diff options
Diffstat (limited to 'Linux-PAM/modules')
433 files changed, 56144 insertions, 11197 deletions
diff --git a/Linux-PAM/modules/Makefile b/Linux-PAM/modules/Makefile deleted file mode 100644 index 58be5a24..00000000 --- a/Linux-PAM/modules/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# $Id: Makefile,v 1.4 2004/09/28 13:48:47 kukuk Exp $ -# -# Makefile -# -# This makefile controls the build process of shared and static PAM modules. -# -# - -include ../Make.Rules - -MODDIRS=$(shell /bin/ls -d pam_*/Makefile | cut -f1 -d/) - -all: - @echo building the static modutil library - make -C pammodutil all - @echo modules sources available are: - @ls -d $(MODDIRS) 2>/dev/null ; echo :-------- - @echo -ifdef STATIC - rm -f ./_static_module_* -endif - @for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i all ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } elif [ -f ./.$$i ]; then { \ - cat ./.$$i ; \ - } fi ; \ - done - -download: - @./download-all - -install: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i install ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } fi ; \ - done - -remove: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i remove ; \ - } fi ; \ - done - -lclean: - rm -f _static_module_* - -clean: lclean - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i clean ; \ - } fi ; \ - done - make -C pammodutil clean diff --git a/Linux-PAM/modules/Makefile.am b/Linux-PAM/modules/Makefile.am new file mode 100644 index 00000000..1272b0e8 --- /dev/null +++ b/Linux-PAM/modules/Makefile.am @@ -0,0 +1,16 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ + pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \ + pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \ + pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \ + pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \ + pam_tally pam_time pam_umask pam_unix pam_userdb pam_warn \ + pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \ + pam_faildelay + +CLEANFILES = *~ + +EXTRA_DIST = modules.map diff --git a/Linux-PAM/modules/Makefile.in b/Linux-PAM/modules/Makefile.in new file mode 100644 index 00000000..ea167a5c --- /dev/null +++ b/Linux-PAM/modules/Makefile.in @@ -0,0 +1,553 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = modules +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +SOURCES = +DIST_SOURCES = +RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ + html-recursive info-recursive install-data-recursive \ + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ + pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \ + pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \ + pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \ + pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \ + pam_tally pam_time pam_umask pam_unix pam_userdb pam_warn \ + pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \ + pam_faildelay + +CLEANFILES = *~ +EXTRA_DIST = modules.map +all: all-recursive + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +# This directory's subdirectories are mostly independent; you can cd +# into them and run `make' without going through this Makefile. +# To change the values of `make' variables: instead of editing Makefiles, +# (1) if the variable is set in `config.status', edit `config.status' +# (which will cause the Makefiles to be regenerated when you run `make'); +# (2) otherwise, pass the desired values on the `make' command line. +$(RECURSIVE_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +$(RECURSIVE_CLEAN_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + rev=''; for subdir in $$list; do \ + if test "$$subdir" = "."; then :; else \ + rev="$$subdir $$rev"; \ + fi; \ + done; \ + rev="$$rev ."; \ + target=`echo $@ | sed s/-recursive//`; \ + for subdir in $$rev; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done && test -z "$$fail" +tags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + done +ctags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + distdir=`$(am__cd) $(distdir) && pwd`; \ + top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ + (cd $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$top_distdir" \ + distdir="$$distdir/$$subdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + distdir) \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-recursive +all-am: Makefile +installdirs: installdirs-recursive +installdirs-am: +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-recursive + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-recursive + -rm -f Makefile +distclean-am: clean-am distclean-generic distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +info: info-recursive + +info-am: + +install-data-am: + +install-dvi: install-dvi-recursive + +install-exec-am: + +install-html: install-html-recursive + +install-info: install-info-recursive + +install-man: + +install-pdf: install-pdf-recursive + +install-ps: install-ps-recursive + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: + +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ + install-strip + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am check check-am clean clean-generic clean-libtool \ + ctags ctags-recursive distclean distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/README b/Linux-PAM/modules/README deleted file mode 100644 index 73d3cf0c..00000000 --- a/Linux-PAM/modules/README +++ /dev/null @@ -1,55 +0,0 @@ -This directory contains the modules. - -If you want to reserve a module name please email <pam-list@redhat.com> -and announce its name. Andrew Morgan, <morgan@linux.kernel.org>, will -add it to the Makefile in the next release of Linux-PAM. - -As of Linux-PAM-0.40 modules can optionally conform to the static -modules conventions. - -This file was updated for Linux-PAM-0.53. - -The conventions are as follows: - -There are only 6 functions that a module may declare as "public" they -fall into 4 managment groups as follows: - - functions Management group - ------------------------------------------ ---------------- - pam_sm_authenticate, pam_sm_setcred, PAM_SM_AUTH - pam_sm_acct_mgmt, PAM_SM_ACCOUNT - pam_sm_open_session, pam_sm_close_session, PAM_SM_SESSION - pam_sm_chauthtok PAM_SM_PASSWORD - -If a module contains definitions for any of the above functions, it -must supply definitions for all of the functions in the corresponding -management group. - -The header file that defines the ANSI prototypes for these functions -is <security/pam_modules.h> . In the case that the module wishes to -offer the functions of a given managment group, it must #define -PAM_SM_XXX, where XXX is one of the above four tokens. These -definitions must occur *prior* to the -#include <security/pam_modules.h> line. - -The pam_sm_... functions should be defined to be of type 'PAM_EXTERN int'. - -In the case that a module is being compiled with PAM_STATIC #define'd -it should also define a globally accessible structure -_"NAME"_modstruct containing references to each of the functions -defined by the module. (this structure is defined in -<security/pam_modules.h>. "NAME" is the title of the module -(eg. "pam_deny") - -If a module wants to be included in the static libpam.a its Makefile -should execute "register_static" with appropriate arguments (in this -directory). - -[ -For SIMPLE working examples, see - - ./modules/pam_deny/* and ./modules/pam_rootok/* -.] - -Andrew Morgan -96/11/10 diff --git a/Linux-PAM/modules/Simple.Rules b/Linux-PAM/modules/Simple.Rules deleted file mode 100644 index 57b582de..00000000 --- a/Linux-PAM/modules/Simple.Rules +++ /dev/null @@ -1,109 +0,0 @@ -# $Id: Simple.Rules,v 1.7 2004/09/28 13:48:47 kukuk Exp $ -# -# For simple modules with no significant dependencies, set $(TITLE) -# and include this file. -# -# There are a few ways to customize this set of rules. Namely, define -# -# $(MODULE_SIMPLE_EXTRACLEAN) -# $(MODULE_SIMPLE_CLEAN) -# $(MODULE_SIMPLE_REMOVE) -# $(MODULE_SIMPLE_INSTALL) -# $(MODULE_SIMPLE_EXTRALIBS) - other things to link with the module -# $(MODULE_SIMPLE_EXTRAFILES) - other files to build (no .c suffix) -# - --include ../Make.Rules - -LIBFILES = $(TITLE) $(MODULE_SIMPLE_EXTRAFILES) -LIBSRC = $(addsuffix .c,$(LIBFILES)) -LIBOBJ = $(addsuffix .o,$(LIBFILES)) -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -LINK_PAMMODUTILS = -L../pammodutil -lpammodutil -L../../libpam -lpam -INCLUDE_PAMMODUTILS = -I../pammodutil/include - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(INCLUDE_PAMMODUTILS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(INCLUDE_PAMMODUTILS) $(STATIC) $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(MODULE_SIMPLE_EXTRALIBS) $(NEED_LINK_LIB_C) $(LINK_PAMMODUTILS) - -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(MODULE_SIMPLE_EXTRALIBS) $(LINK_PAMMODUTILS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif -ifdef MAN3 - test -d $(FAKEROOT)$(mandir)/man3 || $(MKDIR) $(FAKEROOT)$(mandir)/man3 - $(INSTALL) -m $(MANMODE) $(MAN3) $(FAKEROOT)$(mandir)/man3/ -endif -ifdef MAN5 - test -d $(FAKEROOT)$(mandir)/man5 || $(MKDIR) $(FAKEROOT)$(mandir)/man5 - $(INSTALL) -m $(MANMODE) $(MAN5) $(FAKEROOT)$(mandir)/man5/ -endif -ifdef MAN8 - test -d $(FAKEROOT)$(mandir)/man8 || $(MKDIR) $(FAKEROOT)$(mandir)/man8 - $(INSTALL) -m $(MANMODE) $(MAN8) $(FAKEROOT)$(mandir)/man8/ -endif - $(MODULE_SIMPLE_INSTALL) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - $(MODULE_SIMPLE_REMOVE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - $(MODULE_SIMPLE_CLEAN) - rm -f *.a *.o *.so *.bak - rm -rf dynamic static - $(MODULE_SIMPLE_EXTRACLEAN) - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/Linux-PAM/modules/dont_makefile b/Linux-PAM/modules/dont_makefile deleted file mode 100644 index 48307f02..00000000 --- a/Linux-PAM/modules/dont_makefile +++ /dev/null @@ -1,21 +0,0 @@ -######################################################################### -# $Id: dont_makefile,v 1.2 2000/11/19 23:54:03 agmorgan Exp $ -######################################################################### -# This is a makefile that does nothing. It is designed to be included -# by module Makefile-s when they are not compatable with the local -# system -######################################################################### - -all: - @echo "This module will not be compiled on this system" - -remove: clean - -install: clean - -clean: - @echo "Nothing to do" - -######################################################################### -# all over.. -######################################################################### diff --git a/Linux-PAM/modules/download-all b/Linux-PAM/modules/download-all deleted file mode 100755 index 9b6cf655..00000000 --- a/Linux-PAM/modules/download-all +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -# -# $Id: download-all,v 1.1.1.1 2000/06/20 22:11:29 agmorgan Exp $ -# -cat <<EOT -For a number of reasons it is not practical for Linux-PAM to be -distributed with every module out there. However, this shell script -is intended as a convenient way for users to download modules from the -'net in some semiautomated fashion. - -Please feel free to send (pam-list@redhat.com) snippets of code that -will help others to download and unpack your favorite module into the -Linux-PAM source tree. Especially welcome are snippets of the -following form: - -ncftp ftp://my.ftpsite.org/pub/fluff/pam_fluff.tar.gz -rm -fr pam_fluff -tar zvfx pam_fluff.tar.gz - -Cheers - -Andrew -morgan@linux.kernel.org -EOT - -# --- insert your snippets below --- - -# --- insert your snippets above --- - -exit 0 diff --git a/Linux-PAM/modules/install_conf b/Linux-PAM/modules/install_conf deleted file mode 100755 index 80f6be29..00000000 --- a/Linux-PAM/modules/install_conf +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/bash - -FAKEROOT=$1 -CONFD=$1$2 -CONFILE=$1$3 -MODULE=$4 -CONF=$5 - -IGNORE_AGE=./.ignore_age -QUIET_INSTALL=../../.quiet_install - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/Linux-PAM/modules/modules.map b/Linux-PAM/modules/modules.map new file mode 100644 index 00000000..2234aa40 --- /dev/null +++ b/Linux-PAM/modules/modules.map @@ -0,0 +1,11 @@ +{ + global: + pam_sm_acct_mgmt; + pam_sm_authenticate; + pam_sm_chauthtok; + pam_sm_close_session; + pam_sm_open_session; + pam_sm_setcred; + local: *; +}; + diff --git a/Linux-PAM/modules/pam_access/Makefile b/Linux-PAM/modules/pam_access/Makefile deleted file mode 100644 index d8a71ee5..00000000 --- a/Linux-PAM/modules/pam_access/Makefile +++ /dev/null @@ -1,24 +0,0 @@ -# $Id: Makefile,v 1.3 2003/07/13 18:41:04 vorlon Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_access -LOCAL_CONFILE=./access.conf -INSTALLED_CONFILE=$(SCONFIGD)/access.conf -ifeq ($(HAVE_LIBNSL),yes) -MODULE_SIMPLE_EXTRALIBS=-lnsl -endif - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_access/Makefile.am b/Linux-PAM/modules/pam_access/Makefile.am new file mode 100644 index 00000000..8641b97c --- /dev/null +++ b/Linux-PAM/modules/pam_access/Makefile.am @@ -0,0 +1,37 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access + +man_MANS = access.conf.5 pam_access.8 + +XMLS = README.xml access.conf.5.xml pam_access.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBNSL@ +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_access.la + +secureconf_DATA = access.conf + +if ENABLE_REGENERATE_MAN + +noinst_DATA = README + +README: pam_access.8.xml access.conf.5.xml + +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_access diff --git a/Linux-PAM/modules/pam_access/Makefile.in b/Linux-PAM/modules/pam_access/Makefile.in new file mode 100644 index 00000000..86303308 --- /dev/null +++ b/Linux-PAM/modules/pam_access/Makefile.in @@ -0,0 +1,738 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_access +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_access_la_LIBADD = +pam_access_la_SOURCES = pam_access.c +pam_access_la_OBJECTS = pam_access.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_access.c +DIST_SOURCES = pam_access.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access +man_MANS = access.conf.5 pam_access.8 +XMLS = README.xml access.conf.5.xml pam_access.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBNSL@ $(am__append_1) +securelib_LTLIBRARIES = pam_access.la +secureconf_DATA = access.conf +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_access +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_access/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_access/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_access.la: $(pam_access_la_OBJECTS) $(pam_access_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_access_la_OBJECTS) $(pam_access_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_access.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_access.8.xml access.conf.5.xml + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_access/README b/Linux-PAM/modules/pam_access/README index ddd4725f..c3561da0 100644 --- a/Linux-PAM/modules/pam_access/README +++ b/Linux-PAM/modules/pam_access/README @@ -1,44 +1,103 @@ -# Description of its configuration file -# -# (The default config file is "/etc/security/access.conf". This -# default can be overridden with a module config argument -# 'accessfile=<full-path>'): -# -# Login access control table. -# -# When someone logs in, the table is scanned for the first entry that -# matches the (user, host) combination, or, in case of non-networked -# logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will -# be accepted or refused. -# -# Format of the login access control table is three fields separated by a -# ":" character: -# -# permission : users : origins -# -# The first field should be a "+" (access granted) or "-" (access denied) -# character. -# -# The second field should be a list of one or more login names, group -# names, or ALL (always matches). A pattern of the form user@host is -# matched when the login name matches the "user" part, and when the -# "host" part matches the local machine name. -# -# The third field should be a list of one or more tty names (for -# non-networked logins), host names, domain names (begin with "."), host -# addresses, internet network numbers (end with "."), ALL (always -# matches) or LOCAL (matches any string that does not contain a "." -# character). -# -# If you run NIS you can use @netgroupname in host or user patterns; this -# even works for @usergroup@@hostgroup patterns. Weird. -# -# The EXCEPT operator makes it possible to write very compact rules. -# -# The group file is searched only when a name does not match that of the -# logged-in user. Both the user's primary group is matched, as well as -# groups in which users are explicitly listed. -# -# Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15 -############################################################################ +pam_access — PAM module for logdaemon style login access control + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_access PAM module is mainly for access management. It provides +logdaemon style login access control based on login names, host or domain +names, internet addresses or network numbers, or on terminal line names in case +of non-networked logins. + +By default rules for access management are taken from config file /etc/security +/access.conf if you don't specify another file. + +OPTIONS + +accessfile=/path/to/access.conf + + Indicate an alternative access.conf style configuration file to override + the default. This can be useful when different services need different + access lists. + +debug + + A lot of debug informations are printed with syslog(3). + +fieldsep=separators + + This option modifies the field separator character that pam_access will + recognize when parsing the access configuration file. For example: fieldsep + =| will cause the default `:' character to be treated as part of a field + value and `|' becomes the field separator. Doing this may be useful in + conjuction with a system that wants to use pam_access with X based + applications, since the PAM_TTY item is likely to be of the form + "hostname:0" which includes a `:' character in its value. But you should + not need this. + +listsep=separators + + This option modifies the list separator character that pam_access will + recognize when parsing the access configuration file. For example: listsep + =, will cause the default ` ' (space) and `\t' (tab) characters to be + treated as part of a list element value and `,' becomes the only list + element separator. Doing this may be useful on a system with group + information obtained from a Windows domain, where the default built-in + groups "Domain Users", "Domain Admins" contain a space. + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +access.conf. + +User root should be allowed to get access via cron, X11 terminal :0, tty1, ..., +tty5, tty6. + ++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + +User root should be allowed to get access from hosts which own the IPv4 +addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 +connection from a host with one of this IPv4 addresses does work, too. + ++ : root : 192.168.200.1 192.168.200.4 192.168.200.9 + ++ : root : 127.0.0.1 + +User root should get access from network 192.168.201. where the term will be +evaluated by string matching. But it might be better to use network/netmask +instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/ +255.255.255.0. + ++ : root : 192.168.201. + +User root should be able to have access from hosts foo1.bar.org and +foo2.bar.org (uses string matching also). + ++ : root : foo1.bar.org foo2.bar.org + +User root should be able to have access from domain foo.bar.org (uses string +matching also). + ++ : root : .foo.bar.org + +User root should be denied to get access from all other sources. + +- : root : ALL + +User foo and members of netgroup admins should be allowed to get access from +all sources. This will only work if netgroup service is available. + ++ : @admins foo : ALL + +User john and foo should get access from IPv6 host address. + ++ : john foo : 2001:4ca0:0:101::1 + +User john should get access from IPv6 net/mask. + ++ : john : 2001:4ca0:0:101::/64 + +All other users should be denied to get access from all sources. + +- : ALL : ALL + diff --git a/Linux-PAM/modules/pam_access/README.xml b/Linux-PAM/modules/pam_access/README.xml new file mode 100644 index 00000000..8c7d078b --- /dev/null +++ b/Linux-PAM/modules/pam_access/README.xml @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_access.8.xml"> +--> +<!-- +<!ENTITY accessconf SYSTEM "access.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_access.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_access-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_access/access.conf b/Linux-PAM/modules/pam_access/access.conf index cec2be0c..b22f1d43 100644 --- a/Linux-PAM/modules/pam_access/access.conf +++ b/Linux-PAM/modules/pam_access/access.conf @@ -1,5 +1,8 @@ # Login access control table. # +# Comment line must start with "#", no space at front. +# Order of lines is important. +# # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The @@ -28,11 +31,11 @@ # The third field should be a list of one or more tty names (for # non-networked logins), host names, domain names (begin with "."), host # addresses, internet network numbers (end with "."), ALL (always -# matches) or LOCAL (matches any string that does not contain a "." -# character). +# matches), NONE (matches no tty on non-networked logins) or +# LOCAL (matches any string that does not contain a "." character). # -# If you run NIS you can use @netgroupname in host or user patterns; this -# even works for @usergroup@@hostgroup patterns. Weird. +# You can use @netgroupname in host or user patterns; this even works +# for @usergroup@@hostgroup patterns. # # The EXCEPT operator makes it possible to write very compact rules. # @@ -63,3 +66,49 @@ # # All other accounts are allowed to login from anywhere. # +############################################################################## +# All lines from here up to the end are building a more complex example. +############################################################################## +# +# User "root" should be allowed to get access via cron .. tty5 tty6. +#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +# +# User "root" should be allowed to get access from hosts with ip addresses. +#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +#+ : root : 127.0.0.1 +# +# User "root" should get access from network 192.168.201. +# This term will be evaluated by string matching. +# comment: It might be better to use network/netmask instead. +# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +#+ : root : 192.168.201. +# +# User "root" should be able to have access from domain. +# Uses string matching also. +#+ : root : .foo.bar.org +# +# User "root" should be denied to get access from all other sources. +#- : root : ALL +# +# User "foo" and members of netgroup "nis_group" should be +# allowed to get access from all sources. +# This will only work if netgroup service is available. +#+ : @nis_group foo : ALL +# +# User "john" should get access from ipv4 net/mask +#+ : john : 127.0.0.0/24 +# +# User "john" should get access from ipv4 as ipv6 net/mask +#+ : john : ::ffff:127.0.0.0/127 +# +# User "john" should get access from ipv6 host address +#+ : john : 2001:4ca0:0:101::1 +# +# User "john" should get access from ipv6 host address (same as above) +#+ : john : 2001:4ca0:0:101:0:0:0:1 +# +# User "john" should get access from ipv6 net/mask +#+ : john : 2001:4ca0:0:101::/64 +# +# All other users should be denied to get access from all sources. +#- : ALL : ALL diff --git a/Linux-PAM/modules/pam_access/access.conf.5 b/Linux-PAM/modules/pam_access/access.conf.5 new file mode 100644 index 00000000..43cc4fce --- /dev/null +++ b/Linux-PAM/modules/pam_access/access.conf.5 @@ -0,0 +1,163 @@ +.\" Title: access.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "ACCESS.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +access.conf \- the login access control table file +.SH "DESCRIPTION" +.PP +The +\fI/etc/security/access.conf\fR +file specifies (\fIuser\fR, +\fIhost\fR), (\fIuser\fR, +\fInetwork/netmask\fR) or (\fIuser\fR, +\fItty\fR) combinations for which a login will be either accepted or refused. +.PP +When someone logs in, the file +\fIaccess.conf\fR +is scanned for the first entry that matches the (\fIuser\fR, +\fIhost\fR) or (\fIuser\fR, +\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR, +\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused. +.PP +Each line of the login access control table has three fields separated by a ":" character (colon): +.PP + +\fIpermission\fR:\fIusers\fR:\fIorigins\fR +.PP +The first field, the +\fIpermission\fR +field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied. +.PP +The second field, the +\fIusers\fR +field, should be a list of one or more login names, group names, or +\fIALL\fR +(which always matches). +.PP +The third field, the +\fIorigins\fR +field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), +\fIALL\fR +(which always matches) or +\fILOCAL\fR +(which matches any string that does not contain a "." character). If supported by the system you can use +\fI@netgroupname\fR +in host or user patterns. +.PP +The +\fIexcept\fR +operator makes it possible to write very compact rules. +.PP +The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. +.PP +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/access.conf\fR. +.PP +User +\fIroot\fR +should be allowed to get access via +\fIcron\fR, X11 terminal +\fI:0\fR, +\fItty1\fR, ..., +\fItty5\fR, +\fItty6\fR. +.PP ++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +.PP +User +\fIroot\fR +should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too. +.PP ++ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +.PP ++ : root : 127.0.0.1 +.PP +User +\fIroot\fR +should get access from network +192.168.201. +where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of +192.168.201. +is +\fI192.168.201.0/24\fR +or +\fI192.168.201.0/255.255.255.0\fR. +.PP ++ : root : 192.168.201. +.PP +User +\fIroot\fR +should be able to have access from hosts +\fIfoo1.bar.org\fR +and +\fIfoo2.bar.org\fR +(uses string matching also). +.PP ++ : root : foo1.bar.org foo2.bar.org +.PP +User +\fIroot\fR +should be able to have access from domain +\fIfoo.bar.org\fR +(uses string matching also). +.PP ++ : root : .foo.bar.org +.PP +User +\fIroot\fR +should be denied to get access from all other sources. +.PP +\- : root : ALL +.PP +User +\fIfoo\fR +and members of netgroup +\fIadmins\fR +should be allowed to get access from all sources. This will only work if netgroup service is available. +.PP ++ : @admins foo : ALL +.PP +User +\fIjohn\fR +and +\fIfoo\fR +should get access from IPv6 host address. +.PP ++ : john foo : 2001:4ca0:0:101::1 +.PP +User +\fIjohn\fR +should get access from IPv6 net/mask. +.PP ++ : john : 2001:4ca0:0:101::/64 +.PP +All other users should be denied to get access from all sources. +.PP +\- : ALL : ALL +.SH "SEE ALSO" +.PP + +\fBpam_access\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHORS" +.PP +Original +\fBlogin.access\fR(5) +manual was provided by Guido van Rooij which was renamed to +\fBaccess.conf\fR(5) +to reflect relation to default config file. +.PP +Network address / netmask description and example text was introduced by Mike Becher <mike.becher@lrz\-muenchen.de>. diff --git a/Linux-PAM/modules/pam_access/access.conf.5.xml b/Linux-PAM/modules/pam_access/access.conf.5.xml new file mode 100644 index 00000000..492f995d --- /dev/null +++ b/Linux-PAM/modules/pam_access/access.conf.5.xml @@ -0,0 +1,194 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" + "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> + +<refentry id="access.conf"> + + <refmeta> + <refentrytitle>access.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>access.conf</refname> + <refpurpose>the login access control table file</refpurpose> + </refnamediv> + + + <refsect1 id='access.conf-description'> + <title>DESCRIPTION</title> + <para> + The <filename>/etc/security/access.conf</filename> file specifies + (<replaceable>user</replaceable>, <replaceable>host</replaceable>), + (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>) or + (<replaceable>user</replaceable>, <replaceable>tty</replaceable>) + combinations for which a login will be either accepted or refused. + </para> + <para> + When someone logs in, the file <filename>access.conf</filename> is + scanned for the first entry that matches the + (<replaceable>user</replaceable>, <replaceable>host</replaceable>) or + (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>) + combination, or, in case of non-networked logins, the first entry + that matches the + (<replaceable>user</replaceable>, <replaceable>tty</replaceable>) + combination. The permissions field of that table entry determines + whether the login will be accepted or refused. + </para> + + <para> + Each line of the login access control table has three fields separated + by a ":" character (colon): + </para> + + <para> + <replaceable>permission</replaceable>:<replaceable>users</replaceable>:<replaceable>origins</replaceable> + </para> + + + <para> + The first field, the <replaceable>permission</replaceable> field, can be either a + "<emphasis>+</emphasis>" character (plus) for access granted or a + "<emphasis>-</emphasis>" character (minus) for access denied. + </para> + + <para> + The second field, the <replaceable>users</replaceable> + field, should be a list of one or more login names, group names, or + <emphasis>ALL</emphasis> (which always matches). + </para> + + <para> + The third field, the <replaceable>origins</replaceable> + field, should be a list of one or more tty names (for non-networked + logins), host names, domain names (begin with "."), host addresses, + internet network numbers (end with "."), internet network addresses + with network mask (where network mask can be a decimal number or an + internet address also), <emphasis>ALL</emphasis> (which always matches) + or <emphasis>LOCAL</emphasis> (which matches any string that does not + contain a "." character). If supported by the system you can use + <emphasis>@netgroupname</emphasis> in host or user patterns. + </para> + + <para> + The <replaceable>except</replaceable> operator makes it possible to + write very compact rules. + </para> + + <para> + The group file is searched only when a name does not match that of + the logged-in user. Only groups are matched in which users are + explicitly listed. However the PAM module does not look at the + primary group id of a user. + </para> + + + <para> + The "<emphasis>#</emphasis>" character at start of line (no space + at front) can be used to mark this line as a comment line. + </para> + + </refsect1> + + <refsect1 id="access.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/access.conf</filename>. + </para> + + <para> + User <emphasis>root</emphasis> should be allowed to get access via + <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>, + <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>, + <emphasis>tty6</emphasis>. + </para> + <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para> + + <para> + User <emphasis>root</emphasis> should be allowed to get access from + hosts which own the IPv4 addresses. This does not mean that the + connection have to be a IPv4 one, a IPv6 connection from a host with + one of this IPv4 addresses does work, too. + </para> + <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para> + <para>+ : root : 127.0.0.1</para> + + <para> + User <emphasis>root</emphasis> should get access from network + <literal>192.168.201.</literal> where the term will be evaluated by + string matching. But it might be better to use network/netmask instead. + The same meaning of <literal>192.168.201.</literal> is + <emphasis>192.168.201.0/24</emphasis> or + <emphasis>192.168.201.0/255.255.255.0</emphasis>. + </para> + <para>+ : root : 192.168.201.</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from hosts + <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis> + (uses string matching also). + </para> + <para>+ : root : foo1.bar.org foo2.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from + domain <emphasis>foo.bar.org</emphasis> (uses string matching also). + </para> + <para>+ : root : .foo.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be denied to get access + from all other sources. + </para> + <para>- : root : ALL</para> + + <para> + User <emphasis>foo</emphasis> and members of netgroup + <emphasis>admins</emphasis> should be allowed to get access + from all sources. This will only work if netgroup service is available. + </para> + <para>+ : @admins foo : ALL</para> + + <para> + User <emphasis>john</emphasis> and <emphasis>foo</emphasis> + should get access from IPv6 host address. + </para> + <para>+ : john foo : 2001:4ca0:0:101::1</para> + + <para> + User <emphasis>john</emphasis> should get access from IPv6 net/mask. + </para> + <para>+ : john : 2001:4ca0:0:101::/64</para> + + <para> + All other users should be denied to get access from all sources. + </para> + <para>- : ALL : ALL</para> + + </refsect1> + + <refsect1 id="access.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="access.conf-author"> + <title>AUTHORS</title> + <para> + Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry> + manual was provided by Guido van Rooij which was renamed to + <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> + to reflect relation to default config file. + </para> + <para> + Network address / netmask description and example text was + introduced by Mike Becher <mike.becher@lrz-muenchen.de>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_access/pam_access.8 b/Linux-PAM/modules/pam_access/pam_access.8 new file mode 100644 index 00000000..b613e323 --- /dev/null +++ b/Linux-PAM/modules/pam_access/pam_access.8 @@ -0,0 +1,80 @@ +.\" Title: pam_access +.\" Author: +.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 <http://docbook.sf.net/> +.\" Date: 08/31/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ACCESS" "8" "08/31/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_access \- PAM module for logdaemon style login access control +.SH "SYNOPSIS" +.HP 14 +\fBpam_access.so\fR [debug] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] +.SH "DESCRIPTION" +.PP +The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins. +.PP +By default rules for access management are taken from config file +\fI/etc/security/access.conf\fR +if you don't specify another file. +.SH "OPTIONS" +.TP 3n +\fBaccessfile=\fR\fB\fI/path/to/access.conf\fR\fR +Indicate an alternative +\fIaccess.conf\fR +style configuration file to override the default. This can be useful when different services need different access lists. +.TP 3n +\fBdebug\fR +A lot of debug informations are printed with +\fBsyslog\fR(3). +.TP 3n +\fBfieldsep=\fR\fB\fIseparators\fR\fR +This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example: +\fBfieldsep=|\fR +will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the +\fBPAM_TTY\fR +item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this. +.TP 3n +\fBlistsep=\fR\fB\fIseparators\fR\fR +This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example: +\fBlistsep=,\fR +will cause the default ` ' (space) and `\\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space. +.SH "MODULE SERVICES PROVIDED" +.PP +All services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +Access was granted. +.TP 3n +PAM_PERM_DENIED +Access was not granted. +.TP 3n +PAM_IGNORE + +\fBpam_setcred\fR +was called which does nothing. +.TP 3n +PAM_ABORT +Not all relevant data or options could be gotten. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "FILES" +.TP 3n +\fI/etc/security/access.conf\fR +Default configuration file +.SH "SEE ALSO" +.PP + +\fBaccess.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHORS" +.PP +The logdaemon style login access control scheme was designed and implemented by Wietse Venema. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin.dnttm.ru>. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike.becher@lrz\-muenchen.de>. diff --git a/Linux-PAM/modules/pam_access/pam_access.8.xml b/Linux-PAM/modules/pam_access/pam_access.8.xml new file mode 100644 index 00000000..74e39993 --- /dev/null +++ b/Linux-PAM/modules/pam_access/pam_access.8.xml @@ -0,0 +1,220 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_access'> + + <refmeta> + <refentrytitle>pam_access</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_access-name'> + <refname>pam_access</refname> + <refpurpose> + PAM module for logdaemon style login access control + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_access-cmdsynopsis"> + <command>pam_access.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + accessfile=<replaceable>file</replaceable> + </arg> + <arg choice="opt"> + fieldsep=<replaceable>sep</replaceable> + </arg> + <arg choice="opt"> + listsep=<replaceable>sep</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_access-description"> + <title>DESCRIPTION</title> + <para> + The pam_access PAM module is mainly for access management. + It provides logdaemon style login access control based on login + names, host or domain names, internet addresses or network numbers, + or on terminal line names in case of non-networked logins. + </para> + <para> + By default rules for access management are taken from config file + <filename>/etc/security/access.conf</filename> if you don't specify + another file. + </para> + </refsect1> + + <refsect1 id="pam_access-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + <option>accessfile=<replaceable>/path/to/access.conf</replaceable></option> + </term> + <listitem> + <para> + Indicate an alternative <filename>access.conf</filename> + style configuration file to override the default. This can + be useful when different services need different access lists. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + A lot of debug informations are printed with + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>fieldsep=<replaceable>separators</replaceable></option> + </term> + <listitem> + <para> + This option modifies the field separator character that + pam_access will recognize when parsing the access + configuration file. For example: + <emphasis remap='B'>fieldsep=|</emphasis> will cause the + default `:' character to be treated as part of a field value + and `|' becomes the field separator. Doing this may be + useful in conjuction with a system that wants to use + pam_access with X based applications, since the + <emphasis remap='B'>PAM_TTY</emphasis> item is likely to be + of the form "hostname:0" which includes a `:' character in + its value. But you should not need this. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>listsep=<replaceable>separators</replaceable></option> + </term> + <listitem> + <para> + This option modifies the list separator character that + pam_access will recognize when parsing the access + configuration file. For example: + <emphasis remap='B'>listsep=,</emphasis> will cause the + default ` ' (space) and `\t' (tab) characters to be treated + as part of a list element value and `,' becomes the only + list element separator. Doing this may be useful on a system + with group information obtained from a Windows domain, + where the default built-in groups "Domain Users", + "Domain Admins" contain a space. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_access-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All services are supported. + </para> + </refsect1> + + <refsect1 id="pam_access-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Access was granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Access was not granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_setcred</function> was called which does nothing. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data or options could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_access-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/access.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_access-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_access-authors"> + <title>AUTHORS</title> + <para> + The logdaemon style login access control scheme was designed and implemented by + Wietse Venema. + The pam_access PAM module was developed by + Alexei Nogin <alexei@nogin.dnttm.ru>. + The IPv6 support and the network(address) / netmask feature + was developed and provided by Mike Becher <mike.becher@lrz-muenchen.de>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_access/pam_access.c b/Linux-PAM/modules/pam_access/pam_access.c index 4f6cf574..80d94cc9 100644 --- a/Linux-PAM/modules/pam_access/pam_access.c +++ b/Linux-PAM/modules/pam_access/pam_access.c @@ -25,7 +25,7 @@ ************************************************************************* */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -42,11 +42,9 @@ #include <ctype.h> #include <sys/utsname.h> #include <rpcsvc/ypclnt.h> - -#ifndef BROKEN_NETWORK_MATCH -# include <netdb.h> -# include <sys/socket.h> -#endif +#include <arpa/inet.h> +#include <netdb.h> +#include <sys/socket.h> /* * here, we make definitions for the externally accessible functions @@ -55,11 +53,15 @@ * modules include file to define their prototypes. */ +#define PAM_SM_AUTH #define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD #include <security/_pam_macros.h> #include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */ @@ -77,16 +79,10 @@ #define MAXHOSTNAMELEN 256 #endif -#ifdef DEFAULT_CONF_FILE -# define PAM_ACCESS_CONFIG DEFAULT_CONF_FILE -#else -# define PAM_ACCESS_CONFIG "/etc/security/access.conf" -#endif - /* Delimiters for fields and for lists of users, ttys or hosts. */ static const char *fs = ":"; /* field separator */ -static const char sep[] = ", \t"; /* list-element separator */ +static const char *sep = ", \t"; /* list-element separator */ /* Constants to be used in assignments only, not in comparisons... */ @@ -98,28 +94,20 @@ static const char sep[] = ", \t"; /* list-element separator */ * functional interfaces as generic as possible. */ struct login_info { - struct passwd *user; - char *from; + const struct passwd *user; + const char *from; const char *config_file; - const char *service; }; -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_access", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_ERR, format, args); - va_end(args); - closelog(); -} +/* Print debugging messages. + Default is NO which means don't print debugging messages. */ +static char pam_access_debug = NO; /* Parse module config arguments */ -static int parse_args(struct login_info *loginfo, int argc, const char **argv) +static int +parse_args(pam_handle_t *pamh, struct login_info *loginfo, + int argc, const char **argv) { int i; @@ -129,6 +117,11 @@ static int parse_args(struct login_info *loginfo, int argc, const char **argv) /* the admin wants to override the default field separators */ fs = argv[i]+9; + } else if (!strncmp("listsep=", argv[i], 8)) { + + /* the admin wants to override the default list separators */ + sep = argv[i]+8; + } else if (!strncmp("accessfile=", argv[i], 11)) { FILE *fp = fopen(11 + argv[i], "r"); @@ -136,26 +129,184 @@ static int parse_args(struct login_info *loginfo, int argc, const char **argv) loginfo->config_file = 11 + argv[i]; fclose(fp); } else { - _log_err("for service [%s] failed to open accessfile=[%s]" - , loginfo->service, 11 + argv[i]); + pam_syslog(pamh, LOG_ERR, + "failed to open accessfile=[%s]: %m", 11 + argv[i]); return 0; } + } else if (strcmp (argv[i], "debug") == 0) { + pam_access_debug = YES; } else { - _log_err("unrecognized option [%s]", argv[i]); + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); } } return 1; /* OK */ } +/* --- static functions for checking whether the user should be let in --- */ + typedef int match_func (pam_handle_t *, char *, struct login_info *); static int list_match (pam_handle_t *, char *, struct login_info *, match_func *); static int user_match (pam_handle_t *, char *, struct login_info *); static int from_match (pam_handle_t *, char *, struct login_info *); -static int string_match (pam_handle_t *, char *, char *); +static int string_match (pam_handle_t *, const char *, const char *); +static int network_netmask_match (pam_handle_t *, const char *, const char *); + + +/* isipaddr - find out if string provided is an IP address or not */ + +static int +isipaddr (const char *string, int *addr_type, + struct sockaddr_storage *addr) +{ + struct sockaddr_storage local_addr; + int is_ip; + + /* We use struct sockaddr_storage addr because + * struct in_addr/in6_addr is an integral part + * of struct sockaddr and we doesn't want to + * use its value. + */ + + if (addr == NULL) + addr = &local_addr; + + memset(addr, 0, sizeof(struct sockaddr_storage)); + + /* first ipv4 */ + if (inet_pton(AF_INET, string, addr) > 0) + { + if (addr_type != NULL) + *addr_type = AF_INET; + + is_ip = YES; + } + else if (inet_pton(AF_INET6, string, addr) > 0) + { /* then ipv6 */ + if (addr_type != NULL) { + *addr_type = AF_INET6; + } + is_ip = YES; + } + else + is_ip = NO; + + return is_ip; +} + + +/* are_addresses_equal - translate IP address strings to real IP + * addresses and compare them to find out if they are equal. + * If netmask was provided it will be used to focus comparation to + * relevant bits. + */ +static int +are_addresses_equal (const char *ipaddr0, const char *ipaddr1, + const char *netmask) +{ + struct sockaddr_storage addr0; + struct sockaddr_storage addr1; + int addr_type0 = 0; + int addr_type1 = 0; + + if (isipaddr (ipaddr0, &addr_type0, &addr0) == NO) + return NO; + + if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO) + return NO; + + if (addr_type0 != addr_type1) + /* different address types */ + return NO; + + if (netmask != NULL) { + /* Got a netmask, so normalize addresses? */ + struct sockaddr_storage nmask; + unsigned char *byte_a, *byte_nm; + + memset(&nmask, 0, sizeof(struct sockaddr_storage)); + if (inet_pton(addr_type0, netmask, (void *)&nmask) > 0) { + unsigned int i; + byte_a = (unsigned char *)(&addr0); + byte_nm = (unsigned char *)(&nmask); + for (i=0; i<sizeof(struct sockaddr_storage); i++) { + byte_a[i] = byte_a[i] & byte_nm[i]; + } + + byte_a = (unsigned char *)(&addr1); + byte_nm = (unsigned char *)(&nmask); + for (i=0; i<sizeof(struct sockaddr_storage); i++) { + byte_a[i] = byte_a[i] & byte_nm[i]; + } + } + } + + + /* Are the two addresses equal? */ + if (memcmp((void *)&addr0, (void *)&addr1, + sizeof(struct sockaddr_storage)) == 0) { + return(YES); + } + + return(NO); +} + +static char * +number_to_netmask (long netmask, int addr_type, + char *ipaddr_buf, size_t ipaddr_buf_len) +{ + /* We use struct sockaddr_storage addr because + * struct in_addr/in6_addr is an integral part + * of struct sockaddr and we doesn't want to + * use its value. + */ + struct sockaddr_storage nmask; + unsigned char *byte_nm; + const char *ipaddr_dst = NULL; + int i, ip_bytes; + + if (netmask == 0) { + /* mask 0 is the same like no mask */ + return(NULL); + } + + memset(&nmask, 0, sizeof(struct sockaddr_storage)); + if (addr_type == AF_INET6) { + /* ipv6 address mask */ + ip_bytes = 16; + } else { + /* default might be an ipv4 address mask */ + addr_type = AF_INET; + ip_bytes = 4; + } + + byte_nm = (unsigned char *)(&nmask); + /* translate number to mask */ + for (i=0; i<ip_bytes; i++) { + if (netmask >= 8) { + byte_nm[i] = 0xff; + netmask -= 8; + } else + if (netmask > 0) { + byte_nm[i] = 0xff << (8 - netmask); + break; + } else + if (netmask <= 0) { + break; + } + } + + /* now generate netmask address string */ + ipaddr_dst = inet_ntop(addr_type, &nmask, ipaddr_buf, ipaddr_buf_len); + if (ipaddr_dst == ipaddr_buf) { + return (ipaddr_buf); + } + + return (NULL); +} /* login_access - match username/group and host/tty with access control file */ @@ -171,6 +322,12 @@ login_access (pam_handle_t *pamh, struct login_info *item) int end; int lineno = 0; /* for diagnostics */ + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "login_access: user=%s, from=%s, file=%s", + item->user->pw_name, + item->from, item->config_file); + /* * Process the table one line at a time and stop at the first match. * Blank lines and lines that begin with a '#' character are ignored. @@ -183,8 +340,9 @@ login_access (pam_handle_t *pamh, struct login_info *item) while (!match && fgets(line, sizeof(line), fp)) { lineno++; if (line[end = strlen(line) - 1] != '\n') { - _log_err("%s: line %d: missing newline or line too long", - item->config_file, lineno); + pam_syslog(pamh, LOG_ERR, + "%s: line %d: missing newline or line too long", + item->config_file, lineno); continue; } if (line[0] == '#') @@ -195,30 +353,44 @@ login_access (pam_handle_t *pamh, struct login_info *item) if (line[0] == 0) /* skip blank lines */ continue; - /* Allow trailing: in last field fo froms */ + /* Allow field seperator in last field of froms */ if (!(perm = strtok(line, fs)) || !(users = strtok((char *) 0, fs)) - || !(froms = strtok((char *) 0, fs))) { - _log_err("%s: line %d: bad field count", - item->config_file, lineno); + || !(froms = strtok((char *) 0, "\n"))) { + pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count", + item->config_file, lineno); continue; } if (perm[0] != '+' && perm[0] != '-') { - _log_err("%s: line %d: bad first field", - item->config_file, lineno); + pam_syslog(pamh, LOG_ERR, "%s: line %d: bad first field", + item->config_file, lineno); continue; } - match = (list_match(pamh, froms, item, from_match) - && list_match(pamh, users, item, user_match)); + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "line %d: %s : %s : %s", lineno, perm, users, froms); + match = list_match(pamh, froms, item, from_match); + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "from_match=%d, \"%s\"", match, item->from); + match = match && list_match (pamh, users, item, user_match); + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, "user_match=%d, \"%s\"", + match, item->user->pw_name); } (void) fclose(fp); - } else if (errno != ENOENT) { - _log_err("cannot open %s: %m", item->config_file); + } else if (errno == ENOENT) { + /* This is no error. */ + pam_syslog(pamh, LOG_WARNING, "warning: cannot open %s: %m", + item->config_file); + } else { + pam_syslog(pamh, LOG_ERR, "cannot open %s: %m", item->config_file); return NO; } - return (match == 0 || (line[0] == '+')); + return (match == NO || (line[0] == '+')); } + /* list_match - match an item against a list of tokens with exceptions */ static int list_match(pam_handle_t *pamh, @@ -266,23 +438,39 @@ static char * myhostname(void) /* netgroup_match - match group against machine or user */ -static int netgroup_match(char *group, char *machine, char *user) +static int +netgroup_match (pam_handle_t *pamh, const char *group, + const char *machine, const char *user) { - static char *mydomain = NULL; + char *mydomain = NULL; + int retval; + + yp_get_default_domain(&mydomain); + + + retval = innetgr (group, machine, user, mydomain); + if (pam_access_debug == YES) + pam_syslog (pamh, LOG_DEBUG, + "netgroup_match: %d (group=%s, machine=%s, user=%s, domain=%s)", + retval, group ? group : "NULL", machine ? machine : "NULL", + user ? user : "NULL", mydomain ? mydomain : "NULL"); + return retval; - if (mydomain == 0) - yp_get_default_domain(&mydomain); - return (innetgr(group, machine, user, mydomain)); } /* user_match - match a username against one token */ -static int user_match(pam_handle_t *pamh, char *tok, struct login_info *item) +static int +user_match (pam_handle_t *pamh, char *tok, struct login_info *item) { char *string = item->user->pw_name; struct login_info fake_item; char *at; + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "user_match: tok=%s, item=%s", tok, string); + /* * If a token has the magic value "ALL" the match always succeeds. * Otherwise, return YES if the token fully matches the username, if the @@ -295,12 +483,13 @@ static int user_match(pam_handle_t *pamh, char *tok, struct login_info *item) fake_item.from = myhostname(); if (fake_item.from == NULL) return NO; - return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item)); + return (user_match (pamh, tok, item) && + from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') /* netgroup */ - return (netgroup_match(tok + 1, (char *) 0, string)); + return (netgroup_match (pamh, tok + 1, (char *) 0, string)); else if (string_match (pamh, tok, string)) /* ALL or exact match */ return YES; - else if (_pammodutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)) + else if (pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)) /* try group membership */ return YES; @@ -310,11 +499,15 @@ static int user_match(pam_handle_t *pamh, char *tok, struct login_info *item) /* from_match - match a host or tty against a list of tokens */ static int -from_match (pam_handle_t *pamh, char *tok, struct login_info *item) +from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) { - char *string = item->from; - int tok_len; - int str_len; + const char *string = item->from; + int tok_len; + int str_len; + + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "from_match: tok=%s, item=%s", tok, string); /* * If a token has the magic value "ALL" the match always succeeds. Return @@ -325,153 +518,322 @@ from_match (pam_handle_t *pamh, char *tok, struct login_info *item) * if it matches the head of the string. */ - if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, string, (char *) 0)); - } else if (string_match (pamh, tok, string)) /* ALL or exact match */ - return YES; - else if (tok[0] == '.') { /* domain: match last fields */ + if (string == NULL) { + return NO; + } else if (tok[0] == '@') { /* netgroup */ + return (netgroup_match (pamh, tok + 1, string, (char *) 0)); + } else if (string_match(pamh, tok, string)) { + /* ALL or exact match */ + return (YES); + } else if (tok[0] == '.') { /* domain: match last fields */ if ((str_len = strlen(string)) > (tok_len = strlen(tok)) && strcasecmp(tok, string + str_len - tok_len) == 0) return (YES); } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ if (strchr(string, '.') == 0) return (YES); -#ifdef BROKEN_NETWORK_MATCH - } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */ - && strncmp(tok, string, tok_len) == 0) { - return (YES); -#else /* BROKEN_NETWORK_MATCH */ } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { - /* - The code below does a more correct check if the address specified - by "string" starts from "tok". - 1998/01/27 Andrey V. Savochkin <saw@msu.ru> - */ - - struct hostent *h; - char hn[3+1+3+1+3+1+3+1+1]; - int r; - - h = gethostbyname(string); - if (h == NULL) - return (NO); - if (h->h_addrtype != AF_INET) - return (NO); - if (h->h_length != 4) - return (NO); /* only IPv4 addresses (SAW) */ - r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u.", - (unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1], - (unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]); - if (r < 0 || r >= sizeof(hn)) - return (NO); - if (!strncmp(tok, hn, tok_len)) - return (YES); -#endif /* BROKEN_NETWORK_MATCH */ + struct addrinfo *res; + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = AI_CANONNAME; + hint.ai_family = AF_INET; + + if (getaddrinfo (string, NULL, &hint, &res) != 0) + return NO; + else + { + struct addrinfo *runp = res; + + while (runp != NULL) + { + char buf[INET_ADDRSTRLEN+2]; + + if (runp->ai_family == AF_INET) + { + inet_ntop (runp->ai_family, + &((struct sockaddr_in *) runp->ai_addr)->sin_addr, + buf, sizeof (buf)); + + strcat (buf, "."); + + if (strncmp(tok, buf, tok_len) == 0) + { + freeaddrinfo (res); + return YES; + } + } + runp = runp->ai_next; + } + freeaddrinfo (res); + } + } else if (isipaddr(string, NULL, NULL) == YES) { + /* Assume network/netmask with a IP of a host. */ + if (network_netmask_match(pamh, tok, string)) + return YES; + } else { + /* Assume network/netmask with a name of a host. */ + struct addrinfo *res; + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = AI_CANONNAME; + hint.ai_family = AF_UNSPEC; + + if (getaddrinfo (string, NULL, &hint, &res) != 0) + return NO; + else + { + struct addrinfo *runp = res; + + while (runp != NULL) + { + char buf[INET6_ADDRSTRLEN]; + + inet_ntop (runp->ai_family, + runp->ai_family == AF_INET + ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr + : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, + buf, sizeof (buf)); + + if (network_netmask_match(pamh, tok, buf)) + { + freeaddrinfo (res); + return YES; + } + runp = runp->ai_next; + } + freeaddrinfo (res); + } } - return (NO); + + return NO; } /* string_match - match a string against one token */ static int -string_match (pam_handle_t *pamh, char *tok, char *string) +string_match (pam_handle_t *pamh, const char *tok, const char *string) { + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "string_match: tok=%s, item=%s", tok, string); + /* * If the token has the magic value "ALL" the match always succeeds. * Otherwise, return YES if the token fully matches the string. + * "NONE" token matches NULL string. */ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ return (YES); - } else if (strcasecmp(tok, string) == 0) { /* try exact match */ + } else if (string != NULL) { + if (strcasecmp(tok, string) == 0) { /* try exact match */ + return (YES); + } + } else if (strcasecmp(tok, "NONE") == 0) { return (YES); } return (NO); } -/* --- public account management functions --- */ -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +/* network_netmask_match - match a string against one token + * where string is an ip (v4,v6) address and tok represents + * whether a single ip (v4,v6) address or a network/netmask + */ +static int +network_netmask_match (pam_handle_t *pamh, + const char *tok, const char *string) { - struct login_info loginfo; - const char *user=NULL, *service=NULL; - char *from=NULL; - struct passwd *user_pw; + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "network_netmask_match: tok=%s, item=%s", tok, string); + + if (isipaddr(string, NULL, NULL) == YES) + { + char *netmask_ptr = NULL; + static char netmask_string[MAXHOSTNAMELEN + 1] = ""; + int addr_type; + + /* OK, check if tok is of type addr/mask */ + if ((netmask_ptr = strchr(tok, '/')) != NULL) + { + long netmask = 0; + + /* YES */ + *netmask_ptr = 0; + netmask_ptr++; + + if (isipaddr(tok, &addr_type, NULL) == NO) + { /* no netaddr */ + return(NO); + } - if ((pam_get_item(pamh, PAM_SERVICE, (const void **)&service) - != PAM_SUCCESS) || (service == NULL) || (*service == ' ')) { - _log_err("cannot find the service name"); - return PAM_ABORT; + /* check netmask */ + if (isipaddr(netmask_ptr, NULL, NULL) == NO) + { /* netmask as integre value */ + char *endptr = NULL; + netmask = strtol(netmask_ptr, &endptr, 0); + if ((endptr == NULL) || (*endptr != '\0')) + { /* invalid netmask value */ + return(NO); + } + if ((netmask < 0) || (netmask >= 128)) + { /* netmask value out of range */ + return(NO); + } + + netmask_ptr = number_to_netmask(netmask, addr_type, + netmask_string, MAXHOSTNAMELEN); + } + + /* Netmask is now an ipv4/ipv6 address. + * This works also if netmask_ptr is NULL. + */ + return (are_addresses_equal(string, tok, netmask_ptr)); + } + else + /* NO, then check if it is only an addr */ + if (isipaddr(tok, NULL, NULL) == YES) + { /* check if they are the same, no netmask */ + return(are_addresses_equal(string, tok, NULL)); + } } + return (NO); +} + + +/* --- public PAM management functions --- */ + +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct login_info loginfo; + const char *user=NULL; + const void *void_from=NULL; + const char *from; + struct passwd *user_pw; + /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err("cannot determine the user's name"); + pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } /* remote host name */ - if (pam_get_item(pamh, PAM_RHOST, (const void **)&from) + if (pam_get_item(pamh, PAM_RHOST, &void_from) != PAM_SUCCESS) { - _log_err("cannot find the remote host name"); + pam_syslog(pamh, LOG_ERR, "cannot find the remote host name"); return PAM_ABORT; } + from = void_from; if ((from==NULL) || (*from=='\0')) { /* local login, set tty name */ - if (pam_get_item(pamh, PAM_TTY, (const void **)&from) != PAM_SUCCESS - || from == NULL) { + if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS + || void_from == NULL) { D(("PAM_TTY not set, probing stdin")); from = ttyname(STDIN_FILENO); - if (from == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - - if (from[0] == '/') { /* full path */ - from++; - from = strchr(from, '/'); - from++; + if (from != NULL) { + if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) + pam_syslog(pamh, LOG_WARNING, "couldn't set tty name"); + } else { + if (pam_get_item(pamh, PAM_SERVICE, &void_from) != PAM_SUCCESS + || void_from == NULL) { + pam_syslog (pamh, LOG_ERR, + "cannot determine remote host, tty or service name"); + return PAM_ABORT; + } + from = void_from; + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "cannot determine tty or remote hostname, using service %s", + from); + } } + else + from = void_from; + + if (from[0] == '/') { /* full path, remove device path. */ + const char *f; + from++; + if ((f = strchr(from, '/')) != NULL) { + from = f + 1; + } + } } - if ((user_pw=_pammodutil_getpwnam(pamh, user))==NULL) return (PAM_USER_UNKNOWN); + if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL) + return (PAM_USER_UNKNOWN); /* * Bundle up the arguments to avoid unnecessary clumsiness later on. */ loginfo.user = user_pw; loginfo.from = from; - loginfo.service = service; loginfo.config_file = PAM_ACCESS_CONFIG; /* parse the argument list */ - if (!parse_args(&loginfo, argc, argv)) { - _log_err("failed to parse the module arguments"); + if (!parse_args(pamh, &loginfo, argc, argv)) { + pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments"); return PAM_ABORT; } if (login_access(pamh, &loginfo)) { return (PAM_SUCCESS); } else { - _log_err("access denied for user `%s' from `%s'",user,from); + pam_syslog(pamh, LOG_ERR, + "access denied for user `%s' from `%s'",user,from); return (PAM_PERM_DENIED); } } +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +PAM_EXTERN int +pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate (pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + /* end of module definition */ #ifdef PAM_STATIC @@ -480,11 +842,11 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc struct pam_module _pam_access_modstruct = { "pam_access", - NULL, - NULL, + pam_sm_authenticate, + pam_sm_setcred, pam_sm_acct_mgmt, - NULL, - NULL, - NULL + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok }; #endif diff --git a/Linux-PAM/modules/pam_access/tst-pam_access b/Linux-PAM/modules/pam_access/tst-pam_access new file mode 100755 index 00000000..271e69fe --- /dev/null +++ b/Linux-PAM/modules/pam_access/tst-pam_access @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_access.so diff --git a/Linux-PAM/modules/pam_cracklib/Makefile b/Linux-PAM/modules/pam_cracklib/Makefile deleted file mode 100644 index 371ac0a8..00000000 --- a/Linux-PAM/modules/pam_cracklib/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -# -# $Id: Makefile,v 1.3 2001/02/10 22:15:23 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@kernel.org> 2000/10/08 -# - -include ../../Make.Rules - -TITLE=pam_cracklib - -ifeq ($(HAVE_LIBCRACK),yes) -BUILD_THIS_MODULE=yes -MODULE_SIMPLE_EXTRALIBS=-lcrack - -# These two should really be provided by ../../pam_aconf.h -CFLAGS+=-DCRACKLIB_DICTPATH=\"$(CRACKLIB_DICTPATH)\" - -ifeq ($(HAVE_LIBCRYPT),yes) - MODULE_SIMPLE_EXTRALIBS += -lcrypt -endif - -endif - -ifeq ($(BUILD_THIS_MODULE),yes) - include ../Simple.Rules -else - include ../dont_makefile -endif diff --git a/Linux-PAM/modules/pam_cracklib/Makefile.am b/Linux-PAM/modules/pam_cracklib/Makefile.am new file mode 100644 index 00000000..cc8d6ff9 --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/Makefile.am @@ -0,0 +1,38 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_cracklib + +man_MANS = pam_cracklib.8 + +XMLS = README.xml pam_cracklib.