. * * Note, the copyright+license information is at end of file. - * - * Created: 1996/3/5 by AGM */ #ifndef _SECURITY__PAM_TYPES_H #define _SECURITY__PAM_TYPES_H -#ifndef __LIBPAM_VERSION -# define __LIBPAM_VERSION __libpam_version -#endif -extern unsigned int __libpam_version; - -/* - * include local definition for POSIX - NULL - */ - -#include <locale.h> - /* This is a blind structure; users aren't allowed to see inside a * pam_handle_t, so we don't define struct pam_handle here. This is * defined in a file private to the PAM library. (i.e., it's private @@ -32,6 +17,13 @@ extern unsigned int __libpam_version; typedef struct pam_handle pam_handle_t; +/* ---------------- The Linux-PAM Version defines ----------------- */ + +/* Major and minor version number of the Linux-PAM package. Use + these macros to test for features in specific releases. */ +#define __LINUX_PAM__ 1 +#define __LINUX_PAM_MINOR__ 0 + /* ----------------- The Linux-PAM return values ------------------ */ #define PAM_SUCCESS 0 /* Successful function return */ @@ -71,8 +63,8 @@ typedef struct pam_handle pam_handle_t; #define PAM_NO_MODULE_DATA 18 /* No module specific data is present */ #define PAM_CONV_ERR 19 /* Conversation error */ #define PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ -#define PAM_AUTHTOK_RECOVER_ERR 21 /* Authentication information */ - /* cannot be recovered */ +#define PAM_AUTHTOK_RECOVERY_ERR 21 /* Authentication information */ + /* cannot be recovered */ #define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */ #define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */ #define PAM_TRY_AGAIN 24 /* Preliminary check by password service */ 
@@ -133,31 +125,62 @@ typedef struct pam_handle pam_handle_t; /* ------------------ The Linux-PAM item types ------------------- */ -/* these defines are used by pam_set_item() and pam_get_item() */ +/* These defines are used by pam_set_item() and pam_get_item(). + Please check the spec which are allowed for use by applications + and which are only allowed for use by modules. */ #define PAM_SERVICE 1 /* The service name */ #define PAM_USER 2 /* The user name */ #define PAM_TTY 3 /* The tty name */ #define PAM_RHOST 4 /* The remote host name */ #define PAM_CONV 5 /* The pam_conv structure */ - -/* missing entries found in <security/pam_modules.h> for modules only! */ - +#define PAM_AUTHTOK 6 /* The authentication token (password) */ +#define PAM_OLDAUTHTOK 7 /* The old authentication token */ #define PAM_RUSER 8 /* The remote user name */ #define PAM_USER_PROMPT 9 /* the prompt for getting a username */ #define PAM_FAIL_DELAY 10 /* app supplied function to override failure delays */ +/* -------------- Special defines used by Linux-PAM -------------- */ + +#if defined(__GNUC__) && defined(__GNUC_MINOR__) +# define PAM_GNUC_PREREQ(maj, min) \ + ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) +#else +# define PAM_GNUC_PREREQ(maj, min) 0 +#endif + +#if PAM_GNUC_PREREQ(2,5) +# define PAM_FORMAT(params) __attribute__((__format__ params)) +#else +# define PAM_FORMAT(params) +#endif + +#if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE) +# define PAM_NONNULL(params) __attribute__((__nonnull__ params)) +#else +# define PAM_NONNULL(params) +#endif + /* ---------- Common Linux-PAM application/module PI ----------- */ -extern int pam_set_item(pam_handle_t *pamh, int item_type, const void *item); -extern int pam_get_item(const pam_handle_t *pamh, int item_type, - const void **item); -extern const char *pam_strerror(pam_handle_t *pamh, int errnum); +extern int PAM_NONNULL((1)) +pam_set_item(pam_handle_t *pamh, int item_type, const void *item); + +extern int 
PAM_NONNULL((1)) +pam_get_item(const pam_handle_t *pamh, int item_type, const void **item); + +extern const char * +pam_strerror(pam_handle_t *pamh, int errnum); + +extern int PAM_NONNULL((1,2)) +pam_putenv(pam_handle_t *pamh, const char *name_value); + +extern const char * PAM_NONNULL((1,2)) +pam_getenv(pam_handle_t *pamh, const char *name); -extern int pam_putenv(pam_handle_t *pamh, const char *name_value); -extern const char *pam_getenv(pam_handle_t *pamh, const char *name); -extern char **pam_getenvlist(pam_handle_t *pamh); +extern char ** PAM_NONNULL((1)) +pam_getenvlist(pam_handle_t *pamh); /* ---------- Common Linux-PAM application/module PI ----------- */ @@ -189,22 +212,6 @@ extern char **pam_getenvlist(pam_handle_t *pamh); #define HAVE_PAM_FAIL_DELAY extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay); -#include <syslog.h> -#ifndef LOG_AUTHPRIV -# ifdef LOG_PRIV -# define LOG_AUTHPRIV LOG_PRIV -# endif /* LOG_PRIV */ -#endif /* !LOG_AUTHPRIV */ - -#ifdef MEMORY_DEBUG -/* - * this defines some macros that keep track of what memory has been - * allocated and indicates leakage etc... It should not be included in - * production application/modules. - */ -#include <security/pam_malloc.h> -#endif - /* ------------ The Linux-PAM conversation structures ------------ */ /* Message styles */ @@ -272,18 +279,6 @@ struct pam_conv { void *appdata_ptr; }; -#ifndef LINUX_PAM -/* - * the following few lines represent a hack. They are there to make - * the Linux-PAM headers more compatible with the Sun ones, which have a - * less strictly separated notion of module specific and application - * specific definitions. - */ -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#endif - - /* ... adapted from the pam_appl.h file created by Theodore Ts'o and * * Copyright Theodore Ts'o, 1996. All rights reserved. 
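Review bot: The `!defined(LIBPAM_COMPILE)` condition on `PAM_NONNULL` has no comment, and it looks load-bearing. With `__nonnull__` visible while libpam itself is compiled, GCC would presumably be free to drop the library's own NULL-argument checks (the `IF_NO_PAMH(...)` guards seen elsewhere in this commit). I would add `/* Not applied when building libpam: the attribute would let the compiler remove our own NULL checks. */` above the `#if`, so the condition is not "simplified" away later. In the same hunk the new `PAM_AUTHTOK` and `PAM_OLDAUTHTOK` lines could each carry a "modules only" remark, since the block comment only points at the spec.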
@@ -301,13 +296,13 @@ struct pam_conv { * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE @@ -321,4 +316,3 @@ struct pam_conv { * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _SECURITY__PAM_TYPES_H */ - diff --git a/Linux-PAM/libpam/include/security/pam_appl.h b/Linux-PAM/libpam/include/security/pam_appl.h index 69ee544d..d4172c69 100644 --- a/Linux-PAM/libpam/include/security/pam_appl.h +++ b/Linux-PAM/libpam/include/security/pam_appl.h @@ -1,16 +1,11 @@ /* * <security/pam_appl.h> - * + * * This header file collects definitions for the PAM API --- that is, * public interface between the PAM library and an application program * that wishes to use it. * * Note, the copyright information is at end of file. - * - * Created: 15-Jan-96 by TYT - * Last modified: 1996/3/5 by AGM - * - * $Id: pam_appl.h,v 1.3 2000/11/19 23:54:02 agmorgan Exp $ */ #ifndef _SECURITY_PAM_APPL_H 
@@ -19,41 +14,53 @@ #ifdef __cplusplus extern "C" { #endif - + #include <security/_pam_types.h> /* Linux-PAM common defined types */ /* -------------- The Linux-PAM Framework layer API ------------- */ -extern int pam_start(const char *service_name, const char *user, - const struct pam_conv *pam_conversation, - pam_handle_t **pamh); -extern int pam_end(pam_handle_t *pamh, int pam_status); +extern int PAM_NONNULL((1,3,4)) +pam_start(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh); + +extern int PAM_NONNULL((1)) +pam_end(pam_handle_t *pamh, int pam_status); /* Authentication API's */ -extern int pam_authenticate(pam_handle_t *pamh, int flags); -extern int pam_setcred(pam_handle_t *pamh, int flags); +extern int PAM_NONNULL((1)) +pam_authenticate(pam_handle_t *pamh, int flags); + +extern int PAM_NONNULL((1)) +pam_setcred(pam_handle_t *pamh, int flags); /* Account Management API's */ -extern int pam_acct_mgmt(pam_handle_t *pamh, int flags); +extern int PAM_NONNULL((1)) +pam_acct_mgmt(pam_handle_t *pamh, int flags); /* Session Management API's */ -extern int pam_open_session(pam_handle_t *pamh, int flags); -extern int pam_close_session(pam_handle_t *pamh, int flags); +extern int PAM_NONNULL((1)) +pam_open_session(pam_handle_t *pamh, int flags); + +extern int PAM_NONNULL((1)) +pam_close_session(pam_handle_t *pamh, int flags); /* Password Management API's */ -extern int pam_chauthtok(pam_handle_t *pamh, int flags); +extern int PAM_NONNULL((1)) +pam_chauthtok(pam_handle_t *pamh, int flags); -#ifdef __cplusplus -} -#endif /* take care of any compatibility issues */ #include <security/_pam_compat.h> +#ifdef __cplusplus +} +#endif + /* * Copyright Theodore Ts'o, 1996. All rights reserved. * 
@@ -69,13 +76,13 @@ extern int pam_chauthtok(pam_handle_t *pamh, int flags); * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE diff --git a/Linux-PAM/libpam/include/security/pam_ext.h b/Linux-PAM/libpam/include/security/pam_ext.h new file mode 100644 index 00000000..111dd633 --- /dev/null +++ b/Linux-PAM/libpam/include/security/pam_ext.h 
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2005, 2006 Thorsten Kukuk.
+ *
+ * <security/pam_ext.h>
+ *
+ * This header file collects definitions for the extended PAM API.
+ * This is a public interface of the PAM library for PAM modules,
+ * which makes the life of PAM developers easier, but are not documented
+ * in any standard and are not portable between different PAM
+ * implementations.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SECURITY__PAM_EXT_H_
+#define _SECURITY__PAM_EXT_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <security/_pam_types.h>
+#include <stdarg.h>
+
+extern void PAM_FORMAT((printf, 3, 0)) PAM_NONNULL((3))
+pam_vsyslog (const pam_handle_t *pamh, int priority,
+ const char *fmt, va_list args);
+
+extern void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
+pam_syslog (const pam_handle_t *pamh, int priority, const char *fmt, ...);
+
+extern int PAM_FORMAT((printf, 4, 0)) PAM_NONNULL((1,4))
+pam_vprompt (pam_handle_t *pamh, int style, char **response,
+ const char *fmt, va_list args);
+
+extern int PAM_FORMAT((printf, 4, 5)) PAM_NONNULL((1,4))
+pam_prompt (pam_handle_t *pamh, int style, char **response,
+ const char *fmt, ...);
+
+#define pam_error(pamh, fmt...) \
+ pam_prompt(pamh, PAM_ERROR_MSG, NULL, fmt)
+#define pam_verror(pamh, fmt, args) \
+ pam_vprompt(pamh, PAM_ERROR_MSG, NULL, fmt, args)
+
+#define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt)
+#define pam_vinfo(pamh, fmt, args) pam_vprompt(pamh, PAM_TEXT_INFO, NULL, fmt, args)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/Linux-PAM/libpam/include/security/pam_malloc.h b/Linux-PAM/libpam/include/security/pam_malloc.h
deleted file mode 100644
index bbf31338..00000000
--- a/Linux-PAM/libpam/include/security/pam_malloc.h
+++ /dev/null
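Review bot: `pam_error` and `pam_info` in the new pam_ext.h use the GNU named-variadic form `fmt...`, which other compilers may reject. This is a public header, and `PAM_FORMAT` and `PAM_NONNULL` in _pam_types.h are written to expand to nothing outside GCC, so the macros are the one part that does not degrade cleanly. The C99 spelling avoids that: `#define pam_error(pamh, ...) pam_prompt(pamh, PAM_ERROR_MSG, NULL, __VA_ARGS__)`, and the same for `pam_info`. A one-line comment above the four prototypes saying that `fmt` must be a format string under the module's control, with user-supplied text passed through `"%s"`, would also help on compilers where the format attribute is absent.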
@@ -1,71 +0,0 @@ -/* - * $Id: pam_malloc.h,v 1.3 2001/11/26 03:04:47 agmorgan Exp $ - */ - -/* - * This file (via the use of macros) defines a wrapper for the malloc - * family of calls. It logs where the memory was requested and also - * where it was free()'d and keeps a list of currently requested memory. - * - * It is hoped that it will provide some help in locating memory leaks. - */ - -#ifndef PAM_MALLOC_H -#define PAM_MALLOC_H - -/* these are the macro definitions for the stdlib.h memory functions */ - -#define malloc(s) pam_malloc(s,__FILE__,__FUNCTION__,__LINE__) -#define calloc(n,s) pam_calloc(n,s,__FILE__,__FUNCTION__,__LINE__) -#define free(x) pam_free(x,__FILE__,__FUNCTION__,__LINE__) -/* #define memalign(a,s) pam_memalign(a,s,__FILE__,__FUNCTION__,__LINE__) */ -#define realloc(x,s) pam_realloc(x,s,__FILE__,__FUNCTION__,__LINE__) -/* #define valloc(s) pam_valloc(s,__FILE__,__FUNCTION__,__LINE__) */ -/* #define alloca(s) pam_alloca(s,__FILE__,__FUNCTION__,__LINE__) */ -#define exit(i) pam_exit(i,__FILE__,__FUNCTION__,__LINE__) -#define strdup(s) pam_strdup(s,__FILE__,__FUNCTION__,__LINE__) - -/* these are the prototypes for the wrapper functions */ - -#include <sys/types.h> - -extern void *pam_malloc(size_t s,const char *,const char *, int); -extern void *pam_calloc(size_t n,size_t s,const char *,const char *, int); -extern void pam_free(void *x,const char *,const char *, int); -extern void *pam_memalign(size_t a,size_t s - ,const char *,const char *, int); -extern void *pam_realloc(void *x,size_t s,const char *,const char *, int); -extern void *pam_valloc(size_t s,const char *,const char *, int); -extern void *pam_alloca(size_t s,const char *,const char *, int); -extern void pam_exit(int i,const char *,const char *, int); -extern char *pam_strdup(const char *,const char *,const char *, int); - -/* these are the flags used to turn on and off diagnostics */ - -#define PAM_MALLOC_LEAKED 01 -#define PAM_MALLOC_REQUEST 02 -#define PAM_MALLOC_FREE 04 -#define 
PAM_MALLOC_EXCH (PAM_MALLOC_FREED|PAM_MALLOC_EXCH) -#define PAM_MALLOC_RESIZE 010 -#define PAM_MALLOC_FAIL 020 -#define PAM_MALLOC_NULL 040 -#define PAM_MALLOC_VERIFY 0100 -#define PAM_MALLOC_FUNC 0200 -#define PAM_MALLOC_PAUSE 0400 -#define PAM_MALLOC_STOP 01000 - -#define PAM_MALLOC_ALL 0777 - -#define PAM_MALLOC_DEFAULT \ - (PAM_MALLOC_LEAKED|PAM_MALLOC_PAUSE|PAM_MALLOC_FAIL) - -#include <stdio.h> - -extern FILE *pam_malloc_outfile; /* defaults to stdout */ - -/* how much output do you want? */ - -extern int pam_malloc_flags; -extern int pam_malloc_delay_length; /* how long to pause on errors */ - -#endif /* PAM_MALLOC_H */ diff --git a/Linux-PAM/libpam/include/security/pam_modules.h b/Linux-PAM/libpam/include/security/pam_modules.h index 1f20993f..5c516c4e 100644 --- a/Linux-PAM/libpam/include/security/pam_modules.h +++ b/Linux-PAM/libpam/include/security/pam_modules.h 
@@ -1,32 +1,34 @@ /* * <security/pam_modules.h> - * - * $Id: pam_modules.h,v 1.3 2001/02/05 06:50:41 agmorgan Exp $ * + * This header file collects definitions for the PAM API --- that is, + * public interface between the PAM library and PAM modules. + * + * Note, the copyright information is at end of file. */ #ifndef _SECURITY_PAM_MODULES_H #define _SECURITY_PAM_MODULES_H -#include <security/_pam_types.h> /* Linux-PAM common defined types */ - -/* these defines are used by pam_set_item() and pam_get_item() and are - * in addition to those found in <security/_pam_types.h> */ +#ifdef __cplusplus +extern "C" { +#endif -#define PAM_AUTHTOK 6 /* The authentication token (password) */ -#define PAM_OLDAUTHTOK 7 /* The old authentication token */ +#include <security/_pam_types.h> /* Linux-PAM common defined types */ /* -------------- The Linux-PAM Module PI ------------- */ -extern int pam_set_data(pam_handle_t *pamh, const char *module_data_name, - void *data, - void (*cleanup)(pam_handle_t *pamh, void *data, - int error_status)); -extern int pam_get_data(const pam_handle_t *pamh, - const char *module_data_name, const void **data); +extern int PAM_NONNULL((1,2)) +pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data, + void (*cleanup)(pam_handle_t *pamh, void *data, + int error_status)); + +extern int PAM_NONNULL((1,2,3)) +pam_get_data(const pam_handle_t *pamh, const char *module_data_name, + const void **data); -extern int pam_get_user(pam_handle_t *pamh, const char **user - , const char *prompt); +extern int PAM_NONNULL((1,2)) +pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt); #ifdef PAM_STATIC @@ -56,7 +58,7 @@ struct pam_module { #define PAM_EXTERN extern #endif /* PAM_STATIC */ - + /* Lots of files include pam_modules.h that don't need these * declared. However, when they are declared static, they * need to be defined later. So we have to protect C files 
@@ -127,9 +129,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, #define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */ + /* take care of any compatibility issues */ #include <security/_pam_compat.h> +#ifdef __cplusplus +} +#endif + /* Copyright (C) Theodore Ts'o, 1996. * Copyright (C) Andrew Morgan, 1996-8. * All rights reserved. @@ -146,13 +153,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU General Public License, in which case the provisions of the * GNU GPL are required INSTEAD OF the above restrictions. (This * clause is necessary due to a potential bad interaction between the * GNU GPL and the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE @@ -166,4 +173,3 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _SECURITY_PAM_MODULES_H */ - diff --git a/Linux-PAM/libpam/include/security/pam_modutil.h b/Linux-PAM/libpam/include/security/pam_modutil.h new file mode 100644 index 00000000..efb72436 --- /dev/null +++ b/Linux-PAM/libpam/include/security/pam_modutil.h 
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2001-2002 Andrew Morgan <morgan@kernel.org>
+ *
+ * <security/pam_modutil.h>
+ *
+ * This file is a list of handy libc wrappers that attempt to provide some
+ * thread-safe and other convenient functionality to modules in a common form.
+ *
+ * A number of these functions reserve space in a pam_[sg]et_data item.
+ * In all cases, the name of the item is prefixed with "pam_modutil_*".
+ *
+ * On systems that simply can't support thread safe programming, these
+ * functions don't support it either - sorry.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SECURITY__PAM_MODUTIL_H
+#define _SECURITY__PAM_MODUTIL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <security/_pam_types.h>
+
+extern struct passwd * PAM_NONNULL((1,2))
+pam_modutil_getpwnam(pam_handle_t *pamh, const char *user);
+
+extern struct passwd * PAM_NONNULL((1))
+pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid);
+
+extern struct group * PAM_NONNULL((1,2))
+pam_modutil_getgrnam(pam_handle_t *pamh, const char *group);
+
+extern struct group * PAM_NONNULL((1))
+pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid);
+
+extern struct spwd * PAM_NONNULL((1,2))
+pam_modutil_getspnam(pam_handle_t *pamh, const char *user);
+
+extern int PAM_NONNULL((1,2,3))
+pam_modutil_user_in_group_nam_nam(pam_handle_t *pamh,
+ const char *user,
+ const char *group);
+
+extern int PAM_NONNULL((1,2))
+pam_modutil_user_in_group_nam_gid(pam_handle_t *pamh,
+ const char *user,
+ gid_t group);
+
+extern int PAM_NONNULL((1,3))
+pam_modutil_user_in_group_uid_nam(pam_handle_t *pamh,
+ uid_t user,
+ const char *group);
+
+extern int PAM_NONNULL((1))
+pam_modutil_user_in_group_uid_gid(pam_handle_t *pamh,
+ uid_t user,
+ gid_t group);
+
+extern const char * PAM_NONNULL((1))
+pam_modutil_getlogin(pam_handle_t *pamh);
+
+extern int
+pam_modutil_read(int fd, char *buffer, int count);
+
+extern int
+pam_modutil_write(int fd, const char *buffer, int count);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SECURITY__PAM_MODUTIL_H */
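Review bot: The new pam_modutil.h uses `uid_t` and `gid_t` in its prototypes but includes only `<security/_pam_types.h>`. This same commit removes the `<locale.h>` and `<syslog.h>` includes from that header, and no other system include is visible in its hunks. A module that includes `<security/pam_modutil.h>` before any system header would therefore fail on the typedefs, so I would add `#include <sys/types.h>` next to the existing include. The `struct passwd`, `struct group` and `struct spwd` return types are only pointers and can stay as incomplete types. Separately, `pam_modutil_read` and `pam_modutil_write` take `int count`, so a short comment on the accepted range would help callers that hold a `size_t` length.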
diff --git a/Linux-PAM/libpam/libpam.map b/Linux-PAM/libpam/libpam.map new file mode 100644 index 00000000..1c2c4480 --- /dev/null +++ b/Linux-PAM/libpam/libpam.map @@ -0,0 +1,47 @@ +LIBPAM_1.0 { + global: + pam_acct_mgmt; + pam_authenticate; + pam_chauthtok; + pam_close_session; + pam_end; + pam_open_session; + pam_setcred; + pam_start; + pam_getenv; + pam_putenv; + pam_getenvlist; + pam_set_item; + pam_get_item; + pam_strerror; + pam_fail_delay; + pam_set_data; + pam_get_data; + pam_get_user; + + local: + *; +}; +LIBPAM_EXTENSION_1.0 { + global: + pam_prompt; + pam_vprompt; + pam_syslog; + pam_vsyslog; +}; + +LIBPAM_MODUTIL_1.0 { + global: + pam_modutil_getpwnam; + pam_modutil_getpwuid; + pam_modutil_getgrnam; + pam_modutil_getgrgid; + pam_modutil_getspnam; + pam_modutil_user_in_group_nam_nam; + pam_modutil_user_in_group_nam_gid; + pam_modutil_user_in_group_uid_nam; + pam_modutil_user_in_group_uid_gid; + pam_modutil_getlogin; + pam_modutil_read; + pam_modutil_write; +}; diff --git a/Linux-PAM/libpam/pam_account.c b/Linux-PAM/libpam/pam_account.c index 3a4fb1fc..572acc47 100644 --- a/Linux-PAM/libpam/pam_account.c +++ b/Linux-PAM/libpam/pam_account.c @@ -19,5 +19,9 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); +#endif + return retval; } diff --git a/Linux-PAM/libpam/pam_audit.c b/Linux-PAM/libpam/pam_audit.c new file mode 100644 index 00000000..ff1486aa --- /dev/null +++ b/Linux-PAM/libpam/pam_audit.c 
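Review bot: The audit call added to pam_acct_mgmt runs for every value `_pam_dispatch` returns, so an intermediate "incomplete" return would be written to the audit trail as a failure. _pam_audit_writelog in pam_audit.c passes `retval == PAM_SUCCESS` as the result flag, and the dispatch code in this commit handles a module that returned "incomplete state" on the previous call. If that return can reach this point, an unfinished stack is recorded as a failed attempt, and is recorded again when the application resumes it. Skipping the intermediate return would avoid that: `if (retval != PAM_INCOMPLETE) retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);`. The same pattern is added to pam_authenticate and pam_setcred in the pam_auth.c hunks; all three function bodies start outside their hunks.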
@@ -0,0 +1,134 @@ +/* pam_audit.c -- Instrumentation code for Linux Auditing System */ + +/* (C) 2005-2006 Red Hat, Inc. -- Licensing details are in the COPYING + file accompanying the Linux-PAM source distribution. + + Authors: + Steve Grubb <sgrubb@redhat.com> */ + +#include "pam_private.h" +#include <stdio.h> +#include <syslog.h> + +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#include <pwd.h> +#include <netdb.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <arpa/inet.h> +#include <errno.h> + +#define PAMAUDIT_LOGGED 1 + +static int +_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, + const char *message, int retval) +{ + static int old_errno = -1; + int rc; + char buf[256]; + + snprintf(buf, sizeof(buf), "PAM: %s acct=%s ", message, + (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?"); + + rc = audit_log_user_message( audit_fd, type, buf, + pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); + + if (rc == -1 && errno != old_errno) + { + old_errno = errno; + pam_syslog(pamh, LOG_CRIT, "audit_log_user_message() failed: %m"); + } + + pamh->audit_state |= PAMAUDIT_LOGGED; + return rc; +} + +int +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +{ + const char *message; + int type; + int audit_fd; + + audit_fd = audit_open(); + if (audit_fd < 0) { + /* You get these error codes only when the kernel doesn't have + * audit compiled in. */ + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return retval; + + /* this should only fail in case of extreme resource shortage, + * need to prevent login in that case for CAPP compliance. 
+ */ + pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m"); + return PAM_SYSTEM_ERR; + } + + switch (action) { + case PAM_AUTHENTICATE: + message = "authentication"; + type = AUDIT_USER_AUTH; + break; + case PAM_OPEN_SESSION: + message = "session open"; + type = AUDIT_USER_START; + break; + case PAM_CLOSE_SESSION: + message = "session close"; + type = AUDIT_USER_END; + break; + case PAM_ACCOUNT: + message = "accounting"; + type = AUDIT_USER_ACCT; + break; + case PAM_CHAUTHTOK: + message = "chauthtok"; + type = AUDIT_USER_CHAUTHTOK; + break; + case PAM_SETCRED: + message = "setcred"; + if (flags & PAM_ESTABLISH_CRED) + type = AUDIT_CRED_ACQ; + else if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED)) + type = AUDIT_CRED_REFR; + else if (flags & PAM_DELETE_CRED) + type = AUDIT_CRED_DISP; + else + type = AUDIT_USER_ERR; + break; + case _PAM_ACTION_DONE: + message = "bad_ident"; + type = AUDIT_USER_ERR; + break; + default: + message = "UNKNOWN"; + type = AUDIT_USER_ERR; + pam_syslog(pamh, LOG_CRIT, "_pam_auditlog() should never get here"); + retval = PAM_SYSTEM_ERR; + } + + if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) + retval = PAM_SYSTEM_ERR; + + audit_close(audit_fd); + return retval; +} + +int +_pam_audit_end(pam_handle_t *pamh, int status UNUSED) +{ + if (! (pamh->audit_state & PAMAUDIT_LOGGED)) { + /* PAM library is being shut down without any of the auditted + * stacks having been run. Assume that this is sshd faking + * things for an unknown user. + */ + _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); + } + + return 0; +} + +#endif /* HAVE_LIBAUDIT */ diff --git a/Linux-PAM/libpam/pam_auth.c b/Linux-PAM/libpam/pam_auth.c index f2743624..5c272cfe 100644 --- a/Linux-PAM/libpam/pam_auth.c +++ b/Linux-PAM/libpam/pam_auth.c @@ -1,7 +1,7 @@ /* * pam_auth.c -- PAM authentication * - * $Id: pam_auth.c,v 1.5 2005/03/29 20:41:20 toady Exp $ + * $Id: pam_auth.c,v 1.7 2006/07/24 15:47:40 kukuk Exp $ * */ 
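Review bot: _pam_audit_writelog copies the account name into the audit record verbatim with `snprintf(buf, sizeof(buf), "PAM: %s acct=%s ", ...)`, and `pamh->user` can be a name chosen by an unauthenticated peer. A name containing spaces or `key=value` text would read as extra fields to whatever parses the audit trail, and a long name is silently cut at the 256-byte buffer. I would let libaudit encode the value, for instance by building the record with `audit_log_acct_message()` where the installed libaudit provides it. Otherwise, hex-encode or reject names that contain whitespace or control characters before formatting. The `static int old_errno` that suppresses repeated syslog lines is shared between threads without synchronisation, which deserves at least a comment.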
@@ -45,6 +45,10 @@ int pam_authenticate(pam_handle_t *pamh, int flags) prelude_send_alert(pamh, retval); #endif +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); +#endif + return retval; } @@ -67,6 +71,10 @@ int pam_setcred(pam_handle_t *pamh, int flags) retval = _pam_dispatch(pamh, flags, PAM_SETCRED); +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); +#endif + D(("pam_setcred exit")); return retval; diff --git a/Linux-PAM/libpam/pam_data.c b/Linux-PAM/libpam/pam_data.c index 6a90bd51..30570afb 100644 --- a/Linux-PAM/libpam/pam_data.c +++ b/Linux-PAM/libpam/pam_data.c 
@@ -1,9 +1,38 @@ -/* pam_data.c */ - /* - * $Id: pam_data.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "config.h" + #include "pam_private.h" #include <stdlib.h> 
@@ -19,7 +48,7 @@ static struct pam_data *_pam_locate_data(const pam_handle_t *pamh, IF_NO_PAMH("_pam_locate_data", pamh, NULL); data = pamh->data; - + while (data) { if (!strcmp(data->name, name)) { return data; @@ -37,7 +66,7 @@ int pam_set_data( void (*cleanup)(pam_handle_t *pamh, void *data, int error_status)) { struct pam_data *data_entry; - + D(("called")); IF_NO_PAMH("pam_set_data", pamh, PAM_SYSTEM_ERR); @@ -47,6 +76,12 @@ int pam_set_data( return PAM_SYSTEM_ERR; } + /* module_data_name should not be NULL */ + if (module_data_name == NULL) { + D(("called with NULL as module_data_name")); + return PAM_SYSTEM_ERR; + } + /* first check if there is some data already. If so clean it up */ if ((data_entry = _pam_locate_data(pamh, module_data_name))) { @@ -58,7 +93,8 @@ int pam_set_data( char *tname; if ((tname = _pam_strdup(module_data_name)) == NULL) { - _pam_system_log(LOG_CRIT, "pam_set_data: no memory for data name"); + pam_syslog(pamh, LOG_CRIT, + "pam_set_data: no memory for data name"); _pam_drop(data_entry); return PAM_BUF_ERR; } @@ -66,7 +102,8 @@ int pam_set_data( pamh->data = data_entry; data_entry->name = tname; } else { - _pam_system_log(LOG_CRIT, "pam_set_data: cannot allocate data entry"); + pam_syslog(pamh, LOG_CRIT, + "pam_set_data: cannot allocate data entry"); return PAM_BUF_ERR; } @@ -92,6 +129,12 @@ int pam_get_data( return PAM_SYSTEM_ERR; } + /* module_data_name should not be NULL */ + if (module_data_name == NULL) { + D(("called with NULL as module_data_name")); + return PAM_SYSTEM_ERR; + } + data = _pam_locate_data(pamh, module_data_name); if (data) { *datap = data->data; diff --git a/Linux-PAM/libpam/pam_dispatch.c b/Linux-PAM/libpam/pam_dispatch.c index 4af29f69..ab032d74 100644 --- a/Linux-PAM/libpam/pam_dispatch.c +++ b/Linux-PAM/libpam/pam_dispatch.c 
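Review bot: pam_get_data now rejects a NULL `module_data_name`, but `datap` is still dereferenced a few lines later (`*datap = data->data;`) with no check visible in this hunk. The header declares the function `PAM_NONNULL((1,2,3))`, yet that attribute is disabled when libpam itself is built and is absent for callers on compilers older than GCC 3.3, so the library cannot rely on it. I would extend the added guard to `if (module_data_name == NULL || datap == NULL) {`. The function body starts outside the hunk, so an earlier check may already exist and is worth confirming.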
@@ -1,9 +1,8 @@ /* pam_dispatch.c - handles module function dispatch */ /* - * Copyright (c) 1998 Andrew G. Morgan <morgan@kernel.org> + * Copyright (c) 1998, 2005 Andrew G. Morgan <morgan@kernel.org> * - * $Id: pam_dispatch.c,v 1.7 2005/01/07 15:31:26 t8m Exp $ */ #include "pam_private.h" @@ -40,11 +39,11 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, IF_NO_PAMH("_pam_dispatch_aux", pamh, PAM_SYSTEM_ERR); if (h == NULL) { - const char *service=NULL; + const void *service=NULL; - (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service); - _pam_system_log(LOG_ERR, "no modules loaded for `%s' service", - service ? service:"<unknown>" ); + (void) pam_get_item(pamh, PAM_SERVICE, &service); + pam_syslog(pamh, LOG_ERR, "no modules loaded for `%s' service", + service ? (const char *)service:"<unknown>" ); service = NULL; return PAM_MUST_FAIL_CODE; } @@ -80,7 +79,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, retval = PAM_MODULE_UNKNOWN; } else { D(("passing control to module...")); + pamh->mod_name=h->mod_name; retval = h->func(pamh, flags, h->argc, h->argv); + pamh->mod_name=NULL; D(("module returned: %s", pam_strerror(pamh, retval))); if (h->must_fail) { D(("module poorly listed in PAM config; forcing failure")); @@ -207,7 +208,11 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, #endif /* PAM_FAIL_NOW_ON */ if ( impression != _PAM_NEGATIVE ) { impression = _PAM_NEGATIVE; - status = retval; + /* Don't return with PAM_IGNORE as status */ + if ( retval == PAM_IGNORE ) + status = PAM_MUST_FAIL_CODE; + else + status = retval; } if ( action == _PAM_ACTION_DIE ) { goto decision_made; @@ -237,7 +242,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } } } - + /* this means that we need to skip #action stacked modules */ do { h = h->next; 
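Review bot: The PAM_IGNORE to PAM_MUST_FAIL_CODE mapping is applied only in this negative-impression branch, so it is worth confirming that the other `status = retval` assignments in _pam_dispatch_aux, which lie outside the hunk, cannot hand PAM_IGNORE back to the application when the configuration maps that return value to an ok or done action. The new if/else is also unbraced inside an already deeply nested block; `if (retval == PAM_IGNORE) { status = PAM_MUST_FAIL_CODE; } else { status = retval; }` is harder to break in a later edit. The function body begins and ends outside the hunk.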
@@ -291,7 +296,7 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) /* Load all modules, resolve all symbols */ if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { - _pam_system_log(LOG_ERR, "unable to dispatch function"); + pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); return retval; } @@ -322,7 +327,7 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) } break; default: - _pam_system_log(LOG_ERR, "undefined fn choice; %d", choice); + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); return PAM_ABORT; } @@ -353,7 +358,7 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) /* Did a module return an "incomplete state" last time? */ if (pamh->former.choice != PAM_NOT_STACKED) { if (pamh->former.choice != choice) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "application failed to re-exec stack [%d:%d]", pamh->former.choice, choice); return PAM_ABORT; @@ -366,6 +371,7 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) __PAM_TO_MODULE(pamh); /* call the list of module functions */ + pamh->choice = choice; retval = _pam_dispatch_aux(pamh, flags, h, resumed, use_cached_chain); resumed = PAM_FALSE; @@ -381,4 +387,3 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) return retval; } - diff --git a/Linux-PAM/libpam/pam_dynamic.c b/Linux-PAM/libpam/pam_dynamic.c new file mode 100644 index 00000000..5be33c36 --- /dev/null +++ b/Linux-PAM/libpam/pam_dynamic.c 
@@ -0,0 +1,142 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "pam_private.h" + +#ifndef PAM_STATIC + +#ifdef PAM_SHL +# include <dl.h> +#elif defined(PAM_DYLD) +# include <mach-o/dyld.h> +#else /* PAM_SHL */ +# include <dlfcn.h> +#endif /* PAM_SHL */ + +#ifndef SHLIB_SYM_PREFIX +#define SHLIB_SYM_PREFIX "_" +#endif + +void *_pam_dlopen(const char *mod_path) +{ +#ifdef PAM_SHL + return shl_load(mod_path, BIND_IMMEDIATE, 0L); +#elif defined(PAM_DYLD) + NSObjectFileImage ofile; + void *ret = NULL; + + if (NSCreateObjectFileImageFromFile(mod_path, &ofile) != + NSObjectFileImageSuccess ) + return NULL; + + ret = NSLinkModule(ofile, mod_path, NSLINKMODULE_OPTION_PRIVATE | NSLINKMODULE_OPTION_BINDNOW); + NSDestroyObjectFileImage(ofile); + + return ret; +#else + return dlopen(mod_path, RTLD_NOW); +#endif +} + +servicefn _pam_dlsym(void *handle, const char *symbol) +{ +#ifdef PAM_SHL + char *_symbol = NULL; + servicefn ret; + + if( symbol == NULL ) + return NULL; + + if( shl_findsym(&handle, symbol, (short) TYPE_PROCEDURE, &ret ){ + _symbol = malloc( strlen(symbol) + sizeof(SHLIB_SYM_PREFIX) + 1 ); + if( _symbol == NULL ) + return NULL; + strcpy(_symbol, SHLIB_SYM_PREFIX); + strcat(_symbol, symbol); + if( shl_findsym(&handle, _symbol, + (short) TYPE_PROCEDURE, &ret ){ + free(_symbol); + return NULL; + } + free(_symbol); + } + + return ret; + +#elif defined(PAM_DYLD) + NSSymbol nsSymbol; + char *_symbol; + + if( symbol == NULL ) + return NULL; + _symbol = malloc( strlen(symbol) + 2 ); + if( _symbol == NULL ) + return NULL; + strcpy(_symbol, SHLIB_SYM_PREFIX); + strcat(_symbol, symbol); + + nsSymbol = NSLookupSymbolInModule(handle, _symbol); + if( nsSymbol == NULL ) + return NULL; + free(_symbol); + + return (servicefn)NSAddressOfSymbol(nsSymbol); +#else + return (servicefn) dlsym(handle, symbol); +#endif +} + +void _pam_dlclose(void *handle) +{ +#ifdef PAM_SHL + shl_unload(handle); +#elif defined(PAM_DYLD) + NSUnLinkModule((NSModule)handle, NSUNLINKMODULE_OPTION_NONE); +#else + dlclose(handle); +#endif + + return; +} 
+ +const char * +_pam_dlerror (void) +{ +#if defined(PAM_SHL) || defined(PAM_DYLD) + return "unknown"; +#else + return dlerror (); +#endif +} + +#endif diff --git a/Linux-PAM/libpam/pam_end.c b/Linux-PAM/libpam/pam_end.c index a0716175..23a9dd5d 100644 --- a/Linux-PAM/libpam/pam_end.c +++ b/Linux-PAM/libpam/pam_end.c @@ -1,7 +1,7 @@ /* pam_end.c */ /* - * $Id: pam_end.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ + * $Id: pam_end.c,v 1.4 2006/01/12 10:06:49 t8m Exp $ */ #include "pam_private.h" @@ -21,6 +21,10 @@ int pam_end(pam_handle_t *pamh, int pam_status) return PAM_SYSTEM_ERR; } +#ifdef HAVE_LIBAUDIT + _pam_audit_end(pamh, pam_status); +#endif + /* first liberate the modules (it is not inconcevible that the modules may need to use the service_name etc. to clean up) */ diff --git a/Linux-PAM/libpam/pam_env.c b/Linux-PAM/libpam/pam_env.c index 9027bc79..0f022f9f 100644 --- a/Linux-PAM/libpam/pam_env.c +++ b/Linux-PAM/libpam/pam_env.c @@ -7,7 +7,7 @@ * This file was written from a "hint" provided by the people at SUN. * and the X/Open XSSO draft of March 1997. * - * $Id: pam_env.c,v 1.5 2004/09/22 09:37:47 kukuk Exp $ + * $Id: pam_env.c,v 1.6 2005/09/04 20:32:25 kukuk Exp $ */ #include "pam_private.h" @@ -57,7 +57,7 @@ int _pam_make_env(pam_handle_t *pamh) pamh->env = (struct pam_environ *) malloc(sizeof(struct pam_environ)); if (pamh->env == NULL) { - _pam_system_log(LOG_CRIT, "_pam_make_env: out of memory"); + pam_syslog(pamh, LOG_CRIT, "_pam_make_env: out of memory"); return PAM_BUF_ERR; } @@ -67,7 +67,7 @@ int _pam_make_env(pam_handle_t *pamh) pamh->env->list = (char **)calloc( PAM_ENV_CHUNK, sizeof(char *) ); if (pamh->env->list == NULL) { - _pam_system_log(LOG_CRIT, "_pam_make_env: no memory for list"); + pam_syslog(pamh, LOG_CRIT, "_pam_make_env: no memory for list"); _pam_drop(pamh->env); return PAM_BUF_ERR; } 
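Review bot: The PAM_DYLD branch of `_pam_dlsym` sizes its buffer as `strlen(symbol) + 2`, which is only correct while SHLIB_SYM_PREFIX is the one-character default; because the macro is guarded by `#ifndef` and can be overridden at build time, a longer prefix would make the strcpy/strcat pair write past the allocation, and `sizeof(SHLIB_SYM_PREFIX)` is the size that tracks the macro. The same branch leaks `_symbol` when NSLookupSymbolInModule returns NULL, because the `free` comes after the early return. In the PAM_SHL branch both `if( shl_findsym(...` conditions are missing a closing parenthesis, so that configuration cannot compile as written. The fence shows only the rewritten lines.

```c
/* PAM_SHL branch of _pam_dlsym: close the condition on both lookups */
    if (shl_findsym(&handle, symbol, (short) TYPE_PROCEDURE, &ret)) {
        /* … unchanged: allocate _symbol and build prefix + symbol … */
        if (shl_findsym(&handle, _symbol, (short) TYPE_PROCEDURE, &ret)) {
            /* … unchanged: free(_symbol); return NULL; … */

/* PAM_DYLD branch of _pam_dlsym */
    /* sizeof includes the terminating NUL and follows any prefix override */
    _symbol = malloc(strlen(symbol) + sizeof(SHLIB_SYM_PREFIX));
    /* … unchanged: NULL check, strcpy/strcat of prefix and symbol … */
    nsSymbol = NSLookupSymbolInModule(handle, _symbol);
    free(_symbol);              /* release before the early return */
    if (nsSymbol == NULL)
        return NULL;
```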
@@ -157,7 +157,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) IF_NO_PAMH("pam_putenv", pamh, PAM_ABORT); if (name_value == NULL) { - _pam_system_log(LOG_ERR, "pam_putenv: no variable indicated"); + pam_syslog(pamh, LOG_ERR, "pam_putenv: no variable indicated"); return PAM_PERM_DENIED; } @@ -167,7 +167,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) for (l2eq=0; name_value[l2eq] && name_value[l2eq] != '='; ++l2eq); if (l2eq <= 0) { - _pam_system_log(LOG_ERR, "pam_putenv: bad variable"); + pam_syslog(pamh, LOG_ERR, "pam_putenv: bad variable"); return PAM_BAD_ITEM; } @@ -176,7 +176,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) */ if (pamh->env == NULL || pamh->env->list == NULL) { - _pam_system_log(LOG_ERR, "pam_putenv: no env%s found", + pam_syslog(pamh, LOG_ERR, "pam_putenv: no env%s found", pamh->env == NULL ? "":"-list"); return PAM_ABORT; } @@ -199,8 +199,8 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) , sizeof(char *) ); if (tmp == NULL) { /* nothing has changed - old env intact */ - _pam_system_log(LOG_CRIT, - "pam_putenv: cannot grow environment"); + pam_syslog(pamh, LOG_CRIT, + "pam_putenv: cannot grow environment"); return PAM_BUF_ERR; } @@ -251,8 +251,8 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) /* getting to here implies we are deleting an item */ if (item < 0) { - _pam_system_log(LOG_ERR, "pam_putenv: delete non-existent entry; %s", - name_value); + pam_syslog(pamh, LOG_ERR, + "pam_putenv: delete non-existent entry; %s", name_value); return PAM_BAD_ITEM; } 
@@ -290,13 +290,13 @@ const char *pam_getenv(pam_handle_t *pamh, const char *name) IF_NO_PAMH("pam_getenv", pamh, NULL); if (name == NULL) { - _pam_system_log(LOG_ERR, "pam_getenv: no variable indicated"); + pam_syslog(pamh, LOG_ERR, "pam_getenv: no variable indicated"); return NULL; } if (pamh->env == NULL || pamh->env->list == NULL) { - _pam_system_log(LOG_ERR, "pam_getenv: no env%s found", - pamh->env == NULL ? "":"-list" ); + pam_syslog(pamh, LOG_ERR, "pam_getenv: no env%s found", + pamh->env == NULL ? "":"-list" ); return NULL; } @@ -363,22 +363,22 @@ char **pam_getenvlist(pam_handle_t *pamh) IF_NO_PAMH("pam_getenvlist", pamh, NULL); if (pamh->env == NULL || pamh->env->list == NULL) { - _pam_system_log(LOG_ERR, "pam_getenvlist: no env%s found", - pamh->env == NULL ? "":"-list" ); + pam_syslog(pamh, LOG_ERR, "pam_getenvlist: no env%s found", + pamh->env == NULL ? "":"-list" ); return NULL; } /* some quick checks */ if (pamh->env->requested > pamh->env->entries) { - _pam_system_log(LOG_ERR, "pam_getenvlist: environment corruption"); + pam_syslog(pamh, LOG_ERR, "pam_getenvlist: environment corruption"); _pam_dump_env(pamh); /* only active when debugging */ return NULL; } for (i=pamh->env->requested-1; i-- > 0; ) { if (pamh->env->list[i] == NULL) { - _pam_system_log(LOG_ERR, "pam_getenvlist: environment broken"); + pam_syslog(pamh, LOG_ERR, "pam_getenvlist: environment broken"); _pam_dump_env(pamh); /* only active when debugging */ return NULL; /* somehow we've broken the environment!? */ } diff --git a/Linux-PAM/libpam/pam_handlers.c b/Linux-PAM/libpam/pam_handlers.c index ed03eda8..87d781d2 100644 --- a/Linux-PAM/libpam/pam_handlers.c +++ b/Linux-PAM/libpam/pam_handlers.c @@ -4,8 +4,6 @@ * created by Marc Ewing. * Currently maintained by Andrew G. Morgan <morgan@kernel.org> * - * $Id: pam_handlers.c,v 1.12 2005/02/07 08:18:53 kukuk Exp $ - * */ #include "pam_private.h" 
@@ -18,19 +16,6 @@ #include <fcntl.h> #include <unistd.h> -#ifdef PAM_DYNAMIC -# ifdef PAM_SHL -# include <dl.h> -# else /* PAM_SHL */ -# include <dlfcn.h> -# endif /* PAM_SHL */ -#endif /* PAM_DYNAMIC */ - -/* If not required, define as nothing */ -#ifndef SHLIB_SYM_PREFIX -# define SHLIB_SYM_PREFIX "" -#endif - #define BUF_SIZE 1024 #define MODULE_CHUNK 4 #define UNKNOWN_MODULE_PATH "<*unknown module path*>" @@ -102,10 +87,10 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f other = 0; else #endif /* PAM_READ_BOTH_CONFS */ - other = !_pam_strCMP(this_service, PAM_DEFAULT_SERVICE); + other = !strcasecmp(this_service, PAM_DEFAULT_SERVICE); /* accept "service name" or PAM_DEFAULT_SERVICE modules */ - if (!_pam_strCMP(this_service, pamh->service_name) || other) { + if (!strcasecmp(this_service, pamh->service_name) || other) { int pam_include = 0; /* This is a service we are looking for */ 
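Review bot: `strcasecmp` compares according to the process's current LC_CTYPE locale, and libpam runs inside applications that may have called setlocale(), so the service-name match in the `@@ -102,10 +87,10 @@` hunk, and the module-type and control-flag keyword matches in the next two hunks, can give different results for the same configuration file depending on the calling program's locale. POSIX leaves the result unspecified outside the POSIX locale. If `_pam_strCMP` was an ASCII-only comparison (its definition is not visible here), keeping an ASCII-only helper for these tokens would preserve locale-independent policy parsing; at minimum the choice deserves a comment such as `/* NOTE: strcasecmp is locale-dependent; config tokens are expected to be ASCII */`. _pam_parse_conf_file's body extends beyond the hunks.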
@@ -116,23 +101,24 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f if (tok == NULL) { /* module type does not exist */ D(("_pam_init_handlers: empty module type for %s", this_service)); - _pam_system_log(LOG_ERR, "(%s) empty module type", this_service); + pam_syslog(pamh, LOG_ERR, + "(%s) empty module type", this_service); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ must_fail = 1; /* install as normal but fail when dispatched */ - } else if (!_pam_strCMP("auth", tok)) { + } else if (!strcasecmp("auth", tok)) { module_type = PAM_T_AUTH; - } else if (!_pam_strCMP("session", tok)) { + } else if (!strcasecmp("session", tok)) { module_type = PAM_T_SESS; - } else if (!_pam_strCMP("account", tok)) { + } else if (!strcasecmp("account", tok)) { module_type = PAM_T_ACCT; - } else if (!_pam_strCMP("password", tok)) { + } else if (!strcasecmp("password", tok)) { module_type = PAM_T_PASS; } else { /* Illegal module type */ D(("_pam_init_handlers: bad module type: %s", tok)); - _pam_system_log(LOG_ERR, "(%s) illegal module type: %s", - this_service, tok); + pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s", + this_service, tok); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ must_fail = 1; /* install as normal but fail when dispatched */ 
@@ -156,33 +142,33 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f if (tok == NULL) { /* no module name given */ D(("_pam_init_handlers: no control flag supplied")); - _pam_system_log(LOG_ERR, - "(%s) no control flag supplied", this_service); + pam_syslog(pamh, LOG_ERR, + "(%s) no control flag supplied", this_service); _pam_set_default_control(actions, _PAM_ACTION_BAD); must_fail = 1; - } else if (!_pam_strCMP("required", tok)) { + } else if (!strcasecmp("required", tok)) { D(("*PAM_F_REQUIRED*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_OK; actions[PAM_IGNORE] = _PAM_ACTION_IGNORE; _pam_set_default_control(actions, _PAM_ACTION_BAD); - } else if (!_pam_strCMP("requisite", tok)) { + } else if (!strcasecmp("requisite", tok)) { D(("*PAM_F_REQUISITE*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_OK; actions[PAM_IGNORE] = _PAM_ACTION_IGNORE; _pam_set_default_control(actions, _PAM_ACTION_DIE); - } else if (!_pam_strCMP("optional", tok)) { + } else if (!strcasecmp("optional", tok)) { D(("*PAM_F_OPTIONAL*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_OK; _pam_set_default_control(actions, _PAM_ACTION_IGNORE); - } else if (!_pam_strCMP("sufficient", tok)) { + } else if (!strcasecmp("sufficient", tok)) { D(("*PAM_F_SUFFICIENT*")); actions[PAM_SUCCESS] = _PAM_ACTION_DONE; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_DONE; _pam_set_default_control(actions, _PAM_ACTION_IGNORE); - } else if (!_pam_strCMP("include", tok)) { + } else if (!strcasecmp("include", tok)) { D(("*PAM_F_INCLUDE*")); pam_include = 1; } else { 
@@ -210,8 +196,8 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } else { /* no module name given */ D(("_pam_init_handlers: no module name supplied")); - _pam_system_log(LOG_ERR, - "(%s) no module name supplied", this_service); + pam_syslog(pamh, LOG_ERR, + "(%s) no module name supplied", this_service); mod_path = NULL; must_fail = 1; } @@ -253,7 +239,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f , module_type, actions, mod_path , argc, argv, argvlen); if (res != PAM_SUCCESS) { - _pam_system_log(LOG_ERR, "error loading %s", mod_path); + pam_syslog(pamh, LOG_ERR, "error loading %s", mod_path); D(("failed to load module - aborting")); return PAM_ABORT; } @@ -279,13 +265,13 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name if (config_name == NULL) { D(("no config file supplied")); - _pam_system_log(LOG_ERR, "(%s) no config file supplied", service); + pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service); return PAM_ABORT; } if (config_name[0] != '/') { if (asprintf (&config_path, PAM_CONFIG_DF, config_name) < 0) { - _pam_system_log(LOG_CRIT, "asprintf failed"); + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); return PAM_BUF_ERR; } config_name = config_path; @@ -301,14 +287,14 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name ); fclose(f); if (retval != PAM_SUCCESS) - _pam_system_log(LOG_ERR, - "_pam_load_conf_file: error reading %s: %s", - config_name, pam_strerror(pamh, retval)); + pam_syslog(pamh, LOG_ERR, + "_pam_load_conf_file: error reading %s: %s", + config_name, pam_strerror(pamh, retval)); } else { D(("unable to open %s", config_name)); - _pam_system_log(LOG_ERR, - "_pam_load_conf_file: unable to open %s", - config_name); + pam_syslog(pamh, LOG_ERR, + "_pam_load_conf_file: unable to open %s", + config_name); } _pam_drop(config_path); 
@@ -337,8 +323,8 @@ int _pam_init_handlers(pam_handle_t *pamh) if (! pamh->handlers.module) { if ((pamh->handlers.module = malloc(MODULE_CHUNK * sizeof(struct loaded_module))) == NULL) { - _pam_system_log(LOG_CRIT, - "_pam_init_handlers: no memory loading module"); + pam_syslog(pamh, LOG_CRIT, + "_pam_init_handlers: no memory loading module"); return PAM_BUF_ERR; } pamh->handlers.modules_allocated = MODULE_CHUNK; @@ -355,8 +341,9 @@ int _pam_init_handlers(pam_handle_t *pamh) int fd_tmp; if ((fd_tmp = open( PAM_LOCK_FILE, O_RDONLY )) != -1) { - _pam_system_log(LOG_ERR, "_pam_init_handlers: PAM lockfile (" - PAM_LOCK_FILE ") exists - aborting"); + pam_syslog(pamh, LOG_ERR, + "_pam_init_handlers: PAM lockfile (" + PAM_LOCK_FILE ") exists - aborting"); (void) close(fd_tmp); /* * to avoid swamping the system with requests @@ -382,15 +369,12 @@ int _pam_init_handlers(pam_handle_t *pamh) int read_something=0; D(("searching " PAM_CONFIG_D " for config files")); - filename = malloc(sizeof(PAM_CONFIG_DF) - +strlen(pamh->service_name)); - if (filename == NULL) { - _pam_system_log(LOG_ERR, + if (asprintf(&filename, PAM_CONFIG_DF, pamh->service_name) < 0) { + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: no memory; service %s", pamh->service_name); return PAM_BUF_ERR; } - sprintf(filename, PAM_CONFIG_DF, pamh->service_name); D(("opening %s", filename)); f = fopen(filename, "r"); if (f != NULL) { @@ -402,10 +386,10 @@ int _pam_init_handlers(pam_handle_t *pamh) ); fclose(f); if (retval != PAM_SUCCESS) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: error reading %s", filename); - _pam_system_log(LOG_ERR, "_pam_init_handlers: [%s]", + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: [%s]", pam_strerror(pamh, retval)); } else { read_something = 1; 
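Review bot: In the `@@ -382,15 +369,12 @@` hunk `pamh->service_name` is formatted straight into the path that is then passed to fopen, and nothing in the visible lines rejects a name containing `/`, so the caller-supplied service name decides which file is read as authentication policy. Validation may already happen where the handle is created, which is outside this diff; if it does not, a guard ahead of the asprintf call such as `if (strchr(pamh->service_name, '/') != NULL) return PAM_ABORT;` (or whatever code this function uses for a bad configuration) keeps the lookup inside the configuration directory. Replacing the malloc/sprintf pair with asprintf is otherwise a sound simplification. _pam_init_handlers begins and ends outside the hunk.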
@@ -444,10 +428,10 @@ int _pam_init_handlers(pam_handle_t *pamh) ); fclose(f); if (retval != PAM_SUCCESS) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: error reading %s", PAM_DEFAULT_SERVICE_FILE); - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: [%s]", pam_strerror(pamh, retval)); } else { @@ -455,7 +439,7 @@ int _pam_init_handlers(pam_handle_t *pamh) } } else { D(("unable to open %s", PAM_DEFAULT_SERVICE_FILE)); - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: no default config %s", PAM_DEFAULT_SERVICE_FILE); } @@ -465,7 +449,7 @@ int _pam_init_handlers(pam_handle_t *pamh) } } else { if ((f = fopen(PAM_CONFIG, "r")) == NULL) { - _pam_system_log(LOG_ERR, "_pam_init_handlers: could not open " + pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: could not open " PAM_CONFIG ); return PAM_ABORT; } @@ -483,7 +467,7 @@ int _pam_init_handlers(pam_handle_t *pamh) if (retval != PAM_SUCCESS) { /* Read error */ - _pam_system_log(LOG_ERR, "error reading PAM configuration file"); + pam_syslog(pamh, LOG_ERR, "error reading PAM configuration file"); return PAM_ABORT; } @@ -576,7 +560,26 @@ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len) return used; } -typedef int (*servicefn)(pam_handle_t *, int, int, char **); +static char * +extract_modulename(const char *mod_path) +{ + const char *p = strrchr (mod_path, '/'); + char *dot, *retval; + + if (p == NULL) + p = mod_path; + else + p++; + + if ((retval = _pam_strdup (p)) == NULL) + return NULL; + + dot = strrchr (retval, '.'); + if (dot) + *dot = '\0'; + + return retval; +} int _pam_add_handler(pam_handle_t *pamh , int must_fail, int other, int type 
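Review bot: extract_modulename() hands `mod_path` to strrchr without a NULL check and returns NULL when _pam_strdup fails, and the callers added later in this commit (`(*handler_p)->mod_name = extract_modulename(mod->name);` and its handler #2 twin) store the result unchecked. That makes `h->mod_name`, and therefore `pamh->mod_name` as set in the pam_dispatch.c hunk, legitimately NULL under memory pressure, so every consumer has to tolerate NULL; whether pam_syslog does is not visible here. The function also has no header comment; I would add one stating the contract, e.g. `/* Returns a malloc'd copy of the file name without directory or final extension, or NULL on allocation failure. mod_path must not be NULL; caller frees. */`, and either check the result in _pam_add_handler or note there that NULL is acceptable.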
@@ -589,10 +592,10 @@ int _pam_add_handler(pam_handle_t *pamh struct handler **handler_p2; struct handlers *the_handlers; const char *sym, *sym2; -#ifdef PAM_SHL - const char *_sym, *_sym2; + char *mod_full_path=NULL; +#ifndef PAM_STATIC + char *mod_full_isa_path=NULL, *isa=NULL; #endif - char *mod_full_path=NULL, *mod_full_isa_path=NULL, *isa=NULL; servicefn func, func2; int success; @@ -605,13 +608,13 @@ int _pam_add_handler(pam_handle_t *pamh if (mod_path[0] == '/') { break; } - mod_full_path = malloc(sizeof(DEFAULT_MODULE_PATH)+strlen(mod_path)); - if (mod_full_path) { - sprintf(mod_full_path, DEFAULT_MODULE_PATH "%s", mod_path); + if (asprintf(&mod_full_path, "%s%s", + DEFAULT_MODULE_PATH, mod_path) >= 0) { mod_path = mod_full_path; break; } - _pam_system_log(LOG_CRIT, "cannot malloc full mod path"); + mod_full_path = NULL; + pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); case 0: mod_path = UNKNOWN_MODULE_PATH; } @@ -635,7 +638,7 @@ int _pam_add_handler(pam_handle_t *pamh *sizeof(struct loaded_module)); if (tmp == NULL) { D(("cannot enlarge module pointer memory")); - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "realloc returned NULL in _pam_add_handler"); _pam_drop(mod_full_path); return PAM_ABORT; 
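Review bot: When asprintf fails in the `@@ -605,13 +608,13 @@` hunk, control runs off the end of this case into `case 0:` and `mod_path` becomes UNKNOWN_MODULE_PATH; that looks intentional, but the fall-through is unmarked and easy to mistake for a missing `break`. A `/* fallthrough: treat as unknown module path */` comment after the pam_syslog call would make the intent explicit and quiet compiler fall-through warnings. Resetting `mod_full_path = NULL` after the failed call is the right move, since asprintf does not guarantee the pointer's value on failure and it is later passed to _pam_drop. The switch header lies outside the hunk.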
@@ -647,21 +650,36 @@ int _pam_add_handler(pam_handle_t *pamh /* Be pessimistic... */ success = PAM_ABORT; -#ifdef PAM_DYNAMIC - D(("_pam_add_handler: dlopen(%s) -> %lx", mod_path, &mod->dl_handle)); - mod->dl_handle = -# ifdef PAM_SHL - shl_load(mod_path, BIND_IMMEDIATE, 0L); -# else /* PAM_SHL */ - dlopen(mod_path, RTLD_NOW); -# endif /* PAM_SHL */ +#ifdef PAM_STATIC + /* Only load static function if function was not found dynamically. + * This code should work even if no dynamic loading is available. */ + if (success != PAM_SUCCESS) { + D(("_pam_add_handler: open static handler %s", mod_path)); + mod->dl_handle = _pam_open_static_handler(pamh, mod_path); + if (mod->dl_handle == NULL) { + D(("_pam_add_handler: unable to find static handler %s", + mod_path)); + pam_syslog(pamh, LOG_ERR, + "unable to open static handler %s", mod_path); + /* Didn't find module in dynamic or static..will mark bad */ + } else { + D(("static module added successfully")); + success = PAM_SUCCESS; + mod->type = PAM_MT_STATIC_MOD; + pamh->handlers.modules_used++; + } + } +#else + D(("_pam_add_handler: _pam_dlopen(%s)", mod_path)); + mod->dl_handle = _pam_dlopen(mod_path); + D(("_pam_add_handler: _pam_dlopen'ed")); D(("_pam_add_handler: dlopen'ed")); if (mod->dl_handle == NULL) { if (strstr(mod_path, "$ISA")) { mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1); if (mod_full_isa_path == NULL) { D(("_pam_handler: couldn't get memory for mod_path")); - _pam_system_log(LOG_ERR, "no memory for module path"); + pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } else { strcpy(mod_full_isa_path, mod_path); 
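Review bot: The comments that travelled with the relocated PAM_STATIC block no longer describe the code: static and dynamic loading are now `#ifdef PAM_STATIC … #else …` alternatives, so "Only load static function if function was not found dynamically" is stale, `if (success != PAM_SUCCESS)` is always true directly after `success = PAM_ABORT;`, and "Don't abort yet; static code may be able to find function" in the following hunk describes a fallback that can no longer happen. Since this changes which module code a given build will load, the block should say so plainly, e.g. `/* PAM_STATIC builds resolve modules only from the static table; there is no dlopen fallback */`. The old trace line `D(("_pam_add_handler: dlopen'ed"));` also remains next to the new `_pam_dlopen'ed` one and can be dropped. _pam_add_handler starts and ends outside the hunk.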
@@ -670,22 +688,15 @@ int _pam_add_handler(pam_handle_t *pamh memmove(isa + strlen(_PAM_ISA), isa + 4, strlen(isa + 4) + 1); memmove(isa, _PAM_ISA, strlen(_PAM_ISA)); } - mod->dl_handle = -# ifdef PAM_SHL - shl_load(mod_full_isa_path, BIND_IMMEDIATE, 0L); -# else /* PAM_SHL */ - dlopen(mod_full_isa_path, RTLD_NOW); -# endif /* PAM_SHL */ + mod->dl_handle = _pam_dlopen(mod_full_isa_path); _pam_drop(mod_full_isa_path); } } } if (mod->dl_handle == NULL) { - D(("_pam_add_handler: dlopen(%s) failed", mod_path)); - _pam_system_log(LOG_ERR, "unable to dlopen(%s)", mod_path); -# ifndef PAM_SHL - _pam_system_log(LOG_ERR, "[dlerror: %s]", dlerror()); -# endif /* PAM_SHL */ + D(("_pam_add_handler: _pam_dlopen(%s) failed", mod_path)); + pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s)", mod_path); + pam_syslog(pamh, LOG_ERR, "[error: %s]", _pam_dlerror()); /* Don't abort yet; static code may be able to find function. * But defaults to abort if nothing found below... */ } else { 
@@ -695,39 +706,19 @@ int _pam_add_handler(pam_handle_t *pamh pamh->handlers.modules_used++; } #endif -#ifdef PAM_STATIC - /* Only load static function if function was not found dynamically. - * This code should work even if no dynamic loading is available. */ - if (success != PAM_SUCCESS) { - D(("_pam_add_handler: open static handler %s", mod_path)); - mod->dl_handle = _pam_open_static_handler(mod_path); - if (mod->dl_handle == NULL) { - D(("_pam_add_handler: unable to find static handler %s", - mod_path)); - _pam_system_log(LOG_ERR, - "unable to open static handler %s", mod_path); - /* Didn't find module in dynamic or static..will mark bad */ - } else { - D(("static module added successfully")); - success = PAM_SUCCESS; - mod->type = PAM_MT_STATIC_MOD; - pamh->handlers.modules_used++; - } - } -#endif if (success != PAM_SUCCESS) { /* add a malformed module */ mod->dl_handle = NULL; mod->type = PAM_MT_FAULTY_MOD; pamh->handlers.modules_used++; - _pam_system_log(LOG_ERR, "adding faulty module: %s", mod_path); + pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path); success = PAM_SUCCESS; /* We have successfully added a module */ } /* indicate its name - later we will search for it by this */ if ((mod->name = _pam_strdup(mod_path)) == NULL) { D(("_pam_handler: couldn't get memory for mod_path")); - _pam_system_log(LOG_ERR, "no memory for module path"); + pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } 
@@ -756,46 +747,29 @@ int _pam_add_handler(pam_handle_t *pamh handler_p = handler_p2 = NULL; func = func2 = NULL; -#ifdef PAM_SHL - _sym2 = -#endif /* PAM_SHL */ sym2 = NULL; /* point handler_p's at the root addresses of the function stacks */ switch (type) { case PAM_T_AUTH: handler_p = &the_handlers->authenticate; - sym = SHLIB_SYM_PREFIX "pam_sm_authenticate"; + sym = "pam_sm_authenticate"; handler_p2 = &the_handlers->setcred; - sym2 = SHLIB_SYM_PREFIX "pam_sm_setcred"; -#ifdef PAM_SHL - _sym = "_pam_sm_authenticate"; - _sym2 = "_pam_sm_setcred"; -#endif + sym2 = "pam_sm_setcred"; break; case PAM_T_SESS: handler_p = &the_handlers->open_session; - sym = SHLIB_SYM_PREFIX "pam_sm_open_session"; + sym = "pam_sm_open_session"; handler_p2 = &the_handlers->close_session; - sym2 = SHLIB_SYM_PREFIX "pam_sm_close_session"; -#ifdef PAM_SHL - _sym = "_pam_sm_open_session"; - _sym2 = "_pam_sm_close_session"; -#endif + sym2 = "pam_sm_close_session"; break; case PAM_T_ACCT: handler_p = &the_handlers->acct_mgmt; - sym = SHLIB_SYM_PREFIX "pam_sm_acct_mgmt"; -#ifdef PAM_SHL - _sym = "_pam_sm_acct_mgmt"; -#endif + sym = "pam_sm_acct_mgmt"; break; case PAM_T_PASS: handler_p = &the_handlers->chauthtok; - sym = SHLIB_SYM_PREFIX "pam_sm_chauthtok"; -#ifdef PAM_SHL - _sym = "_pam_sm_chauthtok"; -#endif + sym = "pam_sm_chauthtok"; break; default: /* Illegal module type */ @@ -805,18 +779,17 @@ int _pam_add_handler(pam_handle_t *pamh /* are the modules reliable? */ if ( -#ifdef PAM_DYNAMIC - mod->type != PAM_MT_DYNAMIC_MOD - && -#endif /* PAM_DYNAMIC */ #ifdef PAM_STATIC mod->type != PAM_MT_STATIC_MOD && -#endif /* PAM_STATIC */ +#else + mod->type != PAM_MT_DYNAMIC_MOD + && +#endif mod->type != PAM_MT_FAULTY_MOD ) { D(("_pam_add_handlers: illegal module library type; %d", mod->type)); - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "internal error: module library type not known: %s;%d", sym, mod->type); return PAM_ABORT; 
@@ -824,42 +797,28 @@ int _pam_add_handler(pam_handle_t *pamh /* now identify this module's functions - for non-faulty modules */ -#ifdef PAM_DYNAMIC - if ((mod->type == PAM_MT_DYNAMIC_MOD) && -# ifdef PAM_SHL - (shl_findsym(&mod->dl_handle, sym, (short) TYPE_PROCEDURE, &func) && - shl_findsym(&mod->dl_handle, _sym, (short) TYPE_PROCEDURE, &func)) -# else /* PAM_SHL */ - (func = (servicefn) dlsym(mod->dl_handle, sym)) == NULL -# endif /* PAM_SHL */ - ) { - _pam_system_log(LOG_ERR, "unable to resolve symbol: %s", sym); - } -#endif #ifdef PAM_STATIC if ((mod->type == PAM_MT_STATIC_MOD) && (func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) { - _pam_system_log(LOG_ERR, "unable to resolve static symbol: %s", sym); + pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym); + } +#else + if ((mod->type == PAM_MT_DYNAMIC_MOD) && + !(func = _pam_dlsym(mod->dl_handle, sym)) ) { + pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym); } #endif if (sym2) { -#ifdef PAM_DYNAMIC - if ((mod->type == PAM_MT_DYNAMIC_MOD) && -# ifdef PAM_SHL - (shl_findsym(&mod->dl_handle,sym2,(short)TYPE_PROCEDURE, &func2)&& - shl_findsym(&mod->dl_handle,_sym2,(short)TYPE_PROCEDURE, &func2)) -# else /* PAM_SHL */ - (func2 = (servicefn) dlsym(mod->dl_handle, sym2)) == NULL -# endif /* PAM_SHL */ - ) { - _pam_system_log(LOG_ERR, "unable to resolve symbol: %s", sym2); - } -#endif #ifdef PAM_STATIC if ((mod->type == PAM_MT_STATIC_MOD) && (func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2)) == NULL) { - _pam_system_log(LOG_ERR, "unable to resolve symbol: %s", sym2); + pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); + } +#else + if ((mod->type == PAM_MT_DYNAMIC_MOD) && + !(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) { + pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } #endif } 
@@ -872,7 +831,7 @@ int _pam_add_handler(pam_handle_t *pamh } if ((*handler_p = malloc(sizeof(struct handler))) == NULL) { - _pam_system_log(LOG_CRIT, "cannot malloc struct handler #1"); + pam_syslog(pamh, LOG_CRIT, "cannot malloc struct handler #1"); return (PAM_ABORT); } @@ -883,6 +842,7 @@ int _pam_add_handler(pam_handle_t *pamh (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); (*handler_p)->argc = argc; (*handler_p)->argv = argv; /* not a copy */ + (*handler_p)->mod_name = extract_modulename(mod->name); (*handler_p)->next = NULL; /* some of the modules have a second calling function */ @@ -893,7 +853,7 @@ int _pam_add_handler(pam_handle_t *pamh } if ((*handler_p2 = malloc(sizeof(struct handler))) == NULL) { - _pam_system_log(LOG_CRIT, "cannot malloc struct handler #2"); + pam_syslog(pamh, LOG_CRIT, "cannot malloc struct handler #2"); return (PAM_ABORT); } @@ -906,13 +866,14 @@ int _pam_add_handler(pam_handle_t *pamh (*handler_p2)->argc = argc; if (argv) { if (((*handler_p2)->argv = malloc(argvlen)) == NULL) { - _pam_system_log(LOG_CRIT, "cannot malloc argv for handler #2"); + pam_syslog(pamh, LOG_CRIT, "cannot malloc argv for handler #2"); return (PAM_ABORT); } memcpy((*handler_p2)->argv, argv, argvlen); } else { (*handler_p2)->argv = NULL; /* no arguments */ } + (*handler_p2)->mod_name = extract_modulename(mod->name); (*handler_p2)->next = NULL; } @@ -936,13 +897,9 @@ int _pam_free_handlers(pam_handle_t *pamh) while (pamh->handlers.modules_used) { D(("_pam_free_handlers: dlclose(%s)", mod->name)); free(mod->name); -#ifdef PAM_DYNAMIC +#ifndef PAM_STATIC if (mod->type == PAM_MT_DYNAMIC_MOD) { -# ifdef PAM_SHL - shl_unload(mod->dl_handle); -# else - dlclose(mod->dl_handle); -# endif + _pam_dlclose(mod->dl_handle); } #endif mod++; 
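Review bot: On the `cannot malloc argv for handler #2` path the function returns before `(*handler_p2)->mod_name` and `->next` are assigned, and the handler comes from plain malloc, so the `_pam_drop(h->mod_name)` that this commit adds to _pam_free_handlers_aux (the `@@ -1015,6 +972,7 @@` hunk) would operate on an indeterminate pointer if that list is later torn down. Whether teardown runs after this PAM_ABORT is outside the visible hunks, and the uninitialised `next` predates the commit, but initialising the fields immediately after allocation removes the doubt: `(*handler_p2)->mod_name = NULL; (*handler_p2)->next = NULL;` ahead of the argv malloc, or allocate with `calloc(1, sizeof(struct handler))`. The same applies to handler #1 if any early return is added between its malloc and its `mod_name` assignment.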
@@ -1015,6 +972,7 @@ void _pam_free_handlers_aux(struct handler **hp) while (h) { last = h; _pam_drop(h->argv); /* This is all alocated in a single chunk */ + _pam_drop(h->mod_name); h = h->next; memset(last, 0, sizeof(*last)); free(last); diff --git a/Linux-PAM/libpam/pam_item.c b/Linux-PAM/libpam/pam_item.c index 1425c600..41d5b816 100644 --- a/Linux-PAM/libpam/pam_item.c +++ b/Linux-PAM/libpam/pam_item.c @@ -1,7 +1,7 @@ /* pam_item.c */ /* - * $Id: pam_item.c,v 1.5 2004/09/22 09:37:47 kukuk Exp $ + * $Id: pam_item.c,v 1.13 2006/03/12 10:26:30 kukuk Exp $ */ #include "pam_private.h" @@ -21,10 +21,6 @@ } \ } -/* handy version id */ - -unsigned int __libpam_version = LIBPAM_VERSION; - /* functions */ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) @@ -34,7 +30,7 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) D(("called")); IF_NO_PAMH("pam_set_item", pamh, PAM_SYSTEM_ERR); - + retval = PAM_SUCCESS; switch (item_type) { @@ -54,10 +50,12 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) case PAM_USER: RESET(pamh->user, item); + pamh->former.fail_user = PAM_SUCCESS; break; case PAM_USER_PROMPT: RESET(pamh->prompt, item); + pamh->former.fail_user = PAM_SUCCESS; break; case PAM_TTY: 
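Review bot: The two added `pamh->former.fail_user = PAM_SUCCESS;` assignments under PAM_USER and PAM_USER_PROMPT carry no comment, and the reason only becomes visible in pam_get_user, which returns a stored `former.fail_user` before it prompts. I would put a line such as `/* item changed: forget the cached pam_get_user() failure */` above each of them, and above the same assignment in the PAM_CONV case of the `-115,22 +113,23` hunk. Without it the coupling between pam_set_item and the cached conversation result is easy to break in a later edit. The switch in pam_set_item continues outside the hunk.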
@@ -115,22 +113,23 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) case PAM_CONV: /* want to change the conversation function */ if (item == NULL) { - _pam_system_log(LOG_ERR, - "pam_set_item: attempt to set conv() to NULL"); + pam_syslog(pamh, LOG_ERR, + "pam_set_item: attempt to set conv() to NULL"); retval = PAM_PERM_DENIED; } else { struct pam_conv *tconv; - + if ((tconv= (struct pam_conv *) malloc(sizeof(struct pam_conv)) ) == NULL) { - _pam_system_log(LOG_CRIT, + pam_syslog(pamh, LOG_CRIT, "pam_set_item: malloc failed for pam_conv"); retval = PAM_BUF_ERR; } else { memcpy(tconv, item, sizeof(struct pam_conv)); _pam_drop(pamh->pam_conversation); pamh->pam_conversation = tconv; + pamh->former.fail_user = PAM_SUCCESS; } } break; @@ -154,7 +153,7 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) IF_NO_PAMH("pam_get_item", pamh, PAM_SYSTEM_ERR); if (item == NULL) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "pam_get_item: nowhere to place requested item"); return PAM_PERM_DENIED; } @@ -224,7 +223,7 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) default: retval = PAM_BAD_ITEM; } - + return retval; } 
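Review bot: The PAM_CONV case rejects only `item == NULL`; a `struct pam_conv` whose `conv` member is NULL is copied and installed, although the log text speaks of setting conv() to NULL. pam_get_user on this page tests `pamh->pam_conversation == NULL` only, so such a handle would presumably fail at the first call through the function pointer, in code that is not shown here. Extending the guard to `if (item == NULL || ((const struct pam_conv *) item)->conv == NULL) {` keeps the rejection at the place where the item is set.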
@@ -240,16 +239,18 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) struct pam_response *resp; D(("called.")); - if (user == NULL) { /* ensure that the module has supplied a destination */ - _pam_system_log(LOG_ERR, "pam_get_user: nowhere to record username"); + + IF_NO_PAMH("pam_get_user", pamh, PAM_SYSTEM_ERR); + + if (user == NULL) { + /* ensure that the module has supplied a destination */ + pam_syslog(pamh, LOG_ERR, "pam_get_user: nowhere to record username"); return PAM_PERM_DENIED; } else *user = NULL; - - IF_NO_PAMH("pam_get_user", pamh, PAM_SYSTEM_ERR); if (pamh->pam_conversation == NULL) { - _pam_system_log(LOG_ERR, "pam_get_user: no conv element in pamh"); + pam_syslog(pamh, LOG_ERR, "pam_get_user: no conv element in pamh"); return PAM_SERVICE_ERR; } @@ -258,21 +259,23 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) return PAM_SUCCESS; } + if (pamh->former.fail_user != PAM_SUCCESS) + return pamh->former.fail_user; + /* will need a prompt */ - use_prompt = prompt; - if (use_prompt == NULL) { - use_prompt = pamh->prompt; - if (use_prompt == NULL) { - use_prompt = PAM_DEFAULT_PROMPT; - } - } + if (prompt != NULL) + use_prompt = prompt; + else if (pamh->prompt != NULL) + use_prompt = pamh->prompt; + else + use_prompt = _("login:"); /* If we are resuming an old conversation, we verify that the prompt is the same. Anything else is an error. */ if (pamh->former.want_user) { /* must have a prompt to resume with */ if (! pamh->former.prompt) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "pam_get_user: failed to resume with prompt" ); return PAM_ABORT; @@ -280,7 +283,7 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) /* must be the same prompt as last time */ if (strcmp(pamh->former.prompt, use_prompt)) { - _pam_system_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "pam_get_user: resumed with different prompt"); return PAM_ABORT; } 
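Review bot: Moving `IF_NO_PAMH` ahead of the `user` test means `*user` is no longer cleared when `pamh` is NULL, which the old order did before the macro ran. A caller that ignores the return code would then read whatever its pointer held before the call. If that guarantee matters, `if (user != NULL) *user = NULL;` can go before the `IF_NO_PAMH` line; otherwise the function comment should state that `*user` is untouched on PAM_SYSTEM_ERR. The macro body is not visible here, so this assumes it returns its third argument when `pamh` is NULL.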
@@ -312,6 +315,7 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) */ D(("pam_get_user: no response provided")); retval = PAM_CONV_ERR; + pamh->former.fail_user = retval; } else if (retval == PAM_SUCCESS) { /* copy the username */ /* * now we set the PAM_USER item -- this was missing from pre.53 @@ -320,9 +324,13 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) */ RESET(pamh->user, resp->resp); *user = pamh->user; - } + } else + pamh->former.fail_user = retval; if (resp) { + if (retval != PAM_SUCCESS) + pam_syslog(pamh, LOG_WARNING, + "unexpected response from failed conversation function"); /* * note 'resp' is allocated by the application and is * correctly free()'d here diff --git a/Linux-PAM/libpam/pam_log.c b/Linux-PAM/libpam/pam_log.c deleted file mode 100644 index c42fe015..00000000 --- a/Linux-PAM/libpam/pam_log.c +++ /dev/null 
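Review bot: The new warning `"unexpected response from failed conversation function"` is the only message shown for pam_get_user that lacks the `pam_get_user: ` prefix, which makes it harder to attribute in syslog; I would write `"pam_get_user: unexpected response from failed conversation function"`. The added `} else` and `if (retval != PAM_SUCCESS)` bodies are also unbraced next to braced siblings, and the second one spans two lines, so braces would protect them against a later edit. The function continues outside both hunks.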
@@ -1,375 +0,0 @@ -/* - * pam_log.c -- PAM system logging - * - * $Id: pam_log.c,v 1.2 2000/11/19 23:54:02 agmorgan Exp $ - * - */ - -#include "pam_private.h" - -#include <stdio.h> -#include <stdlib.h> -#include <stdarg.h> - -#ifdef __hpux -# include <stdio.h> -# include <syslog.h> -# ifdef __STDC__ -# ifndef __P -# define __P(p) p -# endif /* __P */ -# include <stdarg.h> -# define VA_LOCAL_DECL va_list ap; -# define VA_START(f) va_start(ap, f) -# define VA_END va_end(ap) -# else /* __STDC__ */ -# ifndef __P -# define __P(p) () -# endif /* __P */ -# include <varargs.h> -# define VA_LOCAL_DECL va_list ap; -# define VA_START(f) va_start(ap) -# define VA_END va_end(ap) -# endif /* __STDC__ */ -/************************************************************** - * Patrick Powell Tue Apr 11 09:48:21 PDT 1995 - * A bombproof version of doprnt (dopr) included. - * Sigh. This sort of thing is always nasty do deal with. Note that - * the version here does not include floating point... - * - * snprintf() is used instead of sprintf() as it does limit checks - * for string length. This covers a nasty loophole. - * - * The other functions are there to prevent NULL pointers from - * causing nast effects. - **************************************************************/ - -static void dopr(); -static char *end; -# ifndef _SCO_DS -/* VARARGS3 */ -int -# ifdef __STDC__ -snprintf(char *str, size_t count, const char *fmt, ...) 
-# else /* __STDC__ */ -snprintf(str, count, fmt, va_alist) - char *str; - size_t count; - const char *fmt; - va_dcl -# endif /* __STDC__ */ -{ - int len; - VA_LOCAL_DECL - - VA_START(fmt); - len = vsnprintf(str, count, fmt, ap); - VA_END; - return len; -} -# endif /* _SCO_DS */ - -int -# ifdef __STDC__ -vsnprintf(char *str, size_t count, const char *fmt, va_list args) -# else /* __STDC__ */ -vsnprintf(str, count, fmt, args) - char *str; - int count; - char *fmt; - va_list args; -# endif /* __STDC__ */ -{ - str[0] = 0; - end = str + count - 1; - dopr( str, fmt, args ); - if (count > 0) - end[0] = 0; - return strlen(str); -} - -/* - * dopr(): poor man's version of doprintf - */ - -static void fmtstr __P((char *value, int ljust, int len, int zpad, - int maxwidth)); -static void fmtnum __P((long value, int base, int dosign, int ljust, int len, - int zpad)); -static void dostr __P(( char * , int )); -static char *output; -static void dopr_outch __P(( int c )); - -static void -# ifdef __STDC__ -dopr(char * buffer, const char * format, va_list args ) -# else /* __STDC__ */ -dopr( buffer, format, args ) - char *buffer; - char *format; - va_list args; -# endif /* __STDC__ */ -{ - int ch; - long value; - int longflag = 0; - int pointflag = 0; - int maxwidth = 0; - char *strvalue; - int ljust; - int len; - int zpad; - - output = buffer; - while( (ch = *format++) ){ - switch( ch ){ - case '%': - ljust = len = zpad = maxwidth = 0; - longflag = pointflag = 0; - nextch: - ch = *format++; - switch( ch ){ - case 0: - dostr( "**end of format**" , 0); - return; - case '-': ljust = 1; goto nextch; - case '0': /* set zero padding if len not set */ - if(len==0 && !pointflag) zpad = '0'; - case '1': case '2': case '3': - case '4': case '5': case '6': - case '7': case '8': case '9': - if (pointflag) - maxwidth = maxwidth*10 + ch - '0'; - else - len = len*10 + ch - '0'; - goto nextch; - case '*': - if (pointflag) - maxwidth = va_arg( args, int ); - else - len = va_arg( args, int ); - goto 
nextch; - case '.': pointflag = 1; goto nextch; - case 'l': longflag = 1; goto nextch; - case 'u': case 'U': - /*fmtnum(value,base,dosign,ljust,len,zpad) */ - if( longflag ){ - value = va_arg( args, long ); - } else { - value = va_arg( args, int ); - } - fmtnum( value, 10,0, ljust, len, zpad ); break; - case 'o': case 'O': - /*fmtnum(value,base,dosign,ljust,len,zpad) */ - if( longflag ){ - value = va_arg( args, long ); - } else { - value = va_arg( args, int ); - } - fmtnum( value, 8,0, ljust, len, zpad ); break; - case 'd': case 'D': - if( longflag ){ - value = va_arg( args, long ); - } else { - value = va_arg( args, int ); - } - fmtnum( value, 10,1, ljust, len, zpad ); break; - case 'x': - if( longflag ){ - value = va_arg( args, long ); - } else { - value = va_arg( args, int ); - } - fmtnum( value, 16,0, ljust, len, zpad ); break; - case 'X': - if( longflag ){ - value = va_arg( args, long ); - } else { - value = va_arg( args, int ); - } - fmtnum( value,-16,0, ljust, len, zpad ); break; - case 's': - strvalue = va_arg( args, char *); - if (maxwidth > 0 || !pointflag) { - if (pointflag && len > maxwidth) - len = maxwidth; /* Adjust padding */ - fmtstr( strvalue,ljust,len,zpad, maxwidth); - } - break; - case 'c': - ch = va_arg( args, int ); - dopr_outch( ch ); break; - case '%': dopr_outch( ch ); continue; - default: - dostr( "???????" 
, 0); - } - break; - default: - dopr_outch( ch ); - break; - } - } - *output = 0; -} - -static void -fmtstr( value, ljust, len, zpad, maxwidth ) - char *value; - int ljust, len, zpad, maxwidth; -{ - int padlen, strlen; /* amount to pad */ - - if( value == 0 ){ - value = "<NULL>"; - } - for( strlen = 0; value[strlen]; ++ strlen ); /* strlen */ - if (strlen > maxwidth && maxwidth) - strlen = maxwidth; - padlen = len - strlen; - if( padlen < 0 ) padlen = 0; - if( ljust ) padlen = -padlen; - while( padlen > 0 ) { - dopr_outch( ' ' ); - --padlen; - } - dostr( value, maxwidth ); - while( padlen < 0 ) { - dopr_outch( ' ' ); - ++padlen; - } -} - -static void -fmtnum( value, base, dosign, ljust, len, zpad ) - long value; - int base, dosign, ljust, len, zpad; -{ - int signvalue = 0; - unsigned long uvalue; - char convert[20]; - int place = 0; - int padlen = 0; /* amount to pad */ - int caps = 0; - - /* DEBUGP(("value 0x%x, base %d, dosign %d, ljust %d, len %d, zpad %d\n", - value, base, dosign, ljust, len, zpad )); */ - uvalue = value; - if( dosign ){ - if( value < 0 ) { - signvalue = '-'; - uvalue = -value; - } - } - if( base < 0 ){ - caps = 1; - base = -base; - } - do{ - convert[place++] = - (caps? 
"0123456789ABCDEF":"0123456789abcdef") - [uvalue % (unsigned)base ]; - uvalue = (uvalue / (unsigned)base ); - }while(uvalue); - convert[place] = 0; - padlen = len - place; - if( padlen < 0 ) padlen = 0; - if( ljust ) padlen = -padlen; - /* DEBUGP(( "str '%s', place %d, sign %c, padlen %d\n", - convert,place,signvalue,padlen)); */ - if( zpad && padlen > 0 ){ - if( signvalue ){ - dopr_outch( signvalue ); - --padlen; - signvalue = 0; - } - while( padlen > 0 ){ - dopr_outch( zpad ); - --padlen; - } - } - while( padlen > 0 ) { - dopr_outch( ' ' ); - --padlen; - } - if( signvalue ) dopr_outch( signvalue ); - while( place > 0 ) dopr_outch( convert[--place] ); - while( padlen < 0 ){ - dopr_outch( ' ' ); - ++padlen; - } -} - -static void -dostr( str , cut) - char *str; - int cut; -{ - if (cut) { - while(*str && cut-- > 0) dopr_outch(*str++); - } else { - while(*str) dopr_outch(*str++); - } -} - -static void -dopr_outch( c ) - int c; -{ - if( end == 0 || output < end ) - *output++ = c; -} - -int -# ifdef __STDC__ -vsyslog(int priority, const char *fmt, ...) -# else /* __STDC__ */ -vsyslog(priority, fmt, va_alist) - int priority; - const char *fmt; - va_dcl -# endif /* __STDC__ */ -{ - VA_LOCAL_DECL - char logbuf[BUFSIZ]; - - VA_START(fmt); - - vsnprintf(logbuf, BUFSIZ, fmt, ap); - syslog(priority, "%s", logbuf); - - VA_END; -} -#endif /* __hpux */ - -/* internal logging function */ - -void _pam_system_log(int priority, const char *format, ... 
) -{ - va_list args; - char *eformat; - - D(("pam_system_log called")); - - if (format == NULL) { - D(("NULL format to _pam_system_log() call")); - return; - } - - va_start(args, format); - - eformat = malloc(sizeof(_PAM_SYSTEM_LOG_PREFIX)+strlen(format)); - if (eformat != NULL) { - strcpy(eformat, _PAM_SYSTEM_LOG_PREFIX); - strcpy(eformat + sizeof(_PAM_SYSTEM_LOG_PREFIX) - 1, format); - vsyslog(priority, eformat, args); - _pam_overwrite(eformat); - _pam_drop(eformat); - } else { - vsyslog(priority, format, args); - } - - va_end(args); - - D(("done.")); -} - diff --git a/Linux-PAM/libpam/pam_malloc.c b/Linux-PAM/libpam/pam_malloc.c deleted file mode 100644 index 98b35f62..00000000 --- a/Linux-PAM/libpam/pam_malloc.c +++ /dev/null 
@@ -1,418 +0,0 @@ -/* - * $Id: pam_malloc.c,v 1.5 2001/12/09 21:44:58 agmorgan Exp $ - */ - -/* - * This pair of files helps to locate memory leaks. It is a wrapper for - * the malloc family of calls. (Actutally, it currently only deals - * with calloc, malloc, realloc, free, strdup and exit) - * - * To use these functions the header "pam_malloc.h" must be included - * in all parts of the code (that use the malloc functions) and this - * file must be linked with the result. The pam_malloc_flags can be - * set from another function and determine the level of logging. - * - * The output is via the macros defined in _pam_macros.h - * - * It is a debugging tool and should be turned off in released code. - * - * This suite was written by Andrew Morgan <morgan@kernel.org> for - * Linux-PAM. - */ - -#ifndef DEBUG -#define DEBUG -#endif -#include "pam_private.h" - -#include <security/pam_malloc.h> -#include <security/_pam_macros.h> - -/* this must be done to stop infinite recursion! */ -#undef malloc -#undef calloc -#undef free -#undef realloc -#undef exit -#undef strdup - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> - -/* - * default debugging level - */ - -int pam_malloc_flags = PAM_MALLOC_ALL; -int pam_malloc_delay_length = 4; - -#define on(x) ((pam_malloc_flags&(x))==(x)) - -/* - * the implementation - */ - -static const char *last_fn=NULL; -static const char *last_file=NULL; -static const char *last_call=NULL; -static int last_line = 1; - -#define err(x) { _pam_output_xdebug_info(); _pam_output_debug x ; } - -static void set_last_(const char *x, const char *f - , const char *fn, const int l) -{ - last_fn = x ? x : "error-in-pam_malloc.."; - last_file = f ? f : "*bad-file*"; - last_call = fn ? 
fn: "*bad-fn*"; - last_line = l; -} - -static void _pam_output_xdebug_info(void) -{ - FILE *logfile; - int must_close = 1, fd; - -#ifdef O_NOFOLLOW - if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { -#else - if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { -#endif - if (!(logfile = fdopen(fd,"a"))) { - logfile = stderr; - must_close = 0; - close(fd); - } - } else { - logfile = stderr; - must_close = 0; - } - fprintf(logfile, "[%s:%s(%d)->%s()] ", - last_file, last_call, last_line, last_fn); - fflush(logfile); - if (must_close) - fclose(logfile); -} - -static void hinder(void) -{ - if (on(PAM_MALLOC_PAUSE)) { - if (on(0)) err(("pause requested")); - sleep(pam_malloc_delay_length); - } - - if (on(PAM_MALLOC_STOP)) { - if (on(0)) err(("stop requested")); - exit(1); - } -} - -/* - * here are the memory pointer registering functions.. these actually - * use malloc(!) but that's ok! ;^) - */ - -struct reference { - void *ptr; /* pointer */ - int nelements; /* number of elements */ - int size; /* - each of this size */ - char *file; /* where it was requested - filename */ - char *function; /* - function */ - int line; /* - line number */ -/* - * linking info - */ - struct reference *next; -}; - -static void _dump(const char *say, const struct reference *ref) -{ - _pam_output_debug(" <%s: %p (#%d of %d) req. 
by %s(); %s line %d>" - , say - , ref->ptr,ref->nelements,ref->size - , ref->function,ref->file,ref->line); -} - -static struct reference *root=NULL; - -static char *_strdup(const char *x) -{ - char *s; - - s = (char *)malloc(strlen(x)+1); - if (s == NULL) { - if (on(0)) err(("_strdup failed")); - exit(1); - } - - strcpy(s,x); - return s; -} - -static void add_new_ref(void *new, int n, int size) -{ - struct reference *ref=NULL; - - ref = (struct reference *) malloc( sizeof(struct reference) ); - if (new == NULL || ref == NULL) { - if (on(0)) err(("internal error {add_new_ref}")); - exit(1); - } - - ref->ptr = new; - ref->nelements = n; - ref->size = size; - - ref->file = _strdup(last_file); - ref->function = _strdup(last_call); - ref->line = last_line; - - ref->next = root; - - if (on(PAM_MALLOC_REQUEST)) { - _dump("new_ptr", ref); - } - - root = ref; -} - -static void del_old_ref(void *old) -{ - struct reference *this,*last; - - if (old == NULL) { - if (on(0)) err(("internal error {del_old_ref}")); - exit(1); - } - - /* locate old pointer */ - - last = NULL; - this = root; - while (this) { - if (this->ptr == old) - break; - last = this; - this = this->next; - } - - /* Did we find a reference ? */ - - if (this) { - if (on(PAM_MALLOC_FREE)) { - _dump("free old_ptr", this); - } - if (last == NULL) { - root = this->next; - } else { - last->next = this->next; - } - free(this->file); - free(this->function); - free(this); - } else { - if (on(0)) err(("ERROR!: bad memory")); - hinder(); - } -} - -static void verify_old_ref(void *old) -{ - struct reference *this; - - if (old == NULL) { - if (on(0)) err(("internal error {verify_old_ref}")); - exit(1); - } - - /* locate old pointer */ - - this = root; - while (this) { - if (this->ptr == old) - break; - this = this->next; - } - - /* Did we find a reference ? 
*/ - - if (this) { - if (on(PAM_MALLOC_VERIFY)) { - _dump("verify_ptr", this); - } - } else { - if (on(0)) err(("ERROR!: bad request")); - hinder(); - } -} - -static void dump_memory_list(const char *dump) -{ - struct reference *this; - - this = root; - if (this) { - if (on(0)) err(("un-free()'d memory")); - while (this) { - _dump(dump, this); - this = this->next; - } - } else { - if (on(0)) err(("no memory allocated")); - } -} - -/* now for the wrappers */ - -#define _fn(x) set_last_(x,file,fn,line) - -void *pam_malloc(size_t size, const char *file, const char *fn, const int line) -{ - void *new; - - _fn("malloc"); - - if (on(PAM_MALLOC_FUNC)) err(("request for %d", size)); - - new = malloc(size); - if (new == NULL) { - if (on(PAM_MALLOC_FAIL)) err(("returned NULL")); - } else { - if (on(PAM_MALLOC_REQUEST)) err(("request new")); - add_new_ref(new, 1, size); - } - - return new; -} - -void *pam_calloc(size_t nelm, size_t size - , const char *file, const char *fn, const int line) -{ - void *new; - - _fn("calloc"); - - if (on(PAM_MALLOC_FUNC)) err(("request for %d of %d", nelm, size)); - - new = calloc(nelm,size); - if (new == NULL) { - if (on(PAM_MALLOC_FAIL)) err(("returned NULL")); - } else { - if (on(PAM_MALLOC_REQUEST)) err(("request new")); - add_new_ref(new, nelm, size); - } - - return new; -} - -void pam_free(void *ptr - , const char *file, const char *fn, const int line) -{ - _fn("free"); - - if (on(PAM_MALLOC_FUNC)) - err(("request (%s:%s():%d) to free %p", file, fn, line, ptr)); - - if (ptr == NULL) { - if (on(PAM_MALLOC_NULL)) err(("passed NULL pointer")); - } else { - if (on(PAM_MALLOC_FREE)) err(("deleted old")); - del_old_ref(ptr); - free(ptr); - } -} - -void *pam_memalign(size_t ali, size_t size - , const char *file, const char *fn, const int line) -{ - _fn("memalign"); - if (on(0)) err(("not implemented currently (Sorry)")); - exit(1); -} - -void *pam_realloc(void *ptr, size_t size - , const char *file, const char *fn, const int line) -{ - void *new; 
- - _fn("realloc"); - - if (on(PAM_MALLOC_FUNC)) err(("resize %p to %d", ptr, size)); - - if (ptr == NULL) { - if (on(PAM_MALLOC_NULL)) err(("passed NULL pointer")); - } else { - verify_old_ref(ptr); - } - - new = realloc(ptr, size); - if (new == NULL) { - if (on(PAM_MALLOC_FAIL)) err(("returned NULL")); - } else { - if (ptr) { - if (on(PAM_MALLOC_FREE)) err(("deleted old")); - del_old_ref(ptr); - } else { - if (on(PAM_MALLOC_NULL)) err(("old is NULL")); - } - if (on(PAM_MALLOC_REQUEST)) err(("request new")); - add_new_ref(new, 1, size); - } - - return new; -} - -void *pam_valloc(size_t size - , const char *file, const char *fn, const int line) -{ - _fn("valloc"); - if (on(0)) err(("not implemented currently (Sorry)")); - exit(1); -} - -#include <alloca.h> - -void *pam_alloca(size_t size - , const char *file, const char *fn, const int line) -{ - _fn("alloca"); - if (on(0)) err(("not implemented currently (Sorry)")); - exit(1); -} - -void pam_exit(int i - , const char *file, const char *fn, const int line) -{ - D(("time to exit")); - - _fn("exit"); - - if (on(0)) err(("passed (%d)", i)); - if (on(PAM_MALLOC_LEAKED)) { - dump_memory_list("leaked"); - } - exit(i); -} - -char *pam_strdup(const char *orig, - const char *file, const char *fn, const int line) -{ - char *new; - - _fn("strdup"); - - if (on(PAM_MALLOC_FUNC)) err(("request for dup of [%s]", orig)); - - new = strdup(orig); - if (new == NULL) { - if (on(PAM_MALLOC_FAIL)) err(("returned NULL")); - } else { - if (on(PAM_MALLOC_REQUEST)) err(("request dup of [%s]", orig)); - add_new_ref(new, 1, strlen(new)+1); - } - - return new; -} - -/* end of file */ diff --git a/Linux-PAM/libpam/pam_map.c b/Linux-PAM/libpam/pam_map.c deleted file mode 100644 index 86b16577..00000000 --- a/Linux-PAM/libpam/pam_map.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* pam_map.c - PAM mapping interface - * - * $Id: pam_map.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ - * - * This is based on the X/Open XSSO specification of March 1997. - * It is not implemented as it is going to change... after 1997/9/25. - * - */ - -#include <stdio.h> - -#include "pam_private.h" - -/* p 54 */ - -int pam_get_mapped_authtok(pam_handle_t *pamh, - const char *target_module_username, - const char *target_module_type, - const char *target_authn_domain, - size_t *target_authtok_len - unsigned char **target_module_authtok); -{ - D(("called")); - - IF_NO_PAMH("pam_get_mapped_authtok",pamh,PAM_SYSTEM_ERR); - - return PAM_SYSTEM_ERROR; -} - -/* p 68 */ - -int pam_set_mapped_authtok(pam_handle_t *pamh, - char *target_module_username, - size_t *target_authtok_len, - unsigned char *target_module_authtok, - char *target_module_type, - char *target_authn_domain) -{ - D(("called")); - - IF_NO_PAMH("pam_set_mapped_authtok",pamh,PAM_SYSTEM_ERR); - - return PAM_SYSTEM_ERROR; -} - -/* p 56 */ - -int pam_get_mapped_username(pam_handle_t *pamh, - const char *src_username, - const char *src_module_type, - const char *src_authn_domain, - const char *target_module_type, - const char *target_authn_domain, - char **target_module_username) -{ - D(("called")); - - IF_NO_PAMH("pam_get_mapped_username",pamh,PAM_SYSTEM_ERR); - - return PAM_SYSTEM_ERROR; -} - -/* p 70 */ - -int pam_set_mapped_username(pam_handle_t *pamh, - char *src_username, - char *src_module_type, - char *src_authn_domain, - char *target_module_username, - char *target_module_type, - char *target_authn_domain) -{ - D(("called")); - - IF_NO_PAMH("pam_set_mapped_username",pamh,PAM_SYSTEM_ERR); - - return PAM_SYSTEM_ERROR; -} diff --git a/Linux-PAM/libpam/pam_misc.c b/Linux-PAM/libpam/pam_misc.c index cb0572b1..770c9cce 100644 --- a/Linux-PAM/libpam/pam_misc.c +++ b/Linux-PAM/libpam/pam_misc.c 
@@ -1,7 +1,38 @@ -/* pam_misc.c -- This is random stuff */ - -/* - * $Id: pam_misc.c,v 1.4 2003/07/13 20:01:44 vorlon Exp $ +/* pam_misc.c -- This is random stuff + * + * Copyright (c) Andrew G. Morgan <morgan@kernel.org> 2000-2003 + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "pam_private.h" @@ -13,19 +44,6 @@ #include <syslog.h> #include <ctype.h> -/* caseless string comparison: POSIX does not define this.. */ -int _pam_strCMP(const char *s, const char *t) -{ - int cf; - - do { - cf = tolower(*s) - tolower(*t); - ++t; - } while (!cf && *s++); - - return cf; -} - char *_pam_StrTok(char *from, const char *format, char **next) /* * this function is a variant of the standard strtok, it differs in that @@ -104,16 +122,14 @@ char *_pam_strdup(const char *x) register char *new=NULL; if (x != NULL) { - register int i; + register int len; - for (i=0; x[i]; ++i); /* length of string */ - if ((new = malloc(++i)) == NULL) { - i = 0; - _pam_system_log(LOG_CRIT, "_pam_strdup: failed to get memory"); + len = strlen (x) + 1; /* length of string including NUL */ + if ((new = malloc(len)) == NULL) { + len = 0; + pam_syslog(NULL, LOG_CRIT, "_pam_strdup: failed to get memory"); } else { - while (i-- > 0) { - new[i] = x[i]; - } + strcpy (new, x); } x = NULL; } 
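Review bot: In the rewritten `_pam_strdup`, `len` is declared `register int` but receives `strlen (x) + 1`, a `size_t`, and is then handed to `malloc`; for a very long input the conversion can truncate before the allocation while `strcpy` still copies the whole string. Declaring `size_t len = strlen(x) + 1;` and copying with `memcpy(new, x, len);` ties the allocation and the copy to the same length. The `len = 0;` in the failure branch is a dead store and can go. The tail of the function is outside the hunk.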
@@ -143,15 +159,15 @@ int _pam_mkargv(char *s, char ***argv, int *argc) l = strlen(s); if (l) { if ((sbuf = sbuf_start = _pam_strdup(s)) == NULL) { - _pam_system_log(LOG_CRIT, - "pam_mkargv: null returned by _pam_strdup"); + pam_syslog(NULL, LOG_CRIT, + "pam_mkargv: null returned by _pam_strdup"); D(("arg NULL")); } else { /* Overkill on the malloc, but not large */ argvlen = (l + 1) * ((sizeof(char)) + sizeof(char *)); if ((our_argv = argvbuf = malloc(argvlen)) == NULL) { - _pam_system_log(LOG_CRIT, - "pam_mkargv: null returned by malloc"); + pam_syslog(NULL, LOG_CRIT, + "pam_mkargv: null returned by malloc"); } else { char *tmp=NULL; @@ -170,11 +186,11 @@ int _pam_mkargv(char *s, char ***argv, int *argc) sbuf = NULL; D(("loop again?")); } - _pam_drop(sbuf_start); } + _pam_drop(sbuf_start); } } - + *argv = our_argv; D(("_pam_mkargv returned")); @@ -256,7 +272,7 @@ void _pam_parse_control(int *control_array, char *tok) error = "expecting '='"; goto parse_error; } - + /* skip leading space */ while (isspace((int)*tok) && *++tok); if (!*tok) { @@ -315,7 +331,7 @@ void _pam_parse_control(int *control_array, char *tok) parse_error: /* treat everything as bad */ - _pam_system_log(LOG_ERR, "pam_parse: %s; [...%s]", error, tok); + pam_syslog(NULL, LOG_ERR, "pam_parse: %s; [...%s]", error, tok); for (ret=0; ret<_PAM_RETURN_VALUES; control_array[ret++]=_PAM_ACTION_BAD); } diff --git a/Linux-PAM/libpam/pam_modutil_cleanup.c b/Linux-PAM/libpam/pam_modutil_cleanup.c new file mode 100644 index 00000000..017b36cf --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_cleanup.c @@ -0,0 +1,19 @@ +/* + * $Id: pam_modutil_cleanup.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a common pam_set_data() friendly version of free(). + */ + +#include "pam_modutil_private.h" + +#include <stdlib.h> + +void +pam_modutil_cleanup (pam_handle_t *pamh UNUSED, void *data, + int error_status UNUSED) +{ + if (data) { + /* junk it */ + (void) free(data); + } +} 
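Review bot: `pam_modutil_cleanup` frees the item without clearing it and the file comment does not say so, so a module that registers secret-bearing data with this callback would leave the bytes in freed heap memory. The function is not given a size and cannot wipe the buffer itself, so I would extend the header comment with `* It does not wipe the buffer; data holding secrets needs its own cleanup callback.` The `if (data)` guard and the `(void)` cast are redundant, since `free(NULL)` is a no-op and `free` returns void.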
diff --git a/Linux-PAM/libpam/pam_modutil_getgrgid.c b/Linux-PAM/libpam/pam_modutil_getgrgid.c
new file mode 100644
index 00000000..ace5c9a6
--- /dev/null
+++ b/Linux-PAM/libpam/pam_modutil_getgrgid.c
@@ -0,0 +1,151 @@ +/* + * $Id: pam_modutil_getgrgid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a thread safer version of getgrgid() for use + * with PAM modules that care about this sort of thing. + * + * XXX - or at least it should provide a thread-safe alternative. + */ + +#include "pam_modutil_private.h" + +#include <errno.h> +#include <limits.h> +#include <grp.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +static void _pammodutil_lock(void) +{ + pthread_mutex_lock(&_pammodutil_mutex); +} +static void _pammodutil_unlock(void) +{ + pthread_mutex_unlock(&_pammodutil_mutex); +} + +static int intlen(int number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +static int longlen(long number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +struct group * +pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid) +{ +#ifdef HAVE_GETGRGID_R + + void *buffer=NULL; + size_t length = PWD_INITIAL_LENGTH; + + do { + int status; + void *new_buffer; + struct group *result = NULL; + + new_buffer = realloc(buffer, sizeof(struct group) + length); + if (new_buffer == NULL) { + + D(("out of memory")); + + /* no memory for the user - so delete the memory */ + if (buffer) { + free(buffer); + } + return NULL; + } + buffer = new_buffer; + + /* make the re-entrant call to get the grp structure */ + errno = 0; + status = getgrgid_r(gid, buffer, + sizeof(struct group) + (char *) buffer, + length, &result); + if (!status && (result == buffer)) { + char *data_name; + const void *ignore; + int i; + + data_name = malloc(strlen("_pammodutil_getgrgid") + 1 + + longlen((long)gid) + 1 + intlen(INT_MAX) + 1); + if ((pamh != NULL) && (data_name == NULL)) { + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + free(buffer); + return NULL; + } + + if (pamh != NULL) { + for (i 
= 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getgrgid_%ld_%d", + (long) gid, i); + _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } + _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } + } + } else { + status = PAM_SUCCESS; + } + + free(data_name); + + if (status == PAM_SUCCESS) { + D(("success")); + return result; + } + + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + + free(buffer); + return NULL; + + } else if (errno != ERANGE && errno != EINTR) { + /* no sense in repeating the call */ + break; + } + + length <<= 2; + + } while (length < PWD_ABSURD_PWD_LENGTH); + + D(("grp structure took %u bytes or so of memory", + length+sizeof(struct group))); + + free(buffer); + return NULL; + +#else /* ie. ifndef HAVE_GETGRGID_R */ + + /* + * Sorry, there does not appear to be a reentrant version of + * getgrgid(). So, we use the standard libc function. + */ + + return getgrgid(gid); + +#endif /* def HAVE_GETGRGID_R */ +} diff --git a/Linux-PAM/libpam/pam_modutil_getgrnam.c b/Linux-PAM/libpam/pam_modutil_getgrnam.c new file mode 100644 index 00000000..85103a1c --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_getgrnam.c 
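Review bot: The retry decision after `getgrgid_r` tests `errno` (`errno != ERANGE && errno != EINTR`), but POSIX reports the failure in the return value, which is already held in `status`, and does not require errno to be set. On a libc that only returns ERANGE the loop stops after the first too-small buffer and the lookup fails for groups with long member lists, which a caller may read as "no such group". I would test both: `} else if (status != ERANGE && status != EINTR && errno != ERANGE && errno != EINTR) {`. Separately, `_pammodutil_mutex` is `static` to this file and pam_modutil_getgrnam.c defines its own, so the `pam_get_data`/`pam_set_data` pair is not serialised across the two helpers when they run on the same handle.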
@@ -0,0 +1,140 @@ +/* + * $Id: pam_modutil_getgrnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a thread safer version of getgrnam() for use + * with PAM modules that care about this sort of thing. + * + * XXX - or at least it should provide a thread-safe alternative. + */ + +#include "pam_modutil_private.h" + +#include <errno.h> +#include <limits.h> +#include <grp.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +static void _pammodutil_lock(void) +{ + pthread_mutex_lock(&_pammodutil_mutex); +} +static void _pammodutil_unlock(void) +{ + pthread_mutex_unlock(&_pammodutil_mutex); +} + +static int intlen(int number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +struct group * +pam_modutil_getgrnam(pam_handle_t *pamh, const char *group) +{ +#ifdef HAVE_GETGRNAM_R + + void *buffer=NULL; + size_t length = PWD_INITIAL_LENGTH; + + do { + int status; + void *new_buffer; + struct group *result = NULL; + + new_buffer = realloc(buffer, sizeof(struct group) + length); + if (new_buffer == NULL) { + + D(("out of memory")); + + /* no memory for the group - so delete the memory */ + if (buffer) { + free(buffer); + } + return NULL; + } + buffer = new_buffer; + + /* make the re-entrant call to get the grp structure */ + errno = 0; + status = getgrnam_r(group, buffer, + sizeof(struct group) + (char *) buffer, + length, &result); + if (!status && (result == buffer)) { + char *data_name; + const void *ignore; + int i; + + data_name = malloc(strlen("_pammodutil_getgrnam") + 1 + + strlen(group) + 1 + intlen(INT_MAX) + 1); + if ((pamh != NULL) && (data_name == NULL)) { + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + free(buffer); + return NULL; + } + + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getgrnam_%s_%d", group, i); + _pammodutil_lock(); + status 
= PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } + _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } + } + } else { + status = PAM_SUCCESS; + } + + free(data_name); + + if (status == PAM_SUCCESS) { + D(("success")); + return result; + } + + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + + free(buffer); + return NULL; + + } else if (errno != ERANGE && errno != EINTR) { + /* no sense in repeating the call */ + break; + } + + length <<= 2; + + } while (length < PWD_ABSURD_PWD_LENGTH); + + D(("grp structure took %u bytes or so of memory", + length+sizeof(struct group))); + + free(buffer); + return NULL; + +#else /* ie. ifndef HAVE_GETGRNAM_R */ + + /* + * Sorry, there does not appear to be a reentrant version of + * getgrnam(). So, we use the standard libc function. + */ + + return getgrnam(group); + +#endif /* def HAVE_GETGRNAM_R */ +} diff --git a/Linux-PAM/libpam/pam_modutil_getlogin.c b/Linux-PAM/libpam/pam_modutil_getlogin.c new file mode 100644 index 00000000..dcd28a13 --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_getlogin.c 
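Review bot: `_pammodutil_mutex`, `_pammodutil_lock()` and `_pammodutil_unlock()` are defined `static` in this file and again in each of the other four lookup files, so there are five independent locks rather than one. The lock brackets `pam_get_data()`/`pam_set_data()` on the caller's handle, so a thread in `pam_modutil_getgrnam` and another in `pam_modutil_getpwnam` on the same `pamh` are not excluded from each other. Whether that matters depends on whether a handle is ever shared across threads, which this hunk does not show. If the intent is to serialise updates to the handle's data, one mutex defined once and reached through helpers declared in pam_modutil_private.h would do that and remove the copied lock and `intlen()` boilerplate. Otherwise a comment such as `/* serialises slot allocation for this function only */` would record the actual scope.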
@@ -0,0 +1,80 @@ +/* + * $Id: pam_modutil_getlogin.c,v 1.2 2005/11/23 16:42:40 kukuk Exp $ + * + * A central point for invoking getlogin(). Hopefully, this is a + * little harder to spoof than all the other versions that are out + * there. + */ + +#include "pam_modutil_private.h" + +#include <stdlib.h> +#include <unistd.h> +#include <utmp.h> + +#define _PAMMODUTIL_GETLOGIN "_pammodutil_getlogin" + +const char * +pam_modutil_getlogin(pam_handle_t *pamh) +{ + int status; + const void *logname; + const void *void_curr_tty; + const char *curr_tty; + char *curr_user; + struct utmp *ut, line; + + status = pam_get_data(pamh, _PAMMODUTIL_GETLOGIN, &logname); + if (status == PAM_SUCCESS) { + return logname; + } + + status = pam_get_item(pamh, PAM_TTY, &void_curr_tty); + if ((status != PAM_SUCCESS) || (void_curr_tty == NULL)) + curr_tty = ttyname(0); + else + curr_tty = (const char*)void_curr_tty; + + if (curr_tty == NULL) { + return NULL; + } + + if (curr_tty[0] == '/') { /* full path */ + const char *t; + curr_tty++; + if ((t = strchr(curr_tty, '/')) != NULL) { + curr_tty = t + 1; + } + } + logname = NULL; + + setutent(); + strncpy(line.ut_line, curr_tty, sizeof(line.ut_line)); + + if ((ut = getutline(&line)) == NULL) { + goto clean_up_and_go_home; + } + + curr_user = calloc(sizeof(line.ut_user)+1, 1); + if (curr_user == NULL) { + goto clean_up_and_go_home; + } + + strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user)); + /* calloc already zeroed the memory */ + + status = pam_set_data(pamh, _PAMMODUTIL_GETLOGIN, curr_user, + pam_modutil_cleanup); + if (status != PAM_SUCCESS) { + free(curr_user); + goto clean_up_and_go_home; + } + + logname = curr_user; + +clean_up_and_go_home: + + endutent(); + + return logname; +} diff --git a/Linux-PAM/libpam/pam_modutil_getpwnam.c b/Linux-PAM/libpam/pam_modutil_getpwnam.c new file mode 100644 index 00000000..61aafef0 --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_getpwnam.c 
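Review bot: `getutline()` matches on `ut_line` and accepts both USER_PROCESS and LOGIN_PROCESS records, so in `pam_modutil_getlogin` a line that is still at the login prompt yields that record's `ut_user` as the login name. That value is then cached on the handle under `_pammodutil_getlogin` and returned by every later call. Checking the record type avoids this: `if ((ut = getutline(&line)) == NULL || ut->ut_type != USER_PROCESS) {`. The tty name comes from `PAM_TTY`, which the application sets, with `ttyname(0)` as fallback; a short comment that the result is only as trustworthy as that item and the utmp file would help module authors who use it in an authorization decision.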
@@ -0,0 +1,140 @@ +/* + * $Id: pam_modutil_getpwnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a thread safer version of getpwnam() for use + * with PAM modules that care about this sort of thing. + * + * XXX - or at least it should provide a thread-safe alternative. + */ + +#include "pam_modutil_private.h" + +#include <errno.h> +#include <limits.h> +#include <pthread.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> + +static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +static void _pammodutil_lock(void) +{ + pthread_mutex_lock(&_pammodutil_mutex); +} +static void _pammodutil_unlock(void) +{ + pthread_mutex_unlock(&_pammodutil_mutex); +} + +static int intlen(int number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +struct passwd * +pam_modutil_getpwnam(pam_handle_t *pamh, const char *user) +{ +#ifdef HAVE_GETPWNAM_R + + void *buffer=NULL; + size_t length = PWD_INITIAL_LENGTH; + + do { + int status; + void *new_buffer; + struct passwd *result = NULL; + + new_buffer = realloc(buffer, sizeof(struct passwd) + length); + if (new_buffer == NULL) { + + D(("out of memory")); + + /* no memory for the user - so delete the memory */ + if (buffer) { + free(buffer); + } + return NULL; + } + buffer = new_buffer; + + /* make the re-entrant call to get the pwd structure */ + errno = 0; + status = getpwnam_r(user, buffer, + sizeof(struct passwd) + (char *) buffer, + length, &result); + if (!status && (result == buffer)) { + char *data_name; + const void *ignore; + int i; + + data_name = malloc(strlen("_pammodutil_getpwnam") + 1 + + strlen(user) + 1 + intlen(INT_MAX) + 1); + if ((pamh != NULL) && (data_name == NULL)) { + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + free(buffer); + return NULL; + } + + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getpwnam_%s_%d", user, i); + _pammodutil_lock(); + status 
= PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } + _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } + } + } else { + status = PAM_SUCCESS; + } + + free(data_name); + + if (status == PAM_SUCCESS) { + D(("success")); + return result; + } + + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + + free(buffer); + return NULL; + + } else if (errno != ERANGE && errno != EINTR) { + /* no sense in repeating the call */ + break; + } + + length <<= 2; + + } while (length < PWD_ABSURD_PWD_LENGTH); + + D(("pwd structure took %u bytes or so of memory", + length+sizeof(struct passwd))); + + free(buffer); + return NULL; + +#else /* ie. ifndef HAVE_GETPWNAM_R */ + + /* + * Sorry, there does not appear to be a reentrant version of + * getpwnam(). So, we use the standard libc function. + */ + + return getpwnam(user); + +#endif /* def HAVE_GETPWNAM_R */ +} diff --git a/Linux-PAM/libpam/pam_modutil_getpwuid.c b/Linux-PAM/libpam/pam_modutil_getpwuid.c new file mode 100644 index 00000000..01bca564 --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_getpwuid.c 
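Review bot: `pam_modutil_getpwnam` has no comment saying who owns the returned `struct passwd`, and the two paths differ. With a non-NULL `pamh` the buffer is registered through `pam_set_data(..., pam_modutil_cleanup)` under a fresh `_pammodutil_getpwnam_<user>_<n>` name on every call, so it presumably stays allocated until the handle's data is released, and a module that looks up users in a loop adds one item per call. With `pamh == NULL` nothing is registered and the caller has to `free()` the result. A header comment stating both rules, and that the caller must not free the result in the first case, would prevent leaks and double frees; the getgrgid, getgrnam, getpwuid and getspnam variants need the same comment.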
@@ -0,0 +1,151 @@ +/* + * $Id: pam_modutil_getpwuid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a thread safer version of getpwuid() for use + * with PAM modules that care about this sort of thing. + * + * XXX - or at least it should provide a thread-safe alternative. + */ + +#include "pam_modutil_private.h" + +#include <errno.h> +#include <limits.h> +#include <pthread.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> + +static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +static void _pammodutil_lock(void) +{ + pthread_mutex_lock(&_pammodutil_mutex); +} +static void _pammodutil_unlock(void) +{ + pthread_mutex_unlock(&_pammodutil_mutex); +} + +static int intlen(int number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +static int longlen(long number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +struct passwd * +pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid) +{ +#ifdef HAVE_GETPWUID_R + + void *buffer=NULL; + size_t length = PWD_INITIAL_LENGTH; + + do { + int status; + void *new_buffer; + struct passwd *result = NULL; + + new_buffer = realloc(buffer, sizeof(struct passwd) + length); + if (new_buffer == NULL) { + + D(("out of memory")); + + /* no memory for the user - so delete the memory */ + if (buffer) { + free(buffer); + } + return NULL; + } + buffer = new_buffer; + + /* make the re-entrant call to get the pwd structure */ + errno = 0; + status = getpwuid_r(uid, buffer, + sizeof(struct passwd) + (char *) buffer, + length, &result); + if (!status && (result == buffer)) { + char *data_name; + const void *ignore; + int i; + + data_name = malloc(strlen("_pammodutil_getpwuid") + 1 + + longlen((long) uid) + 1 + intlen(INT_MAX) + 1); + if ((pamh != NULL) && (data_name == NULL)) { + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + free(buffer); + return NULL; + } + + if (pamh != NULL) { + 
for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getpwuid_%ld_%d", + (long) uid, i); + _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } + _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } + } + } else { + status = PAM_SUCCESS; + } + + free(data_name); + + if (status == PAM_SUCCESS) { + D(("success")); + return result; + } + + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + + free(buffer); + return NULL; + + } else if (errno != ERANGE && errno != EINTR) { + /* no sense in repeating the call */ + break; + } + + length <<= 2; + + } while (length < PWD_ABSURD_PWD_LENGTH); + + D(("pwd structure took %u bytes or so of memory", + length+sizeof(struct passwd))); + + free(buffer); + return NULL; + +#else /* ie. ifndef HAVE_GETPWUID_R */ + + /* + * Sorry, there does not appear to be a reentrant version of + * getpwuid(). So, we use the standard libc function. + */ + + return getpwuid(uid); + +#endif /* def HAVE_GETPWUID_R */ +} diff --git a/Linux-PAM/libpam/pam_modutil_getspnam.c b/Linux-PAM/libpam/pam_modutil_getspnam.c new file mode 100644 index 00000000..2433795e --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_getspnam.c 
@@ -0,0 +1,140 @@ +/* + * $Id: pam_modutil_getspnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides a thread safer version of getspnam() for use + * with PAM modules that care about this sort of thing. + * + * XXX - or at least it should provide a thread-safe alternative. + */ + +#include "pam_modutil_private.h" + +#include <errno.h> +#include <limits.h> +#include <pthread.h> +#include <shadow.h> +#include <stdio.h> +#include <stdlib.h> + +static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +static void _pammodutil_lock(void) +{ + pthread_mutex_lock(&_pammodutil_mutex); +} +static void _pammodutil_unlock(void) +{ + pthread_mutex_unlock(&_pammodutil_mutex); +} + +static int intlen(int number) +{ + int len = 2; + while (number != 0) { + number /= 10; + len++; + } + return len; +} + +struct spwd * +pam_modutil_getspnam(pam_handle_t *pamh, const char *user) +{ +#ifdef HAVE_GETSPNAM_R + + void *buffer=NULL; + size_t length = PWD_INITIAL_LENGTH; + + do { + int status; + void *new_buffer; + struct spwd *result = NULL; + + new_buffer = realloc(buffer, sizeof(struct spwd) + length); + if (new_buffer == NULL) { + + D(("out of memory")); + + /* no memory for the user - so delete the memory */ + if (buffer) { + free(buffer); + } + return NULL; + } + buffer = new_buffer; + + /* make the re-entrant call to get the spwd structure */ + errno = 0; + status = getspnam_r(user, buffer, + sizeof(struct spwd) + (char *) buffer, + length, &result); + if (!status && (result == buffer)) { + char *data_name; + const void *ignore; + int i; + + data_name = malloc(strlen("_pammodutil_getspnam") + 1 + + strlen(user) + 1 + intlen(INT_MAX) + 1); + if ((pamh != NULL) && (data_name == NULL)) { + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + free(buffer); + return NULL; + } + + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getspnam_%s_%d", user, i); + _pammodutil_lock(); + status = 
PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } + _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } + } + } else { + status = PAM_SUCCESS; + } + + free(data_name); + + if (status == PAM_SUCCESS) { + D(("success")); + return result; + } + + D(("was unable to register the data item [%s]", + pam_strerror(pamh, status))); + + free(buffer); + return NULL; + + } else if (errno != ERANGE && errno != EINTR) { + /* no sense in repeating the call */ + break; + } + + length <<= 2; + + } while (length < PWD_ABSURD_PWD_LENGTH); + + D(("spwd structure took %u bytes or so of memory", + length+sizeof(struct spwd))); + + free(buffer); + return NULL; + +#else /* ie. ifndef HAVE_GETSPNAM_R */ + + /* + * Sorry, there does not appear to be a reentrant version of + * getspnam(). So, we use the standard libc function. + */ + + return getspnam(user); + +#endif /* def HAVE_GETSPNAM_R */ +} diff --git a/Linux-PAM/libpam/pam_modutil_ingroup.c b/Linux-PAM/libpam/pam_modutil_ingroup.c new file mode 100644 index 00000000..adb9dadb --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_ingroup.c 
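Review bot: The buffer filled by `getspnam_r()` holds the shadow entry, including the password hash, and every failure path in `pam_modutil_getspnam` releases it with a plain `free(buffer)`; the `realloc()` on the ERANGE retry can likewise leave an earlier partial copy behind. Clearing `sizeof(struct spwd) + length` bytes before each `free(buffer)`, using a wipe the compiler cannot drop, keeps hash material out of recycled heap memory. Whether the success path is wiped at release time depends on `pam_modutil_cleanup`, which this diff only declares, so that should be confirmed as well.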
@@ -0,0 +1,127 @@ +/* + * $Id: pam_modutil_ingroup.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * This function provides common methods for checking if a user is in a + * specified group. + */ + +#include "pam_modutil_private.h" + +#include <stdlib.h> +#include <pwd.h> +#include <grp.h> + +#ifdef HAVE_GETGROUPLIST +static int checkgrouplist(const char *user, gid_t primary, gid_t target) +{ + gid_t *grouplist = NULL; + int agroups, ngroups, i; + ngroups = agroups = 3; + do { + grouplist = malloc(sizeof(gid_t) * agroups); + if (grouplist == NULL) { + return 0; + } + ngroups = agroups; + i = getgrouplist(user, primary, grouplist, &ngroups); + if ((i < 0) || (ngroups < 1)) { + agroups *= 2; + free(grouplist); + } else { + for (i = 0; i < ngroups; i++) { + if (grouplist[i] == target) { + free(grouplist); + return 1; + } + } + free(grouplist); + } + } while (((i < 0) || (ngroups < 1)) && (agroups < 10000)); + return 0; +} +#endif + +static int +pam_modutil_user_in_group_common(pam_handle_t *pamh UNUSED, + struct passwd *pwd, + struct group *grp) +{ + int i; + + if (pwd == NULL) { + return 0; + } + if (grp == NULL) { + return 0; + } + + if (pwd->pw_gid == grp->gr_gid) { + return 1; + } + + for (i = 0; (grp->gr_mem != NULL) && (grp->gr_mem[i] != NULL); i++) { + if (strcmp(pwd->pw_name, grp->gr_mem[i]) == 0) { + return 1; + } + } + +#ifdef HAVE_GETGROUPLIST + if (checkgrouplist(pwd->pw_name, pwd->pw_gid, grp->gr_gid)) { + return 1; + } +#endif + + return 0; +} + +int +pam_modutil_user_in_group_nam_nam(pam_handle_t *pamh, + const char *user, const char *group) +{ + struct passwd *pwd; + struct group *grp; + + pwd = pam_modutil_getpwnam(pamh, user); + grp = pam_modutil_getgrnam(pamh, group); + + return pam_modutil_user_in_group_common(pamh, pwd, grp); +} + +int +pam_modutil_user_in_group_nam_gid(pam_handle_t *pamh, + const char *user, gid_t group) +{ + struct passwd *pwd; + struct group *grp; + + pwd = pam_modutil_getpwnam(pamh, user); + grp = pam_modutil_getgrgid(pamh, 
group); + + return pam_modutil_user_in_group_common(pamh, pwd, grp); +} + +int +pam_modutil_user_in_group_uid_nam(pam_handle_t *pamh, + uid_t user, const char *group) +{ + struct passwd *pwd; + struct group *grp; + + pwd = pam_modutil_getpwuid(pamh, user); + grp = pam_modutil_getgrnam(pamh, group); + + return pam_modutil_user_in_group_common(pamh, pwd, grp); +} + +int +pam_modutil_user_in_group_uid_gid(pam_handle_t *pamh, + uid_t user, gid_t group) +{ + struct passwd *pwd; + struct group *grp; + + pwd = pam_modutil_getpwuid(pamh, user); + grp = pam_modutil_getgrgid(pamh, group); + + return pam_modutil_user_in_group_common(pamh, pwd, grp); +} diff --git a/Linux-PAM/libpam/pam_modutil_ioloop.c b/Linux-PAM/libpam/pam_modutil_ioloop.c new file mode 100644 index 00000000..d23f007a --- /dev/null +++ b/Linux-PAM/libpam/pam_modutil_ioloop.c @@ -0,0 +1,53 @@ +/* + * $Id: pam_modutil_ioloop.c,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * These functions provides common methods for ensure a complete read or + * write occurs. It handles EINTR and partial read/write returns. + */ + +#include "pam_modutil_private.h" + +#include <unistd.h> +#include <errno.h> + +int +pam_modutil_read(int fd, char *buffer, int count) +{ + int block, offset = 0; + + while (count > 0) { + block = read(fd, &buffer[offset], count); + + if (block < 0) { + if (errno == EINTR) continue; + return block; + } + if (block == 0) return offset; + + offset += block; + count -= block; + } + + return offset; +} + +int +pam_modutil_write(int fd, const char *buffer, int count) +{ + int block, offset = 0; + + while (count > 0) { + block = write(fd, &buffer[offset], count); + + if (block < 0) { + if (errno == EINTR) continue; + return block; + } + if (block == 0) return offset; + + offset += block; + count -= block; + } + + return offset; +} diff --git a/Linux-PAM/libpam/pam_modutil_private.h b/Linux-PAM/libpam/pam_modutil_private.h new file mode 100644 index 00000000..e118f599 --- /dev/null 
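Review bot: `pam_modutil_user_in_group_common` returns 0 both when the user is not in the group and when either lookup returned NULL, and `checkgrouplist` returns 0 when `malloc()` fails or the list outgrows the `agroups < 10000` bound. A module that uses these helpers to enforce a deny group therefore fails open on a transient lookup or memory failure. The `int` return cannot carry a third state without changing the four public wrappers, so at minimum the contract should be documented, e.g. `/* returns 0 on lookup or allocation failure as well as for non-members; a 0 result alone must not grant access */`.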
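Review bot: `pam_modutil_read` and `pam_modutil_write` carry no comment on their return contract, which is not obvious from the signatures. They return the bytes transferred, which is less than `count` at EOF or on a zero-length transfer, and they return the negative result of `read()`/`write()` on error, at which point the bytes already moved are no longer reported. Callers that pass credentials over a pipe need to compare the result with `count`; a comment on each function such as `/* returns bytes transferred (may be < count at EOF), or <0 on error with partial progress discarded */` would make that explicit.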
+++ b/Linux-PAM/libpam/pam_modutil_private.h @@ -0,0 +1,23 @@ +#ifndef PAMMODUTIL_PRIVATE_H +#define PAMMODUTIL_PRIVATE_H + +/* + * $Id: pam_modutil_private.h,v 1.1 2005/09/21 10:00:58 t8m Exp $ + * + * Copyright (c) 2001 Andrew Morgan <morgan@kernel.org> + */ + +#include "config.h" + +#include <security/_pam_macros.h> +#include <security/pam_modules.h> +#include <security/pam_modutil.h> + +#define PWD_INITIAL_LENGTH 0x100 +#define PWD_ABSURD_PWD_LENGTH 0x8000 + +extern void +pam_modutil_cleanup(pam_handle_t *pamh, void *data, + int error_status); + +#endif /* PAMMODUTIL_PRIVATE_H */ diff --git a/Linux-PAM/libpam/pam_password.c b/Linux-PAM/libpam/pam_password.c index 50c12adf..cd57f20b 100644 --- a/Linux-PAM/libpam/pam_password.c +++ b/Linux-PAM/libpam/pam_password.c @@ -1,7 +1,7 @@ /* pam_password.c - PAM Password Management */ /* - * $Id: pam_password.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ + * $Id: pam_password.c,v 1.5 2006/07/24 15:47:40 kukuk Exp $ */ /* #define DEBUG */ @@ -52,6 +52,10 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) D(("will resume when ready", retval)); } +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); +#endif + return retval; } diff --git a/Linux-PAM/libpam/pam_prelude.c b/Linux-PAM/libpam/pam_prelude.c index 656376f5..6c73bf5d 100644 --- a/Linux-PAM/libpam/pam_prelude.c +++ b/Linux-PAM/libpam/pam_prelude.c 
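Review bot: In `pam_chauthtok` the added line assigns the result of `_pam_auditlog()` back to `retval`, so the value handed to the application is whatever the audit call returns rather than the outcome of the password stack. `_pam_auditlog` is not part of this hunk, so it cannot be confirmed here that it passes `retval` through unchanged when the record is written and never turns a failure into `PAM_SUCCESS`. From the context lines it also appears to run on the resume path that logs "will resume when ready". A comment at the call, for example `/* may replace retval if the audit record cannot be written */`, would make the intended policy visible; the body of `pam_chauthtok` begins outside the hunk.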
@@ -23,220 +23,71 @@ #define ANALYZER_MANUFACTURER "Sebastien Tricaud, http://www.kernel.org/pub/linux/libs/pam/" #define DEFAULT_ANALYZER_NAME "PAM" -#define DEFAULT_ANALYZER_CONFIG LIBPRELUDE_CONFIG_PREFIX "/etc/prelude/default/idmef-client.conf" - -#define PAM_VERSION LIBPAM_VERSION_STRING - -static const char *pam_get_item_service(pam_handle_t *pamh); -static const char *pam_get_item_user(pam_handle_t *pamh); -static const char *pam_get_item_user_prompt(pam_handle_t *pamh); -static const char *pam_get_item_tty(pam_handle_t *pamh); -static const char *pam_get_item_ruser(pam_handle_t *pamh); -static const char *pam_get_item_rhost(pam_handle_t *pamh); - -static int setup_analyzer(idmef_analyzer_t *analyzer); -static void pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval); -static int pam_alert_prelude_init(pam_handle_t *pamh, int authval); -static int generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data); - - -/******************* - * some syslogging * - *******************/ -static void -_pam_log(int err, const char *format, ...) 
-{ - va_list args; - va_start(args, format); - -#ifdef MAIN - vfprintf(stderr,format,args); - fprintf(stderr,"\n"); -#else - openlog("libpam", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - closelog(); -#endif - va_end(args); -} static const char * -pam_get_item_service(pam_handle_t *pamh) +pam_get_item_service(const pam_handle_t *pamh) { - const char *service = NULL; + const void *service = NULL; - pam_get_item(pamh, PAM_SERVICE, (const void **)&service); + pam_get_item(pamh, PAM_SERVICE, &service); - return (const char *)service; + return service; } static const char * -pam_get_item_user(pam_handle_t *pamh) +pam_get_item_user(const pam_handle_t *pamh) { - const char *user = NULL; + const void *user = NULL; - pam_get_item(pamh, PAM_USER, (const void **)&user); + pam_get_item(pamh, PAM_USER, &user); - return (const char *)user; + return user; } static const char * -pam_get_item_user_prompt(pam_handle_t *pamh) +pam_get_item_user_prompt(const pam_handle_t *pamh) { - const char *user_prompt = NULL; + const void *user_prompt = NULL; - pam_get_item(pamh, PAM_USER_PROMPT, (const void **)&user_prompt); + pam_get_item(pamh, PAM_USER_PROMPT, &user_prompt); - return (const char *)user_prompt; + return user_prompt; } static const char * -pam_get_item_tty(pam_handle_t *pamh) +pam_get_item_tty(const pam_handle_t *pamh) { - const char *tty = NULL; + const void *tty = NULL; - pam_get_item(pamh, PAM_TTY, (const void **)&tty); + pam_get_item(pamh, PAM_TTY, &tty); - return (const char *)tty; + return tty; } static const char * -pam_get_item_ruser(pam_handle_t *pamh) +pam_get_item_ruser(const pam_handle_t *pamh) { - const char *ruser = NULL; + const void *ruser = NULL; - pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); + pam_get_item(pamh, PAM_RUSER, &ruser); - return (const char *)ruser; + return ruser; } static const char * -pam_get_item_rhost(pam_handle_t *pamh) +pam_get_item_rhost(const pam_handle_t *pamh) { - const char *rhost = NULL; - - pam_get_item(pamh, 
PAM_RHOST, (const void **)&rhost); - - return (const char *)rhost; -} - -/***************************************************************** - * Returns a string concerning the authentication value provided * - *****************************************************************/ -static const char * -pam_get_alert_description(int authval) -{ - const char *retstring = NULL; - - switch(authval) { - case PAM_SUCCESS: - retstring = "Authentication success"; - break; - case PAM_OPEN_ERR: - retstring = "dlopen() failure when dynamically loading a service module"; - break; - case PAM_SYMBOL_ERR: - retstring = "Symbol not found"; - break; - case PAM_SERVICE_ERR: - retstring = "Error in service module"; - break; - case PAM_SYSTEM_ERR: - retstring = "System error"; - break; - case PAM_BUF_ERR: - retstring = "Memory buffer error"; - break; - case PAM_PERM_DENIED: - retstring = "Permission denied"; - break; - case PAM_AUTH_ERR: - retstring = "Authentication failure"; - break; - case PAM_CRED_INSUFFICIENT: - retstring = "Can not access authentication data due to insufficient credentials"; - break; - case PAM_AUTHINFO_UNAVAIL: - retstring = "Underlying authentication service can not retrieve authenticaiton information"; - break; - case PAM_USER_UNKNOWN: - retstring = "User not known to the underlying authentication module"; - break; - case PAM_MAXTRIES: - retstring = "An authentication service has maintained a retry count which has been reached. No further retries should be attempted"; - break; - case PAM_NEW_AUTHTOK_REQD: - retstring = "New authentication token required. 
This is normally returned if the machine security policies require that the password should be changed beccause the password is NULL or it has aged"; - break; - case PAM_ACCT_EXPIRED: - retstring = "User account has expired"; - break; - case PAM_SESSION_ERR: - retstring = "Can not make/remove an entry for the specified session"; - break; - case PAM_CRED_UNAVAIL: - retstring = "Underlying authentication service can not retrieve user credentials unavailable"; - break; - case PAM_CRED_EXPIRED: - retstring = "User credentials expired"; - break; - case PAM_CRED_ERR: - retstring = "Failure setting user credentials"; - break; - case PAM_NO_MODULE_DATA: - retstring = "No module specific data is present"; - break; - case PAM_CONV_ERR: - retstring = "Conversation error"; - break; - case PAM_AUTHTOK_ERR: - retstring = "Authentication token manipulation error"; - break; - case PAM_AUTHTOK_RECOVER_ERR: - retstring = "Authentication information cannot be recovered"; - break; - case PAM_AUTHTOK_LOCK_BUSY: - retstring = "Authentication token lock busy"; - break; - case PAM_AUTHTOK_DISABLE_AGING: - retstring = "Authentication token aging disabled"; - break; - case PAM_TRY_AGAIN: - retstring = "Preliminary check by password service"; - break; - case PAM_IGNORE: - retstring = "Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient"; - break; - case PAM_ABORT: - retstring = "Critical error (?module fail now request)"; - break; - case PAM_AUTHTOK_EXPIRED: - retstring = "User's authentication token has expired"; - break; - case PAM_MODULE_UNKNOWN: - retstring = "Module is not known"; - break; - case PAM_BAD_ITEM: - retstring = "Bad item passed to pam_*_item()"; - break; - case PAM_CONV_AGAIN: - retstring = "Conversation function is event driven and data is not available yet"; - break; - case PAM_INCOMPLETE: - retstring = "Please call this function again to complete authentication stack. 
Before calling again, verify that conversation is completed"; - break; - - default: - retstring = "Authentication Failure!. You should not see this message."; - } + const void *rhost = NULL; - return retstring; + pam_get_item(pamh, PAM_RHOST, &rhost); + return rhost; } /* Courteously stolen from prelude-lml */ static int -generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data) +generate_additional_data(idmef_alert_t *alert, const char *meaning, + const char *data) { int ret; prelude_string_t *str; @@ -249,7 +100,7 @@ generate_additional_data(idmef_alert_t *alert, const char *meaning, const char * ret = idmef_additional_data_new_meaning(adata, &str); if ( ret < 0 ) return ret; - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) return ret; @@ -257,29 +108,12 @@ generate_additional_data(idmef_alert_t *alert, const char *meaning, const char * return idmef_additional_data_set_string_ref(adata, data); } -extern void -prelude_send_alert(pam_handle_t *pamh, int authval) -{ - - int ret; - - prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG); - - ret = pam_alert_prelude_init(pamh, authval); - if ( ret < 0 ) - _pam_log(LOG_WARNING, - "No prelude alert sent"); - - prelude_deinit(); - -} - -static int -setup_analyzer(idmef_analyzer_t *analyzer) +static int +setup_analyzer(const pam_handle_t *pamh, idmef_analyzer_t *analyzer) { int ret; prelude_string_t *string; - + ret = idmef_analyzer_new_model(analyzer, &string); if ( ret < 0 ) goto err; 
@@ -300,19 +134,20 @@ setup_analyzer(idmef_analyzer_t *analyzer) goto err; prelude_string_set_constant(string, PAM_VERSION); - + return 0; err: - _pam_log(LOG_WARNING, - "%s: IDMEF error: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); + pam_syslog(pamh, LOG_WARNING, + "%s: IDMEF error: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); return -1; } -static void -pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) +static void +pam_alert_prelude(const char *msg, void *data, + pam_handle_t *pamh, int authval) { int ret; idmef_time_t *clienttime; @@ -331,10 +166,10 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) idmef_assessment_t *assessment; idmef_node_t *node; idmef_analyzer_t *analyzer; - + ret = idmef_message_new(&idmef); - if ( ret < 0 ) + if ( ret < 0 ) goto err; ret = idmef_message_new_alert(idmef, &alert); @@ -360,8 +195,8 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) goto err; idmef_alert_set_create_time(alert, clienttime); - idmef_alert_set_analyzer(alert, - idmef_analyzer_ref(prelude_client_get_analyzer(client)), + idmef_alert_set_analyzer(alert, + idmef_analyzer_ref(prelude_client_get_analyzer(client)), 0); /********** @@ -386,12 +221,12 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) ret = prelude_string_new(&str); if ( ret < 0 ) goto err; - + ret = prelude_string_set_ref(str, pam_get_item_ruser(pamh)); if ( ret < 0 ) goto err; - idmef_user_id_set_name(user_id, str); + idmef_user_id_set_name(user_id, str); } /* END */ /* BEGIN: Adds TTY infos */ @@ -439,7 +274,7 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) ret = prelude_string_set_ref(str, pam_get_item_service(pamh)); if ( ret < 0 ) goto err; - + idmef_process_set_name(process, str); } /* END */ 
@@ -483,7 +318,7 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) if ( ret < 0 ) goto err; - idmef_user_id_set_name(user_id, str); + idmef_user_id_set_name(user_id, str); } /* END */ /* BEGIN: Short description of the alert */ @@ -495,8 +330,8 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) if ( ret < 0 ) goto err; - ret = prelude_string_set_ref(str, - authval == PAM_SUCCESS ? + ret = prelude_string_set_ref(str, + authval == PAM_SUCCESS ? "Authentication Success" : "Authentication Failure"); if ( ret < 0 ) goto err; @@ -516,8 +351,7 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) if ( ret < 0 ) goto err; - ret = prelude_string_set_ref(str, - pam_get_alert_description(authval)); + ret = prelude_string_set_ref(str, pam_strerror (pamh, authval)); if ( ret < 0 ) goto err; @@ -525,7 +359,7 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) /* END */ /* BEGIN: Adding additional data */ if ( pam_get_item_user_prompt(pamh) ) { - ret = generate_additional_data(alert, "Local User Prompt", + ret = generate_additional_data(alert, "Local User Prompt", pam_get_item_user_prompt(pamh)); if ( ret < 0 ) goto err; @@ -533,16 +367,15 @@ pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) /* END */ prelude_client_send_idmef(client, idmef); - + if ( idmef ) idmef_message_destroy(idmef); return; err: - _pam_log(LOG_WARNING, - "%s: IDMEF error: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); - + pam_syslog(pamh, LOG_WARNING, "%s: IDMEF error: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + if ( idmef ) idmef_message_destroy(idmef); 
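Review bot: The detailed alert text in `pam_alert_prelude` now comes from `pam_strerror (pamh, authval)` instead of the removed fixed English table (hunk `-516,8 +351,7`). If `pam_strerror` returns locale-translated strings, as it presumably does in an NLS build, the IDMEF text varies with the locale of the authenticating process and text-matching correlation rules on the manager side can miss events. Carrying the numeric `authval` alongside it through the existing helper, e.g. `generate_additional_data(alert, "PAM return code", code_str)` with `code_str` formatted from `authval`, gives detections a stable key. `prelude_string_set_ref` keeps the pointer rather than a copy, so that string has to stay valid until `prelude_client_send_idmef()` has run; the function body extends beyond this hunk.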
@@ -557,7 +390,7 @@ pam_alert_prelude_init(pam_handle_t *pamh, int authval) ret = prelude_init(NULL, NULL); if ( ret < 0 ) { - _pam_log(LOG_WARNING, + pam_syslog(pamh, LOG_WARNING, "%s: Unable to initialize the Prelude library: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; @@ -565,7 +398,7 @@ pam_alert_prelude_init(pam_handle_t *pamh, int authval) ret = prelude_client_new(&client, DEFAULT_ANALYZER_NAME); if ( ! client ) { - _pam_log(LOG_WARNING, + pam_syslog(pamh, LOG_WARNING, "%s: Unable to create a prelude client object: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); @@ -573,9 +406,9 @@ pam_alert_prelude_init(pam_handle_t *pamh, int authval) } - ret = setup_analyzer(prelude_client_get_analyzer(client)); + ret = setup_analyzer(pamh, prelude_client_get_analyzer(client)); if ( ret < 0 ) { - _pam_log(LOG_WARNING, + pam_syslog(pamh, LOG_WARNING, "%s: Unable to setup analyzer: %s\n", prelude_strsource(ret), prelude_strerror(ret)); @@ -586,10 +419,10 @@ pam_alert_prelude_init(pam_handle_t *pamh, int authval) ret = prelude_client_start(client); if ( ret < 0 ) { - _pam_log(LOG_WARNING, + pam_syslog(pamh, LOG_WARNING, "%s: Unable to initialize prelude client: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE); return -1; @@ -602,4 +435,20 @@ pam_alert_prelude_init(pam_handle_t *pamh, int authval) return 0; } -#endif PRELUDE +void +prelude_send_alert(pam_handle_t *pamh, int authval) +{ + + int ret; + + prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG); + + ret = pam_alert_prelude_init(pamh, authval); + if ( ret < 0 ) + pam_syslog(pamh, LOG_WARNING, "No prelude alert sent"); + + prelude_deinit(); + +} + +#endif /* PRELUDE */ diff --git a/Linux-PAM/libpam/pam_private.h b/Linux-PAM/libpam/pam_private.h index 3c8d8538..8b7d9146 100644 --- a/Linux-PAM/libpam/pam_private.h +++ b/Linux-PAM/libpam/pam_private.h 
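Review bot: In the `@@ -565,7 +398,7 @@` hunk the failure test after `prelude_client_new(&client, DEFAULT_ANALYZER_NAME)` is `if ( ! client )`, while the message logged underneath reports `ret`. Whether `client` is guaranteed to be NULL after a failed call is not visible here (its declaration and any earlier value lie outside the hunk), so a failed call could pass unnoticed and a stale pointer be used. `if ( ret < 0 || ! client ) {` would match the other checks in pam_alert_prelude_init. The function body continues outside the hunk.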
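Review bot: The new `prelude_send_alert` in the `@@ -602,4 +435,20 @@` hunk has no comment describing its contract: it returns void, so a failure to deliver the alert is only logged at LOG_WARNING and cannot influence the PAM result. Anyone relying on these alerts for monitoring should be able to read that at the definition, for example `/* Best effort: any Prelude failure is logged and never changes the PAM return code. */`. The warning `"No prelude alert sent"` would also be easier to triage if it carried `authval`. `prelude_deinit()` runs even when `prelude_init()` failed inside pam_alert_prelude_init; whether the library tolerates that is not visible from here.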
@@ -1,8 +1,6 @@ /* * pam_private.h * - * $Id: pam_private.h,v 1.6 2004/09/15 12:06:17 kukuk Exp $ - * * This is the Linux-PAM Library Private Header. It contains things * internal to the Linux-PAM library. Things not needed by either an * application or module. @@ -16,13 +14,13 @@ #ifndef _PAM_PRIVATE_H #define _PAM_PRIVATE_H -#include <security/_pam_aconf.h> +#include "config.h" -/* this is not used at the moment --- AGM */ -#define LIBPAM_VERSION (LIBPAM_VERSION_MAJOR*0x100 + LIBPAM_VERSION_MINOR) +#include <syslog.h> #include <security/pam_appl.h> #include <security/pam_modules.h> +#include <security/pam_ext.h> /* the Linux-PAM configuration file */ @@ -55,6 +53,7 @@ struct handler { int argc; char **argv; struct handler *next; + char *mod_name; }; struct loaded_module { @@ -122,6 +121,7 @@ struct _pam_former_state { int status; /* the status before returning incomplete */ /* state info used by pam_get_user() function */ + int fail_user; int want_user; char *prompt; /* saved prompt information */ @@ -146,6 +146,12 @@ struct pam_handle { struct service handlers; struct _pam_former_state former; /* library state - support for event driven applications */ + const char *mod_name; /* Name of the module currently executed */ + int choice; /* Which function we call from the module */ + +#ifdef HAVE_LIBAUDIT + int audit_state; /* keep track of reported audit messages */ +#endif }; /* Values for select arg to _pam_dispatch() */ 
@@ -211,17 +217,23 @@ void _pam_start_timer(pam_handle_t *pamh); void _pam_await_timer(pam_handle_t *pamh, int status); typedef void (*voidfunc(void))(void); -#ifdef PAM_STATIC +typedef int (*servicefn)(pam_handle_t *, int, int, char **); +#ifdef PAM_STATIC /* The next two in ../modules/_pam_static/pam_static.c */ /* Return pointer to data structure used to define a static module */ -struct pam_module * _pam_open_static_handler(const char *path); +struct pam_module * _pam_open_static_handler (pam_handle_t *pamh, + const char *path); /* Return pointer to function requested from static module */ voidfunc *_pam_get_static_sym(struct pam_module *mod, const char *symname); - +#else +void *_pam_dlopen (const char *mod_path); +servicefn _pam_dlsym (void *handle, const char *symbol); +void _pam_dlclose (void *handle); +const char *_pam_dlerror (void); #endif /* For now we just use a stack and linear search for module data. */ @@ -237,7 +249,6 @@ struct pam_data { void _pam_free_data(pam_handle_t *pamh, int status); -int _pam_strCMP(const char *s, const char *t); char *_pam_StrTok(char *from, const char *format, char **next); char *_pam_strdup(const char *s); @@ -250,14 +261,7 @@ void _pam_set_default_control(int *control_array, int default_action); void _pam_parse_control(int *control_array, char *tok); -void _pam_system_log(int priority, const char *format, ... ) -#ifdef __GNUC__ - __attribute__ ((format (printf, 2, 3))); -#else - ; -#endif - -#define _PAM_SYSTEM_LOG_PREFIX "PAM " +#define _PAM_SYSTEM_LOG_PREFIX "PAM" /* * XXX - Take care with this. It could confuse the logic of a trailing 
@@ -266,14 +270,10 @@ void _pam_system_log(int priority, const char *format, ... ) #define IF_NO_PAMH(X,pamh,ERR) \ if ((pamh) == NULL) { \ - _pam_system_log(LOG_ERR, X ": NULL pam handle passed"); \ + syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX " " X ": NULL pam handle passed"); \ return ERR; \ } -/* Definition for the default username prompt used by pam_get_user() */ - -#define PAM_DEFAULT_PROMPT "Please enter username: " - /* * include some helpful macros */ @@ -293,6 +293,11 @@ if ((pamh) == NULL) { \ #define __PAM_TO_APP(pamh) \ do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) +#ifdef HAVE_LIBAUDIT +extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); +extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); +#endif + /* * Copyright (C) 1995 by Red Hat Software, Marc Ewing * Copyright (c) 1996-8,2001 by Andrew G. Morgan <morgan@kernel.org> @@ -311,13 +316,13 @@ if ((pamh) == NULL) { \ * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE diff --git a/Linux-PAM/libpam/pam_second.c b/Linux-PAM/libpam/pam_second.c deleted file mode 100644 index fa3bdf78..00000000 --- a/Linux-PAM/libpam/pam_second.c +++ /dev/null 
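Review bot: The rewritten `IF_NO_PAMH` macro in the `@@ -266,14 +270,10 @@` hunk calls `syslog(LOG_ERR, ...)` directly, so this message does not get the `LOG_AUTHPRIV` facility that pam_vsyslog (added in pam_syslog.c by this commit) ORs into the other libpam messages. A NULL-handle report from an authentication path would then be filed under whatever facility the application opened its log with, apart from the rest of the PAM trail. `pam_syslog(NULL, LOG_ERR, X ": NULL pam handle passed"); \` keeps the same text, since pam_vsyslog falls back to `_PAM_SYSTEM_LOG_PREFIX` when the handle is NULL, and it is what pam_start.c does for its own argument checks.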
@@ -1,50 +0,0 @@ -/* - * pam_second.c -- PAM secondary authentication - * (based on XSSO draft spec of March 1997) - * - * $Id: pam_second.c,v 1.3 2001/09/19 06:18:46 agmorgan Exp $ - * - */ - -#include <stdio.h> -#include <stdlib.h> - -#include "pam_private.h" - -/* p 42 */ - -/* XXX - there are actually no plans to support this function. It does - not appear to be very well defined */ - -int pam_authenticate_secondary(pam_handle_t *pamh, - char *target_username, - char *target_module_type, - char *target_authn_domain, - char *target_supp_data, - unsigned char *target_module_authtok, - int flags); - -int pam_authenticate_secondary(pam_handle_t *pamh, - char *target_username, - char *target_module_type, - char *target_authn_domain, - char *target_supp_data, - unsigned char *target_module_authtok, - int flags) -{ - int retval=PAM_SYSTEM_ERR; - - D(("called")); - - _pam_start_timer(pamh); /* we try to make the time for a failure - independent of the time it takes to - fail */ - - IF_NO_PAMH("pam_authenticate_secondary",pamh,PAM_SYSTEM_ERR); - - _pam_await_timer(pamh, retval); /* if unsuccessful then wait now */ - - D(("pam_authenticate_secondary exit")); - - return retval; -} diff --git a/Linux-PAM/libpam/pam_session.c b/Linux-PAM/libpam/pam_session.c index c468cf96..440ca8e6 100644 --- a/Linux-PAM/libpam/pam_session.c +++ b/Linux-PAM/libpam/pam_session.c @@ -1,7 +1,7 @@ /* pam_session.c - PAM Session Management */ /* - * $Id: pam_session.c,v 1.4 2003/07/13 20:01:44 vorlon Exp $ + * $Id: pam_session.c,v 1.6 2006/07/24 15:47:40 kukuk Exp $ */ #include "pam_private.h" @@ -10,6 +10,8 @@ int pam_open_session(pam_handle_t *pamh, int flags) { + int retval; + D(("called")); IF_NO_PAMH("pam_open_session", pamh, PAM_SYSTEM_ERR); 
@@ -18,12 +20,18 @@ int pam_open_session(pam_handle_t *pamh, int flags) D(("called from module!?")); return PAM_SYSTEM_ERR; } + retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); - return _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); +#endif + return retval; } int pam_close_session(pam_handle_t *pamh, int flags) { + int retval; + D(("called")); IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR); @@ -33,5 +41,12 @@ int pam_close_session(pam_handle_t *pamh, int flags) return PAM_SYSTEM_ERR; } - return _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + +#ifdef HAVE_LIBAUDIT + retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); +#endif + + return retval; + } diff --git a/Linux-PAM/libpam/pam_start.c b/Linux-PAM/libpam/pam_start.c index 5d6e066a..b2c62e54 100644 --- a/Linux-PAM/libpam/pam_start.c +++ b/Linux-PAM/libpam/pam_start.c @@ -3,7 +3,7 @@ /* Creator Marc Ewing * Maintained by AGM * - * $Id: pam_start.c,v 1.5 2004/09/14 13:48:41 kukuk Exp $ + * $Id: pam_start.c,v 1.9 2006/07/24 15:47:40 kukuk Exp $ * */ @@ -25,12 +25,25 @@ int pam_start ( ,service_name, user, pam_conversation, pamh)); if (pamh == NULL) { - _pam_system_log(LOG_CRIT, "pam_start: invalid argument: pamh == NULL"); - return (PAM_BUF_ERR); + pam_syslog(NULL, LOG_CRIT, + "pam_start: invalid argument: pamh == NULL"); + return (PAM_SYSTEM_ERR); + } + + if (service_name == NULL) { + pam_syslog(NULL, LOG_CRIT, + "pam_start: invalid argument: service == NULL"); + return (PAM_SYSTEM_ERR); + } + + if (pam_conversation == NULL) { + pam_syslog(NULL, LOG_CRIT, + "pam_start: invalid argument: conv == NULL"); + return (PAM_SYSTEM_ERR); } if ((*pamh = calloc(1, sizeof(**pamh))) == NULL) { - _pam_system_log(LOG_CRIT, "pam_start: calloc failed for *pamh"); + pam_syslog(NULL, LOG_CRIT, "pam_start: calloc failed for *pamh"); return (PAM_BUF_ERR); } 
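Review bot: With HAVE_LIBAUDIT defined, pam_open_session in the `@@ -18,12 +20,18 @@` hunk returns whatever `_pam_auditlog` returns rather than the result of `_pam_dispatch`, and the `@@ -33,5 +41,12 @@` hunk does the same for pam_close_session. The helper's body is not part of this page, so it is not clear from here whether it hands `retval` back unchanged or can replace it, for instance when the audit record cannot be written. That choice decides whether a session can open without an audit record, so it should be stated at the call, e.g. `/* _pam_auditlog() may override retval; see its contract */` or the actual rule once confirmed. Both function bodies begin outside their hunks.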
@@ -44,24 +57,22 @@ int pam_start ( __PAM_TO_APP(*pamh); - if (service_name) { + if (((*pamh)->service_name = _pam_strdup(service_name)) == NULL) { + pam_syslog(*pamh, LOG_CRIT, + "pam_start: _pam_strdup failed for service name"); + _pam_drop(*pamh); + return (PAM_BUF_ERR); + } else { char *tmp; - if (((*pamh)->service_name = _pam_strdup(service_name)) == NULL) { - _pam_system_log(LOG_CRIT, - "pam_start: _pam_strdup failed for service name"); - _pam_drop(*pamh); - return (PAM_BUF_ERR); - } for (tmp=(*pamh)->service_name; *tmp; ++tmp) *tmp = tolower(*tmp); /* require lower case */ - } else - (*pamh)->service_name = NULL; + } if (user) { if (((*pamh)->user = _pam_strdup(user)) == NULL) { - _pam_system_log(LOG_CRIT, - "pam_start: _pam_strdup failed for user"); + pam_syslog(*pamh, LOG_CRIT, + "pam_start: _pam_strdup failed for user"); _pam_drop((*pamh)->service_name); _pam_drop(*pamh); return (PAM_BUF_ERR); @@ -77,11 +88,13 @@ int pam_start ( (*pamh)->oldauthtok = NULL; (*pamh)->fail_delay.delay_fn_ptr = NULL; (*pamh)->former.choice = PAM_NOT_STACKED; +#ifdef HAVE_LIBAUDIT + (*pamh)->audit_state = 0; +#endif - if (pam_conversation == NULL - || ((*pamh)->pam_conversation = (struct pam_conv *) - malloc(sizeof(struct pam_conv))) == NULL) { - _pam_system_log(LOG_CRIT, "pam_start: malloc failed for pam_conv"); + if (((*pamh)->pam_conversation = (struct pam_conv *) + malloc(sizeof(struct pam_conv))) == NULL) { + pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv"); _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); _pam_drop(*pamh); @@ -93,7 +106,7 @@ int pam_start ( (*pamh)->data = NULL; if ( _pam_make_env(*pamh) != PAM_SUCCESS ) { - _pam_system_log(LOG_ERR,"pam_start: failed to initialize environment"); + pam_syslog(*pamh,LOG_ERR,"pam_start: failed to initialize environment"); _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); _pam_drop(*pamh); 
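Review bot: The lower-casing loop kept in the `@@ -44,24 +57,22 @@` hunk passes a plain `char` to `tolower`, which is undefined for negative values where `char` is signed, and `service_name` comes straight from the caller of pam_start. Casting first avoids that: `*tmp = tolower((unsigned char)*tmp);`. `tolower` also follows the current locale, so the folded service name can differ between locales; that deserves a comment if the name is later used to select configuration. pam_start begins and ends outside this hunk.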
@@ -108,7 +121,7 @@ int pam_start ( * symbols happens on the first call from the application. */ if ( _pam_init_handlers(*pamh) != PAM_SUCCESS ) { - _pam_system_log(LOG_ERR, "pam_start: failed to initialize handlers"); + pam_syslog(*pamh, LOG_ERR, "pam_start: failed to initialize handlers"); _pam_drop_env(*pamh); /* purge the environment */ _pam_drop((*pamh)->service_name); _pam_drop((*pamh)->user); diff --git a/Linux-PAM/libpam/pam_static.c b/Linux-PAM/libpam/pam_static.c index 5a2b5a5d..511026d4 100644 --- a/Linux-PAM/libpam/pam_static.c +++ b/Linux-PAM/libpam/pam_static.c @@ -1,8 +1,7 @@ -/* pam_static.c -- static module loading helper functions */ - -/* created by Michael K. Johnson, johnsonm@redhat.com +/* + * pam_static.c -- static module loading helper functions * - * $Id: pam_static.c,v 1.1.1.1 2000/06/20 22:11:21 agmorgan Exp $ + * created by Michael K. Johnson, johnsonm@redhat.com */ /* This whole file is only used for PAM_STATIC */ @@ -15,31 +14,15 @@ #include "pam_private.h" -/* - * Need to include pointers to static modules; this was built by each - * of the modules that register... - */ - -#include "../modules/_static_module_list" - -/* - * and here is a structure that connects libpam to the above static - * modules - */ - -static struct pam_module *static_modules[] = { - -#include "../modules/_static_module_entry" - - NULL -}; +#include "pam_static_modules.h" /* * and now for the functions */ /* Return pointer to data structure used to define a static module */ -struct pam_module * _pam_open_static_handler(const char *path) +struct pam_module * +_pam_open_static_handler (pam_handle_t *pamh, const char *path) { int i; const char *clpath = path; @@ -47,7 +30,7 @@ struct pam_module * _pam_open_static_handler(const char *path) if (strchr(clpath, '/')) { /* ignore path and leading "/" */ - clpath = strrchr(lpath, '/') + 1; + clpath = strrchr(path, '/') + 1; } /* create copy to muck with (must free before return) */ lpath = _pam_strdup(clpath); 
@@ -68,8 +51,7 @@ struct pam_module * _pam_open_static_handler(const char *path) } if (static_modules[i] == NULL) { - _pam_system_log(NULL, NULL, LOG_ERR, "no static module named %s", - lpath); + pam_syslog (pamh, LOG_ERR, "no static module named %s", lpath); } free(lpath); @@ -102,7 +84,11 @@ voidfunc *_pam_get_static_sym(struct pam_module *mod, const char *symname) { return ((voidfunc *)NULL); } -#endif /* PAM_STATIC */ +#else /* ! PAM_STATIC */ + +typedef int blarg; + +#endif /* ! PAM_STATIC */ /* * Copyright (C) 1995 by Red Hat Software, Michael K. Johnson @@ -120,13 +106,13 @@ voidfunc *_pam_get_static_sym(struct pam_module *mod, const char *symname) { * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE diff --git a/Linux-PAM/libpam/pam_static_modules.h b/Linux-PAM/libpam/pam_static_modules.h new file mode 100644 index 00000000..27b70826 --- /dev/null +++ b/Linux-PAM/libpam/pam_static_modules.h 
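Review bot: The `typedef int blarg;` added in the `@@ -102,7 +84,11 @@` hunk has no explanation, and the name gives no hint of its purpose. It appears to exist only so that the file is not an empty translation unit when PAM_STATIC is undefined; a comment such as `/* keep the translation unit non-empty when PAM_STATIC is off */` would say so.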
@@ -0,0 +1,136 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* Pointers to static module data. 
*/ + +extern struct pam_module _pam_access_modstruct; +extern struct pam_module _pam_cracklib_modstruct; +extern struct pam_module _pam_debug_modstruct; +extern struct pam_module _pam_deny_modstruct; +extern struct pam_module _pam_echo_modstruct; +extern struct pam_module _pam_env_modstruct; +extern struct pam_module _pam_exec_modstruct; +extern struct pam_module _pam_faildelay_modstruct; +extern struct pam_module _pam_filter_modstruct; +extern struct pam_module _pam_ftp_modstruct; +extern struct pam_module _pam_group_modstruct; +extern struct pam_module _pam_issue_modstruct; +extern struct pam_module _pam_keyinit_modstruct; +extern struct pam_module _pam_lastlog_modstruct; +extern struct pam_module _pam_limits_modstruct; +extern struct pam_module _pam_listfile_modstruct; +extern struct pam_module _pam_localuser_modstruct; +extern struct pam_module _pam_loginuid_modstruct; +extern struct pam_module _pam_mail_modstruct; +extern struct pam_module _pam_mkhomedir_modstruct; +extern struct pam_module _pam_motd_modstruct; +#ifdef HAVE_UNSHARE +extern struct pam_module _pam_namespace; +#endif +extern struct pam_module _pam_nologin_modstruct; +extern struct pam_module _pam_permit_modstruct; +extern struct pam_module _pam_rhosts_modstruct; +extern struct pam_module _pam_rhosts_auth_modstruct; +extern struct pam_module _pam_rootok_modstruct; +extern struct pam_module _pam_securetty_modstruct; +#ifdef WITH_SELINUX +extern struct pam_module _pam_selinux_modstruct; +#endif +extern struct pam_module _pam_shells_modstruct; +extern struct pam_module _pam_stress_modstruct; +extern struct pam_module _pam_succeed_if_modstruct; +extern struct pam_module _pam_tally_modstruct; +extern struct pam_module _pam_time_modstruct; +extern struct pam_module _pam_umask_modstruct; +extern struct pam_module _pam_unix_acct_modstruct; +extern struct pam_module _pam_unix_auth_modstruct; +extern struct pam_module _pam_unix_passwd_modstruct; +extern struct pam_module _pam_unix_session_modstruct; +extern 
struct pam_module _pam_userdb_modstruct; +extern struct pam_module _pam_warn_modstruct; +extern struct pam_module _pam_wheel_modstruct; +extern struct pam_module _pam_xauth_modstruct; + +/* and here is a structure that connects libpam to the above static + modules. */ + +static struct pam_module *static_modules[] = { + &_pam_access_modstruct, + &_pam_cracklib_modstruct, + &_pam_debug_modstruct, + &_pam_deny_modstruct, + &_pam_echo_modstruct, + &_pam_env_modstruct, + &_pam_exec_modstruct, + &_pam_faildelay, + &_pam_filter_modstruct, + &_pam_ftp_modstruct, + &_pam_group_modstruct, + &_pam_issue_modstruct, + &_pam_keyinit_modstruct, + &_pam_lastlog_modstruct, + &_pam_limits_modstruct, + &_pam_listfile_modstruct, + &_pam_localuser_modstruct, + &_pam_loginuid_modstruct, + &_pam_mail_modstruct, + &_pam_mkhomedir_modstruct, + &_pam_motd_modstruct, +#ifdef HAVE_UNSHARE + &_pam_namespace, +#endif + &_pam_nologin_modstruct, + &_pam_permit_modstruct, + &_pam_rhosts_modstruct, + &_pam_rhosts_auth_modstruct, + &_pam_rootok_modstruct, + &_pam_securetty_modstruct, +#ifdef WITH_SELINUX + &_pam_selinux_modstruct, +#endif + &_pam_shells_modstruct, + &_pam_stress_modstruct, + &_pam_succeed_if_modstruct, + &_pam_tally_modstruct, + &_pam_time_modstruct, + &_pam_umask_modstruct, + &_pam_unix_acct_modstruct, + &_pam_unix_auth_modstruct, + &_pam_unix_passwd_modstruct, + &_pam_unix_session_modstruct, + &_pam_userdb_modstruct, + &_pam_warn_modstruct, + &_pam_wheel_modstruct, + &_pam_xauth_modstruct, + NULL +}; diff --git a/Linux-PAM/libpam/pam_strerror.c b/Linux-PAM/libpam/pam_strerror.c index 788c7a51..17c81945 100644 --- a/Linux-PAM/libpam/pam_strerror.c +++ b/Linux-PAM/libpam/pam_strerror.c 
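Review bot: The `static_modules[]` initialiser in this new header takes `&_pam_faildelay`, but the declaration earlier in the file is `extern struct pam_module _pam_faildelay_modstruct;`, so a PAM_STATIC build would stop on an undeclared identifier. The entry should read `&_pam_faildelay_modstruct,`. The HAVE_UNSHARE pair uses `_pam_namespace` in both places, which is self-consistent but breaks the `_modstruct` naming of every other entry; whether the module defines that symbol is not visible here. The header also defines a `static` array without an include guard, so including it twice in one file would redefine the array.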
@@ -1,93 +1,106 @@ -/* pam_strerror.c */ - /* - * $Id: pam_strerror.c,v 1.4 2005/01/07 15:31:26 t8m Exp $ + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include "pam_private.h" -const char *pam_strerror(pam_handle_t *pamh, int errnum) +const char *pam_strerror(pam_handle_t *pamh UNUSED, int errnum) { -#ifdef UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT /* will be removed from v 1.0 */ - - int possible_error; - - possible_error = (int) pamh; - if (!(possible_error >= 0 && possible_error <= PAM_BAD_ITEM)) { - possible_error = errnum; - } - -/* mask standard behavior to use possible_error variable. */ -#define errnum possible_error - -#endif /* UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT */ - switch (errnum) { case PAM_SUCCESS: - return "Success"; + return _("Success"); case PAM_ABORT: - return "Critical error - immediate abort"; + return _("Critical error - immediate abort"); case PAM_OPEN_ERR: - return "dlopen() failure"; + return _("Failed to load module"); case PAM_SYMBOL_ERR: - return "Symbol not found"; + return _("Symbol not found"); case PAM_SERVICE_ERR: - return "Error in service module"; + return _("Error in service module"); case PAM_SYSTEM_ERR: - return "System error"; + return _("System error"); case PAM_BUF_ERR: - return "Memory buffer error"; + return _("Memory buffer error"); case PAM_PERM_DENIED: - return "Permission denied"; + return _("Permission denied"); case PAM_AUTH_ERR: - return "Authentication failure"; + return _("Authentication failure"); case PAM_CRED_INSUFFICIENT: - return "Insufficient credentials to access authentication data"; + return _("Insufficient credentials to access authentication data"); case PAM_AUTHINFO_UNAVAIL: - return "Authentication service cannot retrieve authentication info."; + return _("Authentication service cannot retrieve authentication info"); case PAM_USER_UNKNOWN: - return "User not known to the underlying authentication module"; + return _("User not known to the underlying authentication module"); case PAM_MAXTRIES: - return "Have exhausted maximum number of retries for service."; + return _("Have exhausted maximum number of retries for service"); case 
PAM_NEW_AUTHTOK_REQD: - return "Authentication token is no longer valid; new one required."; + return _("Authentication token is no longer valid; new one required"); case PAM_ACCT_EXPIRED: - return "User account has expired"; + return _("User account has expired"); case PAM_SESSION_ERR: - return "Cannot make/remove an entry for the specified session"; + return _("Cannot make/remove an entry for the specified session"); case PAM_CRED_UNAVAIL: - return "Authentication service cannot retrieve user credentials"; + return _("Authentication service cannot retrieve user credentials"); case PAM_CRED_EXPIRED: - return "User credentials expired"; + return _("User credentials expired"); case PAM_CRED_ERR: - return "Failure setting user credentials"; + return _("Failure setting user credentials"); case PAM_NO_MODULE_DATA: - return "No module specific data is present"; + return _("No module specific data is present"); case PAM_BAD_ITEM: - return "Bad item passed to pam_*_item()"; + return _("Bad item passed to pam_*_item()"); case PAM_CONV_ERR: - return "Conversation error"; + return _("Conversation error"); case PAM_AUTHTOK_ERR: - return "Authentication token manipulation error"; - case PAM_AUTHTOK_RECOVER_ERR: - return "Authentication information cannot be recovered"; + return _("Authentication token manipulation error"); + case PAM_AUTHTOK_RECOVERY_ERR: + return _("Authentication information cannot be recovered"); case PAM_AUTHTOK_LOCK_BUSY: - return "Authentication token lock busy"; + return _("Authentication token lock busy"); case PAM_AUTHTOK_DISABLE_AGING: - return "Authentication token aging disabled"; + return _("Authentication token aging disabled"); case PAM_TRY_AGAIN: - return "Failed preliminary check by password service"; + return _("Failed preliminary check by password service"); case PAM_IGNORE: - return "The return value should be ignored by PAM dispatch"; + return _("The return value should be ignored by PAM dispatch"); case PAM_MODULE_UNKNOWN: - return 
"Module is unknown"; + return _("Module is unknown"); case PAM_AUTHTOK_EXPIRED: - return "Authentication token expired"; + return _("Authentication token expired"); case PAM_CONV_AGAIN: - return "Conversation is waiting for event"; + return _("Conversation is waiting for event"); case PAM_INCOMPLETE: - return "Application needs to call libpam again"; + return _("Application needs to call libpam again"); } - return "Unknown PAM error"; + return _("Unknown PAM error"); } diff --git a/Linux-PAM/libpam/pam_syslog.c b/Linux-PAM/libpam/pam_syslog.c new file mode 100644 index 00000000..c5a6feca --- /dev/null +++ b/Linux-PAM/libpam/pam_syslog.c 
@@ -0,0 +1,115 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <stdarg.h> +#include <errno.h> + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> + +#include "pam_private.h" + +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + +static const char * +_pam_choice2str (int choice) +{ + switch (choice) + { + case PAM_AUTHENTICATE: + return "auth"; + case PAM_SETCRED: + return "setcred"; + case PAM_ACCOUNT: + return "account"; + case PAM_OPEN_SESSION: + case PAM_CLOSE_SESSION: + return "session"; + case PAM_CHAUTHTOK: + return "chauthtok"; + } + return ""; +} + +void +pam_vsyslog (const pam_handle_t *pamh, int priority, + const char *fmt, va_list args) +{ + char *msgbuf1 = NULL, *msgbuf2 = NULL; + int save_errno = errno; + + if (pamh && pamh->mod_name) + { + if (asprintf (&msgbuf1, "%s(%s:%s):", pamh->mod_name, + pamh->service_name?pamh->service_name:"<unknown>", + _pam_choice2str (pamh->choice)) < 0) + { + syslog (LOG_AUTHPRIV|LOG_ERR, "asprintf: %m"); + return; + } + } + + errno = save_errno; + if (vasprintf (&msgbuf2, fmt, args) < 0) + { + syslog (LOG_AUTHPRIV|LOG_ERR, "vasprintf: %m"); + _pam_drop (msgbuf1); + return; + } + + errno = save_errno; + syslog (LOG_AUTHPRIV|priority, "%s %s", + (msgbuf1 ? msgbuf1 : _PAM_SYSTEM_LOG_PREFIX), msgbuf2); + + _pam_drop (msgbuf1); + _pam_drop (msgbuf2); +} + +void +pam_syslog (const pam_handle_t *pamh, int priority, + const char *fmt, ...) +{ + va_list args; + + va_start (args, fmt); + pam_vsyslog (pamh, priority, fmt, args); + va_end (args); +} diff --git a/Linux-PAM/libpam/pam_tokens.h b/Linux-PAM/libpam/pam_tokens.h index 69e79489..35c127dc 100644 --- a/Linux-PAM/libpam/pam_tokens.h +++ b/Linux-PAM/libpam/pam_tokens.h 
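Review bot: pam_vsyslog in this new file drops the caller's message whenever `asprintf` or `vasprintf` fails, logging only `asprintf: %m` or `vasprintf: %m` in its place. For a library whose log lines are the authentication trail, losing the event under memory pressure is a poor trade; where `vsyslog` is available the message can still be emitted without the module prefix. Because `args` is indeterminate after the failed `vasprintf`, the fallback needs its own copy taken with `va_copy` beforehand. The early `return` after a failed `asprintf` could likewise become `msgbuf1 = NULL;` so that the default prefix is used.

```c
  va_list args_copy;

  /* … unchanged: build msgbuf1 from mod_name, service name and choice … */

  errno = save_errno;
  va_copy (args_copy, args);
  if (vasprintf (&msgbuf2, fmt, args) < 0)
    {
      /* Out of memory: still record the event, without the prefix. */
      errno = save_errno;
      vsyslog (LOG_AUTHPRIV|priority, fmt, args_copy);
      va_end (args_copy);
      _pam_drop (msgbuf1);
      return;
    }
  va_end (args_copy);

  /* … unchanged: syslog with prefix, drop msgbuf1 and msgbuf2 … */
```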
@@ -1,7 +1,7 @@ /* * pam_tokens.h * - * $Id: pam_tokens.h,v 1.3 2001/01/22 06:07:29 agmorgan Exp $ + * $Id: pam_tokens.h,v 1.4 2006/01/24 23:28:32 kukuk Exp $ * * This is a Linux-PAM Library Private Header file. It contains tokens * that are used when we parse the configuration file(s). @@ -17,6 +17,9 @@ /* an array of actions */ +#ifndef LIBPAM_COMPILE +static +#endif const char * const _pam_token_actions[-_PAM_ACTION_UNDEF] = { "ignore", /* 0 */ "ok", /* -1 */ @@ -28,6 +31,9 @@ const char * const _pam_token_actions[-_PAM_ACTION_UNDEF] = { /* an array of possible return values */ +#ifndef LIBPAM_COMPILE +static +#endif const char * const _pam_token_returns[_PAM_RETURN_VALUES+1] = { "success", /* 0 */ "open_err", /* 1 */ @@ -41,7 +47,7 @@ const char * const _pam_token_returns[_PAM_RETURN_VALUES+1] = { "authinfo_unavail", /* 9 */ "user_unknown", /* 10 */ "maxtries", /* 11 */ - "new_authtok_reqd", /* 12 */ + "new_authtok_reqd", /* 12 */ "acct_expired", /* 13 */ "session_err", /* 14 */ "cred_unavail", /* 15 */ diff --git a/Linux-PAM/libpam/pam_vprompt.c b/Linux-PAM/libpam/pam_vprompt.c new file mode 100644 index 00000000..c53079b5 --- /dev/null +++ b/Linux-PAM/libpam/pam_vprompt.c 
@@ -0,0 +1,115 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+#include <security/pam_ext.h>
+
+#include "pam_private.h"
+
+int
+pam_vprompt (pam_handle_t *pamh, int style, char **response,
+ const char *fmt, va_list args)
+{
+ struct pam_message msg;
+ struct pam_response *pam_resp = NULL;
+ const struct pam_message *pmsg;
+ const struct pam_conv *conv;
+ const void *convp;
+ char *msgbuf;
+ int retval;
+
+ if (response)
+ *response = NULL;
+
+ retval = pam_get_item (pamh, PAM_CONV, &convp);
+ if (retval != PAM_SUCCESS)
+ return retval;
+ conv = convp;
+ if (conv == NULL || conv->conv == NULL)
+ {
+ pam_syslog (pamh, LOG_ERR, "no conversation function");
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (vasprintf (&msgbuf, fmt, args) < 0)
+ {
+ pam_syslog (pamh, LOG_ERR, "vasprintf: %m");
+ return PAM_BUF_ERR;
+ }
+
+ msg.msg_style = style;
+ msg.msg = msgbuf;
+ pmsg = &msg;
+
+ retval = conv->conv (1, &pmsg, &pam_resp, conv->appdata_ptr);
+ if (retval != PAM_SUCCESS && pam_resp != NULL)
+ pam_syslog(pamh, LOG_WARNING,
+ "unexpected response from failed conversation function");
+ if (response)
+ *response = pam_resp == NULL ? NULL : pam_resp->resp;
+ else if (pam_resp && pam_resp->resp)
+ {
+ _pam_overwrite (pam_resp->resp);
+ _pam_drop (pam_resp->resp);
+ }
+ _pam_overwrite (msgbuf);
+ _pam_drop (pam_resp);
+ free (msgbuf);
+ if (retval != PAM_SUCCESS)
+ pam_syslog (pamh, LOG_ERR, "conversation failed");
+
+ return retval;
+}
+
+int
+pam_prompt (pam_handle_t *pamh, int style, char **response,
+ const char *fmt, ...)
+{
+ va_list args;
+ int retval;
+
+ va_start (args, fmt);
+ retval = pam_vprompt (pamh, style, response, fmt, args);
+ va_end (args);
+
+ return retval;
+}
 |
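Review bot: When the conversation function fails but still returns a reply, `pam_vprompt` logs the warning and then stores `pam_resp->resp` in `*response` anyway, so a caller that treats a non-success return as "no response" never scrubs or frees a buffer that may hold a password. I would overwrite and drop the reply inside the `retval != PAM_SUCCESS && pam_resp != NULL` branch so that `*response` stays NULL on every failure path. This relies on `_pam_drop` resetting the pointer to NULL; the macro lives in `_pam_macros.h`, outside this diff, so confirm that there. The prototypes of `pam_vprompt` and `pam_prompt` are not in this hunk either; it is worth checking that they carry a printf `format` attribute so a non-literal `fmt` is caught at compile time.

```c
  retval = conv->conv (1, &pmsg, &pam_resp, conv->appdata_ptr);
  if (retval != PAM_SUCCESS && pam_resp != NULL)
    {
      pam_syslog (pamh, LOG_WARNING,
                  "unexpected response from failed conversation function");
      /* Never hand a reply from a failed conversation to the caller. */
      if (pam_resp->resp)
        {
          _pam_overwrite (pam_resp->resp);
          _pam_drop (pam_resp->resp);
        }
    }
  /* ... unchanged: *response assignment, scrubbing of msgbuf, final logging ... */
```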