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_LIBCRACK +securelib_LTLIBRARIES = pam_cracklib.la + +TESTS = tst-pam_cracklib +endif + +pam_cracklib_la_LIBADD = @LIBCRACK@ @LIBCRYPT@ + +if ENABLE_REGENERATE_MAN + +noinst_DATA = README + +README: pam_cracklib.8.xml + +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/Linux-PAM/modules/pam_cracklib/Makefile.in b/Linux-PAM/modules/pam_cracklib/Makefile.in new file mode 100644 index 00000000..bda59695 --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/Makefile.in @@ -0,0 +1,669 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_cracklib +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_cracklib_la_DEPENDENCIES = +pam_cracklib_la_SOURCES = pam_cracklib.c +pam_cracklib_la_OBJECTS = pam_cracklib.lo +@HAVE_LIBCRACK_TRUE@am_pam_cracklib_la_rpath = -rpath $(securelibdir) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_cracklib.c +DIST_SOURCES = pam_cracklib.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_cracklib +man_MANS = pam_cracklib.8 +XMLS = README.xml pam_cracklib.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +@HAVE_LIBCRACK_TRUE@securelib_LTLIBRARIES = pam_cracklib.la +@HAVE_LIBCRACK_TRUE@TESTS = tst-pam_cracklib +pam_cracklib_la_LIBADD = @LIBCRACK@ @LIBCRYPT@ +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_cracklib/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_cracklib/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_cracklib.la: $(pam_cracklib_la_OBJECTS) $(pam_cracklib_la_DEPENDENCIES) + $(LINK) $(am_pam_cracklib_la_rpath) $(pam_cracklib_la_OBJECTS) $(pam_cracklib_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_cracklib.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_cracklib.8.xml + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_cracklib/README b/Linux-PAM/modules/pam_cracklib/README index 69662f73..89e80318 100644 --- a/Linux-PAM/modules/pam_cracklib/README +++ b/Linux-PAM/modules/pam_cracklib/README @@ -1,37 +1,212 @@ +pam_cracklib — PAM module to check the password against dictionary words -pam_cracklib: - check the passwd against dictionary words. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -RECOGNIZED ARGUMENTS: - debug verbose log +DESCRIPTION - type=XXX alter the message printed as a prompt to the user. - the message printed is in the form - "New XXX password: ". - Default XXX=UNIX +This module can be plugged into the password stack of a given application to +provide some plug-in strength-checking for passwords. - retry=N Prompt user at most N times before returning with - error. Default N=1. +The action of this module is to prompt the user for a password and check its +strength against a system dictionary and a set of rules for identifying poor +choices. - difok=N How many characters can be the same in the new - password relative to the old - difignore=N How many characters long should the password be - before we ignore difok. +The first action is to prompt for a single password, check its strength and +then, if it is considered strong, prompt for the password a second time (to +verify that it was typed correctly on the first occasion). All being well, the +password is passed on to subsequent modules to be installed as the new +authentication token. - minlen=N The minimum simplicity count for a good password. +The strength checks works in the following manner: at first the Cracklib +routine is called to check if the password is part of a dictionary; if this is +not the case an additional set of strength checks is done. These checks are: - dcredit=N - ucredit=N - lcredit=N - ocredit=N Weight, digits, upper, lower, other characters with - count N. Use these values to compute the - 'unsimplicity' of the password. +Palindrome - use_authtok Get the proposed password from PAM_AUTHTOK + Is the new password a palindrome of the old one? -MODULE SERVICES PROVIDED: - passwd chauthtok +Case Change Only -AUTHOR: - Cristian Gafton <gafton@redhat.com> + Is the new password the the old one with only a change of case? + +Similar + + Is the new password too much like the old one? This is primarily controlled + by one argument, difok which is a number of characters that if different + between the old and new are enough to accept the new password, this + defaults to 10 or 1/2 the size of the new password whichever is smaller. + + To avoid the lockup associated with trying to change a long and complicated + password, difignore is available. This argument can be used to specify the + minimum length a new password needs to be before the difok value is + ignored. The default value for difignore is 23. + +Simple + + Is the new password too small? This is controlled by 5 arguments minlen, + dcredit, ucredit, lcredit, and ocredit. See the section on the arguments + for the details of how these work and there defaults. + +Rotated + + Is the new password a rotated version of the old password? + +Already used + + Was the password used in the past? Previously used passwords are to be + found in /etc/security/opasswd. + +This module with no arguments will work well for standard unix password +encryption. With md5 encryption, passwords can be longer than 8 characters and +the default settings for this module can make it hard for the user to choose a +satisfactory new password. Notably, the requirement that the new password +contain no more than 1/2 of the characters in the old password becomes a +non-trivial constraint. For example, an old password of the form "the quick +brown fox jumped over the lazy dogs" would be difficult to change... In +addition, the default action is to allow passwords as small as 5 characters in +length. For a md5 systems it can be a good idea to increase the required +minimum size of a password. One can then allow more credit for different kinds +of characters but accept that the new password may share most of these +characters with the old password. + +OPTIONS + +debug + + This option makes the module write information to syslog(3) indicating the + behavior of the module (this option does not write password information to + the log file). + +type=XXX + + The default action is for the module to use the following prompts when + requesting passwords: "New UNIX password: " and "Retype UNIX password: ". + The default word UNIX can be replaced with this option. + +retry=N + + Prompt user at most N times before returning with error. The default is 1 + +difok=N + + This argument will change the default of 5 for the number of characters in + the new password that must not be present in the old password. In addition, + if 1/2 of the characters in the new password are different then the new + password will be accepted anyway. + +difignore=N + + How many characters should the password have before difok will be ignored. + The default is 23. + +minlen=N + + The minimum acceptable size for the new password (plus one if credits are + not disabled which is the default). In addition to the number of characters + in the new password, credit (of +1 in length) is given for each different + kind of character (other, upper, lower and digit). The default for this + parameter is 9 which is good for a old style UNIX password all of the same + type of character but may be too low to exploit the added security of a md5 + system. Note that there is a pair of length limits in Cracklib itself, a + "way too short" limit of 4 which is hard coded in and a defined limit (6) + that will be checked without reference to minlen. If you want to allow + passwords as short as 5 characters you should not use this module. + +dcredit=N + + (N >= 0) This is the maximum credit for having digits in the new password. + If you have less than or N digits, each digit will count +1 towards meeting + the current minlen value. The default for dcredit is 1 which is the + recommended value for minlen less than 10. + + (N < 0) This is the minimum number of digits that must be met for a new + password. + +ucredit=N + + (N >= 0) This is the maximum credit for having upper case letters in the + new password. If you have less than or N upper case letters each letter + will count +1 towards meeting the current minlen value. The default for + ucredit is 1 which is the recommended value for minlen less than 10. + + (N > 0) This is the minimum number of upper case letters that must be met + for a new password. + +lcredit=N + + (N >= 0) This is the maximum credit for having lower case letters in the + new password. If you have less than or N lower case letters, each letter + will count +1 towards meeting the current minlen value. The default for + lcredit is 1 which is the recommended value for minlen less than 10. + + (N < 0) This is the minimum number of lower case letters that must be met + for a new password. + +ocredit=N + + (N >= 0) This is the maximum credit for having other characters in the new + password. If you have less than or N other characters, each character will + count +1 towards meeting the current minlen value. The default for ocredit + is 1 which is the recommended value for minlen less than 10. + + (N < 0) This is the minimum number of other characters that must be met for + a new password. + +use_authtok + + This argument is used to force the module to not prompt the user for a new + password but use the one provided by the previously stacked password + module. + +dictpath=/path/to/dict + + Path to the cracklib dictionaries. + +EXAMPLES + +For an example of the use of this module, we show how it may be stacked with +the password component of pam_unix(8) + +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + + +Another example (in the /etc/pam.d/passwd format) is for the case that you want +to use md5 password encryption: + +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + + +And here is another example in case you don't want to use credits: + +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + + +AUTHOR + +pam_cracklib was written by Cristian Gafton <gafton@redhat.com> diff --git a/Linux-PAM/modules/pam_cracklib/README.xml b/Linux-PAM/modules/pam_cracklib/README.xml new file mode 100644 index 00000000..c4a7b54c --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_cracklib.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_cracklib.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_cracklib-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 new file mode 100644 index 00000000..526817a4 --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 @@ -0,0 +1,258 @@ +.\" Title: pam_cracklib +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/02/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_CRACKLIB" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_cracklib \- PAM module to check the password against dictionary words +.SH "SYNOPSIS" +.HP 16 +\fBpam_cracklib.so\fR [\fI...\fR] +.SH "DESCRIPTION" +.PP +This module can be plugged into the +\fIpassword\fR +stack of a given application to provide some plug\-in strength\-checking for passwords. +.PP +The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices. +.PP +The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token. +.PP +The strength checks works in the following manner: at first the +\fBCracklib\fR +routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are: +.TP 3n +Palindrome +Is the new password a palindrome of the old one? +.TP 3n +Case Change Only +Is the new password the the old one with only a change of case? +.TP 3n +Similar +Is the new password too much like the old one? This is primarily controlled by one argument, +\fBdifok\fR +which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller. +.sp +To avoid the lockup associated with trying to change a long and complicated password, +\fBdifignore\fR +is available. This argument can be used to specify the minimum length a new password needs to be before the +\fBdifok\fR +value is ignored. The default value for +\fBdifignore\fR +is 23. +.TP 3n +Simple +Is the new password too small? This is controlled by 5 arguments +\fBminlen\fR, +\fBdcredit\fR, +\fBucredit\fR, +\fBlcredit\fR, and +\fBocredit\fR. See the section on the arguments for the details of how these work and there defaults. +.TP 3n +Rotated +Is the new password a rotated version of the old password? +.TP 3n +Already used +Was the password used in the past? Previously used passwords are to be found in +\fI/etc/security/opasswd\fR. +.PP +This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password. +.SH "OPTIONS" +.PP +.TP 3n +\fBdebug\fR +This option makes the module write information to +\fBsyslog\fR(3) +indicating the behavior of the module (this option does not write password information to the log file). +.TP 3n +\fBtype=\fR\fB\fIXXX\fR\fR +The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word +\fIUNIX\fR +can be replaced with this option. +.TP 3n +\fBretry=\fR\fB\fIN\fR\fR +Prompt user at most +\fIN\fR +times before returning with error. The default is +\fI1\fR +.TP 3n +\fBdifok=\fR\fB\fIN\fR\fR +This argument will change the default of +\fI5\fR +for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway. +.TP 3n +\fBdifignore=\fR\fB\fIN\fR\fR +How many characters should the password have before difok will be ignored. The default is +\fI23\fR. +.TP 3n +\fBminlen=\fR\fB\fIN\fR\fR +The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, +\fIupper\fR, +\fIlower\fR +and +\fIdigit\fR). The default for this parameter is +\fI9\fR +which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in +\fICracklib\fR +itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to +\fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module. +.TP 3n +\fBdcredit=\fR\fB\fIN\fR\fR +(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or +\fIN\fR +digits, each digit will count +1 towards meeting the current +\fBminlen\fR +value. The default for +\fBdcredit\fR +is 1 which is the recommended value for +\fBminlen\fR +less than 10. +.sp +(N < 0) This is the minimum number of digits that must be met for a new password. +.TP 3n +\fBucredit=\fR\fB\fIN\fR\fR +(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or +\fIN\fR +upper case letters each letter will count +1 towards meeting the current +\fBminlen\fR +value. The default for +\fBucredit\fR +is +\fI1\fR +which is the recommended value for +\fBminlen\fR +less than 10. +.sp +(N > 0) This is the minimum number of upper case letters that must be met for a new password. +.TP 3n +\fBlcredit=\fR\fB\fIN\fR\fR +(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or +\fIN\fR +lower case letters, each letter will count +1 towards meeting the current +\fBminlen\fR +value. The default for +\fBlcredit\fR +is 1 which is the recommended value for +\fBminlen\fR +less than 10. +.sp +(N < 0) This is the minimum number of lower case letters that must be met for a new password. +.TP 3n +\fBocredit=\fR\fB\fIN\fR\fR +(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or +\fIN\fR +other characters, each character will count +1 towards meeting the current +\fBminlen\fR +value. The default for +\fBocredit\fR +is 1 which is the recommended value for +\fBminlen\fR +less than 10. +.sp +(N < 0) This is the minimum number of other characters that must be met for a new password. +.TP 3n +\fBuse_authtok\fR +This argument is used to +\fIforce\fR +the module to not prompt the user for a new password but use the one provided by the previously stacked +\fIpassword\fR +module. +.TP 3n +\fBdictpath=\fR\fB\fI/path/to/dict\fR\fR +Path to the cracklib dictionaries. +.SH "MODULE SERVICES PROVIDED" +.PP +Only he +\fBpassword\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +The new password passes all checks. +.TP 3n +PAM_AUTHTOK_ERR +No new password was entered, the username could not be determined or the new password fails the strength checks. +.TP 3n +PAM_AUTHTOK_RECOVERY_ERR +The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if +\fBuse_authtok\fR +is specified. +.TP 3n +PAM_SERVICE_ERR +A internal error occured. +.SH "EXAMPLES" +.PP +For an example of the use of this module, we show how it may be stacked with the password component of +\fBpam_unix\fR(8) +.sp +.RS 3n +.nf +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + +.fi +.RE +.sp +.PP +Another example (in the +\fI/etc/pam.d/passwd\fR +format) is for the case that you want to use md5 password encryption: +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \\ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + +.fi +.RE +.sp +.PP +And here is another example in case you don't want to use credits: +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \\ + dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_cracklib was written by Cristian Gafton <gafton@redhat.com> diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml new file mode 100644 index 00000000..7edabe0f --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml @@ -0,0 +1,495 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_cracklib"> + + <refmeta> + <refentrytitle>pam_cracklib</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_cracklib-name"> + <refname>pam_cracklib</refname> + <refpurpose>PAM module to check the password against dictionary words</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_cracklib-cmdsynopsis"> + <command>pam_cracklib.so</command> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_cracklib-description"> + + <title>DESCRIPTION</title> + + <para> + This module can be plugged into the <emphasis>password</emphasis> stack of + a given application to provide some plug-in strength-checking for passwords. + </para> + + <para> + The action of this module is to prompt the user for a password and + check its strength against a system dictionary and a set of rules for + identifying poor choices. + </para> + + <para> + The first action is to prompt for a single password, check its + strength and then, if it is considered strong, prompt for the password + a second time (to verify that it was typed correctly on the first + occasion). All being well, the password is passed on to subsequent + modules to be installed as the new authentication token. + </para> + + <para> + The strength checks works in the following manner: at first the + <function>Cracklib</function> routine is called to check if the password + is part of a dictionary; if this is not the case an additional set of + strength checks is done. These checks are: + </para> + + <variablelist> + <varlistentry> + <term>Palindrome</term> + <listitem> + <para> + Is the new password a palindrome of the old one? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Case Change Only</term> + <listitem> + <para> + Is the new password the the old one with only a change of case? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Similar</term> + <listitem> + <para> + Is the new password too much like the old one? + This is primarily controlled by one argument, + <option>difok</option> which is a number of characters + that if different between the old and new are enough to accept + the new password, this defaults to 10 or 1/2 the size of the + new password whichever is smaller. + </para> + <para> + To avoid the lockup associated with trying to change a long and + complicated password, <option>difignore</option> is available. + This argument can be used to specify the minimum length a new + password needs to be before the <option>difok</option> value is + ignored. The default value for <option>difignore</option> is 23. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Simple</term> + <listitem> + <para> + Is the new password too small? + This is controlled by 5 arguments <option>minlen</option>, + <option>dcredit</option>, <option>ucredit</option>, + <option>lcredit</option>, and <option>ocredit</option>. See the section + on the arguments for the details of how these work and there defaults. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Rotated</term> + <listitem> + <para> + Is the new password a rotated version of the old password? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Already used</term> + <listitem> + <para> + Was the password used in the past? Previously used passwords + are to be found in <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + This module with no arguments will work well for standard unix + password encryption. With md5 encryption, passwords can be longer + than 8 characters and the default settings for this module can make it + hard for the user to choose a satisfactory new password. Notably, the + requirement that the new password contain no more than 1/2 of the + characters in the old password becomes a non-trivial constraint. For + example, an old password of the form "the quick brown fox jumped over + the lazy dogs" would be difficult to change... In addition, the + default action is to allow passwords as small as 5 characters in + length. For a md5 systems it can be a good idea to increase the + required minimum size of a password. One can then allow more credit + for different kinds of characters but accept that the new password may + share most of these characters with the old password. + </para> + + </refsect1> + + <refsect1 id="pam_cracklib-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + This option makes the module write information to + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + indicating the behavior of the module (this option does + not write password information to the log file). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>type=<replaceable>XXX</replaceable></option> + </term> + <listitem> + <para> + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The default word <emphasis>UNIX</emphasis> can + be replaced with this option. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>retry=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Prompt user at most <replaceable>N</replaceable> times + before returning with error. The default is + <emphasis>1</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>difok=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + This argument will change the default of + <emphasis>5</emphasis> for the number of characters in + the new password that must not be present in the old + password. In addition, if 1/2 of the characters in the + new password are different then the new password will + be accepted anyway. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>difignore=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + How many characters should the password have before + difok will be ignored. The default is + <emphasis>23</emphasis>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>minlen=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum acceptable size for the new password (plus + one if credits are not disabled which is the default). + In addition to the number of characters in the new password, + credit (of +1 in length) is given for each different kind + of character (<emphasis>other</emphasis>, + <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and + <emphasis>digit</emphasis>). The default for this parameter + is <emphasis>9</emphasis> which is good for a old style UNIX + password all of the same type of character but may be too low + to exploit the added security of a md5 system. Note that + there is a pair of length limits in + <emphasis>Cracklib</emphasis> itself, a "way too short" limit + of 4 which is hard coded in and a defined limit (6) that will + be checked without reference to <option>minlen</option>. + If you want to allow passwords as short as 5 characters you + should not use this module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having digits in + the new password. If you have less than or + <replaceable>N</replaceable> + digits, each digit will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>dcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of digits that must + be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ucredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having upper + case letters in the new password. If you have less than + or <replaceable>N</replaceable> upper case letters each + letter will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ucredit</option> is <emphasis>1</emphasis> which + is the recommended value for <option>minlen</option> less + than 10. + </para> + <para> + (N > 0) This is the minimum number of upper + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>lcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having + lower case letters in the new password. If you have + less than or <replaceable>N</replaceable> lower case + letters, each letter will count +1 towards meeting the + current <option>minlen</option> value. The default for + <option>lcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of lower + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ocredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having other + characters in the new password. If you have less than or + <replaceable>N</replaceable> other characters, each + character will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ocredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of other + characters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>use_authtok</option> + </term> + <listitem> + <para> + This argument is used to <emphasis>force</emphasis> the + module to not prompt the user for a new password but use + the one provided by the previously stacked + <emphasis>password</emphasis> module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dictpath=<replaceable>/path/to/dict</replaceable></option> + </term> + <listitem> + <para> + Path to the cracklib dictionaries. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id="pam_cracklib-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only he <option>password</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_cracklib-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new password passes all checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + No new password was entered, + the username could not be determined or the new + password fails the strength checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + The old password was not supplied by a previous stackked + module or got not requested from the user. + The first error can happen if <option>use_authtok</option> + is specified. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A internal error occured. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-examples'> + <title>EXAMPLES</title> + <para> + For an example of the use of this module, we show how it may be + stacked with the password component of + <citerefentry> + <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + <programlisting> +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + </programlisting> + </para> + + <para> + Another example (in the <filename>/etc/pam.d/passwd</filename> format) + is for the case that you want to use md5 password encryption: + <programlisting> +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + <para> + And here is another example in case you don't want to use credits: + <programlisting> +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + </refsect1> + + <refsect1 id='pam_cracklib-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-author'> + <title>AUTHOR</title> + <para> + pam_cracklib was written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.c b/Linux-PAM/modules/pam_cracklib/pam_cracklib.c index 8f3e4c42..9b496202 100644 --- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.c +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.c @@ -1,6 +1,5 @@ /* * pam_cracklib module - * $Id: pam_cracklib.c,v 1.9 2004/09/15 12:06:17 kukuk Exp $ */ /* @@ -35,7 +34,7 @@ * S.A.G. in the section on the cracklib module. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #ifdef HAVE_CRYPT_H @@ -49,16 +48,19 @@ #include <sys/types.h> #include <sys/stat.h> #include <ctype.h> +#include <limits.h> +#ifdef HAVE_CRACK_H +#include <crack.h> +#else extern char *FascistCheck(char *pw, const char *dictpath); - -#ifndef CRACKLIB_DICTPATH -#define CRACKLIB_DICTPATH "/usr/share/dict/cracklib_dict" #endif -#define PROMPT1 "New %s%spassword: " -#define PROMPT2 "Retype new %s%spassword: " -#define MISTYPED_PASS "Sorry, passwords do not match" +/* For Translators: "%s%s" could be replaced with "<service> " or "". */ +#define PROMPT1 _("New %s%spassword: ") +/* For Translators: "%s%s" could be replaced with "<service> " or "". */ +#define PROMPT2 _("Retype new %s%spassword: ") +#define MISTYPED_PASS _("Sorry, passwords do not match.") #ifdef MIN #undef MIN @@ -76,23 +78,7 @@ extern char *FascistCheck(char *pw, const char *dictpath); #include <security/pam_modules.h> #include <security/_pam_macros.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-Cracklib", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_ext.h> /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 @@ -108,6 +94,7 @@ struct cracklib_options { int oth_credit; int use_authtok; char prompt_type[BUFSIZ]; + char cracklib_dictpath[PATH_MAX]; }; #define CO_RETRY_TIMES 1 @@ -121,7 +108,9 @@ struct cracklib_options { #define CO_OTH_CREDIT 1 #define CO_USE_AUTHTOK 0 -static int _pam_parse(struct cracklib_options *opt, int argc, const char **argv) +static int +_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, + int argc, const char **argv) { int ctrl=0; @@ -169,63 +158,21 @@ static int _pam_parse(struct cracklib_options *opt, int argc, const char **argv) opt->oth_credit = 0; } else if (!strncmp(*argv,"use_authtok",11)) { opt->use_authtok = 1; + } else if (!strncmp(*argv,"dictpath=",9)) { + strncpy(opt->cracklib_dictpath, *argv+9, + sizeof(opt->cracklib_dictpath) - 1); } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); } } opt->prompt_type[sizeof(opt->prompt_type) - 1] = '\0'; + opt->cracklib_dictpath[sizeof(opt->cracklib_dictpath) - 1] = '\0'; return ctrl; } /* Helper functions */ -/* this is a front-end for module-application conversations */ -static int converse(pam_handle_t *pamh, int ctrl, int nargs, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - struct pam_conv *conv = NULL; - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - - if ( retval == PAM_SUCCESS && conv ) { - retval = conv->conv(nargs, (const struct pam_message **)message, - response, conv->appdata_ptr); - if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) { - _pam_log(LOG_DEBUG, "conversation failure [%s]", - pam_strerror(pamh, retval)); - } - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]", - pam_strerror(pamh, retval)); - if ( retval == PAM_SUCCESS ) - retval = PAM_BAD_ITEM; /* conv was NULL */ - } - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl, - int type, const char *text) -{ - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - int retval; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - resp = NULL; - - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (retval == PAM_SUCCESS) - _pam_drop_reply(resp, 1); - - return retval; -} - /* use this to free strings. ESPECIALLY password strings */ static char *_pam_delete(register char *xx) { @@ -237,7 +184,7 @@ static char *_pam_delete(register char *xx) /* * can't be a palindrome - like `R A D A R' or `M A D A M' */ -static int palindrome(const char *old, const char *new) +static int palindrome(const char *new) { int i, j; @@ -256,7 +203,8 @@ static int palindrome(const char *old, const char *new) * the other */ -static int distdifferent(const char *old, const char *new, int i, int j) +static int distdifferent(const char *old, const char *new, + size_t i, size_t j) { char c, d; @@ -274,7 +222,7 @@ static int distdifferent(const char *old, const char *new, int i, int j) } static int distcalculate(int **distances, const char *old, const char *new, - int i, int j) + size_t i, size_t j) { int tmp = 0; @@ -295,7 +243,7 @@ static int distcalculate(int **distances, const char *old, const char *new, static int distance(const char *old, const char *new) { int **distances = NULL; - int m, n, i, j, r; + size_t m, n, i, j, r; m = strlen(old); n = strlen(new); @@ -344,8 +292,7 @@ static int similar(struct cracklib_options *opt, /* * a nice mix of characters. */ -static int simple(struct cracklib_options *opt, - const char *old, const char *new) +static int simple(struct cracklib_options *opt, const char *new) { int digits = 0; int uppers = 0; @@ -428,7 +375,7 @@ static const char * password_check(struct cracklib_options *opt, const char *old char *oldmono, *newmono, *wrapped; if (strcmp(new, old) == 0) { - msg = "is the same as the old one"; + msg = _("is the same as the old one"); return msg; } @@ -438,20 +385,20 @@ static const char * password_check(struct cracklib_options *opt, const char *old strcpy (wrapped, oldmono); strcat (wrapped, oldmono); - if (palindrome(oldmono, newmono)) - msg = "is a palindrome"; + if (palindrome(newmono)) + msg = _("is a palindrome"); if (!msg && strcmp(oldmono, newmono) == 0) - msg = "case changes only"; + msg = _("case changes only"); if (!msg && similar(opt, oldmono, newmono)) - msg = "is too similar to the old one"; + msg = _("is too similar to the old one"); - if (!msg && simple(opt, old, new)) - msg = "is too simple"; + if (!msg && simple(opt, new)) + msg = _("is too simple"); if (!msg && strstr(wrapped, newmono)) - msg = "is rotated"; + msg = _("is rotated"); memset(newmono, 0, strlen(newmono)); memset(oldmono, 0, strlen(oldmono)); @@ -486,7 +433,7 @@ static const char * check_old_password(const char *forwho, const char *newpass) s_pas = strtok(NULL, ":,"); while (s_pas != NULL) { if (!strcmp(crypt(newpass, s_pas), s_pas)) { - msg = "has been already used"; + msg = _("has been already used"); break; } s_pas = strtok(NULL, ":,"); @@ -507,15 +454,14 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, const char *pass_new) { const char *msg = NULL; - const char *user; + const void *user; int retval; if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "bad authentication token"); - make_remark(pamh, ctrl, PAM_ERROR_MSG, - pass_new == NULL ? - "No password supplied":"Password unchanged" ); + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); + pam_error(pamh, "%s", pass_new == NULL ? + _("No password supplied"):_("Password unchanged")); return PAM_AUTHTOK_ERR; } @@ -525,25 +471,20 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, */ msg = password_check(opt, pass_old,pass_new); if (!msg) { - retval = pam_get_item(pamh, PAM_USER, (const void **)&user); + retval = pam_get_item(pamh, PAM_USER, &user); if (retval != PAM_SUCCESS || user == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_ERR,"Can not get username"); - return PAM_AUTHTOK_ERR; - } + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh,LOG_ERR,"Can not get username"); + return PAM_AUTHTOK_ERR; } msg = check_old_password(user, pass_new); } if (msg) { - char remark[BUFSIZ]; - - memset(remark,0,sizeof(remark)); - snprintf(remark,sizeof(remark),"BAD PASSWORD: %s",msg); - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "new passwd fails strength check: %s", - msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh, LOG_NOTICE, + "new passwd fails strength check: %s", msg); + pam_error(pamh, _("BAD PASSWORD: %s"), msg); return PAM_AUTHTOK_ERR; }; return PAM_SUCCESS; @@ -573,45 +514,26 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, options.use_authtok = CO_USE_AUTHTOK; memset(options.prompt_type, 0, BUFSIZ); strcpy(options.prompt_type,"UNIX"); + memset(options.cracklib_dictpath, 0, + sizeof (options.cracklib_dictpath)); - ctrl = _pam_parse(&options, argc, argv); + ctrl = _pam_parse(pamh, &options, argc, argv); if (flags & PAM_PRELIM_CHECK) { /* Check for passwd dictionary */ - struct stat st; - char buf[sizeof(CRACKLIB_DICTPATH)+10]; - - D(("prelim check")); - - memset(buf,0,sizeof(buf)); /* zero the buffer */ - snprintf(buf,sizeof(buf),"%s.pwd",CRACKLIB_DICTPATH); - - if (!stat(buf,&st) && st.st_size) - return PAM_SUCCESS; - else { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"dict path '%s'[.pwd] is invalid", - CRACKLIB_DICTPATH); - return PAM_ABORT; - } - - /* Not reached */ - return PAM_SERVICE_ERR; - + /* We cannot do that, since the original path is compiled + into the cracklib library and we don't know it. */ + return PAM_SUCCESS; } else if (flags & PAM_UPDATE_AUTHTOK) { int retval; - char *token1, *token2, *oldtoken; - struct pam_message msg[1],*pmsg[1]; - struct pam_response *resp; - const char *cracklib_dictpath = CRACKLIB_DICTPATH; - char prompt[BUFSIZ]; + char *token1, *token2, *resp; + const void *oldtoken; D(("do update")); - retval = pam_get_item(pamh, PAM_OLDAUTHTOK, - (const void **)&oldtoken); + retval = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldtoken); if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_ERR,"Can not get old passwd"); + pam_syslog(pamh,LOG_ERR,"Can not get old passwd"); oldtoken=NULL; retval = PAM_SUCCESS; } @@ -637,71 +559,60 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, */ if (options.use_authtok == 1) { - const char *item = NULL; + const void *item = NULL; - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &item); + retval = pam_get_item(pamh, PAM_AUTHTOK, &item); if (retval != PAM_SUCCESS) { /* very strange. */ - _pam_log(LOG_ALERT - ,"pam_get_item returned error to pam_cracklib" - ); + pam_syslog(pamh, LOG_ALERT, + "pam_get_item returned error to pam_cracklib"); } else if (item != NULL) { /* we have a password! */ token1 = x_strdup(item); item = NULL; } else { - retval = PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ + retval = PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */ } } else { /* Prepare to ask the user for the first time */ - memset(prompt,0,sizeof(prompt)); - snprintf(prompt,sizeof(prompt),PROMPT1, - options.prompt_type, options.prompt_type[0]?" ":""); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token1 = x_strdup(resp[0].resp); - if (token1 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 1"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + PROMPT1, options.prompt_type, + options.prompt_type[0]?" ":""); + + if (retval == PAM_SUCCESS) { /* a good conversation */ + token1 = x_strdup(resp); + if (token1 == NULL) { + pam_syslog(pamh, LOG_NOTICE, + "could not recover authentication token 1"); + retval = PAM_AUTHTOK_RECOVERY_ERR; + } /* * tidy up the conversation (resp_retcode) is ignored */ - _pam_drop_reply(resp, 1); + _pam_drop(resp); } else { retval = (retval == PAM_SUCCESS) ? - PAM_AUTHTOK_RECOVER_ERR:retval ; + PAM_AUTHTOK_RECOVERY_ERR:retval ; } } if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"unable to obtain a password"); + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh,LOG_DEBUG,"unable to obtain a password"); continue; } D(("testing password, retval = %s", pam_strerror(pamh, retval))); /* now test this passwd against cracklib */ { - char *crack_msg; - char remark[BUFSIZ]; + const char *crack_msg; - bzero(remark,sizeof(remark)); D(("against cracklib")); - if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"bad password: %s",crack_msg); - snprintf(remark,sizeof(remark),"BAD PASSWORD: %s", crack_msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); + if ((crack_msg = FascistCheck(token1,options.cracklib_dictpath[0] == '\0'?NULL:options.cracklib_dictpath))) { + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg); + pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg); if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) retval = PAM_AUTHTOK_ERR; else @@ -735,51 +646,41 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, /* Now we have a good passwd. Ask for it once again */ if (options.use_authtok == 0) { - bzero(prompt,sizeof(prompt)); - snprintf(prompt,sizeof(prompt),PROMPT2, - options.prompt_type, options.prompt_type[0]?" ":""); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token2 = x_strdup(resp[0].resp); - if (token2 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 2"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + PROMPT2, options.prompt_type, + options.prompt_type[0]?" ":""); + if (retval == PAM_SUCCESS) { /* a good conversation */ + token2 = x_strdup(resp); + if (token2 == NULL) { + pam_syslog(pamh,LOG_NOTICE, + "could not recover authentication token 2"); + retval = PAM_AUTHTOK_RECOVERY_ERR; + } /* * tidy up the conversation (resp_retcode) is ignored */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) ? - PAM_AUTHTOK_RECOVER_ERR:retval ; + _pam_drop(resp); } - if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG - ,"unable to obtain the password a second time"); - continue; - } + /* No else, the a retval == PAM_SUCCESS path can change retval + to a failure code. */ + if (retval != PAM_SUCCESS) { + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh,LOG_DEBUG,"unable to obtain retyped password"); + continue; + } /* Hopefully now token1 and token2 the same password ... */ if (strcmp(token1,token2) != 0) { /* tell the user */ - make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS); + pam_error(pamh, "%s", MISTYPED_PASS); token1 = _pam_delete(token1); token2 = _pam_delete(token2); pam_set_item(pamh, PAM_AUTHTOK, NULL); if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"Password mistyped"); - retval = PAM_AUTHTOK_RECOVER_ERR; + pam_syslog(pamh,LOG_NOTICE,"Password mistyped"); + retval = PAM_AUTHTOK_RECOVERY_ERR; continue; } @@ -788,7 +689,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, */ { - const char *item = NULL; + const void *item = NULL; retval = pam_set_item(pamh, PAM_AUTHTOK, token1); @@ -797,10 +698,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, token2 = _pam_delete(token2); if ( (retval != PAM_SUCCESS) || - ((retval = pam_get_item(pamh, PAM_AUTHTOK, - (const void **)&item) + ((retval = pam_get_item(pamh, PAM_AUTHTOK, &item) ) != PAM_SUCCESS) ) { - _pam_log(LOG_CRIT, "error manipulating password"); + pam_syslog(pamh, LOG_CRIT, "error manipulating password"); continue; } item = NULL; /* break link to password */ @@ -812,7 +712,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, } else { if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "UNKNOWN flags setting %02X",flags); + pam_syslog(pamh, LOG_NOTICE, "UNKNOWN flags setting %02X",flags); return PAM_SERVICE_ERR; } diff --git a/Linux-PAM/modules/pam_cracklib/tst-pam_cracklib b/Linux-PAM/modules/pam_cracklib/tst-pam_cracklib new file mode 100755 index 00000000..46a7060d --- /dev/null +++ b/Linux-PAM/modules/pam_cracklib/tst-pam_cracklib @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_cracklib.so diff --git a/Linux-PAM/modules/pam_debug/Makefile b/Linux-PAM/modules/pam_debug/Makefile deleted file mode 100644 index 56e9a14e..00000000 --- a/Linux-PAM/modules/pam_debug/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.1 2001/10/10 05:00:11 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_debug - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_debug/Makefile.am b/Linux-PAM/modules/pam_debug/Makefile.am new file mode 100644 index 00000000..889d7877 --- /dev/null +++ b/Linux-PAM/modules/pam_debug/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug + +man_MANS = pam_debug.8 +XMLS = README.xml pam_debug.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_debug.la + +TESTS = tst-pam_debug + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_debug.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_debug/Makefile.in b/Linux-PAM/modules/pam_debug/Makefile.in new file mode 100644 index 00000000..b2d11867 --- /dev/null +++ b/Linux-PAM/modules/pam_debug/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_debug +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_debug_la_LIBADD = +pam_debug_la_SOURCES = pam_debug.c +pam_debug_la_OBJECTS = pam_debug.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_debug.c +DIST_SOURCES = pam_debug.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug +man_MANS = pam_debug.8 +XMLS = README.xml pam_debug.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_debug.la +TESTS = tst-pam_debug +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_debug/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_debug/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_debug.la: $(pam_debug_la_OBJECTS) $(pam_debug_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_debug_la_OBJECTS) $(pam_debug_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_debug.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_debug.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_debug/README b/Linux-PAM/modules/pam_debug/README index 85401651..4afff114 100644 --- a/Linux-PAM/modules/pam_debug/README +++ b/Linux-PAM/modules/pam_debug/README @@ -1,15 +1,64 @@ -# $Id: README,v 1.1 2001/10/10 05:00:11 agmorgan Exp $ -# +pam_debug — PAM module to debug the PAM stack -This module returns what its module arguments tell it to return. It -can be used for debugging libpam and/or an application. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -Here are some example ways to use it: +DESCRIPTION -auth requisite pam_permit.so +The pam_debug PAM module is intended as a debugging aide for determining how +the PAM stack is operating. This module returns what its module arguments tell +it to return. + +OPTIONS + +auth=value + + The pam_sm_authenticate(3) function will return value. + +cred=value + + The pam_sm_setcred(3) function will return value. + +acct=value + + The pam_sm_acct_mgmt(3) function will return value. + +prechauthtok=value + + The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK + flag is set. + +chauthtok=value + + The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK + flag is not set. + +open_session=value + + The pam_sm_open_session(3) function will return value. + +close_session=value + + The pam_sm_close_session(3) function will return value. + +Where value can be one of: success, open_err, symbol_err, service_err, +system_err, buf_err, perm_denied, auth_err, cred_insufficient, +authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, +session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, +authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, +try_again, ignore, abort, authtok_expired, module_unknown, bad_item, +conv_again, incomplete. + +EXAMPLES + +auth requisite pam_permit.so auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success auth [default=reset] pam_debug.so auth=success cred=perm_denied auth [success=done default=die] pam_debug.so auth optional pam_debug.so auth=perm_denied cred=perm_denied auth sufficient pam_debug.so auth=success cred=success + +AUTHOR + +pam_debug was written by Andrew G. Morgan <morgan@kernel.org>. + diff --git a/Linux-PAM/modules/pam_debug/README.xml b/Linux-PAM/modules/pam_debug/README.xml new file mode 100644 index 00000000..ef41911b --- /dev/null +++ b/Linux-PAM/modules/pam_debug/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_debug.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_debug.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_debug-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_debug/pam_debug.8 b/Linux-PAM/modules/pam_debug/pam_debug.8 new file mode 100644 index 00000000..ae4a1407 --- /dev/null +++ b/Linux-PAM/modules/pam_debug/pam_debug.8 @@ -0,0 +1,110 @@ +.\" Title: pam_debug +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/23/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_DEBUG" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_debug \- PAM module to debug the PAM stack +.SH "SYNOPSIS" +.HP 13 +\fBpam_debug.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] +.SH "DESCRIPTION" +.PP +The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating. This module returns what its module arguments tell it to return. +.SH "OPTIONS" +.TP 3n +\fBauth=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_authenticate\fR(3) +function will return +\fIvalue\fR. +.TP 3n +\fBcred=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_setcred\fR(3) +function will return +\fIvalue\fR. +.TP 3n +\fBacct=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_acct_mgmt\fR(3) +function will return +\fIvalue\fR. +.TP 3n +\fBprechauthtok=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_chauthtok\fR(3) +function will return +\fIvalue\fR +if the +\fIPAM_PRELIM_CHECK\fR +flag is set. +.TP 3n +\fBchauthtok=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_chauthtok\fR(3) +function will return +\fIvalue\fR +if the +\fIPAM_PRELIM_CHECK\fR +flag is +\fBnot\fR +set. +.TP 3n +\fBopen_session=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_open_session\fR(3) +function will return +\fIvalue\fR. +.TP 3n +\fBclose_session=\fR\fB\fIvalue\fR\fR +The +\fBpam_sm_close_session\fR(3) +function will return +\fIvalue\fR. +.PP +Where +\fIvalue\fR +can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +Default return code if no other value was specified, else specified return value. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +auth requisite pam_permit.so +auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success +auth [default=reset] pam_debug.so auth=success cred=perm_denied +auth [success=done default=die] pam_debug.so +auth optional pam_debug.so auth=perm_denied cred=perm_denied +auth sufficient pam_debug.so auth=success cred=success + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_debug was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_debug/pam_debug.8.xml b/Linux-PAM/modules/pam_debug/pam_debug.8.xml new file mode 100644 index 00000000..65519852 --- /dev/null +++ b/Linux-PAM/modules/pam_debug/pam_debug.8.xml @@ -0,0 +1,231 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_debug"> + + <refmeta> + <refentrytitle>pam_debug</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_debug-name"> + <refname>pam_debug</refname> + <refpurpose>PAM module to debug the PAM stack</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_debug-cmdsynopsis"> + <command>pam_debug.so</command> + <arg choice="opt"> + auth=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + cred=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + acct=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + prechauthtok=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + chauthtok=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + auth=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + open_session=<replaceable>value</replaceable> + </arg> + <arg choice="opt"> + close_session=<replaceable>value</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_debug-description"> + <title>DESCRIPTION</title> + <para> + The pam_debug PAM module is intended as a debugging aide for + determining how the PAM stack is operating. This module returns + what its module arguments tell it to return. + </para> + </refsect1> + + <refsect1 id="pam_debug-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>auth=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>cred=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>acct=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>prechauthtok=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable> if the + <emphasis>PAM_PRELIM_CHECK</emphasis> flag is set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>chauthtok=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable> if the + <emphasis>PAM_PRELIM_CHECK</emphasis> flag is + <emphasis remap='B'>not</emphasis> set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>open_session=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>close_session=<replaceable>value</replaceable></option> + </term> + <listitem> + <para> + The + <citerefentry> + <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function will return + <replaceable>value</replaceable>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + Where <replaceable>value</replaceable> can be one of: success, + open_err, symbol_err, service_err, system_err, buf_err, perm_denied, + auth_err, cred_insufficient, authinfo_unavail, user_unknown, + maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, + cred_expired, cred_err, no_module_data, conv_err, authtok_err, + authtok_recover_err, authtok_lock_busy, authtok_disable_aging, + try_again, ignore, abort, authtok_expired, module_unknown, + bad_item, conv_again, incomplete. + </para> + </refsect1> + + <refsect1 id="pam_debug-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_debug-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Default return code if no other value was specified, + else specified return value. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_debug-examples'> + <title>EXAMPLES</title> + <programlisting> +auth requisite pam_permit.so +auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success +auth [default=reset] pam_debug.so auth=success cred=perm_denied +auth [success=done default=die] pam_debug.so +auth optional pam_debug.so auth=perm_denied cred=perm_denied +auth sufficient pam_debug.so auth=success cred=success + </programlisting> + </refsect1> + + <refsect1 id='pam_debug-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_debug-author'> + <title>AUTHOR</title> + <para> + pam_debug was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_debug/pam_debug.c b/Linux-PAM/modules/pam_debug/pam_debug.c index 819cd651..b0f5bf59 100644 --- a/Linux-PAM/modules/pam_debug/pam_debug.c +++ b/Linux-PAM/modules/pam_debug/pam_debug.c @@ -1,7 +1,7 @@ /* pam_permit module */ /* - * $Id: pam_debug.c,v 1.2 2004/09/15 12:06:17 kukuk Exp $ + * $Id: pam_debug.c,v 1.5 2006/01/24 09:42:46 kukuk Exp $ * * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04 * @@ -9,6 +9,8 @@ #define DEFAULT_USER "nobody" +#include "config.h" + #include <stdio.h> /* @@ -28,6 +30,7 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> +#include <security/pam_ext.h> #define _PAM_ACTION_UNDEF (-10) #include "../../libpam/pam_tokens.h" @@ -37,24 +40,11 @@ static int state(pam_handle_t *pamh, const char *text) { int retval; - struct pam_conv *conv; - struct pam_message msg[1], *mesg[1]; - struct pam_response *response; - - retval = pam_get_item(pamh, PAM_CONV, (const void **)&conv); - if ((retval != PAM_SUCCESS) || (conv == NULL)) { - D(("failed to obtain conversation function")); - return PAM_ABORT; - } - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = text; - mesg[0] = &msg[0]; + retval = pam_info (pamh, "%s", text); - retval = conv->conv(1, (const struct pam_message **) mesg, - &response, conv->appdata_ptr); if (retval != PAM_SUCCESS) { - D(("conversation failed")); + D(("pam_info failed")); } return retval; @@ -86,8 +76,8 @@ static int parse_args(int retval, const char *event, } PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval; const char *user=NULL; @@ -114,8 +104,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, } PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { return parse_args(PAM_SUCCESS, "cred", pamh, argc, argv); } @@ -123,8 +113,8 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, /* --- account management functions --- */ PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { return parse_args(PAM_SUCCESS, "acct", pamh, argc, argv); } @@ -132,8 +122,8 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, /* --- password management --- */ PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { if (flags & PAM_PRELIM_CHECK) { return parse_args(PAM_SUCCESS, "prechauthtok", pamh, argc, argv); @@ -145,15 +135,15 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, /* --- session management --- */ PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc, - const char **argv) +int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { return parse_args(PAM_SUCCESS, "open_session", pamh, argc, argv); } PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { return parse_args(PAM_SUCCESS, "close_session", pamh, argc, argv); } @@ -164,7 +154,7 @@ int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc /* static module data */ -struct pam_module _pam_permit_modstruct = { +struct pam_module _pam_debug_modstruct = { "pam_debug", pam_sm_authenticate, pam_sm_setcred, diff --git a/Linux-PAM/modules/pam_debug/tst-pam_debug b/Linux-PAM/modules/pam_debug/tst-pam_debug new file mode 100755 index 00000000..f07ff640 --- /dev/null +++ b/Linux-PAM/modules/pam_debug/tst-pam_debug @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_debug.so diff --git a/Linux-PAM/modules/pam_deny/Makefile b/Linux-PAM/modules/pam_deny/Makefile deleted file mode 100644 index 2fdd6e11..00000000 --- a/Linux-PAM/modules/pam_deny/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:03 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_deny - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_deny/Makefile.am b/Linux-PAM/modules/pam_deny/Makefile.am new file mode 100644 index 00000000..9837f880 --- /dev/null +++ b/Linux-PAM/modules/pam_deny/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny + +man_MANS = pam_deny.8 + +XMLS = README.xml pam_deny.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_deny.la + +if ENABLE_REGENERATE_MAN + +noinst_DATA = README + +README: pam_deny.8.xml + +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_deny diff --git a/Linux-PAM/modules/pam_deny/Makefile.in b/Linux-PAM/modules/pam_deny/Makefile.in new file mode 100644 index 00000000..3fcee127 --- /dev/null +++ b/Linux-PAM/modules/pam_deny/Makefile.in @@ -0,0 +1,667 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_deny +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_deny_la_LIBADD = +pam_deny_la_SOURCES = pam_deny.c +pam_deny_la_OBJECTS = pam_deny.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_deny.c +DIST_SOURCES = pam_deny.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny +man_MANS = pam_deny.8 +XMLS = README.xml pam_deny.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_deny.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_deny +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_deny/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_deny/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_deny.la: $(pam_deny_la_OBJECTS) $(pam_deny_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_deny_la_OBJECTS) $(pam_deny_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_deny.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_deny.8.xml + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_deny/README b/Linux-PAM/modules/pam_deny/README index 2eb96d4e..6b3a86f8 100644 --- a/Linux-PAM/modules/pam_deny/README +++ b/Linux-PAM/modules/pam_deny/README @@ -1,4 +1,31 @@ -# $Id: README,v 1.1.1.1 2000/06/20 22:11:33 agmorgan Exp $ +pam_deny — The locking-out PAM module + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +This module can be used to deny access. It always indicates a failure to the +application through the PAM framework. It might be suitable for using for +default (the OTHER) entries. + +EXAMPLES + +#%PAM-1.0 # +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so + + +AUTHOR + +pam_deny was written by Andrew G. Morgan <morgan@kernel.org> -this module always fails, it ignores all options. diff --git a/Linux-PAM/modules/pam_deny/README.xml b/Linux-PAM/modules/pam_deny/README.xml new file mode 100644 index 00000000..ff2e82b0 --- /dev/null +++ b/Linux-PAM/modules/pam_deny/README.xml @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_deny.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_deny.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_deny-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_deny/pam_deny.8 b/Linux-PAM/modules/pam_deny/pam_deny.8 new file mode 100644 index 00000000..f9f2d439 --- /dev/null +++ b/Linux-PAM/modules/pam_deny/pam_deny.8 @@ -0,0 +1,74 @@ +.\" Title: pam_deny +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_DENY" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_deny \- The locking\-out PAM module +.SH "SYNOPSIS" +.HP 12 +\fBpam_deny.so\fR +.SH "DESCRIPTION" +.PP +This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It might be suitable for using for default (the +\fIOTHER\fR) entries. +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +All services (\fBaccount\fR, +\fBauth\fR, +\fBpassword\fR +and +\fBsession\fR) are supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_AUTH_ERR +This is returned by the account and auth services. +.TP 3n +PAM_CRED_ERR +This is returned by the setcred function. +.TP 3n +PAM_AUTHTOK_ERR +This is returned by the password service. +.TP 3n +PAM_SESSION_ERR +This is returned by the session service. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_deny was written by Andrew G. Morgan <morgan@kernel.org> diff --git a/Linux-PAM/modules/pam_deny/pam_deny.8.xml b/Linux-PAM/modules/pam_deny/pam_deny.8.xml new file mode 100644 index 00000000..91916003 --- /dev/null +++ b/Linux-PAM/modules/pam_deny/pam_deny.8.xml @@ -0,0 +1,135 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_deny"> + + <refmeta> + <refentrytitle>pam_deny</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_deny-name"> + <refname>pam_deny</refname> + <refpurpose>The locking-out PAM module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_deny-cmdsynopsis"> + <command>pam_deny.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_deny-description"> + + <title>DESCRIPTION</title> + + <para> + This module can be used to deny access. It always indicates a failure + to the application through the PAM framework. It might be suitable + for using for default (the <emphasis>OTHER</emphasis>) entries. + </para> + + </refsect1> + + <refsect1 id="pam_deny-options"> + <title>OPTIONS</title> + <para>This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_deny-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All services (<option>account</option>, <option>auth</option>, + <option>password</option> and <option>session</option>) are supported. + </para> + </refsect1> + + <refsect1 id='pam_deny-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + This is returned by the account and auth services. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + This is returned by the setcred function. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + This is returned by the password service. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + This is returned by the session service. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_deny-examples'> + <title>EXAMPLES</title> + <programlisting> +#%PAM-1.0 +# +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so + </programlisting> + </refsect1> + + <refsect1 id='pam_deny-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_deny-author'> + <title>AUTHOR</title> + <para> + pam_deny was written by Andrew G. Morgan <morgan@kernel.org> + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_deny/pam_deny.c b/Linux-PAM/modules/pam_deny/pam_deny.c index 8be1a8a8..83524802 100644 --- a/Linux-PAM/modules/pam_deny/pam_deny.c +++ b/Linux-PAM/modules/pam_deny/pam_deny.c @@ -1,7 +1,7 @@ -/* pam_permit module */ +/* pam_deny module */ /* - * $Id: pam_deny.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ + * $Id: pam_deny.c,v 1.4 2005/12/14 09:58:32 kukuk Exp $ * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 * @@ -14,6 +14,8 @@ * modules include file to define their prototypes. */ +#include "config.h" + #define PAM_SM_AUTH #define PAM_SM_ACCOUNT #define PAM_SM_SESSION @@ -23,46 +25,52 @@ /* --- authentication management functions --- */ -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_AUTH_ERR; } -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return PAM_CRED_UNAVAIL; + return PAM_CRED_ERR; } /* --- account management functions --- */ -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return PAM_ACCT_EXPIRED; + return PAM_AUTH_ERR; } /* --- password management --- */ -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_AUTHTOK_ERR; } /* --- session management --- */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return PAM_SYSTEM_ERR; + return PAM_SESSION_ERR; } -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return PAM_SYSTEM_ERR; + return PAM_SESSION_ERR; } /* end of module definition */ diff --git a/Linux-PAM/modules/pam_deny/tst-pam_deny b/Linux-PAM/modules/pam_deny/tst-pam_deny new file mode 100755 index 00000000..7d9d6bad --- /dev/null +++ b/Linux-PAM/modules/pam_deny/tst-pam_deny @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_deny.so diff --git a/Linux-PAM/modules/pam_echo/Makefile.am b/Linux-PAM/modules/pam_echo/Makefile.am new file mode 100644 index 00000000..40415c7b --- /dev/null +++ b/Linux-PAM/modules/pam_echo/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo + +man_MANS = pam_echo.8 + +XMLS = README.xml pam_echo.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_echo.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_echo.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_echo diff --git a/Linux-PAM/modules/pam_echo/Makefile.in b/Linux-PAM/modules/pam_echo/Makefile.in new file mode 100644 index 00000000..b584cfdd --- /dev/null +++ b/Linux-PAM/modules/pam_echo/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_echo +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_echo_la_LIBADD = +pam_echo_la_SOURCES = pam_echo.c +pam_echo_la_OBJECTS = pam_echo.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_echo.c +DIST_SOURCES = pam_echo.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo +man_MANS = pam_echo.8 +XMLS = README.xml pam_echo.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_echo.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_echo +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_echo/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_echo/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_echo.la: $(pam_echo_la_OBJECTS) $(pam_echo_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_echo_la_OBJECTS) $(pam_echo_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_echo.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_echo.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_echo/README b/Linux-PAM/modules/pam_echo/README new file mode 100644 index 00000000..fca26b77 --- /dev/null +++ b/Linux-PAM/modules/pam_echo/README @@ -0,0 +1,50 @@ +pam_echo — PAM module for printing text messages + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_echo PAM module is for printing text messages to inform user about +special things. Sequences starting with the % character are interpreted in the +following way: + +%H + + The name of the remote host (PAM_RHOST). + +%h + + The name of the local host. + +%s + + The service name (PAM_SERVICE). + +%t + + The name of the controlling terminal (PAM_TTY). + +%U + + The remote user name (PAM_RUSER). + +%u + + The local user name (PAM_USER). + +All other sequences beginning with % expands to the characters following the % +character. + +EXAMPLES + +For an example of the use of this module, we show how it may be used to print +informations about good passwords: + +password optional pam_echo.so file=/usr/share/doc/good-password.txt +password required pam_unix.so + + +AUTHOR + +Thorsten Kukuk <kukuk@thkukuk.de> + diff --git a/Linux-PAM/modules/pam_echo/README.xml b/Linux-PAM/modules/pam_echo/README.xml new file mode 100644 index 00000000..b1556e38 --- /dev/null +++ b/Linux-PAM/modules/pam_echo/README.xml @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_echo.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_echo.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_echo-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_echo/pam_echo.8 b/Linux-PAM/modules/pam_echo/pam_echo.8 new file mode 100644 index 00000000..423a8e1b --- /dev/null +++ b/Linux-PAM/modules/pam_echo/pam_echo.8 @@ -0,0 +1,88 @@ +.\" Title: pam_echo +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ECHO" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_echo \- PAM module for printing text messages +.SH "SYNOPSIS" +.HP 12 +\fBpam_echo.so\fR [file=\fI/path/message\fR] +.SH "DESCRIPTION" +.PP +The +\fIpam_echo\fR +PAM module is for printing text messages to inform user about special things. Sequences starting with the +\fI%\fR +character are interpreted in the following way: +.TP 3n +\fI%H\fR +The name of the remote host (PAM_RHOST). +.TP 3n +\fB%h\fR +The name of the local host. +.TP 3n +\fI%s\fR +The service name (PAM_SERVICE). +.TP 3n +\fI%t\fR +The name of the controlling terminal (PAM_TTY). +.TP 3n +\fI%U\fR +The remote user name (PAM_RUSER). +.TP 3n +\fI%u\fR +The local user name (PAM_USER). +.PP +All other sequences beginning with +\fI%\fR +expands to the characters following the +\fI%\fR +character. +.SH "OPTIONS" +.TP 3n +\fBfile=\fR\fB\fI/path/message\fR\fR +The content of the file +\fI/path/message\fR +will be printed with the PAM conversion function as PAM_TEXT_INFO. +.SH "MODULE SERVICES PROVIDED" +.PP +All services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_SUCCESS +Message was successful printed. +.TP 3n +PAM_IGNORE +PAM_SILENT flag was given or message file does not exist, no message printed. +.SH "EXAMPLES" +.PP +For an example of the use of this module, we show how it may be used to print informations about good passwords: +.sp +.RS 3n +.nf +password optional pam_echo.so file=/usr/share/doc/good\-password.txt +password required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(8), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +Thorsten Kukuk <kukuk@thkukuk.de> diff --git a/Linux-PAM/modules/pam_echo/pam_echo.8.xml b/Linux-PAM/modules/pam_echo/pam_echo.8.xml new file mode 100644 index 00000000..4a495195 --- /dev/null +++ b/Linux-PAM/modules/pam_echo/pam_echo.8.xml @@ -0,0 +1,168 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_echo'> + <refmeta> + <refentrytitle>pam_echo</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_echo-name'> + <refname>pam_echo</refname> + <refpurpose>PAM module for printing text messages</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_echo-cmdsynopsis"> + <command>pam_echo.so</command> + <arg choice="opt"> + file=<replaceable>/path/message</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_echo-description'> + <title>DESCRIPTION</title> + <para> + The <emphasis>pam_echo</emphasis> PAM module is for printing + text messages to inform user about special things. Sequences + starting with the <emphasis>%</emphasis> character are + interpreted in the following way: + </para> + <variablelist> + <varlistentry> + <term><emphasis>%H</emphasis></term> + <listitem> + <para>The name of the remote host (PAM_RHOST).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>%h</emphasis></term> + <listitem> + <para>The name of the local host.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis>%s</emphasis></term> + <listitem> + <para>The service name (PAM_SERVICE).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis>%t</emphasis></term> + <listitem> + <para>The name of the controlling terminal (PAM_TTY).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis>%U</emphasis></term> + <listitem> + <para>The remote user name (PAM_RUSER).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis>%u</emphasis></term> + <listitem> + <para>The local user name (PAM_USER).</para> + </listitem> + </varlistentry> + </variablelist> + + <para> + All other sequences beginning with <emphasis>%</emphasis> + expands to the characters following the <emphasis>%</emphasis> + character. + </para> + </refsect1> + + <refsect1 id='pam_echo-options'> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>file=<replaceable>/path/message</replaceable></option> + </term> + <listitem> + <para> + The content of the file <filename>/path/message</filename> + will be printed with the PAM conversion function as PAM_TEXT_INFO. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_echo-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All services are supported. + </para> + </refsect1> + + + <refsect1 id="pam_echo-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Message was successful printed. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + PAM_SILENT flag was given or message file does not + exist, no message printed. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_echo-examples'> + <title>EXAMPLES</title> + <para> + For an example of the use of this module, we show how it may be + used to print informations about good passwords: + <programlisting> +password optional pam_echo.so file=/usr/share/doc/good-password.txt +password required pam_unix.so + </programlisting> + </para> + </refsect1> + + + <refsect1 id='pam_echo-see_also'><title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry></para> + </refsect1> + + <refsect1 id='pam_echo-author'> + <title>AUTHOR</title> + <para>Thorsten Kukuk <kukuk@thkukuk.de></para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_echo/pam_echo.c b/Linux-PAM/modules/pam_echo/pam_echo.c new file mode 100644 index 00000000..31ebca22 --- /dev/null +++ b/Linux-PAM/modules/pam_echo/pam_echo.c @@ -0,0 +1,269 @@ +/* + * Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(HAVE_CONFIG_H) +#include "config.h" +#endif + +#include <errno.h> +#include <stdio.h> +#include <fcntl.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <limits.h> +#include <syslog.h> +#include <sys/types.h> +#include <sys/stat.h> + +#ifndef HOST_NAME_MAX +#define HOST_NAME_MAX 255 +#endif + +#define PAM_SM_ACCOUNT +#define PAM_SM_AUTH +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> + +static int +replace_and_print (pam_handle_t *pamh, const char *mesg) +{ + char *output; + size_t length = strlen (mesg) + PAM_MAX_MSG_SIZE; + char myhostname[HOST_NAME_MAX+1]; + const void *str = NULL; + const char *p, *q; + int item; + size_t len; + + output = malloc (length); + if (output == NULL) + { + pam_syslog (pamh, LOG_ERR, "running out of memory"); + return PAM_BUF_ERR; + } + + for (p = mesg, len = 0; *p != '\0' && len < length - 1; ++p) + { + if (*p != '%' || p[1] == '\0') + { + output[len++] = *p; + continue; + } + switch (*++p) + { + case 'H': + item = PAM_RHOST; + break; + case 'h': + item = -2; /* aka PAM_LOCALHOST */ + break; + case 's': + item = PAM_SERVICE; + break; + case 't': + item = PAM_TTY; + break; + case 'U': + item = PAM_RUSER; + break; + case 'u': + item = PAM_USER; + break; + default: + output[len++] = *p; + continue; + } + if (item == -2) + { + if (gethostname (myhostname, sizeof (myhostname)) == -1) + str = NULL; + else + str = &myhostname; + } + else + pam_get_item (pamh, item, &str); + if (str == NULL) + str = "(null)"; + for (q = str; *q != '\0' && len < length - 1; ++q) + output[len++] = *q; + } + output[len] = '\0'; + + pam_info (pamh, "%s", output); + free (output); + + return PAM_SUCCESS; +} + +static int +pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + int fd; + int orig_argc = argc; + const char **orig_argv = argv; + const char *file = NULL; + int retval; + + if (flags & PAM_SILENT) + return PAM_IGNORE; + + for (; argc-- > 0; ++argv) + { + if (!strncmp (*argv, "file=", 5)) + file = (5 + *argv); + } + + /* No file= option, use argument for output. */ + if (file == NULL || file[0] == '\0') + { + char msg[PAM_MAX_MSG_SIZE]; + const char *p; + int i; + size_t len; + + for (i = 0, len = 0; i < orig_argc && len < sizeof (msg) - 1; ++i) + { + if (i > 0) + msg[len++] = ' '; + for (p = orig_argv[i]; *p != '\0' && len < sizeof(msg) - 1; ++p) + msg[len++] = *p; + } + msg[len] = '\0'; + + retval = replace_and_print (pamh, msg); + } + else if ((fd = open (file, O_RDONLY, 0)) >= 0) + { + char *mtmp = NULL; + struct stat st; + + /* load file into message buffer. */ + if ((fstat (fd, &st) < 0) || !st.st_size) + return PAM_IGNORE; + + mtmp = malloc (st.st_size + 1); + if (!mtmp) + return PAM_BUF_ERR; + + if (pam_modutil_read (fd, mtmp, st.st_size) == -1) + { + pam_syslog (pamh, LOG_ERR, "Error while reading %s: %m", file); + free (mtmp); + return PAM_IGNORE; + } + + if (mtmp[st.st_size - 1] == '\n') + mtmp[st.st_size - 1] = '\0'; + else + mtmp[st.st_size] = '\0'; + + close (fd); + retval = replace_and_print (pamh, mtmp); + free (mtmp); + } + else + { + pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", file); + retval = PAM_IGNORE; + } + return retval; +} + +int +pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + return pam_echo (pamh, flags, argc, argv); +} + +int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +int +pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + return pam_echo (pamh, flags, argc, argv); +} + +int +pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + return pam_echo (pamh, flags, argc, argv); +} + +int +pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +int +pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + if (flags & PAM_PRELIM_CHECK) + return pam_echo (pamh, flags, argc, argv); + else + return PAM_IGNORE; +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_echo_modstruct = { + "pam_echo", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok, +}; + +#endif diff --git a/Linux-PAM/modules/pam_echo/tst-pam_echo b/Linux-PAM/modules/pam_echo/tst-pam_echo new file mode 100755 index 00000000..483a2c23 --- /dev/null +++ b/Linux-PAM/modules/pam_echo/tst-pam_echo @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_echo.so diff --git a/Linux-PAM/modules/pam_env/Makefile b/Linux-PAM/modules/pam_env/Makefile deleted file mode 100644 index 189f1ee3..00000000 --- a/Linux-PAM/modules/pam_env/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:03 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_env -LOCAL_CONFILE=./pam_env.conf-example -INSTALLED_CONFILE=$(SCONFIGD)/pam_env.conf - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_env/Makefile.am b/Linux-PAM/modules/pam_env/Makefile.am new file mode 100644 index 00000000..83236e9b --- /dev/null +++ b/Linux-PAM/modules/pam_env/Makefile.am @@ -0,0 +1,35 @@ +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment + +man_MANS = pam_env.conf.5 pam_env.8 + +XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_env.la + +secureconf_DATA = pam_env.conf +sysconf_DATA = environment + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_env.8.xml pam_env.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_env diff --git a/Linux-PAM/modules/pam_env/Makefile.in b/Linux-PAM/modules/pam_env/Makefile.in new file mode 100644 index 00000000..7bd1e9a3 --- /dev/null +++ b/Linux-PAM/modules/pam_env/Makefile.in @@ -0,0 +1,757 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_env +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" \ + "$(DESTDIR)$(sysconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_env_la_LIBADD = +pam_env_la_SOURCES = pam_env.c +pam_env_la_OBJECTS = pam_env.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_env.c +DIST_SOURCES = pam_env.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +sysconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) $(sysconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment +man_MANS = pam_env.conf.5 pam_env.8 +XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_env.la +secureconf_DATA = pam_env.conf +sysconf_DATA = environment +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_env +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_env/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_env/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_env.la: $(pam_env_la_OBJECTS) $(pam_env_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_env_la_OBJECTS) $(pam_env_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done +install-sysconfDATA: $(sysconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(sysconfdir)" || $(MKDIR_P) "$(DESTDIR)$(sysconfdir)" + @list='$(sysconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(sysconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(sysconfdir)/$$f'"; \ + $(sysconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(sysconfdir)/$$f"; \ + done + +uninstall-sysconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(sysconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(sysconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(sysconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sysconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: install-sysconfDATA + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES uninstall-sysconfDATA + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip install-sysconfDATA installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-man uninstall-man5 uninstall-man8 \ + uninstall-secureconfDATA uninstall-securelibLTLIBRARIES \ + uninstall-sysconfDATA + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_env/README b/Linux-PAM/modules/pam_env/README index 5053618a..81c63154 100644 --- a/Linux-PAM/modules/pam_env/README +++ b/Linux-PAM/modules/pam_env/README @@ -1,72 +1,74 @@ -# $Date: 2000/06/20 22:11:33 $ -# $Author: agmorgan $ -# $Id: README,v 1.1.1.1 2000/06/20 22:11:33 agmorgan Exp $ -# -# This is the configuration file for pam_env, a PAM module to load in -# a configurable list of environment variables for a -# -# The original idea for this came from Andrew G. Morgan ... -#<quote> -# Mmm. Perhaps you might like to write a pam_env module that reads a -# default environment from a file? I can see that as REALLY -# useful... Note it would be an "auth" module that returns PAM_IGNORE -# for the auth part and sets the environment returning PAM_SUCCESS in -# the setcred function... -#</quote> -# -# What I wanted was the REMOTEHOST variable set, purely for selfish -# reasons, and AGM didn't want it added to the SimpleApps login -# program (which is where I added the patch). So, my first concern is -# that variable, from there there are numerous others that might/would -# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER ..... -# -# Of course, these are a different kind of variable than REMOTEHOST in -# that they are things that are likely to be configured by -# administrators rather than set by logging in, how to treat them both -# in the same config file? -# -# Here is my idea: -# -# Each line starts with the variable name, there are then two possible -# options for each variable DEFAULT and OVERRIDE. -# DEFAULT allows and administrator to set the value of the -# variable to some default value, if none is supplied then the empty -# string is assumed. The OVERRIDE option tells pam_env that it should -# enter in its value (overriding the default value) if there is one -# to use. OVERRIDE is not used, "" is assumed and no override will be -# done. -# -# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] -# -# (Possibly non-existent) environment variables may be used in values -# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may -# be used in values using the @{string} syntax. Both the $ and @ -# characters can be backslash escaped to be used as literal values -# values can be delimited with "", escaped " not supported. -# -# -# First, some special variables -# -# Set the REMOTEHOST variable for any hosts that are remote, default -# to "localhost" rather than not being set at all -REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} -# -# Set the DISPLAY variable if it seems reasonable -DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} -# -# -# Now some simple variables -# -PAGER DEFAULT=less -MANPAGER DEFAULT=less -LESS DEFAULT="M q e h15 z23 b80" -NNTPSERVER DEFAULT=localhost -PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ -:/usr/bin:/usr/local/bin/X11:/usr/bin/X11 -# -# silly examples of escaped variables, just to show how they work. -# -DOLLAR DEFAULT=\$ -DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} -DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} -ATSIGN DEFAULT="" OVERRIDE=\@ +pam_env — PAM module to set/unset environment variables + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_env PAM module allows the (un)setting of environment variables. +Supported is the use of previously set environment variables as well as +PAM_ITEMs such as PAM_RHOST. + +By default rules for (un)setting of variables is taken from the config file / +etc/security/pam_env.conf if no other file is specified. + +This module can also parse a file with simple KEY=VAL pairs on seperate lines +(/etc/environment by default). You can change the default file to parse, with +the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 +respectively. + +OPTIONS + +conffile=/path/to/pam_env.conf + + Indicate an alternative pam_env.conf style configuration file to override + the default. This can be useful when different services need different + environments. + +debug + + A lot of debug informations are printed with syslog(3). + +envfile=/path/to/environment + + Indicate an alternative environment file to override the default. This can + be useful when different services need different environments. + +readenv=0|1 + + Turns on or off the reading of the file specified by envfile (0 is off, 1 + is on). By default this option is on. + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +pam_env.conf. + +Set the REMOTEHOST variable for any hosts that are remote, default to +"localhost" rather than not being set at all + + REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} + + +Set the DISPLAY variable if it seems reasonable + + DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} + + +Now some simple variables + + PAGER DEFAULT=less + MANPAGER DEFAULT=less + LESS DEFAULT="M q e h15 z23 b80" + NNTPSERVER DEFAULT=localhost + PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ + :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 + + +Silly examples of escaped variables, just to show how they work. + + DOLLAR DEFAULT=\$ + DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} + DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} + ATSIGN DEFAULT="" OVERRIDE=\@ + + diff --git a/Linux-PAM/modules/pam_env/README.xml b/Linux-PAM/modules/pam_env/README.xml new file mode 100644 index 00000000..21a9b855 --- /dev/null +++ b/Linux-PAM/modules/pam_env/README.xml @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_env.8.xml"> +--> +<!-- +<!ENTITY accessconf SYSTEM "pam_env.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_env.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_env-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_env/environment b/Linux-PAM/modules/pam_env/environment new file mode 100644 index 00000000..f46b8d94 --- /dev/null +++ b/Linux-PAM/modules/pam_env/environment @@ -0,0 +1,5 @@ +# +# This file is parsed by pam_env module +# +# Syntax: simple "KEY=VAL" pairs on seperate lines +# diff --git a/Linux-PAM/modules/pam_env/pam_env.8 b/Linux-PAM/modules/pam_env/pam_env.8 new file mode 100644 index 00000000..e7746de3 --- /dev/null +++ b/Linux-PAM/modules/pam_env/pam_env.8 @@ -0,0 +1,89 @@ +.\" Title: pam_env +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ENV" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_env \- PAM module to set/unset environment variables +.SH "SYNOPSIS" +.HP 11 +\fBpam_env.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] +.SH "DESCRIPTION" +.PP +The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as +\fIPAM_ITEM\fRs such as +\fIPAM_RHOST\fR. +.PP +By default rules for (un)setting of variables is taken from the config file +\fI/etc/security/pam_env.conf\fR +if no other file is specified. +.PP +This module can also parse a file with simple +\fIKEY=VAL\fR +pairs on seperate lines (\fI/etc/environment\fR +by default). You can change the default file to parse, with the +\fIenvfile\fR +flag and turn it on or off by setting the +\fIreadenv\fR +flag to 1 or 0 respectively. +.SH "OPTIONS" +.TP 3n +\fBconffile=\fR\fB\fI/path/to/pam_env.conf\fR\fR +Indicate an alternative +\fIpam_env.conf\fR +style configuration file to override the default. This can be useful when different services need different environments. +.TP 3n +\fBdebug\fR +A lot of debug informations are printed with +\fBsyslog\fR(3). +.TP 3n +\fBenvfile=\fR\fB\fI/path/to/environment\fR\fR +Indicate an alternative +\fIenvironment\fR +file to override the default. This can be useful when different services need different environments. +.TP 3n +\fBreadenv=\fR\fB\fI0|1\fR\fR +Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on. +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBsession\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_ABORT +Not all relevant data or options could be gotten. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +No pam_env.conf and environment file was found. +.TP 3n +PAM_SUCCESS +Environment variables were set. +.SH "FILES" +.TP 3n +\fI/etc/security/pam_env.conf\fR +Default configuration file +.TP 3n +\fI/etc/environment\fR +Default environment file +.SH "SEE ALSO" +.PP + +\fBpam_env.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHOR" +.PP +pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. diff --git a/Linux-PAM/modules/pam_env/pam_env.8.xml b/Linux-PAM/modules/pam_env/pam_env.8.xml new file mode 100644 index 00000000..731c20b2 --- /dev/null +++ b/Linux-PAM/modules/pam_env/pam_env.8.xml @@ -0,0 +1,206 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_env'> + + <refmeta> + <refentrytitle>pam_env</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_env-name'> + <refname>pam_env</refname> + <refpurpose> + PAM module to set/unset environment variables + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_env-cmdsynopsis"> + <command>pam_env.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + conffile=<replaceable>conf-file</replaceable> + </arg> + <arg choice="opt"> + envfile=<replaceable>env-file</replaceable> + </arg> + <arg choice="opt"> + readenv=<replaceable>0|1</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_env-description"> + <title>DESCRIPTION</title> + <para> + The pam_env PAM module allows the (un)setting of environment + variables. Supported is the use of previously set environment + variables as well as <emphasis>PAM_ITEM</emphasis>s such as + <emphasis>PAM_RHOST</emphasis>. + </para> + <para> + By default rules for (un)setting of variables is taken from the + config file <filename>/etc/security/pam_env.conf</filename> if + no other file is specified. + </para> + <para> + This module can also parse a file with simple + <emphasis>KEY=VAL</emphasis> pairs on seperate lines + (<filename>/etc/environment</filename> by default). You can + change the default file to parse, with the <emphasis>envfile</emphasis> + flag and turn it on or off by setting the <emphasis>readenv</emphasis> + flag to 1 or 0 respectively. + </para> + </refsect1> + + <refsect1 id="pam_env-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + <option>conffile=<replaceable>/path/to/pam_env.conf</replaceable></option> + </term> + <listitem> + <para> + Indicate an alternative <filename>pam_env.conf</filename> + style configuration file to override the default. This can + be useful when different services need different environments. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + A lot of debug informations are printed with + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>envfile=<replaceable>/path/to/environment</replaceable></option> + </term> + <listitem> + <para> + Indicate an alternative <filename>environment</filename> + file to override the default. This can be useful when different + services need different environments. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>readenv=<replaceable>0|1</replaceable></option> + </term> + <listitem> + <para> + Turns on or off the reading of the file specified by envfile + (0 is off, 1 is on). By default this option is on. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_env-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <option>auth</option> and <option>session</option> services + are supported. + </para> + </refsect1> + + <refsect1 id="pam_env-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data or options could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + No pam_env.conf and environment file was found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Environment variables were set. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_env-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/pam_env.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/etc/environment</filename></term> + <listitem> + <para>Default environment file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_env-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_env.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_env-authors"> + <title>AUTHOR</title> + <para> + pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_env/pam_env.c b/Linux-PAM/modules/pam_env/pam_env.c index a3cf7684..1a41833c 100644 --- a/Linux-PAM/modules/pam_env/pam_env.c +++ b/Linux-PAM/modules/pam_env/pam_env.c @@ -1,21 +1,17 @@ -/* pam_mail module */ +/* pam_env module */ /* - * $Id: pam_env.c,v 1.5 2004/09/15 12:06:17 kukuk Exp $ + * $Id: pam_env.c,v 1.13 2005/12/12 14:45:00 ldv Exp $ * * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31 - * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the + * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the * template for this file (via pam_mail) */ -#ifndef DEFAULT_CONF_FILE -#define DEFAULT_CONF_FILE "/etc/security/pam_env.conf" -#endif - #define DEFAULT_ETC_ENVFILE "/etc/environment" -#define DEFAULT_READ_ENVFILE 0 +#define DEFAULT_READ_ENVFILE 1 -#include <security/_pam_aconf.h> +#include "config.h" #include <ctype.h> #include <errno.h> @@ -43,6 +39,7 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> +#include <security/pam_ext.h> /* This little structure makes it easier to keep variables together */ @@ -59,34 +56,21 @@ typedef struct var { #define GOOD_LINE 0 #define BAD_LINE 100 /* This must be > the largest PAM_* error code */ -#define DEFINE_VAR 101 +#define DEFINE_VAR 101 #define UNDEFINE_VAR 102 #define ILLEGAL_VAR 103 static int _assemble_line(FILE *, char *, int); -static int _parse_line(char *, VAR *); +static int _parse_line(const pam_handle_t *, char *, VAR *); static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); +static void _clean_var(VAR *); static int _expand_arg(pam_handle_t *, char **); static const char * _pam_get_item_byname(pam_handle_t *, const char *); static int _define_var(pam_handle_t *, VAR *); static int _undefine_var(pam_handle_t *, VAR *); /* This is a flag used to designate an empty string */ -static char quote='Z'; - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-env", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +static char quote='Z'; /* argument parsing */ @@ -95,8 +79,9 @@ static void _log_err(int err, const char *format, ...) #define PAM_ENV_SILENT 0x04 #define PAM_NEW_ENV_FILE 0x10 -static int _pam_parse(int flags, int argc, const char **argv, char **conffile, - char **envfile, int *readenv) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv, + const char **conffile, const char **envfile, int *readenv) { int ctrl=0; @@ -109,59 +94,59 @@ static int _pam_parse(int flags, int argc, const char **argv, char **conffile, if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; else if (!strncmp(*argv,"conffile=",9)) { - *conffile = x_strdup(9+*argv); - if (*conffile != NULL) { + *conffile = 9 + *argv; + if (**conffile != '\0') { D(("new Configuration File: %s", *conffile)); ctrl |= PAM_NEW_CONF_FILE; } else { - _log_err(LOG_CRIT, - "Configuration file specification missing argument - ignored"); + pam_syslog(pamh, LOG_ERR, + "conffile= specification missing argument - ignored"); } } else if (!strncmp(*argv,"envfile=",8)) { - *envfile = x_strdup(8+*argv); - if (*envfile != NULL) { + *envfile = 8 + *argv; + if (**envfile != '\0') { D(("new Env File: %s", *envfile)); ctrl |= PAM_NEW_ENV_FILE; } else { - _log_err(LOG_CRIT, - "Env file specification missing argument - ignored"); + pam_syslog (pamh, LOG_ERR, + "envfile= specification missing argument - ignored"); } } else if (!strncmp(*argv,"readenv=",8)) *readenv = atoi(8+*argv); else - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } return ctrl; } -static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile) +static int +_parse_config_file(pam_handle_t *pamh, int ctrl, const char *conffile) { int retval; const char *file; char buffer[BUF_SIZE]; FILE *conf; - VAR Var, *var=&Var; + VAR Var, *var=&Var; var->name=NULL; var->defval=NULL; var->override=NULL; D(("Called.")); if (ctrl & PAM_NEW_CONF_FILE) { - file = *conffile; + file = conffile; } else { file = DEFAULT_CONF_FILE; } D(("Config file name is: %s", file)); - /* - * Lets try to open the config file, parse it and process + /* + * Lets try to open the config file, parse it and process * any variables found. */ if ((conf = fopen(file,"r")) == NULL) { - _log_err(LOG_ERR, "Unable to open config file: %s", - strerror(errno)); + pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file); return PAM_IGNORE; } @@ -172,36 +157,34 @@ static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile) while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { D(("Read line: %s", buffer)); - if ((retval = _parse_line(buffer, var)) == GOOD_LINE) { + if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) { retval = _check_var(pamh, var); if (DEFINE_VAR == retval) { - retval = _define_var(pamh, var); + retval = _define_var(pamh, var); } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval + retval = _undefine_var(pamh, var); + } + } + if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); + + _clean_var(var); } /* while */ - + (void) fclose(conf); /* tidy up */ _clean_var(var); /* We could have got here prematurely, * this is safe though */ - _pam_overwrite(*conffile); - _pam_drop(*conffile); - file = NULL; D(("Exit.")); return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); } -static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file) +static int +_parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file) { int retval=PAM_SUCCESS, i, t; const char *file; @@ -209,15 +192,15 @@ static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file) FILE *conf; if (ctrl & PAM_NEW_ENV_FILE) - file = *env_file; + file = env_file; else file = DEFAULT_ETC_ENVFILE; D(("Env file name is: %s", file)); if ((conf = fopen(file,"r")) == NULL) { - D(("Unable to open env file: %s", strerror(errno))); - return PAM_ABORT; + pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file); + return PAM_IGNORE; } while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { @@ -272,15 +255,12 @@ static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file) break; } } - + (void) fclose(conf); /* tidy up */ - _pam_overwrite(*env_file); - _pam_drop(*env_file); - file = NULL; D(("Exit.")); - return (retval != 0 ? PAM_IGNORE : PAM_SUCCESS); + return retval; } /* @@ -365,43 +345,44 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len) return used; } -static int _parse_line(char *buffer, VAR *var) +static int +_parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) { - /* - * parse buffer into var, legal syntax is + /* + * parse buffer into var, legal syntax is * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]] * - * Any other options defined make this a bad line, + * Any other options defined make this a bad line, * error logged and no var set */ - + int length, quoteflg=0; - char *ptr, **valptr, *tmpptr; - + char *ptr, **valptr, *tmpptr; + D(("Called buffer = <%s>", buffer)); length = strcspn(buffer," \t\n"); - + if ((var->name = malloc(length + 1)) == NULL) { - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); + pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1); return PAM_BUF_ERR; } - - /* - * The first thing on the line HAS to be the variable name, + + /* + * The first thing on the line HAS to be the variable name, * it may be the only thing though. */ strncpy(var->name, buffer, length); var->name[length] = '\0'; D(("var->name = <%s>, length = %d", var->name, length)); - /* + /* * Now we check for arguments, we only support two kinds and ('cause I am lazy) * each one can actually be listed any number of times */ - + ptr = buffer+length; - while ((length = strspn(ptr, " \t")) > 0) { + while ((length = strspn(ptr, " \t")) > 0) { ptr += length; /* remove leading whitespace */ D((ptr)); if (strncmp(ptr,"DEFAULT=",8) == 0) { @@ -414,24 +395,24 @@ static int _parse_line(char *buffer, VAR *var) valptr=&(var->override); } else { D(("Unrecognized options: <%s> - ignoring line", ptr)); - _log_err(LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr); + pam_syslog(pamh, LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr); return BAD_LINE; } - + if ('"' != *ptr) { /* Escaped quotes not supported */ length = strcspn(ptr, " \t\n"); tmpptr = ptr+length; } else { - tmpptr = strchr(++ptr, '"'); + tmpptr = strchr(++ptr, '"'); if (!tmpptr) { D(("Unterminated quoted string: %s", ptr-1)); - _log_err(LOG_ERR, "Unterminated quoted string: %s", ptr-1); + pam_syslog(pamh, LOG_ERR, "Unterminated quoted string: %s", ptr-1); return BAD_LINE; } - length = tmpptr - ptr; + length = tmpptr - ptr; if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != *tmpptr) { D(("Quotes must cover the entire string: <%s>", ptr)); - _log_err(LOG_ERR, "Quotes must cover the entire string: <%s>", ptr); + pam_syslog(pamh, LOG_ERR, "Quotes must cover the entire string: <%s>", ptr); return BAD_LINE; } quoteflg++; @@ -439,7 +420,7 @@ static int _parse_line(char *buffer, VAR *var) if (length) { if ((*valptr = malloc(length + 1)) == NULL) { D(("Couldn't malloc %d bytes", length+1)); - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); + pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1); return PAM_BUF_ERR; } (void)strncpy(*valptr,ptr,length); @@ -449,11 +430,11 @@ static int _parse_line(char *buffer, VAR *var) } ptr = tmpptr; /* Start the search where we stopped */ } /* while */ - - /* + + /* * The line is parsed, all is well. */ - + D(("Exit.")); ptr = NULL; tmpptr = NULL; valptr = NULL; return GOOD_LINE; @@ -461,16 +442,16 @@ static int _parse_line(char *buffer, VAR *var) static int _check_var(pam_handle_t *pamh, VAR *var) { - /* - * Examine the variable and determine what action to take. + /* + * Examine the variable and determine what action to take. * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take * or a PAM_* error code if passed back from other routines * * if no DEFAULT provided, the empty string is assumed * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, + * if DEFAULT= and OVERRIDE evaluates to the empty string, * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, + * if DEFAULT="" and OVERRIDE evaluates to the empty string, * this variable should be defined with no value * if OVERRIDE=value and value turns into the empty string, DEFAULT is used * @@ -498,18 +479,18 @@ static int _check_var(pam_handle_t *pamh, VAR *var) } /* Now its easy */ - - if (var->override && *(var->override) && "e != var->override) { + + if (var->override && *(var->override) && "e != var->override) { /* if there is a non-empty string in var->override, we use it */ D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); var->value = var->override; retval = DEFINE_VAR; } else { - + var->value = var->defval; if ("e == var->defval) { - /* - * This means that the empty string was given for defval value + /* + * This means that the empty string was given for defval value * which indicates that a variable should be defined with no value */ *var->defval = '\0'; @@ -531,12 +512,12 @@ static int _check_var(pam_handle_t *pamh, VAR *var) static int _expand_arg(pam_handle_t *pamh, char **value) { const char *orig=*value, *tmpptr=NULL; - char *ptr; /* - * Sure would be nice to use tmpptr but it needs to be + char *ptr; /* + * Sure would be nice to use tmpptr but it needs to be * a constant so that the compiler will shut up when I * call pam_getenv and _pam_get_item_byname -- sigh */ - + /* No unexpanded variable can be bigger than BUF_SIZE */ char type, tmpval[BUF_SIZE]; @@ -546,11 +527,11 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Remember to initialize tmp!")); memset(tmp, 0, MAX_ENV); - /* + /* * (possibly non-existent) environment variables can be used as values * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\" - * (possibly non-existent) PAM items can be used as values - * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape + * (possibly non-existent) PAM items can be used as values + * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape * */ D(("Expanding <%s>",orig)); @@ -559,23 +540,24 @@ static int _expand_arg(pam_handle_t *pamh, char **value) ++orig; if ('$' != *orig && '@' != *orig) { D(("Unrecognized escaped character: <%c> - ignoring", *orig)); - _log_err(LOG_ERR, "Unrecognized escaped character: <%c> - ignoring", - *orig); + pam_syslog(pamh, LOG_ERR, + "Unrecognized escaped character: <%c> - ignoring", + *orig); } else if ((strlen(tmp) + 1) < MAX_ENV) { tmp[strlen(tmp)] = *orig++; /* Note the increment */ } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", + pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); } continue; - } + } if ('$' == *orig || '@' == *orig) { if ('{' != *(orig+1)) { D(("Expandable variables must be wrapped in {}" " <%s> - ignoring", orig)); - _log_err(LOG_ERR, "Expandable variables must be wrapped in {}" + pam_syslog(pamh, LOG_ERR, "Expandable variables must be wrapped in {}" " <%s> - ignoring", orig); if ((strlen(tmp) + 1) < MAX_ENV) { tmp[strlen(tmp)] = *orig++; /* Note the increment */ @@ -586,28 +568,29 @@ static int _expand_arg(pam_handle_t *pamh, char **value) type = *orig; orig+=2; /* skip the ${ or @{ characters */ ptr = strchr(orig, '}'); - if (ptr) { + if (ptr) { *ptr++ = '\0'; } else { D(("Unterminated expandable variable: <%s>", orig-2)); - _log_err(LOG_ERR, "Unterminated expandable variable: <%s>", orig-2); + pam_syslog(pamh, LOG_ERR, + "Unterminated expandable variable: <%s>", orig-2); return PAM_ABORT; } strncpy(tmpval, orig, sizeof(tmpval)); tmpval[sizeof(tmpval)-1] = '\0'; orig=ptr; - /* - * so, we know we need to expand tmpval, it is either + /* + * so, we know we need to expand tmpval, it is either * an environment variable or a PAM_ITEM. type will tell us which */ switch (type) { - + case '$': D(("Expanding env var: <%s>",tmpval)); tmpptr = pam_getenv(pamh, tmpval); D(("Expanded to <%s>", tmpptr)); break; - + case '@': D(("Expanding pam item: <%s>",tmpval)); tmpptr = _pam_get_item_byname(pamh, tmpval); @@ -616,17 +599,18 @@ static int _expand_arg(pam_handle_t *pamh, char **value) default: D(("Impossible error, type == <%c>", type)); - _log_err(LOG_CRIT, "Impossible error, type == <%c>", type); + pam_syslog(pamh, LOG_CRIT, "Impossible error, type == <%c>", type); return PAM_ABORT; } /* switch */ - + if (tmpptr) { if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) { strcat(tmp, tmpptr); } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + pam_syslog (pamh, LOG_ERR, + "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); } } } /* if ('{' != *orig++) */ @@ -636,7 +620,8 @@ static int _expand_arg(pam_handle_t *pamh, char **value) } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + pam_syslog(pamh, LOG_ERR, + "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); } } } /* for (;*orig;) */ @@ -645,8 +630,8 @@ static int _expand_arg(pam_handle_t *pamh, char **value) free(*value); if ((*value = malloc(strlen(tmp) +1)) == NULL) { D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1)); - _log_err(LOG_ERR,"Couldn't malloc %d bytes for expanded var", - strlen(tmp)+1); + pam_syslog (pamh, LOG_ERR, "Couldn't malloc %lu bytes for expanded var", + (unsigned long)strlen(tmp)+1); return PAM_BUF_ERR; } } @@ -659,13 +644,13 @@ static int _expand_arg(pam_handle_t *pamh, char **value) static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) { - /* + /* * This function just allows me to use names as given in the config * file and translate them into the appropriate PAM_ITEM macro */ int item; - const char *itemval; + const void *itemval; D(("Called.")); if (strcmp(name, "PAM_USER") == 0) { @@ -680,11 +665,11 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) item = PAM_RHOST; } else { D(("Unknown PAM_ITEM: <%s>", name)); - _log_err(LOG_ERR, "Unknown PAM_ITEM: <%s>", name); + pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); return NULL; } - - if (pam_get_item(pamh, item, (const void **)&itemval) != PAM_SUCCESS) { + + if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { D(("pam_get_item failed")); return NULL; /* let pam_get_item() log the error */ } @@ -695,20 +680,18 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) static int _define_var(pam_handle_t *pamh, VAR *var) { /* We have a variable to define, this is a simple function */ - + char *envvar; - int size, retval=PAM_SUCCESS; - + int retval = PAM_SUCCESS; + D(("Called.")); - size = strlen(var->name)+strlen(var->value)+2; - if ((envvar = malloc(size)) == NULL) { - D(("Malloc fail, size = %d", size)); - _log_err(LOG_ERR, "Malloc fail, size = %d", size); + if (asprintf(&envvar, "%s=%s", var->name, var->value) < 0) { + pam_syslog(pamh, LOG_ERR, "out of memory"); return PAM_BUF_ERR; } - (void) sprintf(envvar,"%s=%s",var->name,var->value); + retval = pam_putenv(pamh, envvar); - free(envvar); envvar=NULL; + _pam_drop(envvar); D(("Exit.")); return retval; } @@ -716,7 +699,7 @@ static int _define_var(pam_handle_t *pamh, VAR *var) static int _undefine_var(pam_handle_t *pamh, VAR *var) { /* We have a variable to undefine, this is a simple function */ - + D(("Called and exit.")); return pam_putenv(pamh, var->name); } @@ -724,13 +707,13 @@ static int _undefine_var(pam_handle_t *pamh, VAR *var) static void _clean_var(VAR *var) { if (var->name) { - free(var->name); + free(var->name); } if (var->defval && ("e != var->defval)) { - free(var->defval); + free(var->defval); } if (var->override && ("e != var->override)) { - free(var->override); + free(var->override); } var->name = NULL; var->value = NULL; /* never has memory specific to it */ @@ -743,84 +726,90 @@ static void _clean_var(VAR *var) /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ return PAM_IGNORE; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; - char *conf_file=NULL, *env_file=NULL; + const char *conf_file = NULL, *env_file = NULL; /* * this module sets environment variables read in from a file */ - + D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file, &env_file, &readenv); + ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); - retval = _parse_config_file(pamh, ctrl, &conf_file); + retval = _parse_config_file(pamh, ctrl, conf_file); - if(readenv && retval == PAM_SUCCESS) - retval = _parse_env_file(pamh, ctrl, &env_file); + if(readenv && retval == PAM_SUCCESS) { + retval = _parse_env_file(pamh, ctrl, env_file); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; + } /* indicate success or failure */ - + D(("Exit.")); return retval; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - _log_err(LOG_NOTICE, "pam_sm_acct_mgmt called inappropriatly"); + pam_syslog (pamh, LOG_NOTICE, "pam_sm_acct_mgmt called inappropriately"); return PAM_SERVICE_ERR; } - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) + +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; - char *conf_file=NULL, *env_file=NULL; - + const char *conf_file = NULL, *env_file = NULL; + /* * this module sets environment variables read in from a file */ - + D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file, &env_file, &readenv); - - retval = _parse_config_file(pamh, ctrl, &conf_file); - - if(readenv && retval == PAM_SUCCESS) - retval = _parse_env_file(pamh, ctrl, &env_file); + ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); + + retval = _parse_config_file(pamh, ctrl, conf_file); + + if(readenv && retval == PAM_SUCCESS) { + retval = _parse_env_file(pamh, ctrl, env_file); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; + } /* indicate success or failure */ - + D(("Exit.")); return retval; } -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc, - const char **argv) +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { D(("Called and Exit")); return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_chauthtok (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - _log_err(LOG_NOTICE, "pam_sm_chauthtok called inappropriatly"); + pam_syslog (pamh, LOG_NOTICE, "pam_sm_chauthtok called inappropriately"); return PAM_SERVICE_ERR; } diff --git a/Linux-PAM/modules/pam_env/pam_env.conf-example b/Linux-PAM/modules/pam_env/pam_env.conf index 612a31c2..d0ba35c2 100644 --- a/Linux-PAM/modules/pam_env/pam_env.conf-example +++ b/Linux-PAM/modules/pam_env/pam_env.conf @@ -1,6 +1,3 @@ -# $Date: 2004/11/16 14:27:41 $ -# $Author: toady $ -# $Id: pam_env.conf-example,v 1.2 2004/11/16 14:27:41 toady Exp $ # # This is the configuration file for pam_env, a PAM module to load in # a configurable list of environment variables for a diff --git a/Linux-PAM/modules/pam_env/pam_env.conf.5 b/Linux-PAM/modules/pam_env/pam_env.conf.5 new file mode 100644 index 00000000..17c1a19d --- /dev/null +++ b/Linux-PAM/modules/pam_env/pam_env.conf.5 @@ -0,0 +1,87 @@ +.\" Title: pam_env.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ENV.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_env.conf \- the environment variables config file +.SH "DESCRIPTION" +.PP +The +\fI/etc/security/pam_env.conf\fR +file specifies the environment variables to be set, unset or modified by +\fBpam_env\fR(8). When someone logs in, this file is read and the environment variables are set according. +.PP +Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done. +.PP + +\fIVARIABLE\fR +[\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR] +.PP +(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. For example, HOME is used below several times, but many PAM applications don't make it available by the time you need it. +.PP +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/pam_env.conf\fR. +.PP +Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all +.sp +.RS 3n +.nf + REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} + +.fi +.RE +.PP +Set the DISPLAY variable if it seems reasonable +.sp +.RS 3n +.nf + DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} + +.fi +.RE +.PP +Now some simple variables +.sp +.RS 3n +.nf + PAGER DEFAULT=less + MANPAGER DEFAULT=less + LESS DEFAULT="M q e h15 z23 b80" + NNTPSERVER DEFAULT=localhost + PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\\ + :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 + +.fi +.RE +.PP +Silly examples of escaped variables, just to show how they work. +.sp +.RS 3n +.nf + DOLLAR DEFAULT=\\$ + DOLLARDOLLAR DEFAULT= OVERRIDE=\\$${DOLLAR} + DOLLARPLUS DEFAULT=\\${REMOTEHOST}${REMOTEHOST} + ATSIGN DEFAULT="" OVERRIDE=\\@ + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam_env\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. diff --git a/Linux-PAM/modules/pam_env/pam_env.conf.5.xml b/Linux-PAM/modules/pam_env/pam_env.conf.5.xml new file mode 100644 index 00000000..090e0e75 --- /dev/null +++ b/Linux-PAM/modules/pam_env/pam_env.conf.5.xml @@ -0,0 +1,123 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_env.conf"> + + <refmeta> + <refentrytitle>pam_env.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>pam_env.conf</refname> + <refpurpose>the environment variables config file</refpurpose> + </refnamediv> + + + <refsect1 id='pam_env.conf-description'> + <title>DESCRIPTION</title> + + <para> + The <filename>/etc/security/pam_env.conf</filename> file specifies + the environment variables to be set, unset or modified by + <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + When someone logs in, this file is read and the environment + variables are set according. + </para> + <para> + Each line starts with the variable name, there are then two possible + options for each variable DEFAULT and OVERRIDE. DEFAULT allows and + administrator to set the value of the variable to some default + value, if none is supplied then the empty string is assumed. The + OVERRIDE option tells pam_env that it should enter in its value + (overriding the default value) if there is one to use. OVERRIDE is + not used, "" is assumed and no override will be done. + </para> + <para> + <replaceable>VARIABLE</replaceable> + [<replaceable>DEFAULT=[value]</replaceable>] + [<replaceable>OVERRIDE=[value]</replaceable>] + </para> + + <para> + (Possibly non-existent) environment variables may be used in values + using the ${string} syntax and (possibly non-existent) PAM_ITEMs may + be used in values using the @{string} syntax. Both the $ and @ + characters can be backslash escaped to be used as literal values + values can be delimited with "", escaped " not supported. + Note that many environment variables that you would like to use + may not be set by the time the module is called. + For example, HOME is used below several times, but + many PAM applications don't make it available by the time you need it. + </para> + + <para> + The "<emphasis>#</emphasis>" character at start of line (no space + at front) can be used to mark this line as a comment line. + </para> + + </refsect1> + + <refsect1 id="pam_env.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/pam_env.conf</filename>. + </para> + + <para> + Set the REMOTEHOST variable for any hosts that are remote, default + to "localhost" rather than not being set at all + </para> + <programlisting> + REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} + </programlisting> + + <para> + Set the DISPLAY variable if it seems reasonable + </para> + <programlisting> + DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} + </programlisting> + + <para> + Now some simple variables + </para> + <programlisting> + PAGER DEFAULT=less + MANPAGER DEFAULT=less + LESS DEFAULT="M q e h15 z23 b80" + NNTPSERVER DEFAULT=localhost + PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ + :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 + </programlisting> + + <para> + Silly examples of escaped variables, just to show how they work. + </para> + <programlisting> + DOLLAR DEFAULT=\$ + DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} + DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} + ATSIGN DEFAULT="" OVERRIDE=\@ + </programlisting> + </refsect1> + + <refsect1 id="pam_env.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="pam_env.conf-author"> + <title>AUTHOR</title> + <para> + pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_env/tst-pam_env b/Linux-PAM/modules/pam_env/tst-pam_env new file mode 100755 index 00000000..c40e70a8 --- /dev/null +++ b/Linux-PAM/modules/pam_env/tst-pam_env @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_env.so diff --git a/Linux-PAM/modules/pam_exec/Makefile.am b/Linux-PAM/modules/pam_exec/Makefile.am new file mode 100644 index 00000000..4fc28b28 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec + +man_MANS = pam_exec.8 + +XMLS = README.xml pam_exec.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_exec.la + +if ENABLE_REGENERATE_MAN + +noinst_DATA = README + +README: pam_exec.8.xml + +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_exec diff --git a/Linux-PAM/modules/pam_exec/Makefile.in b/Linux-PAM/modules/pam_exec/Makefile.in new file mode 100644 index 00000000..34f7ac51 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/Makefile.in @@ -0,0 +1,667 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_exec +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_exec_la_LIBADD = +pam_exec_la_SOURCES = pam_exec.c +pam_exec_la_OBJECTS = pam_exec.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_exec.c +DIST_SOURCES = pam_exec.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec +man_MANS = pam_exec.8 +XMLS = README.xml pam_exec.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_exec.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_exec +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_exec/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_exec/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_exec.la: $(pam_exec_la_OBJECTS) $(pam_exec_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_exec_la_OBJECTS) $(pam_exec_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_exec.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_exec.8.xml + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_exec/README b/Linux-PAM/modules/pam_exec/README new file mode 100644 index 00000000..8ff9a742 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/README @@ -0,0 +1,42 @@ +pam_exec — PAM module which calls an external command + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_exec is a PAM module that can be used to run an external command. + +OPTIONS + +debug + + Print debug information. + +log=file + + The output of the command is appended to file + +seteuid + + Per default pam_exec.so will execute the external command with the real + user ID of the calling process. Specifying this option means the command is + run with the effective user ID. + +EXAMPLES + +Add the following line to /etc/pam.d/passwd to rebuild the NIS database after +each local password change: + + passwd optional pam_exec.so seteuid make -C /var/yp + + +This will execute the command + +make -C /var/yp + +with effective user ID. + +AUTHOR + +pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. + diff --git a/Linux-PAM/modules/pam_exec/README.xml b/Linux-PAM/modules/pam_exec/README.xml new file mode 100644 index 00000000..5e76cab3 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_exec.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_exec/pam_exec.8 b/Linux-PAM/modules/pam_exec/pam_exec.8 new file mode 100644 index 00000000..ae8f8a46 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/pam_exec.8 @@ -0,0 +1,88 @@ +.\" Title: pam_exec +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_EXEC" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_exec \- PAM module which calls an external command +.SH "SYNOPSIS" +.HP 12 +\fBpam_exec.so\fR [debug] [seteuid] [log=\fIfile\fR] \fIcommand\fR [\fI...\fR] +.SH "DESCRIPTION" +.PP +pam_exec is a PAM module that can be used to run an external command. +.SH "OPTIONS" +.PP +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBlog=\fR\fB\fIfile\fR\fR +The output of the command is appended to +\fIfile\fR +.TP 3n +\fBseteuid\fR +Per default pam_exec.so will execute the external command with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +The external command runs successfull. +.TP 3n +PAM_SERVICE_ERR +No argument or a wrong number of arguments were given. +.TP 3n +PAM_SYSTEM_ERR +A system error occured or the command to execute failed. +.TP 3n +PAM_IGNORE + +\fBpam_setcred\fR +was called, which does not execute the command. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/passwd\fR +to rebuild the NIS database after each local password change: +.sp +.RS 3n +.nf + passwd optional pam_exec.so seteuid make \-C /var/yp + +.fi +.RE +.sp +This will execute the command +.sp +.RS 3n +.nf +make \-C /var/yp +.fi +.RE +.sp +with effective user ID. +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. diff --git a/Linux-PAM/modules/pam_exec/pam_exec.8.xml b/Linux-PAM/modules/pam_exec/pam_exec.8.xml new file mode 100644 index 00000000..1e8bb0ba --- /dev/null +++ b/Linux-PAM/modules/pam_exec/pam_exec.8.xml @@ -0,0 +1,189 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_exec"> + + <refmeta> + <refentrytitle>pam_exec</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_exec-name"> + <refname>pam_exec</refname> + <refpurpose>PAM module which calls an external command</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_exec-cmdsynopsis"> + <command>pam_exec.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + seteuid + </arg> + <arg choice="opt"> + log=<replaceable>file</replaceable> + </arg> + <arg choice="plain"> + <replaceable>command</replaceable> + </arg> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_exec-description"> + + <title>DESCRIPTION</title> + + <para> + pam_exec is a PAM module that can be used to run + an external command. + </para> + + </refsect1> + + <refsect1 id="pam_exec-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>log=<replaceable>file</replaceable></option> + </term> + <listitem> + <para> + The output of the command is appended to + <filename>file</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>seteuid</option> + </term> + <listitem> + <para> + Per default pam_exec.so will execute the external command + with the real user ID of the calling process. + Specifying this option means the command is run + with the effective user ID. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_exec-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_exec-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The external command runs successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + No argument or a wrong number of arguments were given. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A system error occured or the command to execute failed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_setcred</function> was called, which + does not execute the command. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_exec-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/passwd</filename> to + rebuild the NIS database after each local password change: + <programlisting> + passwd optional pam_exec.so seteuid make -C /var/yp + </programlisting> + + This will execute the command + <programlisting>make -C /var/yp</programlisting> + with effective user ID. + </para> + </refsect1> + + <refsect1 id='pam_exec-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_exec-author'> + <title>AUTHOR</title> + <para> + pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_exec/pam_exec.c b/Linux-PAM/modules/pam_exec/pam_exec.c new file mode 100644 index 00000000..34ba7404 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/pam_exec.c @@ -0,0 +1,285 @@ +/* + * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(HAVE_CONFIG_H) +#include "config.h" +#endif + +#include <time.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <string.h> +#include <syslog.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/wait.h> +#include <sys/stat.h> +#include <sys/types.h> + + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +static int +call_exec (pam_handle_t *pamh, int argc, const char **argv) +{ + int debug = 0; + int call_setuid = 0; + int optargc; + const char *logfile = NULL; + pid_t pid; + + if (argc < 1) { + pam_syslog (pamh, LOG_ERR, + "This module needs at least one argument"); + return PAM_SERVICE_ERR; + } + + for (optargc = 0; optargc < argc; optargc++) + { + if (argv[optargc][0] == '/') /* paths starts with / */ + break; + + if (strcasecmp (argv[optargc], "debug") == 0) + debug = 1; + else if (strncasecmp (argv[optargc], "log=", 4) == 0) + logfile = &argv[optargc][4]; + else if (strcasecmp (argv[optargc], "seteuid") == 0) + call_setuid = 1; + else + break; /* Unknown option, assume program to execute. */ + } + + + if (optargc >= argc) { + pam_syslog (pamh, LOG_ERR, "No path given as argument"); + return PAM_SERVICE_ERR; + } + + pid = fork(); + if (pid == -1) + return PAM_SYSTEM_ERR; + if (pid > 0) /* parent */ + { + int status = 0; + pid_t retval; + while ((retval = waitpid (pid, &status, 0)) == -1 && + errno == EINTR); + if (retval == (pid_t)-1) + { + pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); + return PAM_SYSTEM_ERR; + } + else if (status != 0) + { + if (WIFEXITED(status)) + { + pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", + argv[optargc], WEXITSTATUS(status)); + pam_error (pamh, _("%s failed: exit code %d"), + argv[optargc], WEXITSTATUS(status)); + } + else if (WIFSIGNALED(status)) + { + pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s", + argv[optargc], WTERMSIG(status), + WCOREDUMP(status) ? " (core dumped)" : ""); + pam_error (pamh, _("%s failed: caught signal %d%s"), + argv[optargc], WTERMSIG(status), + WCOREDUMP(status) ? " (core dumped)" : ""); + } + else + { + pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x", + argv[optargc], status); + pam_error (pamh, _("%s failed: unknown status 0x%x"), + argv[optargc], status); + } + return PAM_SYSTEM_ERR; + } + return PAM_SUCCESS; + } + else /* child */ + { + char **arggv; + int i; + + for (i = 0; i < sysconf (_SC_OPEN_MAX); i++) + close (i); + + /* New stdin. */ + if ((i = open ("/dev/null", O_RDWR)) < 0) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m"); + exit (err); + } + /* New stdout and stderr. */ + if (logfile) + { + time_t tm = time (NULL); + char *buffer = NULL; + + if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY, + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "open of %s failed: %m", + logfile); + exit (err); + } + if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0) + { + pam_modutil_write (i, buffer, strlen (buffer)); + free (buffer); + } + } + else + if (dup (i) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "dup failed: %m"); + exit (err); + } + if (dup (i) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "dup failed: %m"); + exit (err); + } + + if (call_setuid) + if (setuid (geteuid ()) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "setuid(%lu) failed: %m", + (unsigned long) geteuid ()); + exit (err); + } + + if (setsid () == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "setsid failed: %m"); + exit (err); + } + + arggv = calloc (argc + 4, sizeof (char *)); + if (arggv == NULL) + exit (ENOMEM); + + for (i = 0; i < (argc - optargc); i++) + arggv[i] = argv[i+optargc]; + arggv[i] = NULL; + + if (debug) + pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); + + if (execv (arggv[0], arggv) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "execv(%s,...) failed: %m", + arggv[0]); + exit (err); + } + exit (1); /* should never be reached. */ + } + return PAM_SYSTEM_ERR; +} + +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + return call_exec (pamh, argc, argv); +} + +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +/* password updating functions */ + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + if (flags & PAM_PRELIM_CHECK) + return PAM_SUCCESS; + return call_exec (pamh, argc, argv); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + return call_exec (pamh, argc, argv); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + return call_exec (pamh, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + return call_exec (pamh, argc, argv); +} + +#ifdef PAM_STATIC +struct pam_module _pam_exec_modstruct = { + "pam_exec", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok, +}; +#endif diff --git a/Linux-PAM/modules/pam_exec/tst-pam_exec b/Linux-PAM/modules/pam_exec/tst-pam_exec new file mode 100755 index 00000000..a0b00393 --- /dev/null +++ b/Linux-PAM/modules/pam_exec/tst-pam_exec @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_exec.so diff --git a/Linux-PAM/modules/pam_faildelay/Makefile.am b/Linux-PAM/modules/pam_faildelay/Makefile.am new file mode 100644 index 00000000..ac1bc1d3 --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay + +man_MANS = pam_faildelay.8 +XMLS = README.xml pam_faildelay.8.xml + +TESTS = tst-pam_faildelay + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_faildelay.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_faildelay.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_faildelay/Makefile.in b/Linux-PAM/modules/pam_faildelay/Makefile.in new file mode 100644 index 00000000..02c94322 --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_faildelay +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_faildelay_la_LIBADD = +pam_faildelay_la_SOURCES = pam_faildelay.c +pam_faildelay_la_OBJECTS = pam_faildelay.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_faildelay.c +DIST_SOURCES = pam_faildelay.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay +man_MANS = pam_faildelay.8 +XMLS = README.xml pam_faildelay.8.xml +TESTS = tst-pam_faildelay +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_faildelay.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_faildelay/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_faildelay/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_faildelay.la: $(pam_faildelay_la_OBJECTS) $(pam_faildelay_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_faildelay_la_OBJECTS) $(pam_faildelay_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_faildelay.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_faildelay.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_faildelay/README b/Linux-PAM/modules/pam_faildelay/README new file mode 100644 index 00000000..a06d7e3f --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/README @@ -0,0 +1,33 @@ +pam_faildelay — Change the delay on failure per-application + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_faildelay is a PAM module that can be used to set the delay on failure +per-application. + +If no delay is given, pam_faildelay will use the value of FAIL_DELAY from /etc/ +login.defs. + +OPTIONS + +debug + + Turns on debugging messages sent to syslog. + +delay=N + + Set the delay on failure to N microseconds. + +EXAMPLES + +The following example will set the delay on failure to 10 seconds: + +auth optional pam_faildelay.so delay=10000000 + + +AUTHOR + +pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. + diff --git a/Linux-PAM/modules/pam_faildelay/README.xml b/Linux-PAM/modules/pam_faildelay/README.xml new file mode 100644 index 00000000..64d4accc --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +"http://www.docbook.org/xml/4.4/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_faildelay.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_faildelay.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faildelay-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_faildelay/pam_faildelay.8 b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8 new file mode 100644 index 00000000..86eb031a --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8 @@ -0,0 +1,65 @@ +.\" Title: pam_faildelay +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 12/06/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_FAILDELAY" "8" "12/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_faildelay \- Change the delay on failure per\-application +.SH "SYNOPSIS" +.HP 17 +\fBpam_faildelay.so\fR [debug] [delay=\fImicroseconds\fR] +.SH "DESCRIPTION" +.PP +pam_faildelay is a PAM module that can be used to set the delay on failure per\-application. +.PP +If no +\fBdelay\fR +is given, pam_faildelay will use the value of FAIL_DELAY from +\fI/etc/login.defs\fR. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Turns on debugging messages sent to syslog. +.TP 3n +\fBdelay=\fR\fB\fIN\fR\fR +Set the delay on failure to N microseconds. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_IGNORE +Delay was successful adjusted. +.TP 3n +PAM_SYSTEM_ERR +The specified delay was not valid. +.SH "EXAMPLES" +.PP +The following example will set the delay on failure to 10 seconds: +.sp +.RS 3n +.nf +auth optional pam_faildelay.so delay=10000000 + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam_fail_delay\fR(3), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. diff --git a/Linux-PAM/modules/pam_faildelay/pam_faildelay.8.xml b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8.xml new file mode 100644 index 00000000..d2dfd266 --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8.xml @@ -0,0 +1,136 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" + "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> + +<refentry id="pam_faildelay"> + + <refmeta> + <refentrytitle>pam_faildelay</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_faildelay-name"> + <refname>pam_faildelay</refname> + <refpurpose>Change the delay on failure per-application</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_faildelay-cmdsynopsis"> + <command>pam_faildelay.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + delay=<replaceable>microseconds</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_faildelay-description"> + + <title>DESCRIPTION</title> + + <para> + pam_faildelay is a PAM module that can be used to set + the delay on failure per-application. + </para> + <para> + If no <option>delay</option> is given, pam_faildelay will + use the value of FAIL_DELAY from <filename>/etc/login.defs</filename>. + </para> + </refsect1> + + <refsect1 id="pam_faildelay-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging messages sent to syslog. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>delay=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Set the delay on failure to N microseconds. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_faildelay-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_faildelay-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + Delay was successful adjusted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + The specified delay was not valid. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_faildelay-examples'> + <title>EXAMPLES</title> + <para> + The following example will set the delay on failure to + 10 seconds: + <programlisting> +auth optional pam_faildelay.so delay=10000000 + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_faildelay-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_faildelay-author'> + <title>AUTHOR</title> + <para> + pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_faildelay/pam_faildelay.c b/Linux-PAM/modules/pam_faildelay/pam_faildelay.c new file mode 100644 index 00000000..16cb7458 --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/pam_faildelay.c @@ -0,0 +1,231 @@ +/* pam_faildelay module */ + +/* + * Allows an admin to set the delay on failure per-application. + * Provides "auth" interface only. + * + * Use by putting something like this in the relevant pam config: + * auth required pam_faildelay.so delay=[microseconds] + * + * eg: + * auth required pam_faildelay.so delay=10000000 + * will set the delay on failure to 10 seconds. + * + * If no delay option was given, pam_faildelay.so will use the + * FAIL_DELAY value of /etc/login.defs. + * + * Based on pam_rootok and parts of pam_unix both by Andrew Morgan + * <morgan@linux.kernel.org> + * + * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> + * - Rewrite to use extended PAM functions + * - Add /etc/login.defs support + * + * Portions Copyright (c) 2005 Darren Tucker <dtucker at zip com au>. + * + * Redistribution and use in source and binary forms of, with + * or without modification, are permitted provided that the following + * conditions are met: + * + * 1. Redistributions of source code must retain any existing copyright + * notice, and this entire permission notice in its entirety, + * including the disclaimer of warranties. + * + * 2. Redistributions in binary form must reproduce all prior and current + * copyright notices, this list of conditions, and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * 3. The name of any author may not be used to endorse or promote + * products derived from this software without their specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of the + * GNU General Public License, in which case the provisions of the GNU + * GPL are required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential conflict between the GNU GPL and the + * restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR + * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#include "config.h" + +#include <errno.h> +#include <ctype.h> +#include <stdio.h> +#include <limits.h> +#include <unistd.h> +#include <syslog.h> +#include <string.h> +#include <stdlib.h> + + +#define PAM_SM_AUTH + +#include <security/pam_modules.h> +#include <security/pam_ext.h> + + +#define BUF_SIZE 8192 +#define LOGIN_DEFS "/etc/login.defs" + +static char * +search_key (const char *filename) +{ + FILE *fp; + char *buf = NULL; + size_t buflen = 0; + char *retval = NULL; + + fp = fopen (filename, "r"); + if (NULL == fp) + return NULL; + + while (!feof (fp)) + { + char *tmp, *cp; +#if defined(HAVE_GETLINE) + ssize_t n = getline (&buf, &buflen, fp); +#elif defined (HAVE_GETDELIM) + ssize_t n = getdelim (&buf, &buflen, '\n', fp); +#else + ssize_t n; + + if (buf == NULL) + { + buflen = BUF_SIZE; + buf = malloc (buflen); + } + buf[0] = '\0'; + if (fgets (buf, buflen - 1, fp) == NULL) + break; + else if (buf != NULL) + n = strlen (buf); + else + n = 0; +#endif /* HAVE_GETLINE / HAVE_GETDELIM */ + cp = buf; + + if (n < 1) + break; + + tmp = strchr (cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; + while (isspace ((int)*cp)) /* remove spaces and tabs */ + ++cp; + if (*cp == '\0') /* ignore empty lines */ + continue; + + if (cp[strlen (cp) - 1] == '\n') + cp[strlen (cp) - 1] = '\0'; + + tmp = strsep (&cp, " \t="); + if (cp != NULL) + while (isspace ((int)*cp) || *cp == '=') + ++cp; + + if (strcasecmp (tmp, "FAIL_DELAY") == 0) + { + retval = strdup (cp); + break; + } + } + fclose (fp); + + free (buf); + + return retval; +} + + +/* --- authentication management functions (only) --- */ + +PAM_EXTERN +int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, debug_flag = 0; + long int delay = -1; + + /* step through arguments */ + for (i = 0; i < argc; i++) { + if (sscanf(argv[i], "delay=%ld", &delay) == 1) { + /* sscanf did already everything necessary */ + } else if (strcmp (argv[i], "debug") == 0) + debug_flag = 1; + else + pam_syslog (pamh, LOG_ERR, "unknown option; %s", argv[i]); + } + + if (delay == -1) + { + char *endptr; + char *val = search_key (LOGIN_DEFS); + const char *val_orig = val; + + if (val == NULL) + return PAM_IGNORE; + + errno = 0; + delay = strtol (val, &endptr, 10) & 0777; + if (((delay == 0) && (val_orig == endptr)) || + ((delay == LONG_MIN || delay == LONG_MAX) && (errno == ERANGE))) + { + pam_syslog (pamh, LOG_ERR, "FAIL_DELAY=%s in %s not valid", + val, LOGIN_DEFS); + free (val); + return PAM_IGNORE; + } + + free (val); + /* delay is in seconds, convert to microseconds. */ + delay *= 1000000; + } + + if (debug_flag) + pam_syslog (pamh, LOG_DEBUG, "setting fail delay to %ld", delay); + + i = pam_fail_delay(pamh, delay); + if (i == PAM_SUCCESS) + return PAM_IGNORE; + else + return i; +} + +PAM_EXTERN +int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_rootok_modstruct = { + "pam_faildelay", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + NULL, + NULL, + NULL, +}; + +#endif + +/* end of module definition */ diff --git a/Linux-PAM/modules/pam_faildelay/tst-pam_faildelay b/Linux-PAM/modules/pam_faildelay/tst-pam_faildelay new file mode 100755 index 00000000..87f7fd44 --- /dev/null +++ b/Linux-PAM/modules/pam_faildelay/tst-pam_faildelay @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_faildelay.so diff --git a/Linux-PAM/modules/pam_filter/.upperLOWER b/Linux-PAM/modules/pam_filter/.upperLOWER deleted file mode 100644 index 2531b468..00000000 --- a/Linux-PAM/modules/pam_filter/.upperLOWER +++ /dev/null @@ -1 +0,0 @@ -a test filter that transposes upper and lower case characters diff --git a/Linux-PAM/modules/pam_filter/Makefile b/Linux-PAM/modules/pam_filter/Makefile deleted file mode 100644 index e7d7041e..00000000 --- a/Linux-PAM/modules/pam_filter/Makefile +++ /dev/null @@ -1,126 +0,0 @@ -# -# $Id: Makefile,v 1.4 2001/11/11 07:43:54 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 -# - -ifeq ($(OS),solaris) - -include ../dont_makefile - -else - -include ../../Make.Rules - -TITLE=pam_filter -FILTERS=upperLOWER -FILTERSDIR=$(SECUREDIR)/pam_filter -export FILTERSDIR - -CFLAGS += -Iinclude - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -# -# this is where we compile this module -# - -all: dirs $(LIBSHARED) $(LIBSTATIC) register filters - -dirs: - if [ ! -r include/security ]; then ln -sf . include/security ; fi -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -filters: - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i all ; \ - fi ; \ - done - - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(INCLUDED)/pam_filter.h - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i remove ; \ - fi ; \ - done - -install: all - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i install ; \ - fi ; \ - done - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/pam_filter.h $(FAKEROOT)$(INCLUDED) - -clean: - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i clean ; \ - fi ; \ - done - rm -f $(LIBSHARED) $(LIBOBJD) $(LIBOBJS) core *~ - rm -f include/security - rm -fr dynamic static - rm -f *.a *.o *.so *.bak - -endif diff --git a/Linux-PAM/modules/pam_filter/Makefile.am b/Linux-PAM/modules/pam_filter/Makefile.am new file mode 100644 index 00000000..b218bffb --- /dev/null +++ b/Linux-PAM/modules/pam_filter/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +SUBDIRS = upperLOWER + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter + +man_MANS = pam_filter.8 +XMLS = README.xml pam_filter.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +include_HEADERS=pam_filter.h + +securelib_LTLIBRARIES = pam_filter.la +TESTS = tst-pam_filter + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_filter.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_filter/Makefile.in b/Linux-PAM/modules/pam_filter/Makefile.in new file mode 100644 index 00000000..03b39bcd --- /dev/null +++ b/Linux-PAM/modules/pam_filter/Makefile.in @@ -0,0 +1,805 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_filter +DIST_COMMON = README $(include_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(includedir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_filter_la_LIBADD = +pam_filter_la_SOURCES = pam_filter.c +pam_filter_la_OBJECTS = pam_filter.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_filter.c +DIST_SOURCES = pam_filter.c +RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ + html-recursive info-recursive install-data-recursive \ + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +includeHEADERS_INSTALL = $(INSTALL_HEADER) +HEADERS = $(include_HEADERS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +SUBDIRS = upperLOWER +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter +man_MANS = pam_filter.8 +XMLS = README.xml pam_filter.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +include_HEADERS = pam_filter.h +securelib_LTLIBRARIES = pam_filter.la +TESTS = tst-pam_filter +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-recursive + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_filter/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_filter/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_filter.la: $(pam_filter_la_OBJECTS) $(pam_filter_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_filter_la_OBJECTS) $(pam_filter_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_filter.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-includeHEADERS: $(include_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(include_HEADERS)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ + $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + done + +uninstall-includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(include_HEADERS)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ + rm -f "$(DESTDIR)$(includedir)/$$f"; \ + done + +# This directory's subdirectories are mostly independent; you can cd +# into them and run `make' without going through this Makefile. +# To change the values of `make' variables: instead of editing Makefiles, +# (1) if the variable is set in `config.status', edit `config.status' +# (which will cause the Makefiles to be regenerated when you run `make'); +# (2) otherwise, pass the desired values on the `make' command line. +$(RECURSIVE_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +$(RECURSIVE_CLEAN_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + rev=''; for subdir in $$list; do \ + if test "$$subdir" = "."; then :; else \ + rev="$$subdir $$rev"; \ + fi; \ + done; \ + rev="$$rev ."; \ + target=`echo $@ | sed s/-recursive//`; \ + for subdir in $$rev; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done && test -z "$$fail" +tags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + done +ctags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + distdir=`$(am__cd) $(distdir) && pwd`; \ + top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ + (cd $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$top_distdir" \ + distdir="$$distdir/$$subdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + distdir) \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-recursive +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) +installdirs: installdirs-recursive +installdirs-am: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-recursive + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-recursive + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +info: info-recursive + +info-am: + +install-data-am: install-includeHEADERS install-man \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-recursive + +install-exec-am: + +install-html: install-html-recursive + +install-info: install-info-recursive + +install-man: install-man8 + +install-pdf: install-pdf-recursive + +install-ps: install-ps-recursive + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: uninstall-includeHEADERS uninstall-man \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ + install-strip + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am check check-TESTS check-am clean clean-generic \ + clean-libtool clean-securelibLTLIBRARIES ctags ctags-recursive \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ + install-includeHEADERS install-info install-info-am \ + install-man install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-securelibLTLIBRARIES install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \ + uninstall-includeHEADERS uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_filter.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_filter/README b/Linux-PAM/modules/pam_filter/README index 12c4aeb5..4d4e2194 100644 --- a/Linux-PAM/modules/pam_filter/README +++ b/Linux-PAM/modules/pam_filter/README @@ -1,94 +1,78 @@ -# -# $Id: README,v 1.1.1.1 2000/06/20 22:11:35 agmorgan Exp $ -# -# This describes the behavior of this module with respect to the -# /etc/pam.conf file. -# -# writen by Andrew Morgan <morgan@parc.power.net> -# +pam_filter — PAM filter module -This module is intended to be a platform for providing access to all -of the input/output that passes between the user and the application. -It is only suitable for tty-based and (stdin/stdout) applications. And -is only known to work on Linux based systems. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -The action of the module is dictated by the arguments it is given in -the pam.conf file. +DESCRIPTION -recognized flags are: +This module is intended to be a platform for providing access to all of the +input/output that passes between the user and the application. It is only +suitable for tty-based and (stdin/stdout) applications. - debug print some information to syslog(3) +To function this module requires filters to be installed on the system. The +single filter provided with the module simply transposes upper and lower case +letters in the input and output streams. (This can be very annoying and is not +kind to termcap based editors). - new_term set the PAM_TTY item to the new filtered - terminal (the default is to set it - to be that of the users terminal) +Each component of the module has the potential to invoke the desired filter. +The filter is always execv(2) with the privilege of the calling application and +not that of the user. For this reason it cannot usually be killed by the user +without closing their session. - non_term don't try to set the PAM_TTY item +OPTIONS - run1/run2 these arguments indicate that the - module should separate the application - from the user and insert a filter - program between them. The pathname of - the filter program follows the 'runN' - argument. Arguments that follow this - pathname are passed as arguments to - the filter program. +debug - The distinction between run1 and run2 - is which of the two functions of - the given management-type triggers the - execution of the indicated filter. + Print debug information. - type: run1 run2 - ----- ---- ---- +new_term - auth pam_sm_authenticate pam_sm_setcred + The default action of the filter is to set the PAM_TTY item to indicate the + terminal that the user is using to connect to the application. This + argument indicates that the filter should set PAM_TTY to the filtered + pseudo-terminal. - account [ pam_sm_acct_mgmt (either is good) ] +non_term - session pam_sm_open_session pam_sm_close_session + don't try to set the PAM_TTY item. - password pam_sm_chauthtok/PRELIM pam_sm_chauthtok/UPDATE +runX -Note, in the case of 'password' PRELIM/UPDATE indicates which of the -two calls to pam_sm_chauthtok from libpam (not the application) will -trigger the filter. + In order that the module can invoke a filter it should know when to invoke + it. This argument is required to tell the filter when to do this. -What a filter program should expect: ------------------------------------- + Permitted values for X are 1 and 2. These indicate the precise time that + the filter is to be run. To understand this concept it will be useful to + have read the pam(3) manual page. Basically, for each management group + there are up to two ways of calling the module's functions. In the case of + the authentication and session components there are actually two separate + functions. For the case of authentication, these functions are + pam_authenticate(3) and pam_setcred(3), here run1 means run the filter from + the pam_authenticate function and run2 means run the filter from + pam_setcred. In the case of the session modules, run1 implies that the + filter is invoked at the pam_open_session(3) stage, and run2 for + pam_close_session(3). -Definitions for filter programs (which may be locally designed) are -contained in the <security/pam_filter.h> file. + For the case of the account component. Either run1 or run2 may be used. -Arguments are not passed to the filter on the command line, since this -is plainly visible when a user types 'ps -a'. Instead they are passed -as the filter's environment. Other information is passed in this way -too. + For the case of the password component, run1 is used to indicate that the + filter is run on the first occasion of pam_chauthtok(3) (the + PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run + on the second occasion (the PAM_UPDATE_AUTHTOK phase). -Here is a list of the environment variables that a filter should -expect: +filter - ARGS="filter_path_name argument list" - SERVICE="service_name" (as it appears in /etc/pam.conf) - USER="username" - TYPE="module_fn" (the name of the function in pam_filter.so - that invoked the filter) + The full pathname of the filter to be run and any command line arguments + that the filter might expect. -[This list is likely to grow. If you want something added, email me!] +EXAMPLES -Among other things this module is intended to provide a useful means -of logging the activity of users in as discrete a manner as possible. +Add the following line to /etc/pam.d/login to see how to configure login to +transpose upper and lower case letters once the user has logged in: -Existing filters: ------------------ + session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER -Currently, there is a single supplied filter (upperLOWER). The effect -of using this filter is to transpose upper and lower case letters -between the user and the application. This is really annoying when you -try the 'xsh' example application! ;) -TODO: provide more filters... - Decide if providing stderr interception is really overkill. +AUTHOR -Andrew G. Morgan <morgan@parc.power.net> 1996/5/27 +pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_filter/README.xml b/Linux-PAM/modules/pam_filter/README.xml new file mode 100644 index 00000000..b76cb743 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_filter.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_filter.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_filter-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_filter/pam_filter.8 b/Linux-PAM/modules/pam_filter/pam_filter.8 new file mode 100644 index 00000000..7def7fe9 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/pam_filter.8 @@ -0,0 +1,140 @@ +.\" Title: pam_filter +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_FILTER" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_filter \- PAM filter module +.SH "SYNOPSIS" +.HP 14 +\fBpam_filter.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI...\fR] +.SH "DESCRIPTION" +.PP +This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application. It is only suitable for tty\-based and (stdin/stdout) applications. +.PP +To function this module requires +\fIfilters\fR +to be installed on the system. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams. (This can be very annoying and is not kind to termcap based editors). +.PP +Each component of the module has the potential to invoke the desired filter. The filter is always +\fBexecv\fR(2) +with the privilege of the calling application and +\fInot\fR +that of the user. For this reason it cannot usually be killed by the user without closing their session. +.SH "OPTIONS" +.PP +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBnew_term\fR +The default action of the filter is to set the +\fIPAM_TTY\fR +item to indicate the terminal that the user is using to connect to the application. This argument indicates that the filter should set +\fIPAM_TTY\fR +to the filtered pseudo\-terminal. +.TP 3n +\fBnon_term\fR +don't try to set the +\fIPAM_TTY\fR +item. +.TP 3n +\fBrunX\fR +In order that the module can invoke a filter it should know when to invoke it. This argument is required to tell the filter when to do this. +.sp +Permitted values for +\fIX\fR +are +\fI1\fR +and +\fI2\fR. These indicate the precise time that the filter is to be run. To understand this concept it will be useful to have read the +\fBpam\fR(3) +manual page. Basically, for each management group there are up to two ways of calling the module's functions. In the case of the +\fIauthentication\fR +and +\fIsession\fR +components there are actually two separate functions. For the case of authentication, these functions are +\fBpam_authenticate\fR(3) +and +\fBpam_setcred\fR(3), here +\fBrun1\fR +means run the filter from the +\fBpam_authenticate\fR +function and +\fBrun2\fR +means run the filter from +\fBpam_setcred\fR. In the case of the session modules, +\fIrun1\fR +implies that the filter is invoked at the +\fBpam_open_session\fR(3) +stage, and +\fIrun2\fR +for +\fBpam_close_session\fR(3). +.sp +For the case of the account component. Either +\fIrun1\fR +or +\fIrun2\fR +may be used. +.sp +For the case of the password component, +\fIrun1\fR +is used to indicate that the filter is run on the first occasion of +\fBpam_chauthtok\fR(3) +(the +\fIPAM_PRELIM_CHECK\fR +phase) and +\fIrun2\fR +is used to indicate that the filter is run on the second occasion (the +\fIPAM_UPDATE_AUTHTOK\fR +phase). +.TP 3n +\fBfilter\fR +The full pathname of the filter to be run and any command line arguments that the filter might expect. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +The new filter was set successfull. +.TP 3n +PAM_ABORT +Critical error, immediate abort. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to see how to configure login to transpose upper and lower case letters once the user has logged in: +.sp +.RS 3n +.nf + session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_filter/pam_filter.8.xml b/Linux-PAM/modules/pam_filter/pam_filter.8.xml new file mode 100644 index 00000000..d15d7e97 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/pam_filter.8.xml @@ -0,0 +1,261 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_filter"> + + <refmeta> + <refentrytitle>pam_filter</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_filter-name"> + <refname>pam_filter</refname> + <refpurpose>PAM filter module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_filter-cmdsynopsis"> + <command>pam_filter.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + new_term + </arg> + <arg choice="opt"> + non_term + </arg> + <arg choice="plain"> + run1|run2 + </arg> + <arg choice="plain"> + <replaceable>filter</replaceable> + </arg> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_filter-description"> + + <title>DESCRIPTION</title> + + <para> + This module is intended to be a platform for providing access to all + of the input/output that passes between the user and the application. + It is only suitable for tty-based and (stdin/stdout) applications. + </para> + <para> + To function this module requires <emphasis>filters</emphasis> to be + installed on the system. + The single filter provided with the module simply transposes upper and + lower case letters in the input and output streams. (This can be very + annoying and is not kind to termcap based editors). + </para> + <para> + Each component of the module has the potential to invoke the + desired filter. The filter is always + <citerefentry> + <refentrytitle>execv</refentrytitle><manvolnum>2</manvolnum> + </citerefentry> with the privilege of the calling application + and <emphasis>not</emphasis> that of the user. For this reason it + cannot usually be killed by the user without closing their session. + </para> + </refsect1> + + <refsect1 id="pam_filter-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>new_term</option> + </term> + <listitem> + <para> + The default action of the filter is to set the + <emphasis>PAM_TTY</emphasis> item to indicate the + terminal that the user is using to connect to the + application. This argument indicates that the filter + should set <emphasis>PAM_TTY</emphasis> to the filtered + pseudo-terminal. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>non_term</option> + </term> + <listitem> + <para> + don't try to set the <emphasis>PAM_TTY</emphasis> item. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>runX</option> + </term> + <listitem> + <para> + In order that the module can invoke a filter it should + know when to invoke it. This argument is required to tell + the filter when to do this. + </para> + <para> + Permitted values for <emphasis>X</emphasis> are + <emphasis>1</emphasis> and <emphasis>2</emphasis>. These + indicate the precise time that the filter is to be run. + To understand this concept it will be useful to have read + the <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> manual page. + Basically, for each management group there are up to two ways + of calling the module's functions. + In the case of the <emphasis>authentication</emphasis> and + <emphasis>session</emphasis> components there are actually + two separate functions. For the case of authentication, these + functions are + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, here <option>run1</option> means run the + filter from the <function>pam_authenticate</function> function + and <option>run2</option> means run the filter from + <function>pam_setcred</function>. In the case of the + session modules, <emphasis>run1</emphasis> implies + that the filter is invoked at the + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> stage, and <emphasis>run2</emphasis> for + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + For the case of the account component. Either + <emphasis>run1</emphasis> or <emphasis>run2</emphasis> + may be used. + </para> + <para> + For the case of the password component, <emphasis>run1</emphasis> + is used to indicate that the filter is run on the first + occasion of + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> (the <emphasis>PAM_PRELIM_CHECK</emphasis> + phase) and <emphasis>run2</emphasis> is used to indicate + that the filter is run on the second occasion (the + <emphasis>PAM_UPDATE_AUTHTOK</emphasis> phase). + + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>filter</option> + </term> + <listitem> + <para> + The full pathname of the filter to be run and any command line + arguments that the filter might expect. + </para> + </listitem> + </varlistentry> + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_filter-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_filter-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new filter was set successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Critical error, immediate abort. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_filter-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + see how to configure login to transpose upper and lower case letters + once the user has logged in: + + <programlisting> + session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_filter-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_filter-author'> + <title>AUTHOR</title> + <para> + pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_filter/pam_filter.c b/Linux-PAM/modules/pam_filter/pam_filter.c index 9aa23f29..1c7731b3 100644 --- a/Linux-PAM/modules/pam_filter/pam_filter.c +++ b/Linux-PAM/modules/pam_filter/pam_filter.c @@ -1,11 +1,11 @@ /* - * $Id: pam_filter.c,v 1.6 2004/11/16 14:27:41 toady Exp $ + * $Id: pam_filter.c,v 1.12 2005/12/12 14:45:00 ldv Exp $ * * written by Andrew Morgan <morgan@transmeta.com> with much help from * Richard Stevens' UNIX Network Programming book. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdlib.h> #include <syslog.h> @@ -31,7 +31,8 @@ #define PAM_SM_PASSWORD #include <security/pam_modules.h> -#include <security/pam_filter.h> +#include <security/pam_ext.h> +#include "pam_filter.h" /* ------ some tokens used for convenience throughout this file ------- */ @@ -47,20 +48,10 @@ #include <stdarg.h> -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_filter", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - #define TERMINAL_LEN 12 -static int master(char *terminal) +static int +master (const pam_handle_t *pamh, char *terminal) /* * try to open all of the terminals in sequence return first free one, * or -1 @@ -77,7 +68,8 @@ static int master(char *terminal) terminal[8] = *pty++; terminal[9] = '0'; if (stat(terminal,&tstat) < 0) { - _pam_log(LOG_WARNING, "unknown pseudo terminal; %s", terminal); + pam_syslog(pamh, LOG_WARNING, + "unknown pseudo terminal: %s", terminal); break; } for (hex = hexs; *hex; ) { /* step through 16 of these */ @@ -109,17 +101,17 @@ static int process_args(pam_handle_t *pamh } else if (strcmp("run1",*argv) == 0) { ctrl |= FILTER_RUN1; if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); + pam_syslog(pamh, LOG_ALERT, "no run filter supplied"); } else break; } else if (strcmp("run2",*argv) == 0) { ctrl |= FILTER_RUN2; if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); + pam_syslog(pamh, LOG_ALERT, "no run filter supplied"); } else break; } else { - _pam_log(LOG_ERR, "unrecognized option: %s (ignored)", *argv); + pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", *argv); } ++argv; /* step along list */ } @@ -130,17 +122,18 @@ static int process_args(pam_handle_t *pamh *evp = NULL; } else { char **levp; - const char *tmp; + const char *user = NULL; + const void *tmp; int i,size, retval; *filtername = *++argv; if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"will run filter %s\n", *filtername); + pam_syslog(pamh, LOG_DEBUG, "will run filter %s", *filtername); } levp = (char **) malloc(5*sizeof(char *)); if (levp == NULL) { - _pam_log(LOG_CRIT,"no memory for environment of filter"); + pam_syslog(pamh, LOG_CRIT, "no memory for environment of filter"); return -1; } @@ -157,7 +150,7 @@ static int process_args(pam_handle_t *pamh levp[0] = (char *) malloc(size); if (levp[0] == NULL) { - _pam_log(LOG_CRIT,"no memory for filter arguments"); + pam_syslog(pamh, LOG_CRIT, "no memory for filter arguments"); if (levp) { free(levp); } @@ -177,9 +170,9 @@ static int process_args(pam_handle_t *pamh #define SERVICE_OFFSET 8 /* strlen('SERVICE='); */ #define SERVICE_NAME "SERVICE=" - retval = pam_get_item(pamh, PAM_SERVICE, (const void **)&tmp); + retval = pam_get_item(pamh, PAM_SERVICE, &tmp); if (retval != PAM_SUCCESS || tmp == NULL) { - _pam_log(LOG_CRIT,"service name not found"); + pam_syslog(pamh, LOG_CRIT, "service name not found"); if (levp) { free(levp[0]); free(levp); @@ -190,7 +183,7 @@ static int process_args(pam_handle_t *pamh levp[1] = (char *) malloc(size+1); if (levp[1] == NULL) { - _pam_log(LOG_CRIT,"no memory for service name"); + pam_syslog(pamh, LOG_CRIT, "no memory for service name"); if (levp) { free(levp[0]); free(levp); @@ -207,16 +200,15 @@ static int process_args(pam_handle_t *pamh #define USER_OFFSET 5 /* strlen('USER='); */ #define USER_NAME "USER=" - tmp = NULL; - pam_get_user(pamh, &tmp, NULL); - if (tmp == NULL) { - tmp = "<unknown>"; + pam_get_user(pamh, &user, NULL); + if (user == NULL) { + user = "<unknown>"; } - size = USER_OFFSET+strlen(tmp); + size = USER_OFFSET+strlen(user); levp[2] = (char *) malloc(size+1); if (levp[2] == NULL) { - _pam_log(LOG_CRIT,"no memory for user's name"); + pam_syslog(pamh, LOG_CRIT, "no memory for user's name"); if (levp) { free(levp[1]); free(levp[0]); @@ -226,7 +218,7 @@ static int process_args(pam_handle_t *pamh } strncpy(levp[2],USER_NAME,USER_OFFSET); - strcpy(levp[2]+USER_OFFSET, tmp); + strcpy(levp[2]+USER_OFFSET, user); levp[2][size] = '\0'; /* <NUL> terminate */ /* the "USER" variable */ @@ -238,7 +230,7 @@ static int process_args(pam_handle_t *pamh levp[3] = (char *) malloc(size+1); if (levp[3] == NULL) { - _pam_log(LOG_CRIT,"no memory for type"); + pam_syslog(pamh, LOG_CRIT, "no memory for type"); if (levp) { free(levp[2]); free(levp[1]); @@ -260,10 +252,10 @@ static int process_args(pam_handle_t *pamh if ((ctrl & FILTER_DEBUG) && *filtername) { char **e; - _pam_log(LOG_DEBUG,"filter[%s]: %s",type,*filtername); - _pam_log(LOG_DEBUG,"environment:"); + pam_syslog(pamh, LOG_DEBUG, "filter[%s]: %s", type, *filtername); + pam_syslog(pamh, LOG_DEBUG, "environment:"); for (e=*evp; e && *e; ++e) { - _pam_log(LOG_DEBUG," %s",*e); + pam_syslog(pamh, LOG_DEBUG, " %s", *e); } } @@ -282,8 +274,9 @@ static void free_evp(char *evp[]) free(evp); } -static int set_filter(pam_handle_t *pamh, int flags, int ctrl - , const char **evp, const char *filtername) +static int +set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, + const char **evp, const char *filtername) { int status=-1; char terminal[TERMINAL_LEN]; @@ -291,7 +284,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl int fd[2], child=0, child2=0, aterminal; if (filtername == NULL || *filtername != '/') { - _pam_log(LOG_ALERT, "filtername not permitted; require full path"); + pam_syslog(pamh, LOG_ALERT, + "filtername not permitted; full pathname required"); return PAM_ABORT; } @@ -305,9 +299,9 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl /* open the master pseudo terminal */ - fd[0] = master(terminal); + fd[0] = master(pamh,terminal); if (fd[0] < 0) { - _pam_log(LOG_CRIT,"no master terminal"); + pam_syslog(pamh, LOG_CRIT, "no master terminal"); return PAM_AUTH_ERR; } @@ -317,9 +311,9 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl /* this is termios terminal handling... */ if ( tcgetattr(STDIN_FILENO, &stored_mode) < 0 ) { + pam_syslog(pamh, LOG_CRIT, "couldn't copy terminal mode: %m"); /* in trouble, so close down */ close(fd[0]); - _pam_log(LOG_CRIT, "couldn't copy terminal mode"); return PAM_ABORT; } else { struct termios t_mode = stored_mode; @@ -328,7 +322,10 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl t_mode.c_oflag &= ~OPOST; /* no ouput post processing */ /* no signals, canonical input, echoing, upper/lower output */ - t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE); +#ifdef XCASE + t_mode.c_lflag &= ~(XCASE); +#endif + t_mode.c_lflag &= ~(ISIG|ICANON|ECHO); t_mode.c_cflag &= ~(CSIZE|PARENB); /* no parity */ t_mode.c_cflag |= CS8; /* 8 bit chars */ @@ -336,8 +333,9 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */ if ( tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_mode) < 0 ) { + pam_syslog(pamh, LOG_WARNING, + "couldn't put terminal in RAW mode: %m"); close(fd[0]); - _pam_log(LOG_WARNING, "couldn't put terminal in RAW mode"); return PAM_ABORT; } @@ -354,7 +352,7 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl */ if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) { - _pam_log(LOG_CRIT,"couldn't open a stream pipe"); + pam_syslog(pamh, LOG_CRIT, "couldn't open a stream pipe: %m"); return PAM_ABORT; } } @@ -363,7 +361,7 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( (child = fork()) < 0 ) { - _pam_log(LOG_WARNING,"first fork failed"); + pam_syslog(pamh, LOG_WARNING, "first fork failed: %m"); if (aterminal) { (void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode); } @@ -389,7 +387,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl /* make this process it's own process leader */ if (setsid() == -1) { - _pam_log(LOG_WARNING,"child cannot become new session"); + pam_syslog(pamh, LOG_WARNING, + "child cannot become new session: %m"); return PAM_ABORT; } @@ -399,8 +398,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl close(fd[0]); /* process is the child -- uses line fd[1] */ if (fd[1] < 0) { - _pam_log(LOG_WARNING,"cannot open slave terminal; %s" - ,terminal); + pam_syslog(pamh, LOG_WARNING, + "cannot open slave terminal: %s: %m", terminal); return PAM_ABORT; } @@ -408,8 +407,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl parent's was before we set it into RAW mode */ if ( tcsetattr(fd[1], TCSANOW, &stored_mode) < 0 ) { - _pam_log(LOG_WARNING,"cannot set slave terminal mode; %s" - ,terminal); + pam_syslog(pamh, LOG_WARNING, + "cannot set slave terminal mode: %s: %m", terminal); close(fd[1]); return PAM_ABORT; } @@ -425,8 +424,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO || dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO || dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); + pam_syslog(pamh, LOG_WARNING, + "unable to re-assign STDIN/OUT/ERR: %m"); close(fd[1]); return PAM_ABORT; } @@ -436,8 +435,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( fcntl(STDIN_FILENO, F_SETFD, 0) || fcntl(STDOUT_FILENO,F_SETFD, 0) || fcntl(STDERR_FILENO,F_SETFD, 0) ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); + pam_syslog(pamh, LOG_WARNING, + "unable to re-assign STDIN/OUT/ERR: %m"); return PAM_ABORT; } @@ -470,7 +469,7 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( (child2 = fork()) < 0 ) { - _pam_log(LOG_WARNING,"filter fork failed"); + pam_syslog(pamh, LOG_WARNING, "filter fork failed: %m"); child2 = 0; } else if ( child2 == 0 ) { /* exec the child filter */ @@ -478,8 +477,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO || dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO || dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign APPIN/OUT/ERR...'s"); + pam_syslog(pamh, LOG_WARNING, + "unable to re-assign APPIN/OUT/ERR: %m"); close(fd[0]); exit(1); } @@ -489,8 +488,8 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 || fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 || fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) { - _pam_log(LOG_WARNING - ,"unable to retain APPIN/OUT/ERR...'s"); + pam_syslog(pamh, LOG_WARNING, + "unable to retain APPIN/OUT/ERR: %m"); close(APPIN_FILENO); close(APPOUT_FILENO); close(APPERR_FILENO); @@ -503,7 +502,7 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl /* getting to here is an error */ - _pam_log(LOG_ALERT, "filter: %s, not executable", filtername); + pam_syslog(pamh, LOG_ALERT, "filter: %s: %m", filtername); } else { /* wait for either of the two children to exit */ @@ -531,10 +530,10 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl child2 = 0; } else { - _pam_log(LOG_ALERT - ,"programming error <chid=%d,lstatus=%x>: " - __FILE__ " line %d" - , lstatus, __LINE__ ); + pam_syslog(pamh, LOG_ALERT, + "programming error <chid=%d,lstatus=%x> " + "in file %s at line %d", + chid, lstatus, __FILE__, __LINE__); child = child2 = 0; status = -1; @@ -569,10 +568,10 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl } else { - _pam_log(LOG_ALERT - ,"programming error <chid=%d,lstatus=%x>: " - __FILE__ " line %d" - , lstatus, __LINE__ ); + pam_syslog(pamh, LOG_ALERT, + "programming error <chid=%d,lstatus=%x> " + "in file %s at line %d", + chid, lstatus, __FILE__, __LINE__); child = child2 = 0; status = -1; @@ -585,27 +584,28 @@ static int set_filter(pam_handle_t *pamh, int flags, int ctrl } if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"parent process exited"); /* clock off */ + pam_syslog(pamh, LOG_DEBUG, "parent process exited"); /* clock off */ } /* quit the parent process, returning the child's exit status */ exit(status); + return status; /* never reached, to make gcc happy */ } static int set_the_terminal(pam_handle_t *pamh) { - const char *tty; + const void *tty; - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS + if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS || tty == NULL) { tty = ttyname(STDIN_FILENO); if (tty == NULL) { - _pam_log(LOG_ERR, "couldn't get the tty name"); + pam_syslog(pamh, LOG_ERR, "couldn't get the tty name"); return PAM_ABORT; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _pam_log(LOG_ERR, "couldn't set tty name"); + pam_syslog(pamh, LOG_ERR, "couldn't set tty name"); return PAM_ABORT; } } @@ -631,7 +631,7 @@ static int need_a_filter(pam_handle_t *pamh if (!(ctrl & NON_TERM) && !(ctrl & NEW_TERM)) { retval = set_the_terminal(pamh); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "tried and failed to set PAM_TTY"); + pam_syslog(pamh, LOG_ERR, "tried and failed to set PAM_TTY"); } } else { retval = PAM_SUCCESS; /* nothing to do which is always a success */ @@ -642,20 +642,20 @@ static int need_a_filter(pam_handle_t *pamh , (const char **)evp, filterfile); } - if (retval == PAM_SUCCESS + if (retval == PAM_SUCCESS && !(ctrl & NON_TERM) && (ctrl & NEW_TERM)) { retval = set_the_terminal(pamh); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR - , "tried and failed to set new terminal as PAM_TTY"); + pam_syslog(pamh, LOG_ERR, + "tried and failed to set new terminal as PAM_TTY"); } } free_evp(evp); if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG, "filter/%s, returning %d", name, retval); - _pam_log(LOG_DEBUG, "[%s]", pam_strerror(pamh, retval)); + pam_syslog(pamh, LOG_DEBUG, "filter/%s, returning %d", name, retval); + pam_syslog(pamh, LOG_DEBUG, "[%s]", pam_strerror(pamh, retval)); } return retval; @@ -720,7 +720,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags else if (flags & PAM_UPDATE_AUTHTOK) runN = FILTER_RUN2; else { - _pam_log(LOG_ERR, "unknown flags for chauthtok (0x%X)", flags); + pam_syslog(pamh, LOG_ERR, "unknown flags for chauthtok (0x%X)", flags); return PAM_TRY_AGAIN; } diff --git a/Linux-PAM/modules/pam_filter/include/pam_filter.h b/Linux-PAM/modules/pam_filter/pam_filter.h index 69e3a3e2..d15d113c 100644 --- a/Linux-PAM/modules/pam_filter/include/pam_filter.h +++ b/Linux-PAM/modules/pam_filter/pam_filter.h @@ -1,5 +1,5 @@ /* - * $Id: pam_filter.h,v 1.1.1.1 2000/06/20 22:11:36 agmorgan Exp $ + * $Id: pam_filter.h,v 1.1 2005/08/16 12:27:42 kukuk Exp $ * * this file is associated with the Linux-PAM filter module. * it was written by Andrew G. Morgan <morgan@linux.kernel.org> diff --git a/Linux-PAM/modules/pam_filter/tst-pam_filter b/Linux-PAM/modules/pam_filter/tst-pam_filter new file mode 100755 index 00000000..56a5d083 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/tst-pam_filter @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_filter.so diff --git a/Linux-PAM/modules/pam_filter/upperLOWER/Makefile b/Linux-PAM/modules/pam_filter/upperLOWER/Makefile deleted file mode 100644 index c75f4964..00000000 --- a/Linux-PAM/modules/pam_filter/upperLOWER/Makefile +++ /dev/null @@ -1,42 +0,0 @@ -# -# $Id: Makefile,v 1.4 2004/09/22 09:37:47 kukuk Exp $ -# -# This directory contains a pam_filter filter executable -# -# Created by Andrew Morgan <morgan@transmeta.com> 1996/3/11 -# - -include ../../../Make.Rules - -TITLE=upperLOWER - -# - -CFLAGS += -I../include -I../../pammodutil/include - -OBJS = $(TITLE).o - -LIBS += $(GLIB_LIBS) -L../../pammodutil -lpammodutil -LDFLAGS = $(LIBS) - -####################### don't edit below ####################### - -all: $(TITLE) - -$(TITLE): $(OBJS) - $(CC) $(CFLAGS) -o $(TITLE) $(OBJS) $(LDFLAGS) - $(STRIP) $(TITLE) - -install: - $(MKDIR) $(FAKEROOT)$(FILTERSDIR) - $(INSTALL) -m 511 $(TITLE) $(FAKEROOT)$(FILTERSDIR) - -remove: - cd $(FAKEROOT)$(FILTERSDIR) && rm -f $(TITLE) - -clean: - rm -f $(TITLE) $(OBJS) core *~ - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.am b/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.am new file mode 100644 index 00000000..205429c8 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.am @@ -0,0 +1,14 @@ +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +securelibfilterdir = $(SECUREDIR)/pam_filter + + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(srcdir)/.. @PIE_CFLAGS@ +AM_LDFLAGS = @PIE_LDFLAGS@ -L$(top_builddir)/libpam -lpam + +securelibfilter_PROGRAMS = upperLOWER diff --git a/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in b/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in new file mode 100644 index 00000000..e2d799f4 --- /dev/null +++ b/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in @@ -0,0 +1,525 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +securelibfilter_PROGRAMS = upperLOWER$(EXEEXT) +subdir = modules/pam_filter/upperLOWER +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__installdirs = "$(DESTDIR)$(securelibfilterdir)" +securelibfilterPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(securelibfilter_PROGRAMS) +upperLOWER_SOURCES = upperLOWER.c +upperLOWER_OBJECTS = upperLOWER.$(OBJEXT) +upperLOWER_LDADD = $(LDADD) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = upperLOWER.c +DIST_SOURCES = upperLOWER.c +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +securelibfilterdir = $(SECUREDIR)/pam_filter +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(srcdir)/.. @PIE_CFLAGS@ + +AM_LDFLAGS = @PIE_LDFLAGS@ -L$(top_builddir)/libpam -lpam +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_filter/upperLOWER/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_filter/upperLOWER/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibfilterPROGRAMS: $(securelibfilter_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(securelibfilterdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibfilterdir)" + @list='$(securelibfilter_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(securelibfilterPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(securelibfilterdir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(securelibfilterPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(securelibfilterdir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-securelibfilterPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(securelibfilter_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(securelibfilterdir)/$$f'"; \ + rm -f "$(DESTDIR)$(securelibfilterdir)/$$f"; \ + done + +clean-securelibfilterPROGRAMS: + @list='$(securelibfilter_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +upperLOWER$(EXEEXT): $(upperLOWER_OBJECTS) $(upperLOWER_DEPENDENCIES) + @rm -f upperLOWER$(EXEEXT) + $(LINK) $(upperLOWER_OBJECTS) $(upperLOWER_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upperLOWER.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(securelibfilterdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibfilterPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-securelibfilterPROGRAMS + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-securelibfilterPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-securelibfilterPROGRAMS ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-securelibfilterPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-securelibfilterPROGRAMS + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c b/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c index ee3544a1..c0fc5b17 100644 --- a/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c +++ b/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c @@ -1,17 +1,11 @@ /* - * $Id: upperLOWER.c,v 1.5 2004/09/22 09:37:48 kukuk Exp $ - * * This is a sample filter program, for use with pam_filter (a module * provided with Linux-PAM). This filter simply transposes upper and * lower case letters, it is intended for demonstration purposes and * it serves no purpose other than to annoy the user... */ -#include <security/_pam_aconf.h> - -#ifdef MEMORY_DEBUG -# undef exit -#endif /* MEMORY_DEBUG */ +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -20,29 +14,13 @@ #include <sys/types.h> #include <unistd.h> -#include <security/pam_filter.h> +#include "pam_filter.h" #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> /* ---------------------------------------------------------------- */ -#include <stdarg.h> -#ifdef hpux -# define log_this syslog -#else -static void log_this(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} -#endif - #include <ctype.h> static void do_transpose(char *buffer,int len) @@ -59,13 +37,15 @@ static void do_transpose(char *buffer,int len) extern char **environ; -int main(int argc, char **argv) +int main(int argc, char **argv UNUSED) { char buffer[BUFSIZ]; fd_set readers; void (*before_user)(char *,int); void (*before_app)(char *,int); + openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTHPRIV); + #ifdef DEBUG { int i; @@ -82,7 +62,7 @@ int main(int argc, char **argv) #ifdef DEBUG fprintf(stderr,"filter invoked as conventional executable\n"); #else - log_this(LOG_ERR, "filter invoked as conventional executable"); + syslog(LOG_ERR, "filter invoked as conventional executable"); #endif exit(1); } @@ -104,7 +84,7 @@ int main(int argc, char **argv) #ifdef DEBUG fprintf(stderr,"select failed\n"); #else - log_this(LOG_WARNING,"select failed"); + syslog(LOG_WARNING,"select failed"); #endif break; } @@ -112,49 +92,49 @@ int main(int argc, char **argv) /* application errors */ if ( FD_ISSET(APPERR_FILENO,&readers) ) { - int got = _pammodutil_read(APPERR_FILENO, buffer, BUFSIZ); + int got = pam_modutil_read(APPERR_FILENO, buffer, BUFSIZ); if (got <= 0) { break; } else { /* translate to give to real terminal */ if (before_user != NULL) before_user(buffer, got); - if (_pammodutil_write(STDERR_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes?!",got); + if (pam_modutil_write(STDERR_FILENO, buffer, got) != got ) { + syslog(LOG_WARNING,"couldn't write %d bytes?!",got); break; } } } else if ( FD_ISSET(APPOUT_FILENO,&readers) ) { /* app output */ - int got = _pammodutil_read(APPOUT_FILENO, buffer, BUFSIZ); + int got = pam_modutil_read(APPOUT_FILENO, buffer, BUFSIZ); if (got <= 0) { break; } else { /* translate to give to real terminal */ if (before_user != NULL) before_user(buffer, got); - if (_pammodutil_write(STDOUT_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes!?",got); + if (pam_modutil_write(STDOUT_FILENO, buffer, got) != got ) { + syslog(LOG_WARNING,"couldn't write %d bytes!?",got); break; } } } if ( FD_ISSET(STDIN_FILENO, &readers) ) { /* user input */ - int got = _pammodutil_read(STDIN_FILENO, buffer, BUFSIZ); + int got = pam_modutil_read(STDIN_FILENO, buffer, BUFSIZ); if (got < 0) { - log_this(LOG_WARNING,"user input junked"); + syslog(LOG_WARNING,"user input junked"); break; } else if (got) { /* translate to give to application */ if (before_app != NULL) before_app(buffer, got); - if (_pammodutil_write(APPIN_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't pass %d bytes!?",got); + if (pam_modutil_write(APPIN_FILENO, buffer, got) != got ) { + syslog(LOG_WARNING,"couldn't pass %d bytes!?",got); break; } } else { /* nothing received -- an error? */ - log_this(LOG_WARNING,"user input null?"); + syslog(LOG_WARNING,"user input null?"); break; } } @@ -162,6 +142,3 @@ int main(int argc, char **argv) exit(0); } - - - diff --git a/Linux-PAM/modules/pam_ftp/Makefile b/Linux-PAM/modules/pam_ftp/Makefile deleted file mode 100644 index 456161bf..00000000 --- a/Linux-PAM/modules/pam_ftp/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:03 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_ftp - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_ftp/Makefile.am b/Linux-PAM/modules/pam_ftp/Makefile.am new file mode 100644 index 00000000..e6d510a1 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp + +man_MANS = pam_ftp.8 +XMLS = README.xml pam_ftp.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_ftp.la + +TESTS = tst-pam_ftp + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_ftp.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_ftp/Makefile.in b/Linux-PAM/modules/pam_ftp/Makefile.in new file mode 100644 index 00000000..875a71a1 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_ftp +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_ftp_la_LIBADD = +pam_ftp_la_SOURCES = pam_ftp.c +pam_ftp_la_OBJECTS = pam_ftp.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_ftp.c +DIST_SOURCES = pam_ftp.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp +man_MANS = pam_ftp.8 +XMLS = README.xml pam_ftp.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_ftp.la +TESTS = tst-pam_ftp +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_ftp/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_ftp/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_ftp.la: $(pam_ftp_la_OBJECTS) $(pam_ftp_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_ftp_la_OBJECTS) $(pam_ftp_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_ftp.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_ftp.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_ftp/README b/Linux-PAM/modules/pam_ftp/README index 6d03330c..15f4130e 100644 --- a/Linux-PAM/modules/pam_ftp/README +++ b/Linux-PAM/modules/pam_ftp/README @@ -1,18 +1,52 @@ -This is the README for pam_ftp ------------------------------- +pam_ftp — PAM module for anonymous access module -This module is an authentication module that does simple ftp -authentication. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -Recognized arguments: +DESCRIPTION - "debug" print debug messages - "users=" comma separated list of users which - could login only with email adress - "ignore" allow invalid email adresses +pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of +access. -Options for: -auth: for authentication it provides pam_authenticate() and - pam_setcred() hooks. +This module intercepts the user's name and password. If the name is ftp or +anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER +and a PAM_RHOST part; these pam-items being set accordingly. The username ( +PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the +module sets the PAM_AUTHTOK item with the entered password and fails. + +This module is not safe and easily spoofable. + +OPTIONS + +debug + + Print debug information. + +ignore + + Pay no attention to the email address of the user (if supplied). + +ftp=XXX,YYY,... + + Instead of ftp or anonymous, provide anonymous login to the comma separated + list of users: XXX,YYY,.... Should the applicant enter one of these + usernames the returned username is set to the first in the list: XXX. + +EXAMPLES + +Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous login: + +# +# ftpd; add ftp-specifics. These lines enable anonymous ftp over +# standard UN*X access (the listfile entry blocks access to +# users listed in /etc/ftpusers) +# +auth sufficient pam_ftp.so +auth required pam_unix.so use_first_pass +auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers + + +AUTHOR + +pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. -Thorsten Kukuk <kukuk@suse.de>, 17. June 1999 diff --git a/Linux-PAM/modules/pam_ftp/README.xml b/Linux-PAM/modules/pam_ftp/README.xml new file mode 100644 index 00000000..65de28e3 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_ftp.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_ftp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_ftp-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_ftp/pam_ftp.8 b/Linux-PAM/modules/pam_ftp/pam_ftp.8 new file mode 100644 index 00000000..0c730267 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/pam_ftp.8 @@ -0,0 +1,95 @@ +.\" Title: pam_ftp +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_FTP" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_ftp \- PAM module for anonymous access module +.SH "SYNOPSIS" +.HP 11 +\fBpam_ftp.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] +.SH "DESCRIPTION" +.PP +pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access. +.PP +This module intercepts the user's name and password. If the name is +\fIftp\fR +or +\fIanonymous\fR, the user's password is broken up at the +\fI@\fR +delimiter into a +\fIPAM_RUSER\fR +and a +\fIPAM_RHOST\fR +part; these pam\-items being set accordingly. The username (\fIPAM_USER\fR) is set to +\fIftp\fR. In this case the module succeeds. Alternatively, the module sets the +\fIPAM_AUTHTOK\fR +item with the entered password and fails. +.PP +This module is not safe and easily spoofable. +.SH "OPTIONS" +.PP +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBignore\fR +Pay no attention to the email address of the user (if supplied). +.TP 3n +\fBftp=\fR\fB\fIXXX,YYY,...\fR\fR +Instead of +\fIftp\fR +or +\fIanonymous\fR, provide anonymous login to the comma separated list of users: +\fB\fIXXX,YYY,...\fR\fR. Should the applicant enter one of these usernames the returned username is set to the first in the list: +\fIXXX\fR. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +The authentication was successfull. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/ftpd\fR +to handle ftp style anonymous login: +.sp +.RS 3n +.nf +# +# ftpd; add ftp\-specifics. These lines enable anonymous ftp over +# standard UN*X access (the listfile entry blocks access to +# users listed in /etc/ftpusers) +# +auth sufficient pam_ftp.so +auth required pam_unix.so use_first_pass +auth required pam_listfile.so \\ + onerr=succeed item=user sense=deny file=/etc/ftpusers + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_ftp/pam_ftp.8.xml b/Linux-PAM/modules/pam_ftp/pam_ftp.8.xml new file mode 100644 index 00000000..aca21694 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/pam_ftp.8.xml @@ -0,0 +1,183 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_ftp"> + + <refmeta> + <refentrytitle>pam_ftp</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_ftp-name"> + <refname>pam_ftp</refname> + <refpurpose>PAM module for anonymous access module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_ftp-cmdsynopsis"> + <command>pam_ftp.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + ignore + </arg> + <arg choice="opt" rep='repeat'> + users=<replaceable>XXX,YYY,</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_ftp-description"> + + <title>DESCRIPTION</title> + + <para> + pam_ftp is a PAM module which provides a pluggable + anonymous ftp mode of access. + </para> + <para> + This module intercepts the user's name and password. If the name is + <emphasis>ftp</emphasis> or <emphasis>anonymous</emphasis>, the + user's password is broken up at the <emphasis>@</emphasis> delimiter + into a <emphasis>PAM_RUSER</emphasis> and a + <emphasis>PAM_RHOST</emphasis> part; these pam-items being set + accordingly. The username (<emphasis>PAM_USER</emphasis>) is set + to <emphasis>ftp</emphasis>. In this case the module succeeds. + Alternatively, the module sets the <emphasis>PAM_AUTHTOK</emphasis> + item with the entered password and fails. + </para> + <para> + This module is not safe and easily spoofable. + </para> + </refsect1> + + <refsect1 id="pam_ftp-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ignore</option> + </term> + <listitem> + <para> + Pay no attention to the email address of the user + (if supplied). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ftp=<replaceable>XXX,YYY,...</replaceable></option> + </term> + <listitem> + <para> + Instead of <emphasis>ftp</emphasis> or + <emphasis>anonymous</emphasis>, provide anonymous login + to the comma separated list of users: + <option><replaceable>XXX,YYY,...</replaceable></option>. + Should the applicant enter + one of these usernames the returned username is set to + the first in the list: <emphasis>XXX</emphasis>. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_ftp-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_ftp-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication was successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_ftp-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/ftpd</filename> to + handle ftp style anonymous login: + <programlisting> +# +# ftpd; add ftp-specifics. These lines enable anonymous ftp over +# standard UN*X access (the listfile entry blocks access to +# users listed in /etc/ftpusers) +# +auth sufficient pam_ftp.so +auth required pam_unix.so use_first_pass +auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_ftp-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_ftp-author'> + <title>AUTHOR</title> + <para> + pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_ftp/pam_ftp.c b/Linux-PAM/modules/pam_ftp/pam_ftp.c index 64df95ac..948dd729 100644 --- a/Linux-PAM/modules/pam_ftp/pam_ftp.c +++ b/Linux-PAM/modules/pam_ftp/pam_ftp.c @@ -1,7 +1,7 @@ /* pam_ftp module */ /* - * $Id: pam_ftp.c,v 1.3 2004/09/22 09:37:48 kukuk Exp $ + * $Id: pam_ftp.c,v 1.10 2005/10/04 11:35:18 ldv Exp $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * @@ -14,7 +14,7 @@ /* the following is a password that "can't be correct" */ #define BLOCK_PASSWORD "\177BAD PASSWPRD\177" -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -34,53 +34,7 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-ftp", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static int converse(pam_handle_t *pamh, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse\n")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS && conv ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function\n")); - - if ((retval != PAM_SUCCESS) && (retval != PAM_CONV_AGAIN)) { - _pam_log(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - if (retval == PAM_SUCCESS) - retval = PAM_BAD_ITEM; /* conv was NULL */ - } - - D(("ready to return from module conversation\n")); - - return retval; /* propagate error status */ -} +#include <security/pam_ext.h> /* argument parsing */ @@ -88,7 +42,8 @@ static int converse(pam_handle_t *pamh, int nargs #define PAM_IGNORE_EMAIL 02 #define PAM_NO_ANON 04 -static int _pam_parse(int argc, const char **argv, char **users) +static int +_pam_parse(pam_handle_t *pamh, int argc, const char **argv, const char **users) { int ctrl=0; @@ -100,15 +55,11 @@ static int _pam_parse(int argc, const char **argv, char **users) if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; else if (!strncmp(*argv,"users=",6)) { - *users = x_strdup(6+*argv); - if (*users == NULL) { - ctrl |= PAM_NO_ANON; - _pam_log(LOG_CRIT, "failed to duplicate user list - anon off"); - } + *users = 6 + *argv; } else if (!strcmp(*argv,"ignore")) { ctrl |= PAM_IGNORE_EMAIL; } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -120,23 +71,26 @@ static int _pam_parse(int argc, const char **argv, char **users) * return 1 if listed 0 if not. */ -static int lookup(const char *name, char *list, const char **_user) +static int lookup(const char *name, const char *list, const char **_user) { int anon = 0; *_user = name; /* this is the default */ - if (list) { + if (list && *list) { const char *l; - char *x; + char *list_copy, *x; - x = list; - while ((l = strtok(x, ","))) { + list_copy = x_strdup(list); + x = list_copy; + while (list_copy && (l = strtok(x, ","))) { x = NULL; if (!strcmp(name, l)) { *_user = list; anon = 1; } } + _pam_overwrite(list_copy); + _pam_drop(list_copy); } else { #define MAX_L 2 static const char *l[MAX_L] = { "ftp", "anonymous" }; @@ -156,13 +110,13 @@ static int lookup(const char *name, char *list, const char **_user) /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval, anon=0, ctrl; const char *user; - char *users=NULL; + const char *users = NULL; /* * this module checks if the user name is ftp or annonymous. If @@ -170,11 +124,11 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc * address and SUCCEEDS, otherwise it FAILS. */ - ctrl = _pam_parse(argc, argv, &users); + ctrl = _pam_parse(pamh, argc, argv, &users); retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS || user == NULL) { - _pam_log(LOG_ERR, "no user specified"); + pam_syslog(pamh, LOG_ERR, "no user specified"); return PAM_USER_UNKNOWN; } @@ -185,7 +139,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc if (anon) { retval = pam_set_item(pamh, PAM_USER, (const void *)user); if (retval != PAM_SUCCESS || user == NULL) { - _pam_log(LOG_ERR, "user resetting failed"); + pam_syslog(pamh, LOG_ERR, "user resetting failed"); return PAM_USER_UNKNOWN; } } @@ -196,46 +150,27 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc */ { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; + char *resp = NULL; const char *token; - char *prompt=NULL; - int i=0; - - if (!anon) { - prompt = malloc(strlen(PLEASE_ENTER_PASSWORD) + strlen(user)); - if (prompt == NULL) { - D(("out of memory!?")); - return PAM_BUF_ERR; - } else { - sprintf(prompt, PLEASE_ENTER_PASSWORD, user); - msg[i].msg = prompt; - } - } else { - msg[i].msg = GUEST_LOGIN_PROMPT; - } - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - mesg[i] = &msg[i]; - - retval = converse(pamh, ++i, mesg, &resp); - if (prompt) { - _pam_overwrite(prompt); - _pam_drop(prompt); - } + if (!anon) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + PLEASE_ENTER_PASSWORD, user); + else + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + GUEST_LOGIN_PROMPT); if (retval != PAM_SUCCESS) { - if (resp != NULL) - _pam_drop_reply(resp,i); + _pam_drop (resp); return ((retval == PAM_CONV_AGAIN) ? PAM_INCOMPLETE:PAM_AUTHINFO_UNAVAIL); } if (anon) { - /* XXX: Some effort should be made to verify this email address! */ + /* XXX: Some effort should be made to verify this email address! */ if (!(ctrl & PAM_IGNORE_EMAIL)) { - token = strtok(resp->resp, "@"); + token = strtok(resp, "@"); retval = pam_set_item(pamh, PAM_RUSER, token); if ((token) && (retval == PAM_SUCCESS)) { @@ -252,7 +187,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc * we have a password so set AUTHTOK */ - (void) pam_set_item(pamh, PAM_AUTHTOK, resp->resp); + pam_set_item(pamh, PAM_AUTHTOK, resp); /* * this module failed, but the next one might succeed with @@ -262,9 +197,8 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc retval = PAM_AUTH_ERR; } - if (resp) { /* clean up */ - _pam_drop_reply(resp, i); - } + /* clean up */ + _pam_drop(resp); /* success or failure */ @@ -272,9 +206,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc } } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } diff --git a/Linux-PAM/modules/pam_ftp/tst-pam_ftp b/Linux-PAM/modules/pam_ftp/tst-pam_ftp new file mode 100755 index 00000000..1a4f67c7 --- /dev/null +++ b/Linux-PAM/modules/pam_ftp/tst-pam_ftp @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_ftp.so diff --git a/Linux-PAM/modules/pam_group/Makefile b/Linux-PAM/modules/pam_group/Makefile deleted file mode 100644 index 06c88998..00000000 --- a/Linux-PAM/modules/pam_group/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# $Id: Makefile,v 1.3 2003/11/27 07:49:46 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_group -LOCAL_CONFILE=./group.conf -INSTALLED_CONFILE=$(SCONFIGD)/group.conf - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_group/Makefile.am b/Linux-PAM/modules/pam_group/Makefile.am new file mode 100644 index 00000000..544fa12f --- /dev/null +++ b/Linux-PAM/modules/pam_group/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group + +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_group.la + +secureconf_DATA = group.conf + +TESTS = tst-pam_group + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_group.8.xml group.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_group/Makefile.in b/Linux-PAM/modules/pam_group/Makefile.in new file mode 100644 index 00000000..7deca09c --- /dev/null +++ b/Linux-PAM/modules/pam_group/Makefile.in @@ -0,0 +1,736 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_group +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_group_la_LIBADD = +pam_group_la_SOURCES = pam_group.c +pam_group_la_OBJECTS = pam_group.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_group.c +DIST_SOURCES = pam_group.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group +man_MANS = group.conf.5 pam_group.8 +XMLS = README.xml group.conf.5.xml pam_group.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_group.la +secureconf_DATA = group.conf +TESTS = tst-pam_group +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_group/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_group/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_group.la: $(pam_group_la_OBJECTS) $(pam_group_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_group_la_OBJECTS) $(pam_group_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_group.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_group.8.xml group.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_group/README b/Linux-PAM/modules/pam_group/README new file mode 100644 index 00000000..2e1e37a5 --- /dev/null +++ b/Linux-PAM/modules/pam_group/README @@ -0,0 +1,45 @@ +pam_group — PAM module for group access + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module fuctions in parallel with the /etc/group file. If the user +is granted any groups based on the behavior of this module, they are granted in +addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to +games (through membership of the floppy group) after work hours. + +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + diff --git a/Linux-PAM/modules/pam_group/README.xml b/Linux-PAM/modules/pam_group/README.xml new file mode 100644 index 00000000..387d6987 --- /dev/null +++ b/Linux-PAM/modules/pam_group/README.xml @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> +--> +<!-- +<!ENTITY groupconf SYSTEM "group.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_group/group.conf b/Linux-PAM/modules/pam_group/group.conf index e721b990..d4a10672 100644 --- a/Linux-PAM/modules/pam_group/group.conf +++ b/Linux-PAM/modules/pam_group/group.conf @@ -1,10 +1,7 @@ -## -## Note, to get this to work as it is currently typed you need -## -## 1. to run an application as root -## 2. add the following groups to the /etc/group file: -## floppy, games, sound -## +# +# This is the configuration file for the pam_group module. +# + # # *** Please note that giving group membership on a session basis is # *** NOT inherently secure. If a user can create an executable that @@ -16,11 +13,9 @@ # *** "chgrp games toplay; chmod g+s toplay". They are basically able # *** to play games any time... You have been warned. AGM # -# this is an example configuration file for the pam_group module. Its -# syntax is based on that of the pam_time module and (at some point in -# the distant past was inspired by the 'shadow' package) + # -# the syntax of the lines is as follows: +# The syntax of the lines is as follows: # # services;ttys;users;times;groups # @@ -28,15 +23,59 @@ # newlines). From reading these comments, it is clear that # text following a '#' is ignored to the end of the line. # -# the first four fields are described in the pam_time directory. -# The only difference for these is how the time field is interpretted: -# it is used to indicate "when" these groups are to be given to the user. +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). # # groups -# The (comma or space separated) list of groups that the user +# The (comma or space separated) list of groups that the user # inherits membership of. These groups are added if the previous # fields are satisfied by the user's request # +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, games, sound +# # # Here is a simple example: running 'xsh' on tty* (any ttyXXX device), diff --git a/Linux-PAM/modules/pam_group/group.conf.5 b/Linux-PAM/modules/pam_group/group.conf.5 new file mode 100644 index 00000000..0e36ebf4 --- /dev/null +++ b/Linux-PAM/modules/pam_group/group.conf.5 @@ -0,0 +1,83 @@ +.\" Title: group.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "GROUP.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +group.conf \- configuration file for the pam_group module +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. +.PP +For this module to function correctly there must be a correctly formatted +\fI/etc/security/group.conf\fR +file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line. +.PP +The syntax of the lines is as follows: +.PP + +\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR;\fIgroups\fR +.PP +The first field, the +\fIservices\fR +field, is a logic list of PAM service names that the rule applies to. +.PP +The second field, the +\fItty\fR +field, is a logic list of terminal names that this rule applies to. +.PP +The third field, the +\fIusers\fR +field, is a logic list of users or a netgroup of users to whom this rule applies. +.PP +For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. +.PP +The +\fItimes\fR +field is used to indicate "when" these groups are to be given to the user. The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday. +.PP +Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day). +.PP +The +\fIgroups\fR +field is a comma or space separated list of groups that the user inherits membership of. These groups are added if the previous fields are satisfied by the user's request. +.PP +For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/group.conf\fR. +.PP +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the floppy (through membership of the floppy group) +.sp +.RS 3n +.nf +xsh;tty*&!ttyp*;us;Al0000\-2400;floppy +.fi +.RE +.PP +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to games (through membership of the floppy group) after work hours. +.sp +.RS 3n +.nf +xsh; tty* ;sword;!Wk0900\-1800;games, sound +xsh; tty* ;*;Al0900\-1800;floppy + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam_group\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_group was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_group/group.conf.5.xml b/Linux-PAM/modules/pam_group/group.conf.5.xml new file mode 100644 index 00000000..9c008eb0 --- /dev/null +++ b/Linux-PAM/modules/pam_group/group.conf.5.xml @@ -0,0 +1,131 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="group.conf"> + + <refmeta> + <refentrytitle>group.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>group.conf</refname> + <refpurpose>configuration file for the pam_group module</refpurpose> + </refnamediv> + + <refsect1 id='group.conf-description'> + <title>DESCRIPTION</title> + + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + For this module to function correctly there must be a correctly + formatted <filename>/etc/security/group.conf</filename> file present. + White spaces are ignored and lines maybe extended with '\' (escaped + newlines). Text following a '#' is ignored to the end of the line. + </para> + + <para> + The syntax of the lines is as follows: + </para> + + <para> + <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>;<replaceable>groups</replaceable> + </para> + + + <para> + The first field, the <replaceable>services</replaceable> field, is a logic list + of PAM service names that the rule applies to. + </para> + + <para> + The second field, the <replaceable>tty</replaceable> + field, is a logic list of terminal names that this rule applies to. + </para> + + <para> + The third field, the <replaceable>users</replaceable> + field, is a logic list of users or a netgroup of users to whom this + rule applies. + </para> + + <para> + For these items the simple wildcard '*' may be used only once. + With netgroups no wildcards or logic operators are allowed. + </para> + + <para> + The <replaceable>times</replaceable> field is used to indicate "when" + these groups are to be given to the user. The format here is a logic + list of day/time-range entries. The days are specified by a sequence of + two character entries, MoTuSa for example is Monday Tuesday and Saturday. + Note that repeated days are unset MoMo = no day, and MoWk = all weekdays + bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa + Su Wk Wd Al, the last two being week-end days and all 7 days of the week + respectively. As a final example, AlFr means all days except Friday. + </para> + <para> + Each day/time-range can be prefixed with a '!' to indicate "anything but". + The time-range part is two 24-hour times HHMM, separated by a hyphen, + indicating the start and finish time (if the finish time is smaller + than the start time it is deemed to apply on the following day). + </para> + + <para> + The <replaceable>groups</replaceable> field is a comma or space + separated list of groups that the user inherits membership of. These + groups are added if the previous fields are satisfied by the user's request. + </para> + + <para> + For a rule to be active, ALL of service+ttys+users must be satisfied + by the applying process. + </para> + </refsect1> + + <refsect1 id="group.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/group.conf</filename>. + </para> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access + to the floppy (through membership of the floppy group) + </para> + <programlisting>xsh;tty*&!ttyp*;us;Al0000-2400;floppy</programlisting> + + <para> + Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access + to games (through membership of the floppy group) after work hours. + </para> + <programlisting> +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + </programlisting> + </refsect1> + + <refsect1 id="group.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="group.conf-author"> + <title>AUTHOR</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_group/pam_group.8 b/Linux-PAM/modules/pam_group/pam_group.8 new file mode 100644 index 00000000..7058f1aa --- /dev/null +++ b/Linux-PAM/modules/pam_group/pam_group.8 @@ -0,0 +1,80 @@ +.\" Title: pam_group +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/22/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_GROUP" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_group \- PAM module for group access +.SH "SYNOPSIS" +.HP 13 +\fBpam_group.so\fR +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. +.PP +By default rules for group memberships are taken from config file +\fI/etc/security/group.conf\fR. +.PP +This module's usefulness relies on the file\-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a +\fBsetgid\fR +binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted +\fInosuid\fR +the user is unable to create or execute such a binary file. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted +\fInosuid\fR. +.PP +The pam_group module fuctions in parallel with the +\fI/etc/group\fR +file. If the user is granted any groups based on the behavior of this module, they are granted +\fIin addition\fR +to those entries +\fI/etc/group\fR +(or equivalent). +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +group membership was granted. +.TP 3n +PAM_ABORT +Not all relevant data could be gotten. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_CRED_ERR +Group membership was not granted. +.TP 3n +PAM_IGNORE + +\fBpam_sm_authenticate\fR +was called which does nothing. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "FILES" +.TP 3n +\fI/etc/security/group.conf\fR +Default configuration file +.SH "SEE ALSO" +.PP + +\fBgroup.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHORS" +.PP +pam_group was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_group/pam_group.8.xml b/Linux-PAM/modules/pam_group/pam_group.8.xml new file mode 100644 index 00000000..61c7eef1 --- /dev/null +++ b/Linux-PAM/modules/pam_group/pam_group.8.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_group'> + + <refmeta> + <refentrytitle>pam_group</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_group-name'> + <refname>pam_group</refname> + <refpurpose> + PAM module for group access + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_group-cmdsynopsis"> + <command>pam_group.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_group-description"> + <title>DESCRIPTION</title> + <para> + The pam_group PAM module does not authenticate the user, but instead + it grants group memberships (in the credential setting phase of the + authentication module) to the user. Such memberships are based on the + service they are applying for. + </para> + <para> + By default rules for group memberships are taken from config file + <filename>/etc/security/group.conf</filename>. + </para> + <para> + This module's usefulness relies on the file-systems + accessible to the user. The point being that once granted the + membership of a group, the user may attempt to create a + <function>setgid</function> binary with a restricted group ownership. + Later, when the user is not given membership to this group, they can + recover group membership with the precompiled binary. The reason that + the file-systems that the user has access to are so significant, is the + fact that when a system is mounted <emphasis>nosuid</emphasis> the user + is unable to create or execute such a binary file. For this module to + provide any level of security, all file-systems that the user has write + access to should be mounted <emphasis>nosuid</emphasis>. + </para> + <para> + The pam_group module fuctions in parallel with the + <filename>/etc/group</filename> file. If the user is granted any groups + based on the behavior of this module, they are granted + <emphasis>in addition</emphasis> to those entries + <filename>/etc/group</filename> (or equivalent). + </para> + </refsect1> + + <refsect1 id="pam_group-options"> + <title>OPTIONS</title> + <para>This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_group-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_group-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + group membership was granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + Group membership was not granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_sm_authenticate</function> was called which does nothing. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/group.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_group-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>group.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_group-authors"> + <title>AUTHORS</title> + <para> + pam_group was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_group/pam_group.c b/Linux-PAM/modules/pam_group/pam_group.c index c7b75fe2..1dc329ef 100644 --- a/Linux-PAM/modules/pam_group/pam_group.c +++ b/Linux-PAM/modules/pam_group/pam_group.c @@ -1,17 +1,10 @@ /* pam_group module */ /* - * $Id: pam_group.c,v 1.7 2004/09/24 13:13:20 kukuk Exp $ - * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6 */ -const static char rcsid[] = -"$Id: pam_group.c,v 1.7 2004/09/24 13:13:20 kukuk Exp $;\n" -"Version 0.5 for Linux-PAM\n" -"Copyright (c) Andrew G. Morgan 1996 <morgan@linux.kernel.org>\n"; - -#define _BSD_SOURCE +#include "config.h" #include <sys/file.h> #include <stdio.h> @@ -27,23 +20,18 @@ const static char rcsid[] = #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> +#include <netdb.h> -#ifdef DEFAULT_CONF_FILE -# define PAM_GROUP_CONF DEFAULT_CONF_FILE /* from external define */ -#else -# define PAM_GROUP_CONF "/etc/security/group.conf" -#endif #define PAM_GROUP_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ -#ifdef TRUE -# undef TRUE -#endif -#ifdef FALSE -# undef FALSE +#ifndef TRUE +# define TRUE 1 +#endif +#ifndef FALSE +# define FALSE 0 #endif -typedef enum { FALSE, TRUE } boolean; typedef enum { AND, OR } operator; /* @@ -57,21 +45,11 @@ typedef enum { AND, OR } operator; #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* --- static functions for checking whether the user should be let in --- */ -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_group", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - static void shift_bytes(char *mem, int from, int by) { while (by-- > 0) { @@ -86,14 +64,15 @@ static void shift_bytes(char *mem, int from, int by) * Therefore, always check buf after calling this to see if an error * occurred. */ -static int read_field(int fd, char **buf, int *from, int *to) +static int +read_field (const pam_handle_t *pamh, int fd, char **buf, int *from, int *to) { /* is buf set ? */ if (! *buf) { *buf = (char *) malloc(PAM_GROUP_BUFLEN); if (! *buf) { - _log_err("out of memory"); + pam_syslog(pamh, LOG_ERR, "out of memory"); return -1; } *from = *to = 0; @@ -103,7 +82,7 @@ static int read_field(int fd, char **buf, int *from, int *to) /* do we have a file open ? return error */ if (fd < 0 && *to <= 0) { - _log_err( PAM_GROUP_CONF " not opened"); + pam_syslog(pamh, LOG_ERR, "%s not opened", PAM_GROUP_CONF); memset(*buf, 0, PAM_GROUP_BUFLEN); _pam_drop(*buf); return -1; @@ -132,7 +111,7 @@ static int read_field(int fd, char **buf, int *from, int *to) i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to); if (i < 0) { - _log_err("error reading " PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF); close(fd); return -1; } else if (!i) { @@ -140,7 +119,7 @@ static int read_field(int fd, char **buf, int *from, int *to) fd = -1; /* end of file reached */ } else *to += i; - + /* * contract the buffer. Delete any comments, and replace all * multiple spaces with single commas @@ -161,8 +140,9 @@ static int read_field(int fd, char **buf, int *from, int *to) } } switch ((*buf)[i]) { - int j,c; + int j, c; case '#': + c = 0; for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); if (j >= *to) { (*buf)[*to = ++i] = '\0'; @@ -171,8 +151,9 @@ static int read_field(int fd, char **buf, int *from, int *to) *to -= j-i; ++i; } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); + pam_syslog(pamh, LOG_CRIT, + "internal error in file %s at line %d", + __FILE__, __LINE__); close(fd); return -1; } @@ -236,11 +217,10 @@ static int read_field(int fd, char **buf, int *from, int *to) static int logic_member(const char *string, int *at) { - int len,c,to; + int c,to; int done=0; int token=0; - len=0; to=*at; do { c = string[to++]; @@ -263,7 +243,7 @@ static int logic_member(const char *string, int *at) default: if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.' || c == '/') { + || c == '-' || c == '.' || c == '/' || c == ':') { token = 1; } else if (token) { --to; @@ -279,11 +259,13 @@ static int logic_member(const char *string, int *at) typedef enum { VAL, OP } expect; -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) +static int +logic_field (const pam_handle_t *pamh, const void *me, + const char *x, int rule, + int (*agrees)(const pam_handle_t *pamh, const void *, + const char *, int, int)) { - boolean left=FALSE, right, not=FALSE; + int left=FALSE, right, not=FALSE; operator oper=OR; int at=0, l; expect next=VAL; @@ -294,15 +276,18 @@ static boolean logic_field(const void *me, const char *x, int rule, if (next == VAL) { if (c == '!') not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); + else if (isalpha(c) || c == '*' || isdigit(c) || c == '_' + || c == '-' || c == '.' || c == '/' || c == ':') { + right = not ^ agrees(pamh, me, x+at, l, rule); if (oper == AND) left &= right; else left |= right; next = OP; } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected name (rule #%d)", + rule); return FALSE; } } else { /* OP */ @@ -314,8 +299,9 @@ static boolean logic_field(const void *me, const char *x, int rule, oper = OR; break; default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected & or | (rule #%d)", + rule); D(("%c at %d",c,at)); return FALSE; } @@ -327,7 +313,9 @@ static boolean logic_field(const void *me, const char *x, int rule, return left; } -static boolean is_same(const void *A, const char *b, int len, int rule) +static int +is_same (const pam_handle_t *pamh UNUSED, + const void *A, const char *b, int len, int rule UNUSED) { int i; const char *a; @@ -349,10 +337,10 @@ typedef struct { int minute; /* integer, hour*100+minute for now */ } TIME; -struct day { +static struct day { const char *d; int bit; -} static const days[11] = { +} const days[11] = { { "su", 01 }, { "mo", 02 }, { "tu", 04 }, @@ -382,9 +370,11 @@ static TIME time_now(void) } /* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) +static int +check_time (const pam_handle_t *pamh, const void *AT, + const char *times, int len, int rule) { - boolean not,pass; + int not,pass; int marked_day, time_start, time_end; const TIME *at; int i,j=0; @@ -394,7 +384,8 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) if (times == NULL) { /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); + pam_syslog(pamh, LOG_CRIT, "internal error in file %s at line %d", + __FILE__, __LINE__); return FALSE; } @@ -418,13 +409,13 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) } j += 2; if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule); return FALSE; } marked_day ^= this_day; } if (marked_day == 0) { - _log_err("no day specified"); + pam_syslog(pamh, LOG_ERR, "no day specified"); return FALSE; } D(("day range = 0%o", marked_day)); @@ -448,7 +439,7 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule); return TRUE; } D(("times(%d to %d)", time_start,time_end)); @@ -483,11 +474,10 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) static int find_member(const char *string, int *at) { - int len,c,to; + int c,to; int done=0; int token=0; - len=0; to=*at; do { c = string[to++]; @@ -547,7 +537,7 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len) if (tmp != NULL) { (*list) = tmp; } else { - _log_err("out of memory for group list"); + pam_syslog(pamh, LOG_ERR, "out of memory for group list"); free(*list); (*list) = NULL; return -1; @@ -561,44 +551,17 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len) D(("found group: %s",buf+at)); /* this is where we convert a group name to a gid_t */ -#ifdef WANT_PWDB - { - int retval; - const struct pwdb *pw=NULL; - - retval = pwdb_locate("group", PWDB_DEFAULT, buf+at - , PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS) { - _log_err("bad group: %s; %s", buf+at, pwdb_strerror(retval)); - } else { - const struct pwdb_entry *pwe=NULL; - - D(("group %s exists", buf+at)); - retval = pwdb_get_entry(pw, "gid", &pwe); - if (retval == PWDB_SUCCESS) { - D(("gid = %d [%p]",* (const gid_t *) pwe->value,list)); - (*list)[len++] = * (const gid_t *) pwe->value; - pwdb_entry_delete(&pwe); /* tidy up */ - } else { - _log_err("%s group entry is bad; %s" - , pwdb_strerror(retval)); - } - pw = NULL; /* break link - cached for later use */ - } - } -#else { const struct group *grp; - grp = _pammodutil_getgrnam(pamh, buf+at); + grp = pam_modutil_getgrnam(pamh, buf+at); if (grp == NULL) { - _log_err("bad group: %s", buf+at); + pam_syslog(pamh, LOG_ERR, "bad group: %s", buf+at); } else { D(("group %s exists", buf+at)); (*list)[len++] = grp->gr_gid; } } -#endif /* next entry along */ @@ -630,7 +593,11 @@ static int check_account(pam_handle_t *pamh, const char *service, if (no_grps > 0) { grps = calloc( blk_size(no_grps) , sizeof(gid_t) ); D(("copying current list into grps [%d big]",blk_size(no_grps))); - (void) getgroups(no_grps, grps); + if (getgroups(no_grps, grps) < 0) { + D(("getgroups call failed")); + no_grps = 0; + grps = NULL; + } #ifdef DEBUG { int z; @@ -653,7 +620,7 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the service name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { /* empty line .. ? */ continue; @@ -661,44 +628,51 @@ static int check_account(pam_handle_t *pamh, const char *service, ++count; D(("working on rule #%d",count)); - good = logic_field(service, buffer, count, is_same); + good = logic_field(pamh,service, buffer, count, is_same); D(("with service: %s", good ? "passes":"fails" )); /* here we get the terminal name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no tty entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no tty entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(tty, buffer, count, is_same); + good &= logic_field(pamh,tty, buffer, count, is_same); D(("with tty: %s", good ? "passes":"fails" )); /* here we get the username field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no user entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no user entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(user, buffer, count, is_same); + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') + good &= innetgr (&buffer[1], NULL, user, NULL); + else + good &= logic_field(pamh,user, buffer, count, is_same); D(("with user: %s", good ? "passes":"fails" )); /* here we get the time field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no time entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no time entry #%d", PAM_GROUP_CONF, count); continue; } - good &= logic_field(&here_and_now, buffer, count, check_time); + good &= logic_field(pamh,&here_and_now, buffer, count, check_time); D(("with time: %s", good ? "passes":"fails" )); - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no listed groups for rule #%d" - , count); + pam_syslog(pamh, LOG_ERR, + "%s: no listed groups for rule #%d", PAM_GROUP_CONF, count); continue; } @@ -719,9 +693,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* check the line is terminated correctly */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh,fd,&buffer,&from,&to); if (buffer && buffer[0]) { - _log_err(PAM_GROUP_CONF "; poorly terminated rule #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count); } if (good > 0) { @@ -737,17 +712,19 @@ static int check_account(pam_handle_t *pamh, const char *service, /* now set the groups for the user */ if (no_grps > 0) { +#ifdef DEBUG int err; +#endif D(("trying to set %d groups", no_grps)); #ifdef DEBUG for (err=0; err<no_grps; ++err) { D(("gid[%d]=%d", err, grps[err])); } #endif - if ((err = setgroups(no_grps, grps))) { - D(("but couldn't set groups %d", err)); - _log_err("unable to set the group membership for user (err=%d)" - , err); + if (setgroups(no_grps, grps) != 0) { + D(("but couldn't set groups %m")); + pam_syslog(pamh, LOG_ERR, + "unable to set the group membership for user: %m"); retval = PAM_CRED_ERR; } } @@ -763,17 +740,20 @@ static int check_account(pam_handle_t *pamh, const char *service, /* --- public authentication management functions --- */ -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags - , int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh, int flags, + int argc UNUSED, const char **argv UNUSED) { - const char *service=NULL, *tty=NULL; + const void *service=NULL, *void_tty=NULL; const char *user=NULL; + const char *tty; int retval; unsigned setting; @@ -787,9 +767,9 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags /* set service name */ - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) + if (pam_get_item(pamh, PAM_SERVICE, &service) != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); + pam_syslog(pamh, LOG_ERR, "cannot find the current service name"); return PAM_ABORT; } @@ -797,28 +777,33 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err("cannot determine the user's name"); + pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } /* set tty name */ - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS + || void_tty == NULL) { D(("PAM_TTY not set, probing stdin")); tty = ttyname(STDIN_FILENO); if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; + tty = ""; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); + pam_syslog(pamh, LOG_ERR, "couldn't set tty name"); return PAM_ABORT; } } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; + else + tty = (const char *) void_tty; + + if (tty[0] == '/') { /* full path */ + const char *t; + tty++; + if ((t = strchr(tty, '/')) != NULL) { + tty = t + 1; + } } /* good, now we have the service name, the user and the terminal name */ @@ -827,22 +812,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags D(("user=%s", user)); D(("tty=%s", tty)); -#ifdef WANT_PWDB - - /* We initialize the pwdb library and check the account */ - retval = pwdb_start(); /* initialize */ - if (retval == PWDB_SUCCESS) { - retval = check_account(pamh, service,tty,user); /* get groups */ - (void) pwdb_end(); /* tidy up */ - } else { - D(("failed to initialize pwdb; %s", pwdb_strerror(retval))); - _log_err("unable to initialize libpwdb"); - retval = PAM_ABORT; - } - -#else /* WANT_PWDB */ retval = check_account(pamh,service,tty,user); /* get groups */ -#endif /* WANT_PWDB */ return retval; } diff --git a/Linux-PAM/modules/pam_group/tst-pam_group b/Linux-PAM/modules/pam_group/tst-pam_group new file mode 100755 index 00000000..29f7ba06 --- /dev/null +++ b/Linux-PAM/modules/pam_group/tst-pam_group @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_group.so diff --git a/Linux-PAM/modules/pam_issue/Makefile b/Linux-PAM/modules/pam_issue/Makefile deleted file mode 100644 index 1bd2be21..00000000 --- a/Linux-PAM/modules/pam_issue/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_issue - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_issue/Makefile.am b/Linux-PAM/modules/pam_issue/Makefile.am new file mode 100644 index 00000000..4e43bd05 --- /dev/null +++ b/Linux-PAM/modules/pam_issue/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue + +man_MANS = pam_issue.8 +XMLS = README.xml pam_issue.8.xml + +TESTS = tst-pam_issue + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_issue.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_issue.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_issue/Makefile.in b/Linux-PAM/modules/pam_issue/Makefile.in new file mode 100644 index 00000000..9cec3a85 --- /dev/null +++ b/Linux-PAM/modules/pam_issue/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_issue +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_issue_la_LIBADD = +pam_issue_la_SOURCES = pam_issue.c +pam_issue_la_OBJECTS = pam_issue.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_issue.c +DIST_SOURCES = pam_issue.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue +man_MANS = pam_issue.8 +XMLS = README.xml pam_issue.8.xml +TESTS = tst-pam_issue +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_issue.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_issue/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_issue/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_issue.la: $(pam_issue_la_OBJECTS) $(pam_issue_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_issue_la_OBJECTS) $(pam_issue_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_issue.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_issue.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_issue/README b/Linux-PAM/modules/pam_issue/README new file mode 100644 index 00000000..e3192beb --- /dev/null +++ b/Linux-PAM/modules/pam_issue/README @@ -0,0 +1,79 @@ +pam_issue — PAM module to add issue file to user prompt + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_issue is a PAM module to prepend an issue file to the username prompt. It +also by default parses escape codes in the issue file similar to some common +getty's (using \x format). + +Recognized escapes: + +\d + + current day + +\l + + name of this tty + +\m + + machine architecture (uname -m) + +\n + + machine's network node hostname (uname -n) + +\o + + domain name of this system + +\r + + release number of operating system (uname -r) + +\t + + current time + +\s + + operating system name (uname -s) + +\u + + number of users currently logged in + +\U + + same as \u except it is suffixed with "user" or "users" (eg. "1 user" or + "10 users") + +\v + + operating system version and build date (uname -v) + +OPTIONS + +noesc + + Turns off escape code parsing. + +issue=issue-file-name + + The file to output if not using the default. + +EXAMPLES + +Add the following line to /etc/pam.d/login to set the user specific issue at +login: + + auth optional pam_issue.so issue=/etc/issue + + +AUTHOR + +pam_issue was written by Ben Collins <bcollins@debian.org>. + diff --git a/Linux-PAM/modules/pam_issue/README.xml b/Linux-PAM/modules/pam_issue/README.xml new file mode 100644 index 00000000..b5b61c3a --- /dev/null +++ b/Linux-PAM/modules/pam_issue/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_issue.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_issue.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_issue-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_issue/pam_issue.8 b/Linux-PAM/modules/pam_issue/pam_issue.8 new file mode 100644 index 00000000..011a5e91 --- /dev/null +++ b/Linux-PAM/modules/pam_issue/pam_issue.8 @@ -0,0 +1,104 @@ +.\" Title: pam_issue +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/17/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ISSUE" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_issue \- PAM module to add issue file to user prompt +.SH "SYNOPSIS" +.HP 13 +\fBpam_issue.so\fR [noesc] [issue=\fIissue\-file\-name\fR] +.SH "DESCRIPTION" +.PP +pam_issue is a PAM module to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file similar to some common getty's (using \\x format). +.PP +Recognized escapes: +.TP 3n +\fB\\d\fR +current day +.TP 3n +\fB\\l\fR +name of this tty +.TP 3n +\fB\\m\fR +machine architecture (uname \-m) +.TP 3n +\fB\\n\fR +machine's network node hostname (uname \-n) +.TP 3n +\fB\\o\fR +domain name of this system +.TP 3n +\fB\\r\fR +release number of operating system (uname \-r) +.TP 3n +\fB\\t\fR +current time +.TP 3n +\fB\\s\fR +operating system name (uname \-s) +.TP 3n +\fB\\u\fR +number of users currently logged in +.TP 3n +\fB\\U\fR +same as \\u except it is suffixed with "user" or "users" (eg. "1 user" or "10 users") +.TP 3n +\fB\\v\fR +operating system version and build date (uname \-v) +.SH "OPTIONS" +.PP +.TP 3n +\fBnoesc\fR +Turns off escape code parsing. +.TP 3n +\fBissue=\fR\fB\fIissue\-file\-name\fR\fR +The file to output if not using the default. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +The prompt was already changed. +.TP 3n +PAM_SERVICE_ERR +A service module error occured. +.TP 3n +PAM_SUCCESS +The new prompt was set successfull. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to set the user specific issue at login: +.sp +.RS 3n +.nf + auth optional pam_issue.so issue=/etc/issue + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_issue was written by Ben Collins <bcollins@debian.org>. diff --git a/Linux-PAM/modules/pam_issue/pam_issue.8.xml b/Linux-PAM/modules/pam_issue/pam_issue.8.xml new file mode 100644 index 00000000..fd0d06ae --- /dev/null +++ b/Linux-PAM/modules/pam_issue/pam_issue.8.xml @@ -0,0 +1,234 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_issue"> + + <refmeta> + <refentrytitle>pam_issue</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_issue-name"> + <refname>pam_issue</refname> + <refpurpose>PAM module to add issue file to user prompt</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_issue-cmdsynopsis"> + <command>pam_issue.so</command> + <arg choice="opt"> + noesc + </arg> + <arg choice="opt"> + issue=<replaceable>issue-file-name</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_issue-description"> + + <title>DESCRIPTION</title> + + <para> + pam_issue is a PAM module to prepend an issue file to the username + prompt. It also by default parses escape codes in the issue file + similar to some common getty's (using \x format). + </para> + <para> + Recognized escapes: + </para> + <variablelist> + <varlistentry> + <term><emphasis remap='B'>\d</emphasis></term> + <listitem> + <para>current day</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\l</emphasis></term> + <listitem> + <para>name of this tty</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\m</emphasis></term> + <listitem> + <para>machine architecture (uname -m)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\n</emphasis></term> + <listitem> + <para>machine's network node hostname (uname -n)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\o</emphasis></term> + <listitem> + <para>domain name of this system</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\r</emphasis></term> + <listitem> + <para>release number of operating system (uname -r)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\t</emphasis></term> + <listitem> + <para>current time</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\s</emphasis></term> + <listitem> + <para>operating system name (uname -s)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\u</emphasis></term> + <listitem> + <para>number of users currently logged in</para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\U</emphasis></term> + <listitem> + <para> + same as \u except it is suffixed with "user" or + "users" (eg. "1 user" or "10 users") + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><emphasis remap='B'>\v</emphasis></term> + <listitem> + <para>operating system version and build date (uname -v)</para> + </listitem> + </varlistentry> + </variablelist> + + </refsect1> + + <refsect1 id="pam_issue-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>noesc</option> + </term> + <listitem> + <para> + Turns off escape code parsing. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>issue=<replaceable>issue-file-name</replaceable></option> + </term> + <listitem> + <para> + The file to output if not using the default. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_issue-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_issue-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The prompt was already changed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A service module error occured. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new prompt was set successfull. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_issue-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + set the user specific issue at login: + <programlisting> + auth optional pam_issue.so issue=/etc/issue + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_issue-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_issue-author'> + <title>AUTHOR</title> + <para> + pam_issue was written by Ben Collins <bcollins@debian.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_issue/pam_issue.c b/Linux-PAM/modules/pam_issue/pam_issue.c index 5665966e..7a8a24d5 100644 --- a/Linux-PAM/modules/pam_issue/pam_issue.c +++ b/Linux-PAM/modules/pam_issue/pam_issue.c @@ -14,8 +14,7 @@ * Released under the GNU LGPL version 2 or later */ -#define _GNU_SOURCE -#define _BSD_SOURCE +#include "config.h" #include <string.h> #include <stdio.h> @@ -27,50 +26,46 @@ #include <unistd.h> #include <sys/utsname.h> #include <utmp.h> -#include <malloc.h> #include <time.h> - -#include <security/_pam_macros.h> +#include <syslog.h> #define PAM_SM_AUTH +#include <security/_pam_macros.h> #include <security/pam_modules.h> +#include <security/pam_ext.h> static int _user_prompt_set = 0; -static char *do_prompt (FILE *); +static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt); +static int read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt); /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { - int retval = PAM_SUCCESS; - FILE *fd; + int retval = PAM_SERVICE_ERR; + FILE *fp; + const char *issue_file = NULL; int parse_esc = 1; - char *prompt_tmp = NULL; - const char *cur_prompt = NULL; - struct stat st; - char *issue_file = NULL; + const void *item = NULL; + const char *cur_prompt; + char *issue_prompt = NULL; /* If we've already set the prompt, don't set it again */ if(_user_prompt_set) return PAM_IGNORE; - else - /* we set this here so if we fail below, we wont get further - than this next time around (only one real failure) */ - _user_prompt_set = 1; + + /* We set this here so if we fail below, we wont get further + than this next time around (only one real failure) */ + _user_prompt_set = 1; for ( ; argc-- > 0 ; ++argv ) { if (!strncmp(*argv,"issue=",6)) { - issue_file = (char *) strdup(6+*argv); - if (issue_file != NULL) { - D(("set issue_file to: %s", issue_file)); - } else { - D(("failed to strdup issue_file - ignored")); - return PAM_IGNORE; - } + issue_file = 6 + *argv; + D(("set issue_file to: %s", issue_file)); } else if (!strcmp(*argv,"noesc")) { parse_esc = 0; D(("turning off escape parsing by request")); @@ -79,152 +74,139 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, } if (issue_file == NULL) - issue_file = strdup("/etc/issue"); + issue_file = "/etc/issue"; - if ((fd = fopen(issue_file, "r")) != NULL) { - int tot_size = 0; - - if (fstat(fileno(fd), &st) < 0) { - fclose(fd); - if (issue_file) - free(issue_file); - return PAM_IGNORE; - } + if ((fp = fopen(issue_file, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file); + return PAM_SERVICE_ERR; + } - retval = pam_get_item(pamh, PAM_USER_PROMPT, - (const void **) &cur_prompt); - if (retval != PAM_SUCCESS) { - fclose(fd); - if (issue_file) - free(issue_file); - return PAM_IGNORE; - } - if (cur_prompt == NULL) { - cur_prompt = ""; - } + if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) { + fclose(fp); + return retval; + } - /* first read in the issue file */ + cur_prompt = item; + if (cur_prompt == NULL) + cur_prompt = ""; - if (parse_esc) { - prompt_tmp = do_prompt(fd); - if (prompt_tmp == NULL) { - fclose(fd); - if (issue_file) - free(issue_file); - return PAM_IGNORE; - } - } else { - int count = 0; - - prompt_tmp = malloc(st.st_size + 1); - if (prompt_tmp == NULL) { - fclose(fd); - if (issue_file) - free(issue_file); - return PAM_IGNORE; - } - memset (prompt_tmp, '\0', st.st_size + 1); - count = fread(prompt_tmp, 1, st.st_size, fd); - if (count != st.st_size) { - fclose(fd); - retval = PAM_IGNORE; - goto cleanup; - } - prompt_tmp[st.st_size] = '\0'; - } + if (parse_esc) + retval = read_issue_quoted(pamh, fp, &issue_prompt); + else + retval = read_issue_raw(pamh, fp, &issue_prompt); - fclose(fd); + fclose(fp); - tot_size = strlen(prompt_tmp) + strlen(cur_prompt) + 1; + if (retval != PAM_SUCCESS) + goto out; - /* - * alloc some extra space for the original prompt - * and postpend it to the buffer - */ - { - char *prompt_tmp_tmp = prompt_tmp; + { + size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1; + char *new_prompt = realloc(issue_prompt, size); - prompt_tmp = realloc(prompt_tmp, tot_size + 1); - if (prompt_tmp == NULL) { - prompt_tmp = prompt_tmp_tmp; - retval = PAM_IGNORE; - goto cleanup; - } + if (new_prompt == NULL) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + retval = PAM_BUF_ERR; + goto out; } + issue_prompt = new_prompt; + } - strcpy(prompt_tmp+strlen(prompt_tmp), cur_prompt); + strcat(issue_prompt, cur_prompt); + retval = pam_set_item(pamh, PAM_USER_PROMPT, + (const void *) issue_prompt); + out: + _pam_drop(issue_prompt); + return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval; +} - prompt_tmp[tot_size] = '\0'; +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} - retval = pam_set_item(pamh, PAM_USER_PROMPT, - (const char *) prompt_tmp); +static int +read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt) +{ + char *issue; + struct stat st; - cleanup: - free(issue_file); - free(prompt_tmp); + *prompt = NULL; - } else { - D(("could not open issue_file: %s", issue_file)); - free(issue_file); - return PAM_IGNORE; + if (fstat(fileno(fp), &st) < 0) { + pam_syslog(pamh, LOG_ERR, "stat error: %m"); + return PAM_SERVICE_ERR; } - return retval; -} + if ((issue = malloc(st.st_size + 1)) == NULL) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + return PAM_BUF_ERR; + } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return PAM_IGNORE; + if (fread(issue, 1, st.st_size, fp) != st.st_size) { + pam_syslog(pamh, LOG_ERR, "read error: %m"); + _pam_drop(issue); + return PAM_SERVICE_ERR; + } + + issue[st.st_size] = '\0'; + *prompt = issue; + return PAM_SUCCESS; } -static char *do_prompt(FILE *fd) +static int +read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) { - int c, size = 1024; + int c; + size_t size = 1024; char *issue; - char buf[1024]; struct utsname uts; - if (fd == NULL) - return NULL; + *prompt = NULL; - issue = (char *)malloc(size); - if (issue == NULL) - return NULL; + if ((issue = malloc(size)) == NULL) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + return PAM_BUF_ERR; + } - issue[0] = '\0'; /* zero this, for strcat to work on first buf */ + issue[0] = '\0'; (void) uname(&uts); - while ((c = getc(fd)) != EOF) { + while ((c = getc(fp)) != EOF) { + char buf[1024]; + + buf[0] = '\0'; if (c == '\\') { - c = getc(fd); + if ((c = getc(fp)) == EOF) + break; switch (c) { case 's': - snprintf (buf, 1024, "%s", uts.sysname); + strncat(buf, uts.sysname, sizeof(buf) - 1); break; case 'n': - snprintf (buf, 1024, "%s", uts.nodename); + strncat(buf, uts.nodename, sizeof(buf) - 1); break; case 'r': - snprintf (buf, 1024, "%s", uts.release); + strncat(buf, uts.release, sizeof(buf) - 1); break; case 'v': - snprintf (buf, 1024, "%s", uts.version); + strncat(buf, uts.version, sizeof(buf) - 1); break; case 'm': - snprintf (buf, 1024, "%s", uts.machine); + strncat(buf, uts.machine, sizeof(buf) - 1); break; case 'o': { char domainname[256]; - getdomainname(domainname, sizeof(domainname)); - domainname[sizeof(domainname)-1] = '\0'; - snprintf (buf, 1024, "%s", domainname); + if (getdomainname(domainname, sizeof(domainname)) >= 0) { + domainname[sizeof(domainname)-1] = '\0'; + strncat(buf, domainname, sizeof(buf) - 1); + } } break; - case 'd': case 't': { @@ -242,70 +224,71 @@ static char *do_prompt(FILE *fd) tm = localtime(&now); if (c == 'd') - snprintf (buf, 1024, "%s %s %d %d", + snprintf (buf, sizeof buf, "%s %s %d %d", weekday[tm->tm_wday], month[tm->tm_mon], - tm->tm_mday, - tm->tm_year + 1900); + tm->tm_mday, tm->tm_year + 1900); else - snprintf (buf, 1024, "%02d:%02d:%02d", + snprintf (buf, sizeof buf, "%02d:%02d:%02d", tm->tm_hour, tm->tm_min, tm->tm_sec); } break; case 'l': { char *ttyn = ttyname(1); - if (!strncmp(ttyn, "/dev/", 5)) - ttyn += 5; - snprintf (buf, 1024, "%s", ttyn); + if (ttyn) { + if (!strncmp(ttyn, "/dev/", 5)) + ttyn += 5; + strncat(buf, ttyn, sizeof(buf) - 1); + } } break; case 'u': case 'U': { - int users = 0; + unsigned int users = 0; struct utmp *ut; setutent(); - while ((ut = getutent())) + while ((ut = getutent())) { if (ut->ut_type == USER_PROCESS) - users++; + ++users; + } endutent(); - printf ("%d ", users); if (c == 'U') - snprintf (buf, 1024, "%s", (users == 1) ? - " user" : " users"); + snprintf (buf, sizeof buf, "%u %s", users, + (users == 1) ? "user" : "users"); + else + snprintf (buf, sizeof buf, "%u", users); break; } default: buf[0] = c; buf[1] = '\0'; } - if ((strlen(issue) + strlen(buf)) < size + 1) { - char *old_issue = issue; - - size += strlen(buf) + 1; - issue = (char *) realloc (issue, size); - if (issue == NULL) { - free(old_issue); - return NULL; - } - } - strcat(issue, buf); } else { buf[0] = c; buf[1] = '\0'; - if ((strlen(issue) + strlen(buf)) < size + 1) { - char *old_issue = issue; - - size += strlen(buf) + 1; - issue = (char *) realloc (issue, size); - if (issue == NULL) { - free(old_issue); - return NULL; - } + } + + if ((strlen(issue) + strlen(buf)) + 1 > size) { + char *new_issue; + + size += strlen(buf) + 1; + new_issue = (char *) realloc (issue, size); + if (new_issue == NULL) { + _pam_drop(issue); + return PAM_BUF_ERR; } + issue = new_issue; strcat(issue, buf); } } - return issue; + if (ferror(fp)) { + pam_syslog(pamh, LOG_ERR, "read error: %m"); + _pam_drop(issue); + return PAM_SERVICE_ERR; + } + + *prompt = issue; + return PAM_SUCCESS; } #ifdef PAM_STATIC diff --git a/Linux-PAM/modules/pam_issue/tst-pam_issue b/Linux-PAM/modules/pam_issue/tst-pam_issue new file mode 100755 index 00000000..0fe4f763 --- /dev/null +++ b/Linux-PAM/modules/pam_issue/tst-pam_issue @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_issue.so diff --git a/Linux-PAM/modules/pam_keyinit/Makefile.am b/Linux-PAM/modules/pam_keyinit/Makefile.am new file mode 100644 index 00000000..49e34d75 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/Makefile.am @@ -0,0 +1,33 @@ +# +# Copyright (c) 2006 David Howells <dhowells@redhat.com> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit +XMLS = README.xml pam_keyinit.8.xml + +if HAVE_KEY_MANAGEMENT + man_MANS = pam_keyinit.8 + TESTS = tst-pam_keyinit +endif + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_keyinit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_KEY_MANAGEMENT + securelib_LTLIBRARIES = pam_keyinit.la +endif diff --git a/Linux-PAM/modules/pam_keyinit/Makefile.in b/Linux-PAM/modules/pam_keyinit/Makefile.in new file mode 100644 index 00000000..401c09b6 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/Makefile.in @@ -0,0 +1,667 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006 David Howells <dhowells@redhat.com> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_keyinit +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_keyinit_la_LIBADD = +pam_keyinit_la_SOURCES = pam_keyinit.c +pam_keyinit_la_OBJECTS = pam_keyinit.lo +@HAVE_KEY_MANAGEMENT_TRUE@am_pam_keyinit_la_rpath = -rpath \ +@HAVE_KEY_MANAGEMENT_TRUE@ $(securelibdir) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_keyinit.c +DIST_SOURCES = pam_keyinit.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit +XMLS = README.xml pam_keyinit.8.xml +@HAVE_KEY_MANAGEMENT_TRUE@man_MANS = pam_keyinit.8 +@HAVE_KEY_MANAGEMENT_TRUE@TESTS = tst-pam_keyinit +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +@HAVE_KEY_MANAGEMENT_TRUE@securelib_LTLIBRARIES = pam_keyinit.la +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_keyinit/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_keyinit/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_keyinit.la: $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_DEPENDENCIES) + $(LINK) $(am_pam_keyinit_la_rpath) $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_keyinit.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_keyinit.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_keyinit/README b/Linux-PAM/modules/pam_keyinit/README new file mode 100644 index 00000000..da22a535 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/README @@ -0,0 +1,24 @@ +# $Id: README,v 1.1 2006/06/27 12:34:07 t8m Exp $ -*- text -*- +# + +This module makes sure the calling process has its own session keyring rather +than using the default per-user session keyring. + +The following words may be supplied as arguments to the module through the PAM +configuration scripts: + + (*) "force" + + This will cause the process's current session keyring to be replaced with + a new one. If this isn't supplied, a session keyring will only be created + if the process doesn't already have its own. + + (*) "revoke" + + If the module actually created a keyring, this will cause that keyring to + be revoked on session closure. + + (*) "debug" + + This will cause the module to write some debugging information to the + syslog. diff --git a/Linux-PAM/modules/pam_keyinit/README.xml b/Linux-PAM/modules/pam_keyinit/README.xml new file mode 100644 index 00000000..47659e89 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 new file mode 100644 index 00000000..40b1e125 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 @@ -0,0 +1,133 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "PAM_KEYINIT" 8 "" "" "" +.SH NAME +pam_keyinit \- Kernel session keyring initialiser module +.SH "SYNOPSIS" +.ad l +.hy 0 +.HP 15 +\fBpam_keyinit\&.so\fR [debug] [force] [revoke] +.ad +.hy + +.SH "DESCRIPTION" + +.PP +The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. + +.PP +The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. + +.PP +If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. + +.PP +The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. + +.PP +This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. + +.PP +This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. + +.PP +This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. + +.PP +The keyutils package is used to manipulate keys more directly\&. This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from: + +.PP + Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR + +.SH "OPTIONS" + +.TP +\fBdebug\fR +Log debug information with \fBsyslog\fR(3)\&. + +.TP +\fBforce\fR +Causes the session keyring of the invoking process to be replaced unconditionally\&. + +.TP +\fBrevoke\fR +Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. + +.SH "MODULE SERVICES PROVIDED" + +.PP +Only the \fIsession\fR service is supported\&. + +.SH "RETURN VALUES" + +.TP +PAM_SUCCESS +This module will usually return this value + +.TP +PAM_AUTH_ERR +Authentication failure\&. + +.TP +PAM_BUF_ERR +Memory buffer error\&. + +.TP +PAM_IGNORE +The return value should be ignored by PAM dispatch\&. + +.TP +PAM_SERVICE_ERR +Cannot determine the user name\&. + +.TP +PAM_SESSION_ERR +This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. + +.TP +PAM_USER_UNKNOWN +User not known\&. + +.SH "EXAMPLES" + +.PP +Add this line to your login entries to start each login session with its own session keyring: + +.nf + +session required pam_keyinit\&.so + +.fi + + +.PP +This will prevent keys from one session leaking into another session for the same user\&. + +.SH "SEE ALSO" + +.PP + \fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8) \fBkeyctl\fR(1) + +.SH "AUTHOR" + +.PP +pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&. + diff --git a/Linux-PAM/modules/pam_keyinit/pam_keyinit.8.xml b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8.xml new file mode 100644 index 00000000..c7dddf54 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8.xml @@ -0,0 +1,241 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_keyinit"> + + <refmeta> + <refentrytitle>pam_keyinit</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_keyinit-name"> + <refname>pam_keyinit</refname> + <refpurpose>Kernel session keyring initialiser module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_keyinit-cmdsynopsis"> + <command>pam_keyinit.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + force + </arg> + <arg choice="opt"> + revoke + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_keyinit-description"> + <title>DESCRIPTION</title> + <para> + The pam_keyinit PAM module ensures that the invoking process has a + session keyring other than the user default session keyring. + </para> + <para> + The session component of the module checks to see if the process's + session keyring is the user default, and, if it is, creates a new + anonymous session keyring with which to replace it. + </para> + <para> + If a new session keyring is created, it will install a link to the user + common keyring in the session keyring so that keys common to the user + will be automatically accessible through it. + </para> + <para> + The session keyring of the invoking process will thenceforth be inherited + by all its children unless they override it. + </para> + <para> + This module is intended primarily for use by login processes. Be aware + that after the session keyring has been replaced, the old session keyring + and the keys it contains will no longer be accessible. + </para> + <para> + This module should not, generally, be invoked by programs like + <emphasis remap='B'>su</emphasis>, since it is usually desirable for the + key set to percolate through to the alternate context. The keys have + their own permissions system to manage this. + </para> + <para> + This module should be included as early as possible in a PAM + configuration, so that other PAM modules can attach tokens to the + keyring. + </para> + <para> + The keyutils package is used to manipulate keys more directly. This + can be obtained from: + </para> + <para> + <ulink url="http://people.redhat.com/~dhowells/keyutils/"> + Keyutils + </ulink> + </para> + </refsect1> + + <refsect1 id="pam_keyinit-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Log debug information with <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>force</option> + </term> + <listitem> + <para> + Causes the session keyring of the invoking process to be replaced + unconditionally. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>revoke</option> + </term> + <listitem> + <para> + Causes the session keyring of the invoking process to be revoked + when the invoking process exits if the session keyring was created + for this process in the first place. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_keyinit-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <emphasis remap='B'>session</emphasis> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_keyinit-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + This module will usually return this value + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The return value should be ignored by PAM dispatch. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Cannot determine the user name. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + This module will return this value if its arguments are invalid or + if a system error such as ENOMEM occurs. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_keyinit-examples'> + <title>EXAMPLES</title> + <para> + Add this line to your login entries to start each login session with its + own session keyring: + <programlisting> +session required pam_keyinit.so + </programlisting> + </para> + <para> + This will prevent keys from one session leaking into another session for + the same user. + </para> + </refsect1> + + <refsect1 id='pam_keyinit-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + <citerefentry> + <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_keyinit-author'> + <title>AUTHOR</title> + <para> + pam_keyinit was written by David Howells, <dhowells@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_keyinit/pam_keyinit.c b/Linux-PAM/modules/pam_keyinit/pam_keyinit.c new file mode 100644 index 00000000..378a7723 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/pam_keyinit.c @@ -0,0 +1,269 @@ +/* pam_keyinit.c: Initialise the session keyring on login through a PAM module + * + * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + */ + +#include "config.h" +#include <stdarg.h> +#include <string.h> +#include <syslog.h> +#include <pwd.h> +#include <unistd.h> +#include <errno.h> +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> +#include <sys/syscall.h> + +#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */ +#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */ +#define KEY_SPEC_USER_SESSION_KEYRING -5 /* - key ID for UID-session keyring */ + +#define KEYCTL_GET_KEYRING_ID 0 /* ask for a keyring's ID */ +#define KEYCTL_JOIN_SESSION_KEYRING 1 /* start named session keyring */ +#define KEYCTL_REVOKE 3 /* revoke a key */ +#define KEYCTL_LINK 8 /* link a key into a keyring */ + +static int my_session_keyring; +static int session_counter; +static int do_revoke; +static int revoke_as_uid; +static int revoke_as_gid; +static int xdebug = 0; + +static void debug(pam_handle_t *pamh, const char *fmt, ...) + __attribute__((format(printf, 2, 3))); + +static void debug(pam_handle_t *pamh, const char *fmt, ...) +{ + va_list va; + + if (xdebug) { + va_start(va, fmt); + pam_vsyslog(pamh, LOG_DEBUG, fmt, va); + va_end(va); + } +} + +static int error(pam_handle_t *pamh, const char *fmt, ...) + __attribute__((format(printf, 2, 3))); + +static int error(pam_handle_t *pamh, const char *fmt, ...) +{ + va_list va; + + va_start(va, fmt); + pam_vsyslog(pamh, LOG_ERR, fmt, va); + va_end(va); + + return PAM_SESSION_ERR; +} + +/* + * initialise the session keyring for this process + */ +static int init_keyrings(pam_handle_t *pamh, int force) +{ + int session, usession, ret; + + if (!force) { + /* get the IDs of the session keyring and the user session + * keyring */ + session = syscall(__NR_keyctl, + KEYCTL_GET_KEYRING_ID, + KEY_SPEC_SESSION_KEYRING, + 0); + debug(pamh, "GET SESSION = %d", session); + if (session < 0) { + /* don't worry about keyrings if facility not + * installed */ + if (errno == ENOSYS) + return PAM_SUCCESS; + return PAM_SESSION_ERR; + } + + usession = syscall(__NR_keyctl, + KEYCTL_GET_KEYRING_ID, + KEY_SPEC_USER_SESSION_KEYRING, + 0); + debug(pamh, "GET SESSION = %d", usession); + if (usession < 0) + return PAM_SESSION_ERR; + + /* if the user session keyring is our keyring, then we don't + * need to do anything if we're not forcing */ + if (session != usession) + return PAM_SUCCESS; + } + + /* create a session keyring, discarding the old one */ + ret = syscall(__NR_keyctl, + KEYCTL_JOIN_SESSION_KEYRING, + NULL); + debug(pamh, "JOIN = %d", ret); + if (ret < 0) + return PAM_SESSION_ERR; + + my_session_keyring = ret; + + /* make a link from the session keyring to the user keyring */ + ret = syscall(__NR_keyctl, + KEYCTL_LINK, + KEY_SPEC_USER_KEYRING, + KEY_SPEC_SESSION_KEYRING); + + return ret < 0 ? PAM_SESSION_ERR : PAM_SUCCESS; +} + +/* + * revoke the session keyring for this process + */ +static void kill_keyrings(pam_handle_t *pamh) +{ + int old_uid, old_gid; + + /* revoke the session keyring we created earlier */ + if (my_session_keyring > 0) { + debug(pamh, "REVOKE %d", my_session_keyring); + + old_uid = geteuid(); + old_gid = getegid(); + debug(pamh, "UID:%d [%d] GID:%d [%d]", + revoke_as_uid, old_uid, revoke_as_gid, old_gid); + + /* switch to the real UID and GID so that we have permission to + * revoke the key */ + if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) + error(pamh, "Unable to change GID to %d temporarily\n", + revoke_as_gid); + + if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0) + error(pamh, "Unable to change UID to %d temporarily\n", + revoke_as_uid); + + syscall(__NR_keyctl, + KEYCTL_REVOKE, + my_session_keyring); + + /* return to the orignal UID and GID (probably root) */ + if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) + error(pamh, "Unable to change UID back to %d\n", old_uid); + + if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) + error(pamh, "Unable to change GID back to %d\n", old_gid); + + my_session_keyring = 0; + } +} + +/* + * open a PAM session by making sure there's a session keyring + */ +PAM_EXTERN +int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct passwd *pw; + const char *username; + int ret, old_uid, uid, old_gid, gid, loop, force = 0; + + for (loop = 0; loop < argc; loop++) { + if (strcmp(argv[loop], "force") == 0) + force = 1; + else if (strcmp(argv[loop], "debug") == 0) + xdebug = 1; + else if (strcmp(argv[loop], "revoke") == 0) + do_revoke = 1; + } + + /* don't do anything if already created a keyring (will be called + * multiple times if mentioned more than once in a pam script) + */ + session_counter++; + + debug(pamh, "OPEN %d", session_counter); + + if (my_session_keyring > 0) + return PAM_SUCCESS; + + /* look up the target UID */ + ret = pam_get_user(pamh, &username, "key user"); + if (ret != PAM_SUCCESS) + return ret; + + pw = pam_modutil_getpwnam(pamh, username); + if (!pw) { + error(pamh, "Unable to look up user \"%s\"\n", username); + return PAM_USER_UNKNOWN; + } + + revoke_as_uid = uid = pw->pw_uid; + old_uid = getuid(); + revoke_as_gid = gid = pw->pw_gid; + old_gid = getgid(); + debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid); + + /* switch to the real UID and GID so that the keyring ends up owned by + * the right user */ + if (gid != old_gid && setregid(gid, -1) < 0) { + error(pamh, "Unable to change GID to %d temporarily\n", gid); + return PAM_SESSION_ERR; + } + + if (uid != old_uid && setreuid(uid, -1) < 0) { + error(pamh, "Unable to change UID to %d temporarily\n", uid); + setregid(old_gid, -1); + return PAM_SESSION_ERR; + } + + ret = init_keyrings(pamh, force); + + /* return to the orignal UID and GID (probably root) */ + if (uid != old_uid && setreuid(old_uid, -1) < 0) + ret = error(pamh, "Unable to change UID back to %d\n", old_uid); + + if (gid != old_gid && setregid(old_gid, -1) < 0) + ret = error(pamh, "Unable to change GID back to %d\n", old_gid); + + return ret; +} + +/* + * close a PAM session by revoking the session keyring if requested + */ +PAM_EXTERN +int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + debug(pamh, "CLOSE %d,%d,%d", + session_counter, my_session_keyring, do_revoke); + + session_counter--; + + if (session_counter == 0 && my_session_keyring > 0 && do_revoke) + kill_keyrings(pamh); + + return PAM_SUCCESS; +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_keyinit_modstruct = { + "pam_keyinit", + NULL, + NULL, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif + diff --git a/Linux-PAM/modules/pam_keyinit/tst-pam_keyinit b/Linux-PAM/modules/pam_keyinit/tst-pam_keyinit new file mode 100755 index 00000000..f0a7b9bc --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/tst-pam_keyinit @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_keyinit.so diff --git a/Linux-PAM/modules/pam_lastlog/Makefile b/Linux-PAM/modules/pam_lastlog/Makefile deleted file mode 100644 index e8062714..00000000 --- a/Linux-PAM/modules/pam_lastlog/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -# -# $Id: Makefile,v 1.3 2001/02/10 22:33:10 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -ifeq ($(HAVE_LIBUTIL),yes) - MODULE_SIMPLE_EXTRALIBS += -lutil -endif - -TITLE=pam_lastlog - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_lastlog/Makefile.am b/Linux-PAM/modules/pam_lastlog/Makefile.am new file mode 100644 index 00000000..e81e7833 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog + +man_MANS = pam_lastlog.8 +XMLS = README.xml pam_lastlog.8.xml + +TESTS = tst-pam_lastlog + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam -lutil +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_lastlog.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_lastlog.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_lastlog/Makefile.in b/Linux-PAM/modules/pam_lastlog/Makefile.in new file mode 100644 index 00000000..6f19ba1f --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_lastlog +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_lastlog_la_LIBADD = +pam_lastlog_la_SOURCES = pam_lastlog.c +pam_lastlog_la_OBJECTS = pam_lastlog.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_lastlog.c +DIST_SOURCES = pam_lastlog.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog +man_MANS = pam_lastlog.8 +XMLS = README.xml pam_lastlog.8.xml +TESTS = tst-pam_lastlog +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam -lutil $(am__append_1) +securelib_LTLIBRARIES = pam_lastlog.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_lastlog/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_lastlog/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_lastlog.la: $(pam_lastlog_la_OBJECTS) $(pam_lastlog_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_lastlog_la_OBJECTS) $(pam_lastlog_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_lastlog.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_lastlog.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_lastlog/README b/Linux-PAM/modules/pam_lastlog/README new file mode 100644 index 00000000..9f6c5505 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/README @@ -0,0 +1,57 @@ +pam_lastlog — PAM module to display date of last login + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_lastlog is a PAM module to display a line of information about the last +login of the user. In addition, the module maintains the /var/log/lastlog file. + +Some applications may perform this function themselves. In such cases, this +module is not necessary. + +OPTIONS + +debug + + Print debug information. + +silent + + Don't inform the user about any previous login, just upate the /var/log/ + lastlog file. + +never + + If the /var/log/lastlog file does not contain any old entries for the user, + indicate that the user has never previously logged in with a welcome + message. + +nodate + + Don't display the date of the last login. + +noterm + + Don't display the terminal name on which the last login was attempted. + +nohost + + Don't indicate from which host the last login was attempted. + +nowtmp + + Don't update the wtmp entry. + +EXAMPLES + +Add the following line to /etc/pam.d/login to display the last login time of an +user: + + session required pam_lastlog.so nowtmp + + +AUTHOR + +pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + diff --git a/Linux-PAM/modules/pam_lastlog/README.xml b/Linux-PAM/modules/pam_lastlog/README.xml new file mode 100644 index 00000000..7fe70339 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_lastlog.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_lastlog.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_lastlog-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_lastlog/pam_lastlog.8 b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8 new file mode 100644 index 00000000..81b04470 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8 @@ -0,0 +1,91 @@ +.\" Title: pam_lastlog +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_LASTLOG" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_lastlog \- PAM module to display date of last login +.SH "SYNOPSIS" +.HP 15 +\fBpam_lastlog.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] +.SH "DESCRIPTION" +.PP +pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains the +\fI/var/log/lastlog\fR +file. +.PP +Some applications may perform this function themselves. In such cases, this module is not necessary. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBsilent\fR +Don't inform the user about any previous login, just upate the +\fI/var/log/lastlog\fR +file. +.TP 3n +\fBnever\fR +If the +\fI/var/log/lastlog\fR +file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message. +.TP 3n +\fBnodate\fR +Don't display the date of the last login. +.TP 3n +\fBnoterm\fR +Don't display the terminal name on which the last login was attempted. +.TP 3n +\fBnohost\fR +Don't indicate from which host the last login was attempted. +.TP 3n +\fBnowtmp\fR +Don't update the wtmp entry. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +Everything was successfull. +.TP 3n +PAM_SERVICE_ERR +Internal service module error. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to display the last login time of an user: +.sp +.RS 3n +.nf + session required pam_lastlog.so nowtmp + +.fi +.RE +.SH "FILES" +.TP 3n +\fI/var/log/lastlog\fR +Lastlog logging file +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_lastlog/pam_lastlog.8.xml b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8.xml new file mode 100644 index 00000000..066eff58 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8.xml @@ -0,0 +1,231 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_lastlog"> + + <refmeta> + <refentrytitle>pam_lastlog</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_lastlog-name"> + <refname>pam_lastlog</refname> + <refpurpose>PAM module to display date of last login</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_lastlog-cmdsynopsis"> + <command>pam_lastlog.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + never + </arg> + <arg choice="opt"> + nodate + </arg> + <arg choice="opt"> + nohost + </arg> + <arg choice="opt"> + noterm + </arg> + <arg choice="opt"> + nowtmp + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_lastlog-description"> + + <title>DESCRIPTION</title> + + <para> + pam_lastlog is a PAM module to display a line of information + about the last login of the user. In addition, the module maintains + the <filename>/var/log/lastlog</filename> file. + </para> + <para> + Some applications may perform this function themselves. In such + cases, this module is not necessary. + </para> + </refsect1> + + <refsect1 id="pam_lastlog-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't inform the user about any previous login, + just upate the <filename>/var/log/lastlog</filename> file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>never</option> + </term> + <listitem> + <para> + If the <filename>/var/log/lastlog</filename> file does + not contain any old entries for the user, indicate that + the user has never previously logged in with a welcome + message. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nodate</option> + </term> + <listitem> + <para> + Don't display the date of the last login. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>noterm</option> + </term> + <listitem> + <para> + Don't display the terminal name on which the + last login was attempted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nohost</option> + </term> + <listitem> + <para> + Don't indicate from which host the last login was + attempted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nowtmp</option> + </term> + <listitem> + <para> + Don't update the wtmp entry. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_lastlog-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_lastlog-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Internal service module error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_lastlog-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + display the last login time of an user: + </para> + <programlisting> + session required pam_lastlog.so nowtmp + </programlisting> + </refsect1> + + <refsect1 id="pam_lastlog-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/log/lastlog</filename></term> + <listitem> + <para>Lastlog logging file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_lastlog-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_lastlog-author'> + <title>AUTHOR</title> + <para> + pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_lastlog/pam_lastlog.c b/Linux-PAM/modules/pam_lastlog/pam_lastlog.c index c9c5e24e..a75e1ce7 100644 --- a/Linux-PAM/modules/pam_lastlog/pam_lastlog.c +++ b/Linux-PAM/modules/pam_lastlog/pam_lastlog.c @@ -1,8 +1,6 @@ /* pam_lastlog module */ /* - * $Id: pam_lastlog.c,v 1.8 2004/09/24 13:13:20 kukuk Exp $ - * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * * This module does the necessary work to display the last login @@ -10,10 +8,11 @@ * present (login) service. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <fcntl.h> #include <time.h> +#include <errno.h> #ifdef HAVE_UTMP_H # include <utmp.h> #else @@ -28,10 +27,6 @@ #include <syslog.h> #include <unistd.h> -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> /* use POSIX front end */ -#endif - #if defined(hpux) || defined(sunos) || defined(solaris) # ifndef _PATH_LASTLOG # define _PATH_LASTLOG "/usr/adm/lastlog" @@ -56,17 +51,6 @@ struct lastlog { #define DEFAULT_HOST "" /* "[no.where]" */ #define DEFAULT_TERM "" /* "tt???" */ -#define LASTLOG_NEVER_WELCOME "Welcome to your new account!" -#define LASTLOG_INTRO "Last login:" -#define LASTLOG_TIME " %s" -#define _LASTLOG_HOST_FORMAT " from %%.%ds" -#define _LASTLOG_LINE_FORMAT " on %%.%ds" -#define LASTLOG_TAIL "" -#define LASTLOG_MAXSIZE (sizeof(LASTLOG_INTRO)+0 \ - +sizeof(LASTLOG_TIME)+strlen(the_time) \ - +sizeof(_LASTLOG_HOST_FORMAT)+UT_HOSTSIZE \ - +sizeof(_LASTLOG_LINE_FORMAT)+UT_LINESIZE \ - +sizeof(LASTLOG_TAIL)) /* * here, we make a definition for the externally accessible function @@ -79,20 +63,8 @@ struct lastlog { #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-lastlog", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* argument parsing */ @@ -102,10 +74,12 @@ static void _log_err(int err, const char *format, ...) #define LASTLOG_NEVER 010 /* display a welcome message for first login */ #define LASTLOG_DEBUG 020 /* send info to syslog(3) */ #define LASTLOG_QUIET 040 /* keep quiet about things */ +#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ -static int _pam_parse(int flags, int argc, const char **argv) +static int +_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE); + int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP); /* does the appliction require quiet? */ if (flags & PAM_SILENT) { @@ -120,17 +94,19 @@ static int _pam_parse(int flags, int argc, const char **argv) if (!strcmp(*argv,"debug")) { ctrl |= LASTLOG_DEBUG; } else if (!strcmp(*argv,"nodate")) { - ctrl |= ~LASTLOG_DATE; + ctrl &= ~LASTLOG_DATE; } else if (!strcmp(*argv,"noterm")) { - ctrl |= ~LASTLOG_LINE; + ctrl &= ~LASTLOG_LINE; } else if (!strcmp(*argv,"nohost")) { - ctrl |= ~LASTLOG_HOST; + ctrl &= ~LASTLOG_HOST; } else if (!strcmp(*argv,"silent")) { ctrl |= LASTLOG_QUIET; } else if (!strcmp(*argv,"never")) { ctrl |= LASTLOG_NEVER; + } else if (!strcmp(*argv,"nowtmp")) { + ctrl &= ~LASTLOG_WTMP; } else { - _log_err(LOG_ERR,"unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -138,273 +114,269 @@ static int _pam_parse(int flags, int argc, const char **argv) return ctrl; } -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) +static const char * +get_tty(pam_handle_t *pamh) { - int retval; - struct pam_conv *conv; + const void *void_terminal_line = NULL; + const char *terminal_line; - D(("begin to converse")); + if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS + || void_terminal_line == NULL) { + terminal_line = DEFAULT_TERM; + } else { + terminal_line = void_terminal_line; + } + if (!strncmp("/dev/", terminal_line, 5)) { + /* strip leading "/dev/" from tty. */ + terminal_line += 5; + } + D(("terminal = %s", terminal_line)); + return terminal_line; +} - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS && conv) { +static int +last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid) +{ + struct flock last_lock; + struct lastlog last_login; + int retval = PAM_SUCCESS; + char the_time[256]; + char *date = NULL; + char *host = NULL; + char *line = NULL; + + memset(&last_lock, 0, sizeof(last_lock)); + last_lock.l_type = F_RDLCK; + last_lock.l_whence = SEEK_SET; + last_lock.l_start = sizeof(last_login) * (off_t) uid; + last_lock.l_len = sizeof(last_login); + + if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_WARNING, + "file %s is locked/read", _PATH_LASTLOG); + sleep(LASTLOG_IGNORE_LOCK_TIME); + } - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); + if (pam_modutil_read(last_fd, (char *) &last_login, + sizeof(last_login)) != sizeof(last_login)) { + memset(&last_login, 0, sizeof(last_login)); + } - D(("returned from application's conversation function")); + last_lock.l_type = F_UNLCK; + (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - if (retval != PAM_SUCCESS && (ctrl & LASTLOG_DEBUG) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); + if (!last_login.ll_time) { + if (announce & LASTLOG_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, + "first login for user with uid %lu", + (unsigned long int)uid); } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - if (retval == PAM_SUCCESS) - retval = PAM_BAD_ITEM; /* conv was NULL */ } - D(("ready to return from module conversation")); + if (!(announce & LASTLOG_QUIET)) { - return retval; /* propagate error status */ -} + if (last_login.ll_time) { -static int make_remark(pam_handle_t *pamh, int ctrl, const char *remark) -{ - int retval; + /* we want the date? */ + if (announce & LASTLOG_DATE) { + struct tm *tm, tm_buf; + time_t ll_time; - if (!(ctrl & LASTLOG_QUIET)) { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; + ll_time = last_login.ll_time; + tm = localtime_r (&ll_time, &tm_buf); + strftime (the_time, sizeof (the_time), + /* TRANSLATORS: "strftime options for date of last login" */ + _(" %a %b %e %H:%M:%S %Z %Y"), tm); - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; + date = the_time; + } - retval = converse(pamh, ctrl, 1, mesg, &resp); + /* we want & have the host? */ + if ((announce & LASTLOG_HOST) + && (last_login.ll_host[0] != '\0')) { + /* TRANSLATORS: " from <host>" */ + if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE, + last_login.ll_host) < 0) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + retval = PAM_BUF_ERR; + goto cleanup; + } + } + + /* we want and have the terminal? */ + if ((announce & LASTLOG_LINE) + && (last_login.ll_line[0] != '\0')) { + /* TRANSLATORS: " on <terminal>" */ + if (asprintf(&line, _(" on %.*s"), UT_LINESIZE, + last_login.ll_line) < 0) { + pam_syslog(pamh, LOG_ERR, "out of memory"); + retval = PAM_BUF_ERR; + goto cleanup; + } + } - msg[0].msg = NULL; - if (resp) { - _pam_drop_reply(resp, 1); + /* TRANSLATORS: "Last login: <date> from <host> on <terminal>" */ + retval = pam_info(pamh, _("Last login:%s%s%s"), + date ? date : "", + host ? host : "", + line ? line : ""); + } else if (announce & LASTLOG_NEVER) { + D(("this is the first time this user has logged in")); + retval = pam_info(pamh, "%s", _("Welcome to your new account!")); } - } else { - D(("keeping quiet")); - retval = PAM_SUCCESS; } - D(("returning %s", pam_strerror(pamh, retval))); + /* cleanup */ + cleanup: + memset(&last_login, 0, sizeof(last_login)); + _pam_overwrite(date); + _pam_overwrite(host); + _pam_drop(host); + _pam_overwrite(line); + _pam_drop(line); + return retval; } -/* - * Values for the announce flags.. - */ - -static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid) +static int +last_login_write(pam_handle_t *pamh, int announce, int last_fd, + uid_t uid, const char *user) { struct flock last_lock; struct lastlog last_login; - int retval = PAM_SESSION_ERR; - int last_fd; - - /* obtain the last login date and all the relevant info */ - last_fd = open(_PATH_LASTLOG, O_RDWR); - if (last_fd < 0) { - D(("unable to open the %s file", _PATH_LASTLOG)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "unable to open %s file", _PATH_LASTLOG); - } - retval = PAM_PERM_DENIED; - } else { - int win; + time_t ll_time; + const void *void_remote_host = NULL; + const char *remote_host; + const char *terminal_line; + int retval = PAM_SUCCESS; + + /* rewind */ + if (lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET) < 0) { + pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); + return PAM_SERVICE_ERR; + } - /* read the lastlogin file - for this uid */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); + /* set this login date */ + D(("set the most recent login time")); + (void) time(&ll_time); /* set the time */ + last_login.ll_time = ll_time; - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_RDLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); + /* set the remote host */ + if (pam_get_item(pamh, PAM_RHOST, &void_remote_host) != PAM_SUCCESS + || void_remote_host == NULL) { + remote_host = DEFAULT_HOST; + } else { + remote_host = void_remote_host; + } - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/read", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } + /* copy to last_login */ + last_login.ll_host[0] = '\0'; + strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1); - win = (_pammodutil_read (last_fd, (char *) &last_login, - sizeof(last_login)) == sizeof(last_login)); + /* set the terminal line */ + terminal_line = get_tty(pamh); - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ + /* copy to last_login */ + last_login.ll_line[0] = '\0'; + strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1); + terminal_line = NULL; - if (!win) { - D(("First login for user uid=%d", _PATH_LASTLOG, uid)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "creating lastlog for uid %d", uid); - } - memset(&last_login, 0, sizeof(last_login)); - } + D(("locking lastlog file")); - /* rewind */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); + /* now we try to lock this file-record exclusively; non-blocking */ + memset(&last_lock, 0, sizeof(last_lock)); + last_lock.l_type = F_WRLCK; + last_lock.l_whence = SEEK_SET; + last_lock.l_start = sizeof(last_login) * (off_t) uid; + last_lock.l_len = sizeof(last_login); - if (!(announce & LASTLOG_QUIET)) { - if (last_login.ll_time) { - time_t ll_time; - char *the_time; - char *remark; + if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_WARNING, "file %s is locked/write", _PATH_LASTLOG); + sleep(LASTLOG_IGNORE_LOCK_TIME); + } - ll_time = last_login.ll_time; - the_time = ctime(&ll_time); - the_time[-1+strlen(the_time)] = '\0'; /* delete '\n' */ + D(("writing to the lastlog file")); + if (pam_modutil_write (last_fd, (char *) &last_login, + sizeof (last_login)) != sizeof(last_login)) { + pam_syslog(pamh, LOG_ERR, "failed to write %s: %m", _PATH_LASTLOG); + retval = PAM_SERVICE_ERR; + } - remark = malloc(LASTLOG_MAXSIZE); - if (remark == NULL) { - D(("no memory for last login remark")); - retval = PAM_BUF_ERR; - } else { - int at; - - /* printing prefix */ - at = sprintf(remark, "%s", LASTLOG_INTRO); - - /* we want the date? */ - if (announce & LASTLOG_DATE) { - at += sprintf(remark+at, LASTLOG_TIME, the_time); - } - - /* we want & have the host? */ - if ((announce & LASTLOG_HOST) - && (last_login.ll_host[0] != '\0')) { - char format[2*sizeof(_LASTLOG_HOST_FORMAT)]; - - (void) sprintf(format, _LASTLOG_HOST_FORMAT - , UT_HOSTSIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_host); - _pam_overwrite(format); - } - - /* we want and have the terminal? */ - if ((announce & LASTLOG_LINE) - && (last_login.ll_line[0] != '\0')) { - char format[2*sizeof(_LASTLOG_LINE_FORMAT)]; - - (void) sprintf(format, _LASTLOG_LINE_FORMAT - , UT_LINESIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_line); - _pam_overwrite(format); - } - - /* display requested combo */ - sprintf(remark+at, "%s", LASTLOG_TAIL); - - retval = make_remark(pamh, announce, remark); - - /* free all the stuff malloced */ - _pam_overwrite(remark); - _pam_drop(remark); - } - } else if ((!last_login.ll_time) && (announce & LASTLOG_NEVER)) { - D(("this is the first time this user has logged in")); - retval = make_remark(pamh, announce, LASTLOG_NEVER_WELCOME); - } - } else { - D(("no text was requested")); - retval = PAM_SUCCESS; - } + last_lock.l_type = F_UNLCK; + (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ + D(("unlocked")); - /* write latest value */ - { - time_t ll_time; - const char *remote_host=NULL - , *terminal_line=DEFAULT_TERM; + if (announce & LASTLOG_WTMP) { + /* write wtmp entry for user */ + logwtmp(last_login.ll_line, user, remote_host); + } - /* set this login date */ - D(("set the most recent login time")); + /* cleanup */ + memset(&last_login, 0, sizeof(last_login)); - (void) time(&ll_time); /* set the time */ - last_login.ll_time = ll_time; + return retval; +} - /* set the remote host */ - (void) pam_get_item(pamh, PAM_RHOST, (const void **)&remote_host); - if (remote_host == NULL) { - remote_host = DEFAULT_HOST; - } +static int +last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user) +{ + int retval; + int last_fd; - /* copy to last_login */ - strncpy(last_login.ll_host, remote_host, - sizeof(last_login.ll_host)); - last_login.ll_host[sizeof(last_login.ll_host) - 1] = '\0'; - remote_host = NULL; - - /* set the terminal line */ - (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line); - D(("terminal = %s", terminal_line)); - if (terminal_line == NULL) { - terminal_line = DEFAULT_TERM; - } else if ( !strncmp("/dev/", terminal_line, 5) ) { - /* strip leading "/dev/" from tty.. */ - terminal_line += 5; - } - D(("terminal = %s", terminal_line)); - - /* copy to last_login */ - strncpy(last_login.ll_line, terminal_line, - sizeof(last_login.ll_line)); - last_login.ll_host[sizeof(last_login.ll_host) - 1] = '\0'; - terminal_line = NULL; - - D(("locking last_log file")); - - /* now we try to lock this file-record exclusively; non-blocking */ - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_WRLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); - - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/write", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } + /* obtain the last login date and all the relevant info */ + last_fd = open(_PATH_LASTLOG, O_RDWR); + if (last_fd < 0) { + if (errno == ENOENT) { + last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + if (last_fd < 0) { + pam_syslog(pamh, LOG_ERR, + "unable to create %s: %m", _PATH_LASTLOG); + D(("unable to create %s file", _PATH_LASTLOG)); + return PAM_SERVICE_ERR; + } + pam_syslog(pamh, LOG_WARNING, + "file %s created", _PATH_LASTLOG); + D(("file %s created", _PATH_LASTLOG)); + } else { + pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG); + D(("unable to open %s file", _PATH_LASTLOG)); + return PAM_SERVICE_ERR; + } + } - D(("writing to the last_log file")); - _pammodutil_write (last_fd, (char *) &last_login, - sizeof (last_login)); + if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) { + pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); + D(("unable to lseek %s file", _PATH_LASTLOG)); + return PAM_SERVICE_ERR; + } - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - D(("unlocked")); + retval = last_login_read(pamh, announce, last_fd, uid); + if (retval != PAM_SUCCESS) + { + close(last_fd); + D(("error while reading lastlog file")); + return retval; + } - close(last_fd); /* all done */ - } - D(("all done with last login")); - } + retval = last_login_write(pamh, announce, last_fd, uid, user); - /* reset the last login structure */ - memset(&last_login, 0, sizeof(last_login)); + close(last_fd); + D(("all done with last login")); return retval; } /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc - , const char **argv) +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) { int retval, ctrl; - const char *user; + const void *user; const struct passwd *pwd; uid_t uid; @@ -413,29 +385,29 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc * last login info and then updates the lastlog for that user. */ - ctrl = _pam_parse(flags, argc, argv); + ctrl = _pam_parse(pamh, flags, argc, argv); /* which user? */ - retval = pam_get_item(pamh, PAM_USER, (const void **)&user); - if (retval != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err(LOG_NOTICE, "user unknown"); + retval = pam_get_item(pamh, PAM_USER, &user); + if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0') { + pam_syslog(pamh, LOG_NOTICE, "user unknown"); return PAM_USER_UNKNOWN; } /* what uid? */ - pwd = _pammodutil_getpwnam (pamh, user); + pwd = pam_modutil_getpwnam (pamh, user); if (pwd == NULL) { D(("couldn't identify user %s", user)); - return PAM_CRED_INSUFFICIENT; + return PAM_USER_UNKNOWN; } uid = pwd->pw_uid; pwd = NULL; /* tidy up */ /* process the current login attempt (indicate last) */ - retval = last_login_date(pamh, ctrl, uid); + retval = last_login_date(pamh, ctrl, uid, user); /* indicate success or failure */ @@ -444,10 +416,20 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc return retval; } -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh, int flags, + int argc, const char **argv) { + const char *terminal_line; + + if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP)) + return PAM_SUCCESS; + + terminal_line = get_tty(pamh); + + /* Wipe out utmp logout entry */ + logwtmp(terminal_line, "", ""); + return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_lastlog/tst-pam_lastlog b/Linux-PAM/modules/pam_lastlog/tst-pam_lastlog new file mode 100755 index 00000000..ea9a5eb0 --- /dev/null +++ b/Linux-PAM/modules/pam_lastlog/tst-pam_lastlog @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_lastlog.so diff --git a/Linux-PAM/modules/pam_limits/Makefile b/Linux-PAM/modules/pam_limits/Makefile deleted file mode 100644 index d15fd9f7..00000000 --- a/Linux-PAM/modules/pam_limits/Makefile +++ /dev/null @@ -1,37 +0,0 @@ -# -# $Id: Makefile,v 1.4 2004/09/28 13:48:47 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_limits - -ifeq ($(OS),linux) - -LOCAL_CONFILE=./limits.skel -INSTALLED_CONFILE=$(SCONFIGD)/limits.conf - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age -ifeq ($(HAVE_LIBCAP),yes) -MODULE_SIMPLE_EXTRALIBS=-lcap -endif - -include ../Simple.Rules - -#else -#include ../dont_makefile -#endif -else - -include ../dont_makefile - -endif diff --git a/Linux-PAM/modules/pam_limits/Makefile.am b/Linux-PAM/modules/pam_limits/Makefile.am new file mode 100644 index 00000000..be2852a9 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits + +man_MANS = limits.conf.5 pam_limits.8 +XMLS = README.xml limits.conf.5.xml pam_limits.8.xml + +TESTS = tst-pam_limits + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_limits.la + +secureconf_DATA = limits.conf + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_limits.8.xml limits.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_limits/Makefile.in b/Linux-PAM/modules/pam_limits/Makefile.in new file mode 100644 index 00000000..a50dbff9 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/Makefile.in @@ -0,0 +1,736 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_limits +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_limits_la_LIBADD = +pam_limits_la_SOURCES = pam_limits.c +pam_limits_la_OBJECTS = pam_limits.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_limits.c +DIST_SOURCES = pam_limits.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits +man_MANS = limits.conf.5 pam_limits.8 +XMLS = README.xml limits.conf.5.xml pam_limits.8.xml +TESTS = tst-pam_limits +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_limits.la +secureconf_DATA = limits.conf +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_limits/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_limits/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_limits.la: $(pam_limits_la_OBJECTS) $(pam_limits_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_limits_la_OBJECTS) $(pam_limits_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_limits.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_limits.8.xml limits.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_limits/README b/Linux-PAM/modules/pam_limits/README index 32afb197..adab19df 100644 --- a/Linux-PAM/modules/pam_limits/README +++ b/Linux-PAM/modules/pam_limits/README @@ -1,110 +1,50 @@ +pam_limits — PAM module to limit resources -pam_limits module: - Imposing user limits on login. - -THEORY OF OPERATION: - -First, make a root-only-readable file (/etc/security/limits.conf by -default or INSTALLED_CONFILE defined Makefile) that describes the -resource limits you wish to impose. No limits are imposed on UID 0 -accounts. - -Each line describes a limit for a user in the form: - -<domain> <type> <item> <value> - -Where: -<domain> can be: - - an user name - - a group name, with @group syntax - - the wildcard *, for default entry - -<type> can have the three values: - - "soft" for enforcing the soft limits - - "hard" for enforcing hard limits - - "-" for enforcing both soft and hard limits - -<item> can be one of the following: - - core - limits the core file size (KB) - - data - max data size (KB) - - fsize - maximum filesize (KB) - - memlock - max locked-in-memory address space (KB) - - nofile - max number of open files - - rss - max resident set size (KB) - - stack - max stack size (KB) - - cpu - max CPU time (MIN) - - nproc - max number of processes - - as - address space limit - - maxlogins - max number of logins for this user - - maxsyslogins - max number of logins on the system - - priority - lower the priority by given value (value can be -ve) - - locks - max locked files (Linux 2.4 and higher) - - sigpending - max number of pending signals (Linux 2.6 and higher) - - msgqueue - max memory used by POSIX message queues (bytes) - (Linux 2.6 and higher) - -Note, if you specify a type of '-' but neglect to supply the item and -value fields then the module will never enforce any limits on the -specified user/group etc. . - -Please remember that individual limits have priority over group -limits, so if you impose no limits for admin group, but one of the -members in this group has a limits line, the user will have its limits -set according to this line. - -Also, please note that all limit settings are set PER LOGIN. They are -not global, nor are they permanent (they apply for the session only). - -In the LIMITS_FILE, the # character introduces a comment - the rest of the -line is ignored. - -The pam_limits module does its best to report configuration problems found -in LIMITS_FILE via syslog. - -EXAMPLE configuration file: -=========================== -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_limits PAM module sets limits on the system resources that can be +obtained in a user-session. Users of uid=0 are affected by this limits, too. + +By default limits are taken from the /etc/security/limits.conf config file. + +OPTIONS +change_uid -ARGUMENTS RECOGNIZED: - debug verbose logging + Change real uid to the user for who the limits are set up. Use this option + if you have problems like login not forking a shell for user who has no + processes. Be warned that something else may break when you do this. - conf=/path/to/file the limits configuration file if different from the - one set at compile time. +conf=/path/to/limits.conf - change_uid change real uid to the user for who the limits - are set up. Use this option if you have problems - like login not forking a shell for user who has - no processes. Be warned that something else - may break when you do this. + Indicate an alternative limits.conf style configuration file to override + the default. - utmp_early some broken applications actually allocate a - utmp entry for the user before the user is - admitted to the system. If the service you are - configuring PAM for does this, you can use - this module argument to compensate for this - brokenness. +debug -MODULE SERVICES PROVIDED: - session _open_session and _close_session (blank) + Print debug information. -USAGE: - For the services you need resources limits (login for example) put a - the following line in /etc/pam.conf as the last line for that - service (usually after the pam_unix session line: +utmp_early - login session required /lib/security/pam_limits.so + Some broken applications actually allocate a utmp entry for the user before + the user is admitted to the system. If some of the services you are + configuring PAM for do this, you can selectively use this module argument + to compensate for this behavior and at the same time maintain system-wide + consistency with a single limits.conf file. + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +limits.conf. + +* soft core 0 +* hard rss 10000 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student - maxlogins 4 - Replace "login" for each service you are using this module, replace - "/lib/security" path with your real modules path. -AUTHOR: - Cristian Gafton <gafton@redhat.com> - Thanks to Elliot Lee <sopwith@redhat.com> for his comments on - improving this module, and Jens Sorensen for Linux 2.4 updates. diff --git a/Linux-PAM/modules/pam_limits/README.xml b/Linux-PAM/modules/pam_limits/README.xml new file mode 100644 index 00000000..964a5a21 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/README.xml @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamlimits SYSTEM "pam_limits.8.xml"> +--> +<!-- +<!ENTITY limitsconf SYSTEM "limits.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_limits.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_limits-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_limits/limits.skel b/Linux-PAM/modules/pam_limits/limits.conf index 9ba31b19..c52778b1 100644 --- a/Linux-PAM/modules/pam_limits/limits.skel +++ b/Linux-PAM/modules/pam_limits/limits.conf @@ -28,10 +28,13 @@ # - nproc - max number of processes # - as - address space limit # - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system # - priority - the priority to run user process with # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to +# - rtprio - max realtime priority # #<domain> <type> <item> <value> # diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5 b/Linux-PAM/modules/pam_limits/limits.conf.5 new file mode 100644 index 00000000..e6ba853f --- /dev/null +++ b/Linux-PAM/modules/pam_limits/limits.conf.5 @@ -0,0 +1,172 @@ +.\" Title: limits.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/22/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "LIMITS.CONF" "5" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +limits.conf \- configuration file for the pam_limits module +.SH "DESCRIPTION" +.PP +The syntax of the lines is as follows: +.PP + +\fI<domain>\fR +\fI<type>\fR +\fI<item>\fR +\fI<value>\fR +.PP +The fields listed above should be filled as follows: +.TP 3n +\fB<domain>\fR +.RS 3n +.TP 3n +\(bu +a username +.TP 3n +\(bu +a groupname, with +\fB@group\fR +syntax. This should not be confused with netgroups. +.TP 3n +\(bu +the wildcard +\fB*\fR, for default entry. +.TP 3n +\(bu +the wildcard +\fB%\fR, for maxlogins limit only, can also be used with +\fI%group\fR +syntax. +.RE +.TP 3n +\fB<type>\fR +.RS 3n +.TP 3n +\fBhard\fR +for enforcing +\fBhard\fR +resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. +.TP 3n +\fBsoft\fR +for enforcing +\fBsoft\fR +resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting +\fBhard\fR +limits. The values specified with this token can be thought of as +\fIdefault\fR +values, for normal system usage. +.TP 3n +\fB\-\fR +for enforcing both +\fBsoft\fR +and +\fBhard\fR +resource limits together. +.sp +Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. . +.RE +.TP 3n +\fB<item>\fR +.RS 3n +.TP 3n +\fBcore\fR +limits the core file size (KB) +.TP 3n +\fBdata\fR +maximum data size (KB) +.TP 3n +\fBfsize\fR +maximum filesize (KB) +.TP 3n +\fBmemlock\fR +maximum locked\-in\-memory address space (KB) +.TP 3n +\fBnofile\fR +maximum number of open files +.TP 3n +\fBrss\fR +maximum resident set size (KB) +.TP 3n +\fBstack\fR +maximum stack size (KB) +.TP 3n +\fBcpu\fR +maximum CPU time (minutes) +.TP 3n +\fBnproc\fR +maximum number of processes +.TP 3n +\fBas\fR +address space limit +.TP 3n +\fBmaxlogins\fR +maximum number of logins for this user +.TP 3n +\fBmaxsyslogins\fR +maximum number of logins on system +.TP 3n +\fBpriority\fR +the priority to run user process with (negative values boost process priority) +.TP 3n +\fBlocks\fR +maximum locked files (Linux 2.4 and higher) +.TP 3n +\fBsigpending\fR +maximum number of pending signals (Linux 2.6 and higher) +.TP 3n +\fBmsqqueue\fR +maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher) +.TP 3n +\fBnice\fR +maximum nice priority allowed to raise to (Linux 2.6.12 and higher) +.TP 3n +\fBrtprio\fR +maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher) +.RE +.PP +In general, individual limits have priority over group limits, so if you impose no limits for +\fIadmin\fR +group, but one of the members in this group have a limits line, the user will have its limits set according to this line. +.PP +Also, please note that all limit settings are set +\fIper login\fR. They are not global, nor are they permanent; existing only for the duration of the session. +.PP +In the +\fIlimits\fR +configuration file, the '\fB#\fR' character introduces a comment \- after which the rest of the line is ignored. +.PP +The pam_limits module does its best to report configuration problems found in its configuration file via +\fBsyslog\fR(3). +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/limits.conf\fR. +.sp +.RS 3n +.nf +* soft core 0 +* hard rss 10000 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student \- maxlogins 4 + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam_limits\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_limits was initially written by Cristian Gafton <gafton@redhat.com> diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5.xml b/Linux-PAM/modules/pam_limits/limits.conf.5.xml new file mode 100644 index 00000000..28df7381 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/limits.conf.5.xml @@ -0,0 +1,286 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="limits.conf"> + + <refmeta> + <refentrytitle>limits.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>limits.conf</refname> + <refpurpose>configuration file for the pam_limits module</refpurpose> + </refnamediv> + + <refsect1 id='limits.conf-description'> + <title>DESCRIPTION</title> + <para> + The syntax of the lines is as follows: + </para> + <para> + <replaceable><domain></replaceable> <replaceable><type></replaceable> + <replaceable><item></replaceable> <replaceable><value></replaceable> + </para> + <para> + The fields listed above should be filled as follows: + </para> + <variablelist> + <varlistentry> + <term> + <option><domain></option> + </term> + <listitem> + <itemizedlist> + <listitem> + <para> + a username + </para> + </listitem> + <listitem> + <para> + a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + This should not be confused with netgroups. + </para> + </listitem> + <listitem> + <para> + the wildcard <emphasis remap='B'>*</emphasis>, for default entry. + </para> + </listitem> + <listitem> + <para> + the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, + can also be used with <emphasis remap='b'>%group</emphasis> syntax. + </para> + </listitem> + </itemizedlist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option><type></option> + </term> + <listitem> + <variablelist> + <varlistentry> + <term><option>hard</option></term> + <listitem> + <para> + for enforcing <emphasis remap='B'>hard</emphasis> resource limits. + These limits are set by the superuser and enforced by the Kernel. + The user cannot raise his requirement of system resources above such values. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>soft</option></term> + <listitem> + <para> + for enforcing <emphasis remap='B'>soft</emphasis> resource limits. + These limits are ones that the user can move up or down within the + permitted range by any pre-exisiting <emphasis remap='B'>hard</emphasis> + limits. The values specified with this token can be thought of as + <emphasis>default</emphasis> values, for normal system usage. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>-</option></term> + <listitem> + <para> + for enforcing both <emphasis remap='B'>soft</emphasis> and + <emphasis remap='B'>hard</emphasis> resource limits together. + </para> + <para> + Note, if you specify a type of '-' but neglect to supply the + item and value fields then the module will never enforce any + limits on the specified user/group etc. . + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option><item></option> + </term> + <listitem> + <variablelist> + <varlistentry> + <term><option>core</option></term> + <listitem> + <para>limits the core file size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>data</option></term> + <listitem> + <para>maximum data size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>fsize</option></term> + <listitem> + <para>maximum filesize (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>memlock</option></term> + <listitem> + <para>maximum locked-in-memory address space (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nofile</option></term> + <listitem> + <para>maximum number of open files</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>rss</option></term> + <listitem> + <para>maximum resident set size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>stack</option></term> + <listitem> + <para>maximum stack size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>cpu</option></term> + <listitem> + <para>maximum CPU time (minutes)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nproc</option></term> + <listitem> + <para>maximum number of processes</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>as</option></term> + <listitem> + <para>address space limit</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>maxlogins</option></term> + <listitem> + <para>maximum number of logins for this user</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>maxsyslogins</option></term> + <listitem> + <para>maximum number of logins on system</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>priority</option></term> + <listitem> + <para>the priority to run user process with (negative + values boost process priority)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>locks</option></term> + <listitem> + <para>maximum locked files (Linux 2.4 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>sigpending</option></term> + <listitem> + <para>maximum number of pending signals (Linux 2.6 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>msqqueue</option></term> + <listitem> + <para>maximum memory used by POSIX message queues (bytes) + (Linux 2.6 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nice</option></term> + <listitem> + <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>rtprio</option></term> + <listitem> + <para>maximum realtime priority allowed for non-privileged processes + (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + </variablelist> + <para> + In general, individual limits have priority over group limits, so if + you impose no limits for <emphasis>admin</emphasis> group, but one of + the members in this group have a limits line, the user will have its + limits set according to this line. + </para> + <para> + Also, please note that all limit settings are set + <emphasis>per login</emphasis>. They are not global, nor are they + permanent; existing only for the duration of the session. + </para> + <para> + In the <emphasis>limits</emphasis> configuration file, the + '<emphasis remap='B'>#</emphasis>' character introduces a comment + - after which the rest of the line is ignored. + </para> + <para> + The pam_limits module does its best to report configuration problems + found in its configuration file via <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </refsect1> + + <refsect1 id="limits.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/limits.conf</filename>. + </para> + <programlisting> +* soft core 0 +* hard rss 10000 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student - maxlogins 4 + </programlisting> + </refsect1> + + <refsect1 id="limits.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="limits.conf-author"> + <title>AUTHOR</title> + <para> + pam_limits was initially written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8 b/Linux-PAM/modules/pam_limits/pam_limits.8 new file mode 100644 index 00000000..9083e14d --- /dev/null +++ b/Linux-PAM/modules/pam_limits/pam_limits.8 @@ -0,0 +1,97 @@ +.\" Title: pam_limits +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/17/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_LIMITS" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_limits \- PAM module to limit resources +.SH "SYNOPSIS" +.HP 14 +\fBpam_limits.so\fR [change_uid] [conf=\fI/path/to/limits.conf\fR] [debug] [utmp_early] +.SH "DESCRIPTION" +.PP +The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session. Users of +\fIuid=0\fR +are affected by this limits, too. +.PP +By default limits are taken from the +\fI/etc/security/limits.conf\fR +config file. +.SH "OPTIONS" +.TP 3n +\fBchange_uid\fR +Change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this. +.TP 3n +\fBconf=\fR\fB\fI/path/to/limits.conf\fR\fR +Indicate an alternative limits.conf style configuration file to override the default. +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fButmp_early\fR +Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits.conf file. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_ABORT +Cannot get current limits. +.TP 3n +PAM_IGNORE +No limits found for this user. +.TP 3n +PAM_PERM_DENIED +New limits could not be set. +.TP 3n +PAM_SERVICE_ERR +Cannot read config file. +.TP 3n +PAM_SESSEION_ERR +Error recovering account name. +.TP 3n +PAM_SUCCESS +Limits were changed. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "FILES" +.TP 3n +\fI/etc/security/limits.conf\fR +Default configuration file +.SH "EXAMPLES" +.PP +For the services you need resources limits (login for example) put a the following line in +\fI/etc/pam.d/login\fR +as the last line for that service (usually after the pam_unix session line): +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# Resource limits imposed on login sessions via pam_limits +# +session required pam_limits.so + +.fi +.RE +.PP +Replace "login" for each service you are using this module. +.SH "SEE ALSO" +.PP + +\fBlimits.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHORS" +.PP +pam_limits was initially written by Cristian Gafton <gafton@redhat.com> diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8.xml b/Linux-PAM/modules/pam_limits/pam_limits.8.xml new file mode 100644 index 00000000..78060a20 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/pam_limits.8.xml @@ -0,0 +1,230 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_limits'> + + <refmeta> + <refentrytitle>pam_limits</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_limits-name'> + <refname>pam_limits</refname> + <refpurpose> + PAM module to limit resources + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_limits-cmdsynopsis"> + <command>pam_limits.so</command> + <arg choice="opt"> + change_uid + </arg> + <arg choice="opt"> + conf=<replaceable>/path/to/limits.conf</replaceable> + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + utmp_early + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_limits-description"> + <title>DESCRIPTION</title> + <para> + The pam_limits PAM module sets limits on the system resources that can be + obtained in a user-session. Users of <emphasis>uid=0</emphasis> are affected + by this limits, too. + </para> + <para> + By default limits are taken from the <filename>/etc/security/limits.conf</filename> + config file. + </para> + </refsect1> + + <refsect1 id="pam_limits-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>change_uid</option> + </term> + <listitem> + <para> + Change real uid to the user for who the limits are set up. Use this + option if you have problems like login not forking a shell for user + who has no processes. Be warned that something else may break when + you do this. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> + </term> + <listitem> + <para> + Indicate an alternative limits.conf style configuration file to + override the default. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>utmp_early</option> + </term> + <listitem> + <para> + Some broken applications actually allocate a utmp entry for + the user before the user is admitted to the system. If some + of the services you are configuring PAM for do this, you can + selectively use this module argument to compensate for this + behavior and at the same time maintain system-wide consistency + with a single limits.conf file. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_limits-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_limits-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Cannot get current limits. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + No limits found for this user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + New limits could not be set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Cannot read config file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSEION_ERR</term> + <listitem> + <para> + Error recovering account name. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Limits were changed. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_limits-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/limits.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_limits-examples'> + <title>EXAMPLES</title> + <para> + For the services you need resources limits (login for example) put a + the following line in <filename>/etc/pam.d/login</filename> as the last + line for that service (usually after the pam_unix session line): + </para> + <programlisting> +#%PAM-1.0 +# +# Resource limits imposed on login sessions via pam_limits +# +session required pam_limits.so + </programlisting> + <para> + Replace "login" for each service you are using this module. + </para> + </refsect1> + + <refsect1 id="pam_limits-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_limits-authors"> + <title>AUTHORS</title> + <para> + pam_limits was initially written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_limits/pam_limits.c b/Linux-PAM/modules/pam_limits/pam_limits.c index 1482833a..20aa794a 100644 --- a/Linux-PAM/modules/pam_limits/pam_limits.c +++ b/Linux-PAM/modules/pam_limits/pam_limits.c @@ -13,11 +13,11 @@ * See end for Copyright information */ -#if !(defined(linux)) +#if !defined(linux) && !defined(__linux) #error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <unistd.h> @@ -30,6 +30,7 @@ #include <sys/types.h> #include <sys/stat.h> #include <sys/resource.h> +#include <limits.h> #include <utmp.h> #ifndef UT_USER /* some systems have ut_name instead of ut_user */ @@ -60,6 +61,7 @@ static const char *limits_def_names[] = { }; struct user_limits_struct { + int supported; int src_soft; int src_hard; struct rlimit limit; @@ -72,7 +74,6 @@ struct pam_limit_s { int flag_numsyslogins; /* whether to limit logins only for a specific user or to count all logins */ int priority; /* the priority to run user process with */ - int supported[RLIM_NLIMITS]; struct user_limits_struct limits[RLIM_NLIMITS]; char conf_file[BUFSIZ]; int utmp_after_pam_call; @@ -91,19 +92,8 @@ struct pam_limit_s { #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> - -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_limits", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* argument parsing */ @@ -111,7 +101,9 @@ static void _pam_log(int err, const char *format, ...) #define PAM_DO_SETREUID 0x0002 #define PAM_UTMP_EARLY 0x0004 -static int _pam_parse(int argc, const char **argv, struct pam_limit_s *pl) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv, + struct pam_limit_s *pl) { int ctrl=0; @@ -129,7 +121,7 @@ static int _pam_parse(int argc, const char **argv, struct pam_limit_s *pl) } else if (!strcmp(*argv,"utmp_early")) { ctrl |= PAM_UTMP_EARLY; } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } pl->conf_file[sizeof(pl->conf_file) - 1] = '\0'; @@ -138,13 +130,6 @@ static int _pam_parse(int argc, const char **argv, struct pam_limit_s *pl) } -/* limits stuff */ -#ifdef DEFAULT_CONF_FILE -# define LIMITS_FILE DEFAULT_CONF_FILE -#else -# define LIMITS_FILE "/etc/security/limits.conf" -#endif - #define LIMITED_OK 0 /* limit setting appeared to work */ #define LIMIT_ERR 1 /* error setting a limit */ #define LOGIN_ERR 2 /* too many logins err */ @@ -155,17 +140,17 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, struct pam_limit_s *pl) { struct utmp *ut; - unsigned int count; + int count; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "checking logins for '%s' (maximum of %d)\n", - name, limit); + pam_syslog(pamh, LOG_DEBUG, + "checking logins for '%s' (maximum of %d)", name, limit); } if (limit < 0) return 0; /* no limits imposed */ if (limit == 0) /* maximum 0 logins ? */ { - _pam_log(LOG_WARNING, "No logins allowed for '%s'\n", name); + pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name); return LOGIN_ERR; } @@ -204,7 +189,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, continue; } if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP) - && !_pammodutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) { + && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) { continue; } } @@ -215,10 +200,10 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, endutent(); if (count > limit) { if (name) { - _pam_log(LOG_WARNING, "Too many logins (max %d) for %s", - limit, name); + pam_syslog(pamh, LOG_WARNING, + "Too many logins (max %d) for %s", limit, name); } else { - _pam_log(LOG_WARNING, "Too many system logins (max %d)", limit); + pam_syslog(pamh, LOG_WARNING, "Too many system logins (max %d)", limit); } return LOGIN_ERR; } @@ -235,39 +220,43 @@ static int init_limits(struct pam_limit_s *pl) for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { - if (errno == EINVAL) { - pl->supported[i] = 0; - } else { + pl->limits[i].supported = 0; + if (errno != EINVAL) { retval = !PAM_SUCCESS; } } else { - pl->supported[i] = 1; + pl->limits[i].supported = 1; pl->limits[i].src_soft = LIMITS_DEF_NONE; pl->limits[i].src_hard = LIMITS_DEF_NONE; } } - pl->priority = 0; + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); + if (pl->priority == -1 && errno != 0) + retval = !PAM_SUCCESS; pl->login_limit = -2; pl->login_limit_def = LIMITS_DEF_NONE; return retval; } -static void process_limit(int source, const char *lim_type, - const char *lim_item, const char *lim_value, - int ctrl, struct pam_limit_s *pl) +static void +process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + const char *lim_item, const char *lim_value, + int ctrl, struct pam_limit_s *pl) { int limit_item; int limit_type = 0; - long limit_value; + int int_value = 0; + rlim_t rlimit_value = 0; char *endptr; const char *value_orig = lim_value; if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "%s: processing %s %s %s for %s\n", - __FUNCTION__,lim_type,lim_item,lim_value, - limits_def_names[source]); + pam_syslog(pamh, LOG_DEBUG, "%s: processing %s %s %s for %s", + __FUNCTION__, lim_type, lim_item, lim_value, + limits_def_names[source]); if (strcmp(lim_item, "cpu") == 0) limit_item = RLIMIT_CPU; @@ -301,6 +290,14 @@ static void process_limit(int source, const char *lim_type, else if (strcmp(lim_item, "msgqueue") == 0) limit_item = RLIMIT_MSGQUEUE; #endif +#ifdef RLIMIT_NICE + else if (strcmp(lim_item, "nice") == 0) + limit_item = RLIMIT_NICE; +#endif +#ifdef RLIMIT_RTPRIO + else if (strcmp(lim_item, "rtprio") == 0) + limit_item = RLIMIT_RTPRIO; +#endif else if (strcmp(lim_item, "maxlogins") == 0) { limit_item = LIMIT_LOGIN; pl->flag_numsyslogins = 0; @@ -310,7 +307,7 @@ static void process_limit(int source, const char *lim_type, } else if (strcmp(lim_item, "priority") == 0) { limit_item = LIMIT_PRI; } else { - _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item); + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); return; } @@ -321,40 +318,61 @@ static void process_limit(int source, const char *lim_type, else if (strcmp(lim_type,"-")==0) limit_type=LIMIT_SOFT | LIMIT_HARD; else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { - _pam_log(LOG_DEBUG,"unknown limit type '%s'", lim_type); + pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type); return; } - - limit_value = strtol (lim_value, &endptr, 10); - - /* special case value when limiting logins */ - if (limit_value == 0 && value_orig == endptr) { /* no chars read */ - if (strcmp(lim_value,"-") != 0) { - _pam_log(LOG_DEBUG,"wrong limit value '%s'", lim_value); + if (limit_item != LIMIT_PRI +#ifdef RLIMIT_NICE + && limit_item != RLIMIT_NICE +#endif + && (strcmp(lim_value, "-1") == 0 + || strcmp(lim_value, "-") == 0 || strcmp(lim_value, "unlimited") == 0 + || strcmp(lim_value, "infinity") == 0)) { + int_value = -1; + rlimit_value = RLIM_INFINITY; + } else if (limit_item == LIMIT_PRI || limit_item == LIMIT_LOGIN || +#ifdef RLIMIT_NICE + limit_item == RLIMIT_NICE || +#endif + limit_item == LIMIT_NUMSYSLOGINS) { + long temp; + temp = strtol (lim_value, &endptr, 10); + temp = temp < INT_MAX ? temp : INT_MAX; + int_value = temp > INT_MIN ? temp : INT_MIN; + if (int_value == 0 && value_orig == endptr) { + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); return; - } else - if (limit_item != LIMIT_LOGIN) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, - "'-' limit value valid for maxlogins type only"); - return; - } else - limit_value = -1; - } + } + } else { +#ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); +#else + rlimit_value = strtoul (lim_value, &endptr, 10); +#endif + if (rlimit_value == 0 && value_orig == endptr) { + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); + return; + } + } /* one more special case when limiting logins */ if ((source == LIMITS_DEF_ALL || source == LIMITS_DEF_ALLGROUP) && (limit_item != LIMIT_LOGIN)) { if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, - "'%%' domain valid for maxlogins type only"); + pam_syslog(pamh, LOG_DEBUG, + "'%%' domain valid for maxlogins type only"); return; } switch(limit_item) { case RLIMIT_CPU: - limit_value *= 60; - break; + if (rlimit_value != RLIM_INFINITY) + rlimit_value *= 60; + break; case RLIMIT_FSIZE: case RLIMIT_DATA: case RLIMIT_STACK: @@ -362,8 +380,16 @@ static void process_limit(int source, const char *lim_type, case RLIMIT_RSS: case RLIMIT_MEMLOCK: case RLIMIT_AS: - limit_value *= 1024; - break; + if (rlimit_value != RLIM_INFINITY) + rlimit_value *= 1024; + break; +#ifdef RLIMIT_NICE + case RLIMIT_NICE: + if (int_value > 19) + int_value = 19; + rlimit_value = 19 - int_value; +#endif + break; } if ( (limit_item != LIMIT_LOGIN) @@ -373,7 +399,7 @@ static void process_limit(int source, const char *lim_type, if (pl->limits[limit_item].src_soft < source) { return; } else { - pl->limits[limit_item].limit.rlim_cur = limit_value; + pl->limits[limit_item].limit.rlim_cur = rlimit_value; pl->limits[limit_item].src_soft = source; } } @@ -381,7 +407,7 @@ static void process_limit(int source, const char *lim_type, if (pl->limits[limit_item].src_hard < source) { return; } else { - pl->limits[limit_item].limit.rlim_max = limit_value; + pl->limits[limit_item].limit.rlim_max = rlimit_value; pl->limits[limit_item].src_hard = source; } } @@ -389,12 +415,12 @@ static void process_limit(int source, const char *lim_type, /* recent kernels support negative priority limits (=raise priority) */ if (limit_item == LIMIT_PRI) { - pl->priority = limit_value; + pl->priority = int_value; } else { if (pl->login_limit_def < source) { return; } else { - pl->login_limit = limit_value; + pl->login_limit = int_value; pl->login_limit_def = source; } } @@ -411,10 +437,11 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, #define CONF_FILE (pl->conf_file[0])?pl->conf_file:LIMITS_FILE /* check for the LIMITS_FILE */ if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"reading settings from '%s'", CONF_FILE); + pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE); fil = fopen(CONF_FILE, "r"); if (fil == NULL) { - _pam_log (LOG_WARNING, "can not read settings from %s", CONF_FILE); + pam_syslog (pamh, LOG_WARNING, + "cannot read settings from %s: %m", CONF_FILE); return PAM_SERVICE_ERR; } #undef CONF_FILE @@ -427,7 +454,8 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, char ltype[LINE_LENGTH]; char item[LINE_LENGTH]; char value[LINE_LENGTH]; - int i,j; + int i; + size_t j; char *tptr; tptr = buf; @@ -460,8 +488,6 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]", i, domain, ltype, item, value)); - for(j=0; j < strlen(domain); j++) - domain[j]=tolower(domain[j]); for(j=0; j < strlen(ltype); j++) ltype[j]=tolower(ltype[j]); for(j=0; j < strlen(item); j++) @@ -471,48 +497,51 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, if (i == 4) { /* a complete line */ if (strcmp(uname, domain) == 0) /* this user have a limit */ - process_limit(LIMITS_DEF_USER, ltype, item, value, ctrl, pl); + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); else if (domain[0]=='@') { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "checking if %s is in group %s", - uname, domain + 1); + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", + uname, domain + 1); } - if (_pammodutil_user_in_group_nam_nam(pamh, uname, domain+1)) - process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl, + if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); } else if (domain[0]=='%') { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "checking if %s is in group %s", - uname, domain + 1); + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", + uname, domain + 1); } if (strcmp(domain,"%") == 0) - process_limit(LIMITS_DEF_ALL, ltype, item, value, ctrl, + process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, pl); - else if (_pammodutil_user_in_group_nam_nam(pamh, uname, domain+1)) { + else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { strcpy(pl->login_group, domain+1); - process_limit(LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, + process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, pl); } } else if (strcmp(domain, "*") == 0) - process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ if (strcmp(uname, domain) == 0) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "no limits for '%s'", uname); + pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); } fclose(fil); return PAM_IGNORE; - } else if (domain[0] == '@' && _pammodutil_user_in_group_nam_nam(pamh, uname, domain+1)) { + } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "no limits for '%s' in group '%s'", - uname, domain+1); + pam_syslog(pamh, LOG_DEBUG, + "no limits for '%s' in group '%s'", + uname, domain+1); } fclose(fil); return PAM_IGNORE; } } else { - _pam_log(LOG_DEBUG,"invalid line '%s' - skipped", buf); + pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", buf); } } fclose(fil); @@ -527,24 +556,18 @@ static int setup_limits(pam_handle_t *pamh, int status; int retval = LIMITED_OK; - if (uid == 0) { - /* do not impose limits (+ve limits anyway) on the superuser */ - if (pl->priority > 0) { - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "user '%s' has UID 0 - no limits imposed", - uname); - } - pl->priority = 0; - } - } - for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) { - if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) - pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; - if (!pl->supported[i]) { + if (!pl->limits[i].supported) { /* skip it if its not known to the system */ continue; } + if (pl->limits[i].src_soft == LIMITS_DEF_NONE && + pl->limits[i].src_hard == LIMITS_DEF_NONE) { + /* skip it if its not initialized */ + continue; + } + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; status |= setrlimit(i, &pl->limits[i].limit); } @@ -571,8 +594,9 @@ static int setup_limits(pam_handle_t *pamh, } /* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval; char *user_name; @@ -584,25 +608,25 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, memset(&pl, 0, sizeof(pl)); - ctrl = _pam_parse(argc, argv, &pl); + ctrl = _pam_parse(pamh, argc, argv, &pl); retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); + pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username"); return PAM_SESSION_ERR; } - pwd = getpwnam(user_name); + pwd = pam_modutil_getpwnam(pamh, user_name); if (!pwd) { if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "open_session username '%s' does not exist", - user_name); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_WARNING, + "open_session username '%s' does not exist", user_name); + return PAM_USER_UNKNOWN; } retval = init_limits(&pl); if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "cannot initialize"); - return PAM_IGNORE; + pam_syslog(pamh, LOG_WARNING, "cannot initialize"); + return PAM_ABORT; } retval = parse_config_file(pamh, pwd->pw_name, ctrl, &pl); @@ -611,14 +635,16 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, return PAM_SUCCESS; } if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "error parsing the configuration file"); - return PAM_IGNORE; + pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file"); + return retval; } if (ctrl & PAM_DO_SETREUID) { setreuid(pwd->pw_uid, -1); } retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, &pl); + if (retval & LOGIN_ERR) + pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); if (retval != LIMITED_OK) { return PAM_PERM_DENIED; } @@ -626,8 +652,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, return PAM_SUCCESS; } -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { /* nothing to do */ return PAM_SUCCESS; diff --git a/Linux-PAM/modules/pam_limits/tst-pam_limits b/Linux-PAM/modules/pam_limits/tst-pam_limits new file mode 100755 index 00000000..f563beb7 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/tst-pam_limits @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_limits.so diff --git a/Linux-PAM/modules/pam_listfile/Makefile b/Linux-PAM/modules/pam_listfile/Makefile deleted file mode 100644 index c5447c94..00000000 --- a/Linux-PAM/modules/pam_listfile/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_listfile - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_listfile/Makefile.am b/Linux-PAM/modules/pam_listfile/Makefile.am new file mode 100644 index 00000000..5eb5c75c --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile + +man_MANS = pam_listfile.8 +XMLS = README.xml pam_listfile.8.xml + +TESTS = tst-pam_listfile + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_listfile.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_listfile.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_listfile/Makefile.in b/Linux-PAM/modules/pam_listfile/Makefile.in new file mode 100644 index 00000000..bf08192d --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_listfile +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_listfile_la_LIBADD = +pam_listfile_la_SOURCES = pam_listfile.c +pam_listfile_la_OBJECTS = pam_listfile.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_listfile.c +DIST_SOURCES = pam_listfile.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile +man_MANS = pam_listfile.8 +XMLS = README.xml pam_listfile.8.xml +TESTS = tst-pam_listfile +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_listfile.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_listfile/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_listfile/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_listfile.la: $(pam_listfile_la_OBJECTS) $(pam_listfile_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_listfile_la_OBJECTS) $(pam_listfile_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_listfile.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_listfile.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_listfile/README b/Linux-PAM/modules/pam_listfile/README index b65e7dbb..f0aaaf7f 100644 --- a/Linux-PAM/modules/pam_listfile/README +++ b/Linux-PAM/modules/pam_listfile/README @@ -1,25 +1,96 @@ -SUMMARY: - pam_listfile: - Checks a specified item against a list in a file. - Options: - * item=[tty|user|rhost|ruser|group|shell] - * sense=[allow|deny] (action to take if found in file, - if the item is NOT found in the file, then - the opposite action is requested) - * file=/the/file/to/get/the/list/from - * onerr=[succeed|fail] (if something weird happens - such as unable to open the file, what to do?) - * apply=[user|@group] - restrict the user class for which the restriction - apply. Note that with item=[user|ruser|group] this - does not make sense, but for item=[tty|rhost|shell] - it have a meaning. (Cristian Gafton) - - Also checks to make sure that the list file is a plain - file and not world writable. - - - Elliot Lee <sopwith@redhat.com>, Red Hat Software. - v0.9 August 16, 1996. - -BUGS: - Bugs? +pam_listfile — deny or allow services based on an arbitrary file + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_listfile is a PAM module which provides a way to deny or allow services +based on an arbitrary file. + +The module gets the item of the type specified -- user specifies the username, +PAM_USER; tty specifies the name of the terminal over which the request has +been made, PAM_TTY; rhost specifies the name of the remote host (if any) from +which the request was made, PAM_RHOST; and ruser specifies the name of the +remote user (if available) who made the request, PAM_RUSER -- and looks for an +instance of that item in the file=filename. filename contains one line per item +listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, +causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR +is returned, causing the authorization request to fail. + +If an error is encountered (for instance, if filename does not exist, or a +poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS +is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as +appropriate) will be returned. + +An additional argument, apply=, can be used to restrict the application of the +above to a specific user (apply=username) or a given group (apply=@groupname). +This added restriction is only meaningful when used with the tty, rhost and +shell items. + +Besides this last one, all arguments should be specified; do not count on any +default behavior. + +No credentials are awarded by this module. + +OPTIONS + +item=[tty|user|rhost|ruser|group|shell] + + What is listed in the file and should be checked for. + +sense=[allow|deny] + + Action to take if found in file, if the item is NOT found in the file, then + the opposite action is requested. + +file=/path/filename + + File containing one item per line. The file needs to be a plain file and + not world writeable. + +onerr=[succeed|fail] + + What to do if something weird happens like being unable to open the file. + +apply=[user|@group] + + Restrict the user class for which the restriction apply. Note that with + item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost| + shell] it have a meaning. + +EXAMPLES + +Classic 'ftpusers' authentication can be implemented with this entry in /etc/ +pam.d/ftpd: + +# +# deny ftp-access to users listed in the /etc/ftpusers file +# +auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers + + +Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed +access to the ftp service. + +To allow login access only for certain users, you can use a /etc/pam.d/login +entry like this: + +# +# permit login to users listed in /etc/loginusers +# +auth required pam_listfile.so \ + onerr=fail item=user sense=allow file=/etc/loginusers + + +For this example to work, all users who are allowed to use the login service +should be listed in the file /etc/loginusers. Unless you are explicitly trying +to lock out root, make sure that when you do this, you leave a way for root to +log in, either by listing root in /etc/loginusers, or by listing a user who is +able to su to the root account. + +AUTHOR + +pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot +Lee <sopwith@cuc.edu>. + diff --git a/Linux-PAM/modules/pam_listfile/README.xml b/Linux-PAM/modules/pam_listfile/README.xml new file mode 100644 index 00000000..d851aef3 --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_listfile.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_listfile.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_listfile-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8 b/Linux-PAM/modules/pam_listfile/pam_listfile.8 new file mode 100644 index 00000000..2ccecd4b --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8 @@ -0,0 +1,164 @@ +.\" Title: pam_listfile +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/22/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_LISTFILE" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_listfile \- deny or allow services based on an arbitrary file +.SH "SYNOPSIS" +.HP 16 +\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] +.SH "DESCRIPTION" +.PP +pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file. +.PP +The module gets the +\fBitem\fR +of the type specified \-\- +\fIuser\fR +specifies the username, +\fIPAM_USER\fR; tty specifies the name of the terminal over which the request has been made, +\fIPAM_TTY\fR; rhost specifies the name of the remote host (if any) from which the request was made, +\fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request, +\fIPAM_RUSER\fR +\-\- and looks for an instance of that item in the +\fBfile=\fR\fB\fIfilename\fR\fR. +\fIfilename\fR +contains one line per item listed. If the item is found, then if +\fBsense=\fR\fB\fIallow\fR\fR, +\fIPAM_SUCCESS\fR +is returned, causing the authorization request to succeed; else if +\fBsense=\fR\fB\fIdeny\fR\fR, +\fIPAM_AUTH_ERR\fR +is returned, causing the authorization request to fail. +.PP +If an error is encountered (for instance, if +\fIfilename\fR +does not exist, or a poorly\-constructed argument is encountered), then if +\fIonerr=succeed\fR, +\fIPAM_SUCCESS\fR +is returned, otherwise if +\fIonerr=fail\fR, +\fIPAM_AUTH_ERR\fR +or +\fIPAM_SERVICE_ERR\fR +(as appropriate) will be returned. +.PP +An additional argument, +\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR). This added restriction is only meaningful when used with the +\fItty\fR, +\fIrhost\fR +and +\fIshell\fR +items. +.PP +Besides this last one, all arguments should be specified; do not count on any default behavior. +.PP +No credentials are awarded by this module. +.SH "OPTIONS" +.PP +.TP 3n +\fBitem=[tty|user|rhost|ruser|group|shell]\fR +What is listed in the file and should be checked for. +.TP 3n +\fBsense=[allow|deny]\fR +Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested. +.TP 3n +\fBfile=\fR\fB\fI/path/filename\fR\fR +File containing one item per line. The file needs to be a plain file and not world writeable. +.TP 3n +\fBonerr=[succeed|fail]\fR +What to do if something weird happens like being unable to open the file. +.TP 3n +\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR +Restrict the user class for which the restriction apply. Note that with +\fBitem=[user|ruser|group]\fR +this oes not make sense, but for +\fBitem=[tty|rhost|shell]\fR +it have a meaning. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_AUTH_ERR +Authentication failure. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +The rule does not apply to the +\fBapply\fR +option. +.TP 3n +PAM_SERVICE_ERR +Error in service module. +.TP 3n +PAM_SUCCESS +Success. +.SH "EXAMPLES" +.PP +Classic 'ftpusers' authentication can be implemented with this entry in +\fI/etc/pam.d/ftpd\fR: +.sp +.RS 3n +.nf +# +# deny ftp\-access to users listed in the /etc/ftpusers file +# +auth required pam_listfile.so \\ + onerr=succeed item=user sense=deny file=/etc/ftpusers + +.fi +.RE +.sp +Note, users listed in +\fI/etc/ftpusers\fR +file are (counterintuitively) +\fInot\fR +allowed access to the ftp service. +.PP +To allow login access only for certain users, you can use a +\fI/etc/pam.d/login\fR +entry like this: +.sp +.RS 3n +.nf +# +# permit login to users listed in /etc/loginusers +# +auth required pam_listfile.so \\ + onerr=fail item=user sense=allow file=/etc/loginusers + +.fi +.RE +.sp +For this example to work, all users who are allowed to use the login service should be listed in the file +\fI/etc/loginusers\fR. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in +\fI/etc/loginusers\fR, or by listing a user who is able to +\fIsu\fR +to the root account. +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot Lee <sopwith@cuc.edu>. diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml new file mode 100644 index 00000000..0e90414a --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml @@ -0,0 +1,282 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_listfile"> + + <refmeta> + <refentrytitle>pam_listfile</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_listfile-name"> + <refname>pam_listfile</refname> + <refpurpose>deny or allow services based on an arbitrary file</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_listfile-cmdsynopsis"> + <command>pam_listfile.so</command> + <arg choice="plain"> + item=[tty|user|rhost|ruser|group|shell] + </arg> + <arg choice="plain"> + sense=[allow|deny] + </arg> + <arg choice="plain"> + file=<replaceable>/path/filename</replaceable> + </arg> + <arg choice="plain"> + onerr=[succeed|fail] + </arg> + <arg choice="opt"> + apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>] + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_listfile-description"> + + <title>DESCRIPTION</title> + + <para> + pam_listfile is a PAM module which provides a way to deny or + allow services based on an arbitrary file. + </para> + <para> + The module gets the <option>item</option> of the type specified -- + <emphasis>user</emphasis> specifies the username, + <emphasis>PAM_USER</emphasis>; tty specifies the name of the terminal + over which the request has been made, <emphasis>PAM_TTY</emphasis>; + rhost specifies the name of the remote host (if any) from which the + request was made, <emphasis>PAM_RHOST</emphasis>; and ruser specifies + the name of the remote user (if available) who made the request, + <emphasis>PAM_RUSER</emphasis> -- and looks for an instance of that + item in the <option>file=<replaceable>filename</replaceable></option>. + <filename>filename</filename> contains one line per item listed. If + the item is found, then if + <option>sense=<replaceable>allow</replaceable></option>, + <emphasis>PAM_SUCCESS</emphasis> is returned, causing the authorization + request to succeed; else if + <option>sense=<replaceable>deny</replaceable></option>, + <emphasis>PAM_AUTH_ERR</emphasis> is returned, causing the authorization + request to fail. + </para> + <para> + If an error is encountered (for instance, if + <filename>filename</filename> does not exist, or a poorly-constructed + argument is encountered), then if <emphasis>onerr=succeed</emphasis>, + <emphasis>PAM_SUCCESS</emphasis> is returned, otherwise if + <emphasis>onerr=fail</emphasis>, <emphasis>PAM_AUTH_ERR</emphasis> or + <emphasis>PAM_SERVICE_ERR</emphasis> (as appropriate) will be returned. + </para> + <para> + An additional argument, <option>apply=</option>, can be used + to restrict the application of the above to a specific user + (<option>apply=<replaceable>username</replaceable></option>) + or a given group + (<option>apply=<replaceable>@groupname</replaceable></option>). + This added restriction is only meaningful when used with the + <emphasis>tty</emphasis>, <emphasis>rhost</emphasis> and + <emphasis>shell</emphasis> items. + </para> + <para> + Besides this last one, all arguments should be specified; do not + count on any default behavior. + </para> + <para> + No credentials are awarded by this module. + </para> + </refsect1> + + <refsect1 id="pam_listfile-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>item=[tty|user|rhost|ruser|group|shell]</option> + </term> + <listitem> + <para> + What is listed in the file and should be checked for. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>sense=[allow|deny]</option> + </term> + <listitem> + <para> + Action to take if found in file, if the item is NOT found in + the file, then the opposite action is requested. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>file=<replaceable>/path/filename</replaceable></option> + </term> + <listitem> + <para> + File containing one item per line. The file needs to be a plain + file and not world writeable. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>onerr=[succeed|fail]</option> + </term> + <listitem> + <para> + What to do if something weird happens like being unable to open + the file. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option> + </term> + <listitem> + <para> + Restrict the user class for which the restriction apply. Note that + with <option>item=[user|ruser|group]</option> this oes not make sense, + but for <option>item=[tty|rhost|shell]</option> it have a meaning. + </para> + </listitem> + </varlistentry> + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_listfile-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_listfile-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para>Authentication failure.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The rule does not apply to the <option>apply</option> option. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Error in service module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_listfile-examples'> + <title>EXAMPLES</title> + <para> + Classic 'ftpusers' authentication can be implemented with this entry + in <filename>/etc/pam.d/ftpd</filename>: + <programlisting> +# +# deny ftp-access to users listed in the /etc/ftpusers file +# +auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers + </programlisting> + Note, users listed in <filename>/etc/ftpusers</filename> file are + (counterintuitively) <emphasis>not</emphasis> allowed access to + the ftp service. + </para> + <para> + To allow login access only for certain users, you can use a + <filename>/etc/pam.d/login</filename> entry like this: + <programlisting> +# +# permit login to users listed in /etc/loginusers +# +auth required pam_listfile.so \ + onerr=fail item=user sense=allow file=/etc/loginusers + </programlisting> + For this example to work, all users who are allowed to use the + login service should be listed in the file + <filename>/etc/loginusers</filename>. Unless you are explicitly + trying to lock out root, make sure that when you do this, you leave + a way for root to log in, either by listing root in + <filename>/etc/loginusers</filename>, or by listing a user who is + able to <emphasis>su</emphasis> to the root account. + </para> + </refsect1> + + <refsect1 id='pam_listfile-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_listfile-author'> + <title>AUTHOR</title> + <para> + pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> + and Elliot Lee <sopwith@cuc.edu>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.c b/Linux-PAM/modules/pam_listfile/pam_listfile.c index 965c471d..1545fe03 100644 --- a/Linux-PAM/modules/pam_listfile/pam_listfile.c +++ b/Linux-PAM/modules/pam_listfile/pam_listfile.c @@ -1,16 +1,11 @@ /* - * $Id: pam_listfile.c,v 1.6 2004/09/24 13:13:20 kukuk Exp $ - * - */ - -/* * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. July 25, 1996. * log refused access error christopher mccrory <chrismcc@netus.com> 1998/7/11 * * This code began life as the pam_rootok module. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -36,23 +31,13 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> - -/* some syslogging */ - -#define LOCAL_LOG_PREFIX "PAM-listfile: " - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - vsyslog(LOG_AUTH | err, format, args); - va_end(args); -} +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* checks if a user is on a list of members */ static int is_on_list(char * const *list, const char *member) @@ -79,10 +64,12 @@ static int is_on_list(char * const *list, const char *member) #define LESSER(a, b) ((a) < (b) ? (a) : (b)) -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2; + const void *void_citemp; const char *citemp; char *ifname=NULL; char aline[256]; @@ -107,12 +94,13 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar memset(mybuf,'\0',sizeof(mybuf)); memset(myval,'\0',sizeof(mybuf)); junk = strchr(argv[i], '='); - if((junk == NULL) || (junk - argv[i]) >= sizeof(mybuf)) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Bad option: \"%s\"", + if((junk == NULL) || (junk - argv[i]) >= (int) sizeof(mybuf)) { + pam_syslog(pamh,LOG_ERR, "Bad option: \"%s\"", argv[i]); continue; } - strncpy(mybuf, argv[i], LESSER(junk - argv[i], sizeof(mybuf) - 1)); + strncpy(mybuf, argv[i], + LESSER(junk - argv[i], (int)sizeof(mybuf) - 1)); strncpy(myval, junk + 1, sizeof(myval) - 1); } if(!strcmp(mybuf,"onerr")) @@ -120,17 +108,24 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar onerr = PAM_SUCCESS; else if(!strcmp(myval,"fail")) onerr = PAM_SERVICE_ERR; - else + else { + if (ifname) free (ifname); return PAM_SERVICE_ERR; + } else if(!strcmp(mybuf,"sense")) if(!strcmp(myval,"allow")) sense=0; else if(!strcmp(myval,"deny")) sense=1; - else + else { + if (ifname) free (ifname); return onerr; + } else if(!strcmp(mybuf,"file")) { + if (ifname) free (ifname); ifname = (char *)malloc(strlen(myval)+1); + if (!ifname) + return PAM_BUF_ERR; strcpy(ifname,myval); } else if(!strcmp(mybuf,"item")) if(!strcmp(myval,"user")) @@ -161,86 +156,95 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar strncpy(apply_val,myval,sizeof(apply_val)-1); } } else { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Unknown option: %s",mybuf); + free(ifname); + pam_syslog(pamh,LOG_ERR, "Unknown option: %s",mybuf); return onerr; } } if(!citem) { - _pam_log(LOG_ERR, - LOCAL_LOG_PREFIX "Unknown item or item not specified"); + pam_syslog(pamh,LOG_ERR, + "Unknown item or item not specified"); + free(ifname); return onerr; } else if(!ifname) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "List filename not specified"); + pam_syslog(pamh,LOG_ERR, "List filename not specified"); return onerr; } else if(sense == 2) { - _pam_log(LOG_ERR, - LOCAL_LOG_PREFIX "Unknown sense or sense not specified"); + pam_syslog(pamh,LOG_ERR, + "Unknown sense or sense not specified"); + free(ifname); return onerr; } else if( - (apply_type==APPLY_TYPE_NONE) || + (apply_type==APPLY_TYPE_NONE) || ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0')) ) { - _pam_log(LOG_ERR, - LOCAL_LOG_PREFIX "Invalid usage for apply= parameter"); + pam_syslog(pamh,LOG_ERR, + "Invalid usage for apply= parameter"); + free (ifname); return onerr; } - + /* Check if it makes sense to use the apply= parameter */ if (apply_type != APPLY_TYPE_NULL) { if((citem==PAM_USER) || (citem==PAM_RUSER)) { - _pam_log(LOG_WARNING, - LOCAL_LOG_PREFIX "Non-sense use for apply= parameter"); + pam_syslog(pamh,LOG_WARNING, + "Non-sense use for apply= parameter"); apply_type=APPLY_TYPE_NULL; } if(extitem && (extitem==EI_GROUP)) { - _pam_log(LOG_WARNING, - LOCAL_LOG_PREFIX "Non-sense use for apply= parameter"); + pam_syslog(pamh,LOG_WARNING, + "Non-sense use for apply= parameter"); apply_type=APPLY_TYPE_NULL; } } - + /* Short-circuit - test if this session apply for this user */ { const char *user_name; int rval; - + rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name[0]) { + if((rval==PAM_SUCCESS) && user_name && user_name[0]) { /* Got it ? Valid ? */ if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { /* Does not apply to this user */ #ifdef DEBUG - _pam_log(LOG_DEBUG, - LOCAL_LOG_PREFIX "don't apply: apply=%s, user=%s", + pam_syslog(pamh,LOG_DEBUG, + "don't apply: apply=%s, user=%s", apply_val,user_name); #endif /* DEBUG */ + free(ifname); return PAM_IGNORE; } } else if(apply_type==APPLY_TYPE_GROUP) { - if(!_pammodutil_user_in_group_nam_nam(pamh,user_name,apply_val)) { + if(!pam_modutil_user_in_group_nam_nam(pamh,user_name,apply_val)) { /* Not a member of apply= group */ #ifdef DEBUG - _pam_log(LOG_DEBUG, - LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_DEBUG, + "don't apply: %s not a member of group %s", user_name,apply_val); #endif /* DEBUG */ + free(ifname); return PAM_IGNORE; } } } } - retval = pam_get_item(pamh,citem,(const void **)&citemp); + retval = pam_get_item(pamh,citem,&void_citemp); + citemp = void_citemp; if(retval != PAM_SUCCESS) { return onerr; } if((citem == PAM_USER) && !citemp) { - pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS) + retval = pam_get_user(pamh,&citemp,NULL); + if (retval != PAM_SUCCESS || !citemp) { + free(ifname); return PAM_SERVICE_ERR; + } } if((citem == PAM_TTY) && citemp) { /* Normalize the TTY name. */ @@ -250,6 +254,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar } if(!citemp || (strlen(citemp) == 0)) { + free(ifname); /* The item was NULL - we are sure not to match */ return sense?PAM_SUCCESS:PAM_AUTH_ERR; } @@ -257,21 +262,23 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar if(extitem) { switch(extitem) { case EI_GROUP: - userinfo = _pammodutil_getpwnam(pamh, citemp); + userinfo = pam_modutil_getpwnam(pamh, citemp); if (userinfo == NULL) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getpwnam(%s) failed", + pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed", citemp); + free(ifname); return onerr; } - grpinfo = _pammodutil_getgrgid(pamh, userinfo->pw_gid); + grpinfo = pam_modutil_getgrgid(pamh, userinfo->pw_gid); if (grpinfo == NULL) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getgrgid(%d) failed", + pam_syslog(pamh,LOG_ERR, "getgrgid(%d) failed", (int)userinfo->pw_gid); + free(ifname); return onerr; } itemlist[0] = x_strdup(grpinfo->gr_name); setgrent(); - for (i=1; (i < sizeof(itemlist)/sizeof(itemlist[0])-1) && + for (i=1; (i < (int)(sizeof(itemlist)/sizeof(itemlist[0])-1)) && (grpinfo = getgrent()); ) { if (is_on_list(grpinfo->gr_mem,citemp)) { itemlist[i++] = x_strdup(grpinfo->gr_name); @@ -284,30 +291,33 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar /* Assume that we have already gotten PAM_USER in pam_get_item() - a valid assumption since citem gets set to PAM_USER in the extitem switch */ - userinfo = _pammodutil_getpwnam(pamh, citemp); + userinfo = pam_modutil_getpwnam(pamh, citemp); if (userinfo == NULL) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "getpwnam(%s) failed", + pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed", citemp); + free(ifname); return onerr; } citemp = userinfo->pw_shell; break; default: - _pam_log(LOG_ERR, - LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_ERR, + "Internal weirdness, unknown extended item %d", extitem); + free(ifname); return onerr; } } #ifdef DEBUG - _pam_log(LOG_INFO, - LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_INFO, + "Got file = %s, item = %d, value = %s, sense = %d", ifname, citem, citemp, sense); #endif if(lstat(ifname,&fileinfo)) { - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Couldn't open %s",ifname); + pam_syslog(pamh,LOG_ERR, "Couldn't open %s",ifname); + free(ifname); return onerr; } @@ -315,9 +325,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar || !S_ISREG(fileinfo.st_mode)) { /* If the file is world writable or is not a normal file, return error */ - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_ERR, "%s is either world writable or not a normal file", ifname); + free(ifname); return PAM_AUTH_ERR; } @@ -325,8 +336,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar if(inf == NULL) { /* Check that we opened it successfully */ if (onerr == PAM_SERVICE_ERR) { /* Only report if it's an error... */ - _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Error opening %s", ifname); + pam_syslog(pamh,LOG_ERR, "Error opening %s", ifname); } + free(ifname); return onerr; } /* There should be no more errors from here on */ @@ -373,36 +385,59 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar free(ifname); if ((sense && retval) || (!sense && !retval)) { #ifdef DEBUG - _pam_log(LOG_INFO, LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_INFO, "Returning PAM_SUCCESS, retval = %d", retval); #endif return PAM_SUCCESS; } else { - const char *service, *user_name; + const void *service; + const char *user_name; #ifdef DEBUG - _pam_log(LOG_INFO,LOCAL_LOG_PREFIX + pam_syslog(pamh,LOG_INFO, "Returning PAM_AUTH_ERR, retval = %d", retval); #endif - (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service); + (void) pam_get_item(pamh, PAM_SERVICE, &service); (void) pam_get_user(pamh, &user_name, NULL); - _pam_log(LOG_ALERT,LOCAL_LOG_PREFIX "Refused user %s for service %s", - user_name, service); + pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s", + user_name, (const char *)service); return PAM_AUTH_ERR; } } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags, + int argc, const char **argv) { - return pam_sm_authenticate(pamh, 0, argc, argv); + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_chauthtok (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); } #ifdef PAM_STATIC @@ -414,12 +449,11 @@ struct pam_module _pam_listfile_modstruct = { pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, - NULL, - NULL, - NULL, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok, }; #endif /* PAM_STATIC */ /* end of module definition */ - diff --git a/Linux-PAM/modules/pam_listfile/tst-pam_listfile b/Linux-PAM/modules/pam_listfile/tst-pam_listfile new file mode 100755 index 00000000..f555a9f5 --- /dev/null +++ b/Linux-PAM/modules/pam_listfile/tst-pam_listfile @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_listfile.so diff --git a/Linux-PAM/modules/pam_localuser/Makefile b/Linux-PAM/modules/pam_localuser/Makefile deleted file mode 100644 index 3dc61aa0..00000000 --- a/Linux-PAM/modules/pam_localuser/Makefile +++ /dev/null @@ -1,14 +0,0 @@ -# $Id: Makefile,v 1.1 2004/09/24 11:49:37 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# - -include ../../Make.Rules - -TITLE=pam_localuser -MAN8=pam_localuser.8 - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_localuser/Makefile.am b/Linux-PAM/modules/pam_localuser/Makefile.am new file mode 100644 index 00000000..ae331755 --- /dev/null +++ b/Linux-PAM/modules/pam_localuser/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_localuser + +TESTS = tst-pam_localuser + +man_MANS = pam_localuser.8 +XMLS = README.xml pam_localuser.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_localuser.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_localuser.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_localuser/Makefile.in b/Linux-PAM/modules/pam_localuser/Makefile.in new file mode 100644 index 00000000..24daef1f --- /dev/null +++ b/Linux-PAM/modules/pam_localuser/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_localuser +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_localuser_la_LIBADD = +pam_localuser_la_SOURCES = pam_localuser.c +pam_localuser_la_OBJECTS = pam_localuser.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_localuser.c +DIST_SOURCES = pam_localuser.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_localuser +TESTS = tst-pam_localuser +man_MANS = pam_localuser.8 +XMLS = README.xml pam_localuser.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_localuser.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_localuser/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_localuser/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_localuser.la: $(pam_localuser_la_OBJECTS) $(pam_localuser_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_localuser_la_OBJECTS) $(pam_localuser_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_localuser.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_localuser.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_localuser/README b/Linux-PAM/modules/pam_localuser/README index b8cdf524..50663ead 100644 --- a/Linux-PAM/modules/pam_localuser/README +++ b/Linux-PAM/modules/pam_localuser/README @@ -1,17 +1,38 @@ -pam_localuser: - Succeeds iff the PAM_USER is listed in /etc/passwd. This seems to be a - common policy need (allowing only a subset of network-wide users, and - any locally-defined users, to access services). Simpler than using - awk to generate a file for use with pam_listfile (-F: '{print $1}'), - I guess. - -RECOGNIZED ARGUMENTS: - debug write debugging messages to syslog - file=FILE scan FILE instead of /etc/passwd - -MODULE SERVICES PROVIDED: - auth,account scan the FILE (/etc/passwd by default) and return - a success code if an entry is found for the user - -AUTHOR: - Nalin Dahyabhai <nalin@redhat.com> +pam_localuser — require users to be listed in /etc/passwd + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_localuser is a PAM module to help implementing site-wide login policies, +where they typically include a subset of the network's users and a few accounts +that are local to a particular workstation. Using pam_localuser and pam_wheel +or pam_listfile is an effective way to restrict access to either local users +and/or a subset of the network's users. + +This could also be implemented using pam_listfile.so and a very short awk +script invoked by cron, but it's common enough to have been separated out. + +OPTIONS + +debug + + Print debug information. + +file=/path/passwd + + Use a file other than /etc/passwd. + +EXAMPLES + +Add the following line to /etc/pam.d/su to allow only local users in group +wheel to use su. + +account sufficient pam_localuser.so +account required pam_wheel.so + + +AUTHOR + +pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. + diff --git a/Linux-PAM/modules/pam_localuser/README.xml b/Linux-PAM/modules/pam_localuser/README.xml new file mode 100644 index 00000000..4ab56d9d --- /dev/null +++ b/Linux-PAM/modules/pam_localuser/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_localuser.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_localuser.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_localuser-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_localuser/pam_localuser.8 b/Linux-PAM/modules/pam_localuser/pam_localuser.8 index ce0a9465..e88f0b57 100644 --- a/Linux-PAM/modules/pam_localuser/pam_localuser.8 +++ b/Linux-PAM/modules/pam_localuser/pam_localuser.8 @@ -1,36 +1,88 @@ -.\" Copyright 2000 Red Hat, Inc. -.TH pam_localuser 8 2000/7/21 "Red Hat" "System Administrator's Manual" - -.SH NAME +.\" Title: pam_localuser +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/> +.\" Date: 12/13/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_LOCALUSER" "8" "12/13/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" pam_localuser \- require users to be listed in /etc/passwd +.SH "SYNOPSIS" +.HP 17 +\fBpam_localuser.so\fR [debug] [file=\fI/path/passwd\fR] +.SH "DESCRIPTION" +.PP +pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network's users and a few accounts that are local to a particular workstation. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network's users. +.PP +This could also be implemented using pam_listfile.so and a very short awk script invoked by cron, but it's common enough to have been separated out. +.SH "OPTIONS" +.PP +.PP +\fBdebug\fR +.RS 3n +Print debug information. +.RE +.PP +\fBfile=\fR\fB\fI/path/passwd\fR\fR +.RS 3n +Use a file other than +\fI/etc/passwd\fR. +.RE +.SH "MODULE SERVICES PROVIDED" +.PP +All services (\fBaccount\fR, +\fBauth\fR, +\fBpassword\fR +and +\fBsession\fR) are supported. +.SH "RETURN VALUES" +.PP +.PP +PAM_SUCCESS +.RS 3n +The new localuser was set successfull. +.RE +.PP +PAM_SERVICE_ERR +.RS 3n +No username was given. +.RE +.PP +PAM_USER_UNKNOWN +.RS 3n +User not known. +.RE +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/su\fR +to allow only local users in group wheel to use su. +.sp +.RS 3n +.nf +account sufficient pam_localuser.so +account required pam_wheel.so + +.fi +.RE +.sp +.SH "FILES" +.PP +\fI/etc/passwd\fR +.RS 3n +Local user account information. +.RE +.SH "SEE ALSO" +.PP -.SH SYNOPSIS -.B account sufficient /lib/security/pam_localuser.so \fIargs\fP -.br -.B account required /lib/security/pam_wheel.so group=devel - -.SH DESCRIPTION -pam_localuser.so exists to help implement site-wide login policies, where -they typically include a subset of the network's users and a few accounts -that are local to a particular workstation. Using pam_localuser.so and -pam_wheel.so or pam_listfile.so is an effective way to restrict access to -either local users and/or a subset of the network's users. - -This could also be implemented using pam_listfile.so and a very short awk -script invoked by cron, but it's common enough to have been separated out. - -.SH ARGUMENTS -.IP debug -turns on debugging -.IP file=\fBFILE\fP -uses a file other than \fB/etc/passwd\fP. - -.SH FILES -/etc/passwd - -.SH BUGS -Let's hope not, but if you find any, please report them via the "Bug Track" -link at http://bugzilla.redhat.com/bugzilla/ - -.SH AUTHOR -Nalin Dahyabhai <nalin@redhat.com> +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. diff --git a/Linux-PAM/modules/pam_localuser/pam_localuser.8.xml b/Linux-PAM/modules/pam_localuser/pam_localuser.8.xml new file mode 100644 index 00000000..ac00ce99 --- /dev/null +++ b/Linux-PAM/modules/pam_localuser/pam_localuser.8.xml @@ -0,0 +1,173 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_localuser"> + + <refmeta> + <refentrytitle>pam_localuser</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_localuser-name"> + <refname>pam_localuser</refname> + <refpurpose>require users to be listed in /etc/passwd</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_localuser-cmdsynopsis"> + <command>pam_localuser.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + file=<replaceable>/path/passwd</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_localuser-description"> + + <title>DESCRIPTION</title> + + <para> + pam_localuser is a PAM module to help implementing site-wide login + policies, where they typically include a subset of the network's + users and a few accounts that are local to a particular workstation. + Using pam_localuser and pam_wheel or pam_listfile is an effective + way to restrict access to either local users and/or a subset of the + network's users. + </para> + <para> + This could also be implemented using pam_listfile.so and a very + short awk script invoked by cron, but it's common enough to have + been separated out. + </para> + + </refsect1> + + <refsect1 id="pam_localuser-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>file=<replaceable>/path/passwd</replaceable></option> + </term> + <listitem> + <para> + Use a file other than <filename>/etc/passwd</filename>. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_localuser-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All services (<option>account</option>, <option>auth</option>, + <option>password</option> and <option>session</option>) are supported. + </para> + </refsect1> + + <refsect1 id='pam_localuser-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new localuser was set successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + No username was given. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_localuser-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/su</filename> to + allow only local users in group wheel to use su. + <programlisting> +account sufficient pam_localuser.so +account required pam_wheel.so + </programlisting> + </para> + </refsect1> + + <refsect1 id="pam_localuser-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/passwd</filename></term> + <listitem> + <para>Local user account information.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_localuser-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_localuser-author'> + <title>AUTHOR</title> + <para> + pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_localuser/pam_localuser.c b/Linux-PAM/modules/pam_localuser/pam_localuser.c index e5496089..aa43bc4c 100644 --- a/Linux-PAM/modules/pam_localuser/pam_localuser.c +++ b/Linux-PAM/modules/pam_localuser/pam_localuser.c @@ -33,7 +33,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "../../_pam_aconf.h" +#include "config.h" #include <errno.h> #include <limits.h> @@ -49,13 +49,15 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT -#include "../../libpam/include/security/pam_modules.h" -#include "../../libpam/include/security/_pam_macros.h" +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> #define MODULE_NAME "pam_localuser" -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int i, ret = PAM_SUCCESS; FILE *fp; @@ -74,10 +76,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar if(strncmp("file=", argv[i], 5) == 0) { filename = argv[i] + 5; if(debug) { - openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); - syslog(LOG_DEBUG, "set filename to \"%s\"", - filename); - closelog(); + pam_syslog (pamh, LOG_DEBUG, + "set filename to \"%s\"", + filename); } } } @@ -85,25 +86,19 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar /* open the file */ fp = fopen(filename, "r"); if(fp == NULL) { - openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); - syslog(LOG_ERR, "error opening \"%s\": %s", filename, - strerror(errno)); - closelog(); + pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", + filename); return PAM_SYSTEM_ERR; } if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); - syslog(LOG_ERR, "user name not specified yet"); - closelog(); + pam_syslog (pamh, LOG_ERR, "user name not specified yet"); fclose(fp); return PAM_SYSTEM_ERR; } if ((user == NULL) || (strlen(user) == 0)) { - openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); - syslog(LOG_ERR, "user name not valid"); - closelog(); + pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); return PAM_SYSTEM_ERR; } @@ -115,9 +110,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar i = strlen(name); while(fgets(line, sizeof(line), fp) != NULL) { if(debug) { - openlog(MODULE_NAME, LOG_PID, LOG_AUTHPRIV); - syslog(LOG_DEBUG, "checking \"%s\"", line); - closelog(); + pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); } if(strncmp(name, line, i) == 0) { ret = PAM_SUCCESS; @@ -125,19 +118,41 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar } } - /* okay, we're done */ + /* okay, we're done */ fclose(fp); return ret; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_chauthtok (pam_handle_t *pamh, int flags, + int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } @@ -151,9 +166,9 @@ struct pam_module _pam_localuser_modstruct = { pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, - NULL, - NULL, - NULL, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok }; #endif diff --git a/Linux-PAM/modules/pam_localuser/tst-pam_localuser b/Linux-PAM/modules/pam_localuser/tst-pam_localuser new file mode 100755 index 00000000..2bcdf6b9 --- /dev/null +++ b/Linux-PAM/modules/pam_localuser/tst-pam_localuser @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_localuser.so diff --git a/Linux-PAM/modules/pam_loginuid/Makefile.am b/Linux-PAM/modules/pam_loginuid/Makefile.am new file mode 100644 index 00000000..6f2d84b0 --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid + +man_MANS = pam_loginuid.8 + +XMLS = README.xml pam_loginuid.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBAUDIT@ +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_loginuid.la + +if ENABLE_REGENERATE_MAN + +noinst_DATA = README + +README: pam_loginuid.8.xml + +-include $(top_srcdir)/Make.xml.rules +endif + +TESTS = tst-pam_loginuid diff --git a/Linux-PAM/modules/pam_loginuid/Makefile.in b/Linux-PAM/modules/pam_loginuid/Makefile.in new file mode 100644 index 00000000..4a4edd3c --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/Makefile.in @@ -0,0 +1,667 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_loginuid +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_loginuid_la_LIBADD = +pam_loginuid_la_SOURCES = pam_loginuid.c +pam_loginuid_la_OBJECTS = pam_loginuid.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_loginuid.c +DIST_SOURCES = pam_loginuid.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid +man_MANS = pam_loginuid.8 +XMLS = README.xml pam_loginuid.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBAUDIT@ $(am__append_1) +securelib_LTLIBRARIES = pam_loginuid.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +TESTS = tst-pam_loginuid +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_loginuid/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_loginuid/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_loginuid.la: $(pam_loginuid_la_OBJECTS) $(pam_loginuid_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_loginuid_la_OBJECTS) $(pam_loginuid_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_loginuid.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_loginuid.8.xml + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_loginuid/README b/Linux-PAM/modules/pam_loginuid/README new file mode 100644 index 00000000..f07cffeb --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/README @@ -0,0 +1,29 @@ +pam_loginuid — Record user's login uid to the process attribute + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_loginuid module sets the loginuid process attribute for the process +that was authenticated. This is necessary for applications to be correctly +audited. This PAM module should only be used for entry point applications like: +login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point +applications besides these. You should not use it for applications like sudo or +su as that defeats the purpose by changing the loginuid to the account they +just switched to. + +EXAMPLES + +#%PAM-1.0 +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so +session required pam_loginuid.so + + +AUTHOR + +pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> + diff --git a/Linux-PAM/modules/pam_loginuid/README.xml b/Linux-PAM/modules/pam_loginuid/README.xml new file mode 100644 index 00000000..3bcd38ab --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/README.xml @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_loginuid.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_loginuid.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_loginuid-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_loginuid/pam_loginuid.8 b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8 new file mode 100644 index 00000000..ef0f95f1 --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8 @@ -0,0 +1,59 @@ +.\" Title: pam_loginuid +.\" Author: +.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 <http://docbook.sf.net/> +.\" Date: 09/06/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_LOGINUID" "8" "09/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_loginuid \- Record user's login uid to the process attribute +.SH "SYNOPSIS" +.HP 16 +\fBpam_loginuid.so\fR [require_auditd] +.SH "DESCRIPTION" +.PP +The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to. +.SH "OPTIONS" +.TP 3n +\fBrequire_auditd\fR +This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running. +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SESSION_ERR +An error occured during session management. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +#%PAM\-1.0 +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so +session required pam_loginuid.so + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8), +\fBauditctl\fR(8), +\fBauditd\fR(8) +.SH "AUTHOR" +.PP +pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> diff --git a/Linux-PAM/modules/pam_loginuid/pam_loginuid.8.xml b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8.xml new file mode 100644 index 00000000..f50336d0 --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8.xml @@ -0,0 +1,125 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_loginuid"> + + <refmeta> + <refentrytitle>pam_loginuid</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_loginuid-name"> + <refname>pam_loginuid</refname> + <refpurpose>Record user's login uid to the process attribute</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_loginuid-cmdsynopsis"> + <command>pam_loginuid.so</command> + <arg choice="opt"> + require_auditd + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_loginuid-description"> + + <title>DESCRIPTION</title> + + <para> + The pam_loginuid module sets the loginuid process attribute for the + process that was authenticated. This is necessary for applications + to be correctly audited. This PAM module should only be used for entry + point applications like: login, sshd, gdm, vsftpd, crond and atd. + There are probably other entry point applications besides these. + You should not use it for applications like sudo or su as that + defeats the purpose by changing the loginuid to the account they just + switched to. + </para> + </refsect1> + + <refsect1 id="pam_loginuid-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>require_auditd</option> + </term> + <listitem> + <para> + This option, when given, will cause this module to query + the audit daemon status and deny logins if it is not running. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_loginuid-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_loginuid-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + An error occured during session management. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_loginuid-examples'> + <title>EXAMPLES</title> + <programlisting> +#%PAM-1.0 +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so +session required pam_loginuid.so + </programlisting> + </refsect1> + + <refsect1 id='pam_loginuid-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_loginuid-author'> + <title>AUTHOR</title> + <para> + pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_loginuid/pam_loginuid.c b/Linux-PAM/modules/pam_loginuid/pam_loginuid.c new file mode 100644 index 00000000..13d915e3 --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/pam_loginuid.c @@ -0,0 +1,240 @@ +/* pam_loginuid.c -- + * Copyright 2005 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * + * PAM module that sets the login uid introduced in kernel 2.6.11 + */ + +#include "config.h" +#include <stdio.h> +#include <stdarg.h> +#include <syslog.h> +#include <string.h> +#include <pwd.h> +#include <unistd.h> +#include <limits.h> +#include <errno.h> + +#include <security/pam_modules.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> + +#include <fcntl.h> + +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#include <sys/select.h> +#include <errno.h> +#endif + +/* + * This function writes the loginuid to the /proc system. It returns + * 0 on success and 1 on failure. + */ +static int set_loginuid(pam_handle_t *pamh, uid_t uid) +{ + int fd, count, rc = 0; + char loginuid[24]; + + count = snprintf(loginuid, sizeof(loginuid), "%d", uid); + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + if (fd < 0) { + int loglevel = LOG_DEBUG; + if (errno != ENOENT) { + rc = 1; + loglevel = LOG_ERR; + } + pam_syslog(pamh, loglevel, "set_loginuid failed opening loginuid"); + return rc; + } + if (pam_modutil_write(fd, loginuid, count) != count) + rc = 1; + close(fd); + return rc; +} + +#ifdef HAVE_LIBAUDIT +/* + * This function is called only if "require_auditd" option is passed. It is + * called after loginuid has been set. The purpose is to disallow logins + * should the audit daemon not be running or crashed. It returns PAM_SUCCESS + * if the audit daemon is running and PAM_SESSION_ERR otherwise. + */ +static int check_auditd(void) +{ + int fd, retval; + + fd = audit_open(); + if (fd < 0) { + /* This is here to let people that build their own kernel + and disable the audit system get in. You get these error + codes only when the kernel doesn't have audit + compiled in. */ + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return PAM_SUCCESS; + return PAM_SESSION_ERR; + } + retval = audit_request_status(fd); + if (retval > 0) { + struct audit_reply rep; + int i; + int timeout = 30; /* tenths of seconds */ + fd_set read_mask; + + FD_ZERO(&read_mask); + FD_SET(fd, &read_mask); + + for (i = 0; i < timeout; i++) { + struct timeval t; + int rc; + + t.tv_sec = 0; + t.tv_usec = 100000; + do { + rc = select(fd+1, &read_mask, NULL, NULL, &t); + } while (rc < 0 && errno == EINTR); + + rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0); + if (rc > 0) { + /* If we get done or error, break out */ + if (rep.type == NLMSG_DONE || + rep.type == NLMSG_ERROR) + break; + + /* If its not status, keep looping */ + if (rep.type != AUDIT_GET) + continue; + + /* Found it... */ + close(fd); + if (rep.status->pid == 0) + return PAM_SESSION_ERR; + else + return PAM_SUCCESS; + } + } + } + close(fd); + if (retval == -ECONNREFUSED) { + /* This is here to let people that build their own kernel + and disable the audit system get in. ECONNREFUSED is + issued by the kernel when there is "no on listening". */ + return PAM_SUCCESS; + } else if (retval == -EPERM && getuid() != 0) { + /* If we get this, then the kernel supports auditing + * but we don't have enough privilege to write to the + * socket. Therefore, we have already been authenticated + * and we are a common user. Just act as though auditing + * is not enabled. Any other error we take seriously. */ + return PAM_SUCCESS; + } + + return PAM_SESSION_ERR; +} +#endif + +/* + * Initialize audit session for user + */ +static int +_pam_loginuid(pam_handle_t *pamh, int flags UNUSED, +#ifdef HAVE_LIBAUDIT + int argc, const char **argv +#else + int argc UNUSED, const char **argv UNUSED +#endif +) +{ + const char *user = NULL; + struct passwd *pwd; +#ifdef HAVE_LIBAUDIT + int require_auditd = 0; +#endif + + /* get user name */ + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) + { + pam_syslog(pamh, LOG_ERR, "error recovering login user-name"); + return PAM_SESSION_ERR; + } + + /* get user info */ + if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) { + pam_syslog(pamh, LOG_ERR, + "error: login user-name '%s' does not exist", user); + return PAM_SESSION_ERR; + } + + if (set_loginuid(pamh, pwd->pw_uid)) { + pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n"); + return PAM_SESSION_ERR; + } + +#ifdef HAVE_LIBAUDIT + while (argc-- > 0) { + if (strcmp(*argv, "require_auditd") == 0) + require_auditd = 1; + argv++; + } + + if (require_auditd) + return check_auditd(); + else +#endif + return PAM_SUCCESS; +} + +/* + * PAM routines + * + * This is here for vsftpd which doesn't seem to run the session stack + */ +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return _pam_loginuid(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return _pam_loginuid(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +/* static module data */ +#ifdef PAM_STATIC +struct pam_module _pam_loginuid_modstruct = { + "pam_loginuid", + NULL, + NULL, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif diff --git a/Linux-PAM/modules/pam_loginuid/tst-pam_loginuid b/Linux-PAM/modules/pam_loginuid/tst-pam_loginuid new file mode 100755 index 00000000..bd1e83b7 --- /dev/null +++ b/Linux-PAM/modules/pam_loginuid/tst-pam_loginuid @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_loginuid.so diff --git a/Linux-PAM/modules/pam_mail/Makefile b/Linux-PAM/modules/pam_mail/Makefile deleted file mode 100644 index 2d9b8e9a..00000000 --- a/Linux-PAM/modules/pam_mail/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_mail - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_mail/Makefile.am b/Linux-PAM/modules/pam_mail/Makefile.am new file mode 100644 index 00000000..95a25a61 --- /dev/null +++ b/Linux-PAM/modules/pam_mail/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail + +man_MANS = pam_mail.8 +XMLS = README.xml pam_mail.8.xml + +TESTS = tst-pam_mail + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_mail.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_mail.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_mail/Makefile.in b/Linux-PAM/modules/pam_mail/Makefile.in new file mode 100644 index 00000000..bacd62ca --- /dev/null +++ b/Linux-PAM/modules/pam_mail/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_mail +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_mail_la_LIBADD = +pam_mail_la_SOURCES = pam_mail.c +pam_mail_la_OBJECTS = pam_mail.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_mail.c +DIST_SOURCES = pam_mail.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail +man_MANS = pam_mail.8 +XMLS = README.xml pam_mail.8.xml +TESTS = tst-pam_mail +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_mail.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_mail/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_mail/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_mail.la: $(pam_mail_la_OBJECTS) $(pam_mail_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_mail_la_OBJECTS) $(pam_mail_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mail.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_mail.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_mail/README b/Linux-PAM/modules/pam_mail/README index 155bd1db..a0a0b7d9 100644 --- a/Linux-PAM/modules/pam_mail/README +++ b/Linux-PAM/modules/pam_mail/README @@ -1,17 +1,71 @@ -This is the README for pam_mail -------------------------------- - -This PAM module tells the User that he has new/unread email. - -Options for: -auth: for authentication it provides pam_authenticate() and - pam_setcred() hooks. - - "debug" write more information to syslog - "dir=maildir" users mailbox is maildir/<login> - "hash=count" mail directory hash depth - "close" print message also on logout - "nopen" print message not on login - "noenv" don't set the MAIL environment variable - "empty" also print message if user has no mail +pam_mail — Inform about available mail + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_mail PAM module provides the "you have new mail" service to the user. +It can be plugged into any application that has credential or session hooks. It +gives a single message indicating the newness of any mail it finds in the +user's mail folder. This module also sets the PAM environment variable, MAIL, +to the user's mail directory. + +If the mail spool file (be it /var/mail/$USER or a pathname given with the dir= +parameter) is a directory then pam_mail assumes it is in the Maildir format. + +OPTIONS + +close + + Indicate if the user has any mail also on logout. + +debug + + Print debug information. + +dir=maildir + + Look for the users' mail in an alternative location defined by maildir/ + <login>. The default location for mail is /var/mail/<login>. Note, if the + supplied maildir is prefixed by a '~', the directory is interpreted as + indicating a file in the user's home directory. + +empty + + Also print message if user has no mail. + +hash=count + + Mail directory hash depth. For example, a hashcount of 2 would make the + mail file be /var/spool/mail/u/s/user. + +noenv + + Do not set the MAIL environment variable. + +nopen + + Don't print any mail information on login. This flag is useful to get the + MAIL environment variable set, but to not display any information about it. + +quiet + + Only report when there is new mail. + +standard + + Old style "You have..." format which doesn't show the mail spool being + used. This also implies "empty". + +EXAMPLES + +Add the following line to /etc/pam.d/login to indicate that the user has new +mail when they login to the system. + +session optional pam_mail.so standard + + +AUTHOR + +pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_mail/README.xml b/Linux-PAM/modules/pam_mail/README.xml new file mode 100644 index 00000000..4165d857 --- /dev/null +++ b/Linux-PAM/modules/pam_mail/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_mail.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mail.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mail-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_mail/pam_mail.8 b/Linux-PAM/modules/pam_mail/pam_mail.8 new file mode 100644 index 00000000..6d8a69a8 --- /dev/null +++ b/Linux-PAM/modules/pam_mail/pam_mail.8 @@ -0,0 +1,113 @@ +.\" Title: pam_mail +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_MAIL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_mail \- Inform about available mail +.SH "SYNOPSIS" +.HP 12 +\fBpam_mail.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard] +.SH "DESCRIPTION" +.PP +The pam_mail PAM module provides the "you have new mail" service to the user. It can be plugged into any application that has credential or session hooks. It gives a single message indicating the +\fInewness\fR +of any mail it finds in the user's mail folder. This module also sets the PAM environment variable, +\fBMAIL\fR, to the user's mail directory. +.PP +If the mail spool file (be it +\fI/var/mail/$USER\fR +or a pathname given with the +\fBdir=\fR +parameter) is a directory then pam_mail assumes it is in the +\fIMaildir\fR +format. +.SH "OPTIONS" +.PP +.TP 3n +\fBclose\fR +Indicate if the user has any mail also on logout. +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBdir=\fR\fB\fImaildir\fR\fR +Look for the users' mail in an alternative location defined by +\fImaildir/<login>\fR. The default location for mail is +\fI/var/mail/<login>\fR. Note, if the supplied +\fImaildir\fR +is prefixed by a '~', the directory is interpreted as indicating a file in the user's home directory. +.TP 3n +\fBempty\fR +Also print message if user has no mail. +.TP 3n +\fBhash=\fR\fB\fIcount\fR\fR +Mail directory hash depth. For example, a +\fIhashcount\fR +of 2 would make the mail file be +\fI/var/spool/mail/u/s/user\fR. +.TP 3n +\fBnoenv\fR +Do not set the +\fBMAIL\fR +environment variable. +.TP 3n +\fBnopen\fR +Don't print any mail information on login. This flag is useful to get the +\fBMAIL\fR +environment variable set, but to not display any information about it. +.TP 3n +\fBquiet\fR +Only report when there is new mail. +.TP 3n +\fBstandard\fR +Old style "You have..." format which doesn't show the mail spool being used. This also implies "empty". +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_SERVICE_ERR +Badly formed arguments. +.TP 3n +PAM_SUCCESS +Success. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to indicate that the user has new mail when they login to the system. +.sp +.RS 3n +.nf +session optional pam_mail.so standard + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_mail/pam_mail.8.xml b/Linux-PAM/modules/pam_mail/pam_mail.8.xml new file mode 100644 index 00000000..d3c481a5 --- /dev/null +++ b/Linux-PAM/modules/pam_mail/pam_mail.8.xml @@ -0,0 +1,279 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_mail"> + + <refmeta> + <refentrytitle>pam_mail</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_mail-name"> + <refname>pam_mail</refname> + <refpurpose>Inform about available mail</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_mail-cmdsynopsis"> + <command>pam_mail.so</command> + <arg choice="opt"> + close + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + dir=<replaceable>maildir</replaceable> + </arg> + <arg choice="opt"> + empty + </arg> + <arg choice="opt"> + hash=<replaceable>count</replaceable> + </arg> + <arg choice="opt"> + noenv + </arg> + <arg choice="opt"> + nopen + </arg> + <arg choice="opt"> + quit + </arg> + <arg choice="opt"> + standard + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_mail-description"> + + <title>DESCRIPTION</title> + + <para> + The pam_mail PAM module provides the "you have new mail" + service to the user. It can be plugged into any application + that has credential or session hooks. It gives a single message + indicating the <emphasis>newness</emphasis> of any mail it finds + in the user's mail folder. This module also sets the PAM + environment variable, <emphasis remap='B'>MAIL</emphasis>, to the + user's mail directory. + </para> + <para> + If the mail spool file (be it <filename>/var/mail/$USER</filename> + or a pathname given with the <option>dir=</option> parameter) is + a directory then pam_mail assumes it is in the + <emphasis remap='I'>Maildir</emphasis> format. + </para> + </refsect1> + + <refsect1 id="pam_mail-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>close</option> + </term> + <listitem> + <para> + Indicate if the user has any mail also on logout. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dir=<replaceable>maildir</replaceable></option> + </term> + <listitem> + <para> + Look for the users' mail in an alternative location defined by + <filename>maildir/<login></filename>. The default + location for mail is <filename>/var/mail/<login></filename>. + Note, if the supplied + <filename>maildir</filename> is prefixed by a '~', the + directory is interpreted as indicating a file in the user's + home directory. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>empty</option> + </term> + <listitem> + <para> + Also print message if user has no mail. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>hash=<replaceable>count</replaceable></option> + </term> + <listitem> + <para> + Mail directory hash depth. For example, a + <emphasis>hashcount</emphasis> of 2 would + make the mail file be + <filename>/var/spool/mail/u/s/user</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>noenv</option> + </term> + <listitem> + <para> + Do not set the <emphasis remap='B'>MAIL</emphasis> + environment variable. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>nopen</option> + </term> + <listitem> + <para> + Don't print any mail information on login. This flag is + useful to get the <emphasis remap='B'>MAIL</emphasis> + environment variable set, but to not display any information + about it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>quiet</option> + </term> + <listitem> + <para> + Only report when there is new mail. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>standard</option> + </term> + <listitem> + <para> + Old style "You have..." format which doesn't show the + mail spool being used. This also implies "empty". + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_mail-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <emphasis remap='B'>auth</emphasis> and + <emphasis remap='B'>account</emphasis> services are supported. + </para> + </refsect1> + + <refsect1 id='pam_mail-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Badly formed arguments. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_mail-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + indicate that the user has new mail when they login to the system. + <programlisting> +session optional pam_mail.so standard + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_mail-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_mail-author'> + <title>AUTHOR</title> + <para> + pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_mail/pam_mail.c b/Linux-PAM/modules/pam_mail/pam_mail.c index 7987cb28..7d43d5e0 100644 --- a/Linux-PAM/modules/pam_mail/pam_mail.c +++ b/Linux-PAM/modules/pam_mail/pam_mail.c @@ -1,14 +1,12 @@ /* pam_mail module */ /* - * $Id: pam_mail.c,v 1.6 2004/11/16 14:27:41 toady Exp $ - * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * $HOME additions by David Kinchlea <kinch@kinch.ark.com> 1997/1/7 * mailhash additions by Chris Adams <cadams@ro.com> 1998/7/11 */ -#include <security/_pam_aconf.h> +#include "config.h" #include <ctype.h> #include <pwd.h> @@ -21,18 +19,16 @@ #include <sys/types.h> #include <unistd.h> #include <dirent.h> +#include <errno.h> -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> +#ifdef HAVE_PATHS_H +#include <paths.h> #endif #define DEFAULT_MAIL_DIRECTORY PAM_PATH_MAILDIR #define MAIL_FILE_FORMAT "%s%s/%s" #define MAIL_ENV_NAME "MAIL" #define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s" -#define YOUR_MAIL_VERBOSE_FORMAT "You have %s mail in %s." -#define YOUR_MAIL_STANDARD_FORMAT "You have %smail." -#define NO_MAIL_STANDARD_FORMAT "No mail." /* * here, we make a definition for the externally accessible function @@ -46,20 +42,8 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-mail", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* argument parsing */ @@ -74,8 +58,14 @@ static void _log_err(int err, const char *format, ...) #define PAM_STANDARD_MAIL 0x0400 #define PAM_QUIET_MAIL 0x1000 -static int _pam_parse(int flags, int argc, const char **argv, char **maildir, - int *hashcount) +#define HAVE_NEW_MAIL 0x1 +#define HAVE_OLD_MAIL 0x2 +#define HAVE_NO_MAIL 0x3 +#define HAVE_MAIL 0x4 + +static int +_pam_parse (const pam_handle_t *pamh, int flags, int argc, + const char **argv, const char **maildir, size_t *hashcount) { int ctrl=0; @@ -97,18 +87,18 @@ static int _pam_parse(int flags, int argc, const char **argv, char **maildir, else if (!strcmp(*argv,"standard")) ctrl |= PAM_STANDARD_MAIL | PAM_EMPTY_TOO; else if (!strncmp(*argv,"dir=",4)) { - *maildir = x_strdup(4+*argv); - if (*maildir != NULL) { + *maildir = 4 + *argv; + if (**maildir != '\0') { D(("new mail directory: %s", *maildir)); ctrl |= PAM_NEW_MAIL_DIR; } else { - _log_err(LOG_CRIT, - "failed to duplicate mail directory - ignored"); + pam_syslog(pamh, LOG_ERR, + "dir= specification missing argument - ignored"); } } else if (!strncmp(*argv,"hash=",5)) { char *ep = NULL; - *hashcount = strtol(*argv+5,&ep,10); - if (!ep || (*hashcount < 0)) { + *hashcount = strtoul(*argv+5,&ep,10); + if (!ep) { *hashcount = 0; } } else if (!strcmp(*argv,"close")) { @@ -120,90 +110,56 @@ static int _pam_parse(int flags, int argc, const char **argv, char **maildir, } else if (!strcmp(*argv,"empty")) { ctrl |= PAM_EMPTY_TOO; } else { - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } if ((*hashcount != 0) && !(ctrl & PAM_NEW_MAIL_DIR)) { - *maildir = x_strdup(DEFAULT_MAIL_DIRECTORY); + *maildir = DEFAULT_MAIL_DIRECTORY; ctrl |= PAM_NEW_MAIL_DIR; } return ctrl; } -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS && conv ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (PAM_DEBUG_ARG & ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - if (retval == PAM_SUCCESS) - retval = PAM_BAD_ITEM; /* conv was NULL */ - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int get_folder(pam_handle_t *pamh, int ctrl, - char **path_mail, char **folder_p, int hashcount) +static int +get_folder(pam_handle_t *pamh, int ctrl, + const char *path_mail, char **folder_p, size_t hashcount) { int retval; const char *user, *path; - char *folder; - const struct passwd *pwd=NULL; + char *folder = NULL; + const struct passwd *pwd = NULL; retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS || user == NULL) { - _log_err(LOG_ERR, "no user specified"); - return PAM_USER_UNKNOWN; + pam_syslog(pamh, LOG_ERR, "cannot determine username"); + retval = PAM_USER_UNKNOWN; + goto get_folder_cleanup; } if (ctrl & PAM_NEW_MAIL_DIR) { - path = *path_mail; - if (*path == '~') { /* support for $HOME delivery */ - pwd = _pammodutil_getpwnam(pamh, user); + path = path_mail; + if (*path == '~') { /* support for $HOME delivery */ + pwd = pam_modutil_getpwnam(pamh, user); if (pwd == NULL) { - _log_err(LOG_ERR, "user [%s] unknown", user); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_USER_UNKNOWN; + pam_syslog(pamh, LOG_ERR, "user unknown"); + retval = PAM_USER_UNKNOWN; + goto get_folder_cleanup; } /* * "~/xxx" and "~xxx" are treated as same */ if (!*++path || (*path == '/' && !*++path)) { - _log_err(LOG_ALERT, "badly formed mail path [%s]", *path_mail); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_ABORT; + pam_syslog(pamh, LOG_ERR, + "badly formed mail path [%s]", path_mail); + retval = PAM_SERVICE_ERR; + goto get_folder_cleanup; } ctrl |= PAM_HOME_MAIL; if (hashcount != 0) { - _log_err(LOG_ALERT, "can't do hash= and home directory mail"); + pam_syslog(pamh, LOG_ERR, + "cannot do hash= and home directory mail"); } } } else { @@ -212,153 +168,188 @@ static int get_folder(pam_handle_t *pamh, int ctrl, /* put folder together */ + hashcount = hashcount < strlen(user) ? hashcount : strlen(user); + + retval = PAM_BUF_ERR; if (ctrl & PAM_HOME_MAIL) { - folder = malloc(sizeof(MAIL_FILE_FORMAT) - +strlen(pwd->pw_dir)+strlen(path)); + if (pwd == NULL) { + pwd = pam_modutil_getpwnam(pamh, user); + if (pwd == NULL) { + pam_syslog(pamh, LOG_ERR, "user unknown"); + retval = PAM_USER_UNKNOWN; + goto get_folder_cleanup; + } + } + if (asprintf(&folder, MAIL_FILE_FORMAT, pwd->pw_dir, "", path) < 0) + goto get_folder_cleanup; } else { - folder = malloc(sizeof(MAIL_FILE_FORMAT)+strlen(path)+strlen(user) - +2*hashcount); - } + int rc; + size_t i; + char *hash; - if (folder != NULL) { - if (ctrl & PAM_HOME_MAIL) { - sprintf(folder, MAIL_FILE_FORMAT, pwd->pw_dir, "", path); - } else { - int i; - char *hash = malloc(2*hashcount+1); + if ((hash = malloc(2 * hashcount + 1)) == NULL) + goto get_folder_cleanup; - if (hash) { - for (i = 0; i < hashcount; i++) { - hash[2*i] = '/'; - hash[2*i+1] = user[i]; - } - hash[2*i] = '\0'; - sprintf(folder, MAIL_FILE_FORMAT, path, hash, user); - _pam_overwrite(hash); - _pam_drop(hash); - } else { - _pam_drop(folder); - _log_err(LOG_CRIT, "out of memory for mail folder"); - return PAM_BUF_ERR; - } + for (i = 0; i < hashcount; i++) { + hash[2 * i] = '/'; + hash[2 * i + 1] = user[i]; } - D(("folder =[%s]", folder)); + hash[2 * i] = '\0'; + + rc = asprintf(&folder, MAIL_FILE_FORMAT, path, hash, user); + _pam_overwrite(hash); + _pam_drop(hash); + if (rc < 0) + goto get_folder_cleanup; } + D(("folder=[%s]", folder)); + retval = PAM_SUCCESS; /* tidy up */ - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); + get_folder_cleanup: user = NULL; - - if (folder == NULL) { - _log_err(LOG_CRIT, "out of memory for mail folder"); - return PAM_BUF_ERR; - } + path = NULL; *folder_p = folder; folder = NULL; - return PAM_SUCCESS; + if (retval == PAM_BUF_ERR) + pam_syslog(pamh, LOG_CRIT, "out of memory for mail folder"); + + return retval; } -static const char *get_mail_status(int ctrl, const char *folder) +static int +get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) { - const char *type = NULL; - static char dir[256]; + int type = 0; struct stat mail_st; - struct dirent **namelist; - int i; - if (stat(folder, &mail_st) == 0) { - if (S_ISDIR(mail_st.st_mode)) { /* Assume Maildir format */ - sprintf(dir, "%.250s/new", folder); + if (stat(folder, &mail_st) < 0) + return 0; + + if (S_ISDIR(mail_st.st_mode)) { /* Assume Maildir format */ + int i, save_errno; + char *dir; + struct dirent **namelist; + + if (asprintf(&dir, "%s/new", folder) < 0) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + goto get_mail_status_cleanup; + } + i = scandir(dir, &namelist, 0, alphasort); + save_errno = errno; + _pam_overwrite(dir); + _pam_drop(dir); + if (i < 0) { + type = 0; + namelist = NULL; + if (save_errno == ENOMEM) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + goto get_mail_status_cleanup; + } + } + type = (i > 2) ? HAVE_NEW_MAIL : 0; + while (--i >= 0) + _pam_drop(namelist[i]); + _pam_drop(namelist); + if (type == 0) { + if (asprintf(&dir, "%s/cur", folder) < 0) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + goto get_mail_status_cleanup; + } i = scandir(dir, &namelist, 0, alphasort); - if (i > 2) { - type = "new"; - while (--i) - free(namelist[i]); - } else { - while (--i >= 0) - free(namelist[i]); - sprintf(dir, "%.250s/cur", folder); - i = scandir(dir, &namelist, 0, alphasort); - if (i > 2) { - type = "old"; - while (--i) - free(namelist[i]); - } else if (ctrl & PAM_EMPTY_TOO) { - while (--i >= 0) - free(namelist[i]); - type = "no"; - } else { - type = NULL; + save_errno = errno; + _pam_overwrite(dir); + _pam_drop(dir); + if (i < 0) { + type = 0; + namelist = NULL; + if (save_errno == ENOMEM) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + goto get_mail_status_cleanup; } } + if (i > 2) + type = HAVE_OLD_MAIL; + else + type = (ctrl & PAM_EMPTY_TOO) ? HAVE_NO_MAIL : 0; + while (--i >= 0) + _pam_drop(namelist[i]); + _pam_drop(namelist); + } + } else { + if (mail_st.st_size > 0) { + if (mail_st.st_atime < mail_st.st_mtime) /* new */ + type = HAVE_NEW_MAIL; + else /* old */ + type = (ctrl & PAM_STANDARD_MAIL) ? HAVE_MAIL : HAVE_OLD_MAIL; + } else if (ctrl & PAM_EMPTY_TOO) { + type = HAVE_NO_MAIL; } else { - if (mail_st.st_size > 0) { - if (mail_st.st_atime < mail_st.st_mtime) /* new */ - type = (ctrl & PAM_STANDARD_MAIL) ? "new " : "new"; - else /* old */ - type = (ctrl & PAM_STANDARD_MAIL) ? "" : "old"; - } else if (ctrl & PAM_EMPTY_TOO) { - type = "no"; - } else { - type = NULL; - } + type = 0; } } - memset(dir, 0, 256); + get_mail_status_cleanup: memset(&mail_st, 0, sizeof(mail_st)); - D(("user has %s mail in %s folder", type, folder)); + D(("user has %d mail in %s folder", type, folder)); return type; } -static int report_mail(pam_handle_t *pamh, int ctrl - , const char *type, const char *folder) +static int +report_mail(pam_handle_t *pamh, int ctrl, int type, const char *folder) { int retval; - if (!(ctrl & PAM_MAIL_SILENT) || ((ctrl & PAM_QUIET_MAIL) && strcmp(type, "new"))) { - char *remark; - + if (!(ctrl & PAM_MAIL_SILENT) || + ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL)) + { if (ctrl & PAM_STANDARD_MAIL) - if (!strcmp(type, "no")) - remark = malloc(strlen(NO_MAIL_STANDARD_FORMAT)+1); - else - remark = malloc(strlen(YOUR_MAIL_STANDARD_FORMAT)+strlen(type)+1); + switch (type) + { + case HAVE_NO_MAIL: + retval = pam_info (pamh, "%s", _("No mail.")); + break; + case HAVE_NEW_MAIL: + retval = pam_info (pamh, "%s", _("You have new mail.")); + break; + case HAVE_OLD_MAIL: + retval = pam_info (pamh, "%s", _("You have old mail.")); + break; + case HAVE_MAIL: + default: + retval = pam_info (pamh, "%s", _("You have mail.")); + break; + } else - remark = malloc(strlen(YOUR_MAIL_VERBOSE_FORMAT)+strlen(type)+strlen(folder)+1); - if (remark == NULL) { - retval = PAM_BUF_ERR; - } else { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - - if (ctrl & PAM_STANDARD_MAIL) - if (!strcmp(type, "no")) - sprintf(remark, NO_MAIL_STANDARD_FORMAT); - else - sprintf(remark, YOUR_MAIL_STANDARD_FORMAT, type); - else - sprintf(remark, YOUR_MAIL_VERBOSE_FORMAT, type, folder); - - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; - - retval = converse(pamh, ctrl, 1, mesg, &resp); - - _pam_overwrite(remark); - _pam_drop(remark); - if (resp) - _pam_drop_reply(resp, 1); - } - } else { + switch (type) + { + case HAVE_NO_MAIL: + retval = pam_info (pamh, _("You have no mail in folder %s."), + folder); + break; + case HAVE_NEW_MAIL: + retval = pam_info (pamh, _("You have new mail in folder %s."), + folder); + break; + case HAVE_OLD_MAIL: + retval = pam_info (pamh, _("You have old mail in folder %s."), + folder); + break; + case HAVE_MAIL: + default: + retval = pam_info (pamh, _("You have mail in folder %s."), + folder); + break; + } + } + else + { D(("keeping quiet")); retval = PAM_SUCCESS; - } + } D(("returning %s", pam_strerror(pamh, retval))); return retval; @@ -368,9 +359,9 @@ static int _do_mail(pam_handle_t *, int, int, const char **, int); /* --- authentication functions --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc, - const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } @@ -408,16 +399,17 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, static int _do_mail(pam_handle_t *pamh, int flags, int argc, const char **argv, int est) { - int retval, ctrl, hashcount; - char *path_mail=NULL, *folder; - const char *type; + int retval, ctrl, type; + size_t hashcount; + char *folder = NULL; + const char *path_mail = NULL; /* * this module (un)sets the MAIL environment variable, and checks if * the user has any new mail. */ - ctrl = _pam_parse(flags, argc, argv, &path_mail, &hashcount); + ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount); /* Do we have anything to do? */ @@ -426,7 +418,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, /* which folder? */ - retval = get_folder(pamh, ctrl, &path_mail, &folder, hashcount); + retval = get_folder(pamh, ctrl, path_mail, &folder, hashcount); if (retval != PAM_SUCCESS) { D(("failed to find folder")); return retval; @@ -437,24 +429,21 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, if (!(ctrl & PAM_NO_ENV) && est) { char *tmp; - tmp = malloc(strlen(folder)+sizeof(MAIL_ENV_FORMAT)); - if (tmp != NULL) { - sprintf(tmp, MAIL_ENV_FORMAT, folder); - D(("setting env: %s", tmp)); - retval = pam_putenv(pamh, tmp); - _pam_overwrite(tmp); - _pam_drop(tmp); - if (retval != PAM_SUCCESS) { - _pam_overwrite(folder); - _pam_drop(folder); - _log_err(LOG_CRIT, "unable to set " MAIL_ENV_NAME " variable"); - return retval; - } - } else { - _log_err(LOG_CRIT, "no memory for " MAIL_ENV_NAME " variable"); - _pam_overwrite(folder); - _pam_drop(folder); - return retval; + if (asprintf(&tmp, MAIL_ENV_FORMAT, folder) < 0) { + pam_syslog(pamh, LOG_CRIT, + "no memory for " MAIL_ENV_NAME " variable"); + retval = PAM_BUF_ERR; + goto do_mail_cleanup; + } + D(("setting env: %s", tmp)); + retval = pam_putenv(pamh, tmp); + _pam_overwrite(tmp); + _pam_drop(tmp); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_CRIT, + "unable to set " MAIL_ENV_NAME " variable"); + retval = PAM_BUF_ERR; + goto do_mail_cleanup; } } else { D(("not setting " MAIL_ENV_NAME " variable")); @@ -466,10 +455,10 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, if ((est && !(ctrl & PAM_NO_LOGIN)) || (!est && (ctrl & PAM_LOGOUT_TOO))) { - type = get_mail_status(ctrl, folder); - if (type != NULL) { + type = get_mail_status(pamh, ctrl, folder); + if (type != 0) { retval = report_mail(pamh, ctrl, type, folder); - type = NULL; + type = 0; } } @@ -477,7 +466,8 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, if ( ! est && ! (ctrl & PAM_NO_ENV) ) (void) pam_putenv(pamh, MAIL_ENV_NAME); - _pam_overwrite(folder); /* clean up */ + do_mail_cleanup: + _pam_overwrite(folder); _pam_drop(folder); /* indicate success or failure */ diff --git a/Linux-PAM/modules/pam_mail/tst-pam_mail b/Linux-PAM/modules/pam_mail/tst-pam_mail new file mode 100755 index 00000000..99fb7ed0 --- /dev/null +++ b/Linux-PAM/modules/pam_mail/tst-pam_mail @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_mail.so diff --git a/Linux-PAM/modules/pam_mkhomedir/Makefile b/Linux-PAM/modules/pam_mkhomedir/Makefile deleted file mode 100644 index f017f4a4..00000000 --- a/Linux-PAM/modules/pam_mkhomedir/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.3 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_mkhomedir - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_mkhomedir/Makefile.am b/Linux-PAM/modules/pam_mkhomedir/Makefile.am new file mode 100644 index 00000000..1feea688 --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/Makefile.am @@ -0,0 +1,33 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir + +man_MANS = pam_mkhomedir.8 + +XMLS = README.xml pam_mkhomedir.8.xml + +TESTS = tst-pam_mkhomedir + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_mkhomedir.la +pam_mkhomedir_la_SOURCES = pam_mkhomedir.c + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_mkhomedir.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_mkhomedir/Makefile.in b/Linux-PAM/modules/pam_mkhomedir/Makefile.in new file mode 100644 index 00000000..2d4a5fc3 --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/Makefile.in @@ -0,0 +1,666 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_mkhomedir +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_mkhomedir_la_LIBADD = +am_pam_mkhomedir_la_OBJECTS = pam_mkhomedir.lo +pam_mkhomedir_la_OBJECTS = $(am_pam_mkhomedir_la_OBJECTS) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(pam_mkhomedir_la_SOURCES) +DIST_SOURCES = $(pam_mkhomedir_la_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir +man_MANS = pam_mkhomedir.8 +XMLS = README.xml pam_mkhomedir.8.xml +TESTS = tst-pam_mkhomedir +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_mkhomedir.la +pam_mkhomedir_la_SOURCES = pam_mkhomedir.c +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_mkhomedir/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_mkhomedir/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_mkhomedir.la: $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mkhomedir.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_mkhomedir.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_mkhomedir/README b/Linux-PAM/modules/pam_mkhomedir/README index 2a3e705e..64810060 100644 --- a/Linux-PAM/modules/pam_mkhomedir/README +++ b/Linux-PAM/modules/pam_mkhomedir/README @@ -1,25 +1,36 @@ -PAM Make Home Dir module - -This module will create a users home directory if it does not exist -when the session begins. This allows users to be present in central -database (such as nis, kerb or ldap) without using a distributed -file system or pre-creating a large number of directories. - -Here is a sample /etc/pam.d/login file: - - auth requisite pam_securetty.so - auth sufficient pam_ldap.so - auth required pam_unix.so - auth optional pam_group.so - auth optional pam_mail.so - account requisite pam_time.so - account sufficient pam_ldap.so - account required pam_unix.so - session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - session required pam_unix.so - session optional pam_lastlog.so - password required pam_unix.so - -Released under the GNU LGPL version 2 or later -Originally written by Jason Gunthorpe <jgg@debian.org> Feb 1999 +pam_mkhomedir — PAM module to create users home directory + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_mkhomedir PAM module will create a users home directory if it does not +exist when the session begins. This allows users to be present in central +database (such as NIS, kerberos or LDAP) without using a distributed file +system or pre-creating a large number of directories. The skeleton directory +(usually /etc/skel/) is used to copy default files and also set's a umask for +the creation. + +The new users home directory will not be removed after logout of the user. + +EXAMPLES + +A sample /etc/pam.d/login file: + + auth requisite pam_securetty.so + auth sufficient pam_ldap.so + auth required pam_unix.so + auth required pam_nologin.so + account sufficient pam_ldap.so + account required pam_unix.so + password required pam_unix.so + session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 + session required pam_unix.so + session optional pam_lastlog.so + session optional pam_mail.so standard + + +AUTHOR + +pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. diff --git a/Linux-PAM/modules/pam_mkhomedir/README.xml b/Linux-PAM/modules/pam_mkhomedir/README.xml new file mode 100644 index 00000000..978cbe77 --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/README.xml @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_mkhomedir.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mkhomedir.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mkhomedir-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8 b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8 new file mode 100644 index 00000000..1364e01f --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8 @@ -0,0 +1,91 @@ +.\" Title: pam_mkhomedir +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/02/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_MKHOMEDIR" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_mkhomedir \- PAM module to create users home directory +.SH "SYNOPSIS" +.HP 17 +\fBpam_mkhomedir.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] +.SH "DESCRIPTION" +.PP +The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories. The skeleton directory (usually +\fI/etc/skel/\fR) is used to copy default files and also set's a umask for the creation. +.PP +The new users home directory will not be removed after logout of the user. +.SH "OPTIONS" +.TP 3n +\fBsilent\fR +Don't print informative messages. +.TP 3n +\fBumask=\fR\fB\fImask\fR\fR +The user file\-creation mask is set to +\fImask\fR. The default value of mask is 0022. +.TP 3n +\fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR +Indicate an alternative +\fIskel\fR +directory to override the default +\fI/etc/skel\fR. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_CRED_INSUFFICIENT +Insufficient credentials to access authentication data. +.TP 3n +PAM_PERM_DENIED +Not enough permissions to create the new directory or read the skel directory. +.TP 3n +PAM_USER_UNKNOWN +User not known to the underlying authentication module. +.TP 3n +PAM_SUCCESS +Environment variables were set. +.SH "FILES" +.TP 3n +\fI/etc/skel\fR +Default skel directory +.SH "EXAMPLES" +.PP +A sample /etc/pam.d/login file: +.sp +.RS 3n +.nf + auth requisite pam_securetty.so + auth sufficient pam_ldap.so + auth required pam_unix.so + auth required pam_nologin.so + account sufficient pam_ldap.so + account required pam_unix.so + password required pam_unix.so + session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 + session required pam_unix.so + session optional pam_lastlog.so + session optional pam_mail.so standard + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHOR" +.PP +pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. diff --git a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8.xml new file mode 100644 index 00000000..3c40de15 --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8.xml @@ -0,0 +1,203 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_mkhomedir'> + + <refmeta> + <refentrytitle>pam_mkhomedir</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_mkhomedir-name'> + <refname>pam_mkhomedir</refname> + <refpurpose> + PAM module to create users home directory + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_mkhomedir-cmdsynopsis"> + <command>pam_mkhomedir.so</command> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + umask=<replaceable>mode</replaceable> + </arg> + <arg choice="opt"> + skel=<replaceable>skeldir</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_mkhomedir-description"> + <title>DESCRIPTION</title> + <para> + The pam_mkhomedir PAM module will create a users home directory + if it does not exist when the session begins. This allows users + to be present in central database (such as NIS, kerberos or LDAP) + without using a distributed file system or pre-creating a large + number of directories. The skeleton directory (usually + <filename>/etc/skel/</filename>) is used to copy default files + and also set's a umask for the creation. + </para> + <para> + The new users home directory will not be removed after logout + of the user. + </para> + </refsect1> + + <refsect1 id="pam_mkhomedir-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>umask=<replaceable>mask</replaceable></option> + </term> + <listitem> + <para> + The user file-creation mask is set to + <replaceable>mask</replaceable>. The default value of mask is + 0022. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>skel=<replaceable>/path/to/skel/directory</replaceable></option> + </term> + <listitem> + <para> + Indicate an alternative <filename>skel</filename> directory + to override the default <filename>/etc/skel</filename>. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_mkhomedir-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_mkhomedir-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_INSUFFICIENT</term> + <listitem> + <para> + Insufficient credentials to access authentication data. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Not enough permissions to create the new directory + or read the skel directory. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known to the underlying authentication module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Environment variables were set. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_mkhomedir-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/skel</filename></term> + <listitem> + <para>Default skel directory</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_mkhomedir-examples'> + <title>EXAMPLES</title> + <para> + A sample /etc/pam.d/login file: + <programlisting> + auth requisite pam_securetty.so + auth sufficient pam_ldap.so + auth required pam_unix.so + auth required pam_nologin.so + account sufficient pam_ldap.so + account required pam_unix.so + password required pam_unix.so + session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 + session required pam_unix.so + session optional pam_lastlog.so + session optional pam_mail.so standard + </programlisting> + </para> + </refsect1> + + + <refsect1 id="pam_mkhomedir-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_mkhomedir-author"> + <title>AUTHOR</title> + <para> + pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c index f63177bf..e5901a8f 100644 --- a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c @@ -10,16 +10,16 @@ auth requisite pam_securetty.so auth sufficient pam_ldap.so - auth required pam_pwdb.so + auth required pam_unix.so auth optional pam_group.so auth optional pam_mail.so account requisite pam_time.so account sufficient pam_ldap.so - account required pam_pwdb.so + account required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - session required pam_pwdb.so + session required pam_unix.so session optional pam_lastlog.so - password required pam_pwdb.so + password required pam_unix.so Released under the GNU LGPL version 2 or later Originally written by Jason Gunthorpe <jgg@debian.org> Feb 1999 @@ -27,18 +27,20 @@ <morgan@parc.power.net> 1996 */ -/* I want snprintf dammit */ -#define _GNU_SOURCE 1 +#include "config.h" + #include <stdarg.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <pwd.h> +#include <errno.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <dirent.h> +#include <syslog.h> /* * here, we make a definition for the externally accessible function @@ -51,7 +53,8 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* argument parsing */ @@ -61,19 +64,8 @@ static unsigned int UMask = 0022; static char SkelDir[BUFSIZ] = "/etc/skel"; /* THIS MODULE IS NOT THREAD SAFE */ -/* some syslogging */ -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-mkhomedir", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static int _pam_parse(int flags, int argc, const char **argv) +static int +_pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv) { int ctrl = 0; @@ -92,7 +84,7 @@ static int _pam_parse(int flags, int argc, const char **argv) strncpy(SkelDir,*argv+5,sizeof(SkelDir)); SkelDir[sizeof(SkelDir)-1] = '\0'; } else { - _log_err(LOG_ERR, "unknown option; %s", *argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -100,119 +92,75 @@ static int _pam_parse(int flags, int argc, const char **argv) return ctrl; } -/* This common function is used to send a message to the applications - conversion function. Our only use is to ask the application to print - an informative message that we are creating a home directory */ -static int converse(pam_handle_t * pamh, int ctrl, int nargs - ,struct pam_message **message - ,struct pam_response **response) +static int +rec_mkdir (const char *dir, mode_t mode) { - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - if (retval == PAM_SUCCESS && conv) - { - - retval = conv->conv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (ctrl & MKHOMEDIR_DEBUG)) - { - _log_err(LOG_DEBUG, "conversation failure [%s]" - ,pam_strerror(pamh, retval)); - } - - } - else - { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - ,pam_strerror(pamh, retval)); - if (retval == PAM_SUCCESS) - retval = PAM_BAD_ITEM; /* conv was NULL */ - } + char *cp; + char *parent = strdup (dir); - D(("ready to return from module conversation")); + if (parent == NULL) + return 1; - return retval; /* propagate error status */ -} + cp = strrchr (parent, '/'); -/* Ask the application to display a short text string for us. */ -static int make_remark(pam_handle_t * pamh, int ctrl, const char *remark) -{ - int retval; + if (cp != NULL && cp != parent) + { + struct stat st; - if ((ctrl & MKHOMEDIR_QUIET) != MKHOMEDIR_QUIET) - { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp = NULL; + *cp++ = '\0'; + if (stat (parent, &st) == -1 && errno == ENOENT) + if (rec_mkdir (parent, mode) != 0) + { + free (parent); + return 1; + } + } - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; + free (parent); - retval = converse(pamh, ctrl, 1, mesg, &resp); + if (mkdir (dir, mode) != 0 && errno != EEXIST) + return 1; - msg[0].msg = NULL; - if (resp) - { - _pam_drop_reply(resp, 1); - } - } - else - { - D(("keeping quiet")); - retval = PAM_SUCCESS; - } - - D(("returning %s", pam_strerror(pamh, retval))); - return retval; + return 0; } /* Do the actual work of creating a home dir */ -static int create_homedir(pam_handle_t * pamh, int ctrl, - const struct passwd *pwd, - const char *source, const char *dest) +static int +create_homedir (pam_handle_t * pamh, int ctrl, + const struct passwd *pwd, + const char *source, const char *dest) { char remark[BUFSIZ]; DIR *D; struct dirent *Dir; + int retval = PAM_AUTH_ERR; /* Mention what is happening, if the notification fails that is OK */ - if (snprintf(remark,sizeof(remark),"Creating directory '%s'.", dest) == -1) - return PAM_PERM_DENIED; - - make_remark(pamh, ctrl, remark); + if ((ctrl & MKHOMEDIR_QUIET) != MKHOMEDIR_QUIET) + pam_info(pamh, _("Creating directory '%s'."), dest); /* Create the new directory */ - if (mkdir(dest,0700) != 0) - { - _log_err(LOG_DEBUG, "unable to create directory %s",dest); - return PAM_PERM_DENIED; - } - if (chmod(dest,0777 & (~UMask)) != 0 || - chown(dest,pwd->pw_uid,pwd->pw_gid) != 0) + if (rec_mkdir (dest,0755) != 0) { - _log_err(LOG_DEBUG, "unable to change perms on directory %s",dest); + pam_error(pamh, _("Unable to create directory %s: %m"), dest); + pam_syslog(pamh, LOG_ERR, "unable to create directory %s: %m", dest); return PAM_PERM_DENIED; } /* See if we need to copy the skel dir over. */ if ((source == NULL) || (strlen(source) == 0)) { - return PAM_SUCCESS; + retval = PAM_SUCCESS; + goto go_out; } /* Scan the directory */ - D = opendir(source); + D = opendir (source); if (D == 0) { - _log_err(LOG_DEBUG, "unable to read directory %s",source); - return PAM_PERM_DENIED; + pam_syslog(pamh, LOG_DEBUG, "unable to read directory %s: %m", source); + retval = PAM_PERM_DENIED; + goto go_out; } for (Dir = readdir(D); Dir != 0; Dir = readdir(D)) @@ -240,10 +188,16 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, nslen = slen + strlen(Dir->d_name) + 2; if (nslen <= 0) - return PAM_BUF_ERR; + { + retval = PAM_BUF_ERR; + goto go_out; + } - if ( (newsource = malloc(nslen)) == NULL ) - return PAM_BUF_ERR; + if ((newsource = malloc (nslen)) == NULL) + { + retval = PAM_BUF_ERR; + goto go_out; + } sprintf(newsource, "%s/%s", source, Dir->d_name); #else @@ -253,46 +207,52 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, if (lstat(newsource,&St) != 0) #ifndef PATH_MAX { - free(newsource); + free(newsource); newsource = NULL; continue; } #else - continue; + continue; #endif /* We'll need the new file's name. */ #ifndef PATH_MAX - ndlen = dlen + strlen(Dir->d_name)+2; - - if (ndlen <= 0) - return PAM_BUF_ERR; - - if ( (newdest = malloc(ndlen)) == NULL ) { - free(newsource); - return PAM_BUF_ERR; - } - - sprintf(newdest, "%s/%s", dest, Dir->d_name); + ndlen = dlen + strlen(Dir->d_name)+2; + + if (ndlen <= 0) + { + retval = PAM_BUF_ERR; + goto go_out; + } + + if ((newdest = malloc(ndlen)) == NULL) + { + free (newsource); + retval = PAM_BUF_ERR; + goto go_out; + } + + sprintf (newdest, "%s/%s", dest, Dir->d_name); #else - snprintf(newdest,sizeof(newdest),"%s/%s",dest,Dir->d_name); + snprintf (newdest,sizeof (newdest),"%s/%s",dest,Dir->d_name); #endif /* If it's a directory, recurse. */ if (S_ISDIR(St.st_mode)) { - int retval = create_homedir(pamh, ctrl, pwd, newsource, newdest); + retval = create_homedir (pamh, ctrl, pwd, newsource, newdest); #ifndef PATH_MAX free(newsource); newsource = NULL; free(newdest); newdest = NULL; #endif - if (retval != PAM_SUCCESS) { - closedir(D); - return retval; - } + if (retval != PAM_SUCCESS) + { + closedir(D); + goto go_out; + } continue; } @@ -335,9 +295,9 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, { if (lchown(newdest,pwd->pw_uid,pwd->pw_gid) != 0) { + pam_syslog(pamh, LOG_DEBUG, + "unable to change perms on link %s: %m", newdest); closedir(D); - _log_err(LOG_DEBUG, "unable to change perms on link %s", - newdest); #ifndef PATH_MAX free(pointed); free(newsource); @@ -371,8 +331,9 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, /* Open the source file */ if ((SrcFd = open(newsource,O_RDONLY)) < 0 || fstat(SrcFd,&St) != 0) { + pam_syslog(pamh, LOG_DEBUG, + "unable to open src file %s: %m", newsource); closedir(D); - _log_err(LOG_DEBUG, "unable to open src file %s",newsource); #ifndef PATH_MAX free(newsource); newsource = NULL; @@ -381,14 +342,28 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, return PAM_PERM_DENIED; } - stat(newsource,&St); + if (stat(newsource,&St) != 0) + { + pam_syslog(pamh, LOG_DEBUG, "unable to stat src file %s: %m", + newsource); + close(SrcFd); + closedir(D); + +#ifndef PATH_MAX + free(newsource); newsource = NULL; + free(newdest); newdest = NULL; +#endif + + return PAM_PERM_DENIED; + } /* Open the dest file */ if ((DestFd = open(newdest,O_WRONLY | O_TRUNC | O_CREAT,0600)) < 0) { + pam_syslog(pamh, LOG_DEBUG, + "unable to open dest file %s: %m", newdest); close(SrcFd); closedir(D); - _log_err(LOG_DEBUG, "unable to open dest file %s",newdest); #ifndef PATH_MAX free(newsource); newsource = NULL; @@ -403,10 +378,11 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, if (fchmod(DestFd,(St.st_mode | 0222) & (~UMask)) != 0 || fchown(DestFd,pwd->pw_uid,pwd->pw_gid) != 0) { + pam_syslog(pamh, LOG_DEBUG, + "unable to change perms on copy %s: %m", newdest); close(SrcFd); close(DestFd); closedir(D); - _log_err(LOG_DEBUG, "unable to chang perms on copy %s",newdest); #ifndef PATH_MAX free(newsource); newsource = NULL; @@ -419,22 +395,22 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, /* Copy the file */ do { - Res = _pammodutil_read(SrcFd,remark,sizeof(remark)); + Res = pam_modutil_read(SrcFd,remark,sizeof(remark)); if (Res == 0) continue; if (Res > 0) { - if (_pammodutil_write(DestFd,remark,Res) == Res) + if (pam_modutil_write(DestFd,remark,Res) == Res) continue; } - /* If we get here, pammodutil_read returned a -1 or - _pammodutil_write returned something unexpected. */ + /* If we get here, pam_modutil_read returned a -1 or + pam_modutil_write returned something unexpected. */ + pam_syslog(pamh, LOG_DEBUG, "unable to perform IO: %m"); close(SrcFd); close(DestFd); closedir(D); - _log_err(LOG_DEBUG, "unable to perform IO"); #ifndef PATH_MAX free(newsource); newsource = NULL; @@ -455,33 +431,45 @@ static int create_homedir(pam_handle_t * pamh, int ctrl, } closedir(D); - return PAM_SUCCESS; + retval = PAM_SUCCESS; + + go_out: + + if (chmod(dest,0777 & (~UMask)) != 0 || + chown(dest,pwd->pw_uid,pwd->pw_gid) != 0) + { + pam_syslog(pamh, LOG_DEBUG, + "unable to change perms on directory %s: %m", dest); + return PAM_PERM_DENIED; + } + + return retval; } /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, + const char **argv) { int retval, ctrl; - const char *user; + const void *user; const struct passwd *pwd; struct stat St; /* Parse the flag values */ - ctrl = _pam_parse(flags, argc, argv); + ctrl = _pam_parse(pamh, flags, argc, argv); /* Determine the user name so we can get the home directory */ - retval = pam_get_item(pamh, PAM_USER, (const void **) &user); - if (retval != PAM_SUCCESS || user == NULL || *user == '\0') + retval = pam_get_item(pamh, PAM_USER, &user); + if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0') { - _log_err(LOG_NOTICE, "user unknown"); + pam_syslog(pamh, LOG_NOTICE, "user unknown"); return PAM_USER_UNKNOWN; } /* Get the password entry */ - pwd = _pammodutil_getpwnam (pamh, user); + pwd = pam_modutil_getpwnam (pamh, user); if (pwd == NULL) { D(("couldn't identify user %s", user)); @@ -498,8 +486,8 @@ int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc /* Ignore */ PAM_EXTERN -int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc - ,const char **argv) +int pam_sm_close_session (pam_handle_t * pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_mkhomedir/tst-pam_mkhomedir b/Linux-PAM/modules/pam_mkhomedir/tst-pam_mkhomedir new file mode 100755 index 00000000..5447883f --- /dev/null +++ b/Linux-PAM/modules/pam_mkhomedir/tst-pam_mkhomedir @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_mkhomedir.so diff --git a/Linux-PAM/modules/pam_motd/Makefile b/Linux-PAM/modules/pam_motd/Makefile deleted file mode 100644 index fb83807a..00000000 --- a/Linux-PAM/modules/pam_motd/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_motd - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_motd/Makefile.am b/Linux-PAM/modules/pam_motd/Makefile.am new file mode 100644 index 00000000..d6e1bafa --- /dev/null +++ b/Linux-PAM/modules/pam_motd/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_motd + +man_MANS = pam_motd.8 +XMLS = README.xml pam_motd.8.xml + +TESTS = tst-pam_motd + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_motd.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_motd.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_motd/Makefile.in b/Linux-PAM/modules/pam_motd/Makefile.in new file mode 100644 index 00000000..24235722 --- /dev/null +++ b/Linux-PAM/modules/pam_motd/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_motd +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_motd_la_LIBADD = +pam_motd_la_SOURCES = pam_motd.c +pam_motd_la_OBJECTS = pam_motd.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_motd.c +DIST_SOURCES = pam_motd.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_motd +man_MANS = pam_motd.8 +XMLS = README.xml pam_motd.8.xml +TESTS = tst-pam_motd +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_motd.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_motd/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_motd/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_motd.la: $(pam_motd_la_OBJECTS) $(pam_motd_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_motd_la_OBJECTS) $(pam_motd_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_motd.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_motd.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_motd/README b/Linux-PAM/modules/pam_motd/README new file mode 100644 index 00000000..414ad6f6 --- /dev/null +++ b/Linux-PAM/modules/pam_motd/README @@ -0,0 +1,27 @@ +pam_motd — Display the motd file + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_motd is a PAM module that can be used to display arbitrary motd (message of +the day) files after a succesful login. By default the /etc/motd file is shown. +The message size is limited to 64KB. + +OPTIONS + +motd=/path/filename + + The /path/filename file is displayed as message of the day. + +EXAMPLES + +The suggested usage for /etc/pam.d/login is: + +session optional pam_motd.so motd=/etc/motd + + +AUTHOR + +pam_motd was written by Ben Collins <bcollins@debian.org>. + diff --git a/Linux-PAM/modules/pam_motd/README.xml b/Linux-PAM/modules/pam_motd/README.xml new file mode 100644 index 00000000..779e4d17 --- /dev/null +++ b/Linux-PAM/modules/pam_motd/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_motd.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_motd.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_motd-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_motd/pam_motd.8 b/Linux-PAM/modules/pam_motd/pam_motd.8 new file mode 100644 index 00000000..74bfb586 --- /dev/null +++ b/Linux-PAM/modules/pam_motd/pam_motd.8 @@ -0,0 +1,64 @@ +.\" Title: pam_motd +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/> +.\" Date: 10/26/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_MOTD" "8" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_motd \- Display the motd file +.SH "SYNOPSIS" +.HP 12 +\fBpam_motd.so\fR [motd=\fI/path/filename\fR] +.SH "DESCRIPTION" +.PP +pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login. By default the +\fI/etc/motd\fR +file is shown. The message size is limited to 64KB. +.SH "OPTIONS" +.PP +\fBmotd=\fR\fB\fI/path/filename\fR\fR +.RS 3n +The +\fI/path/filename\fR +file is displayed as message of the day. +.RE +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.PP +PAM_IGNORE +.RS 3n +This is the only return value of this module. +.RE +.SH "EXAMPLES" +.PP +The suggested usage for +\fI/etc/pam.d/login\fR +is: +.sp +.RS 3n +.nf +session optional pam_motd.so motd=/etc/motd + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBmotd\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_motd was written by Ben Collins <bcollins@debian.org>. diff --git a/Linux-PAM/modules/pam_motd/pam_motd.8.xml b/Linux-PAM/modules/pam_motd/pam_motd.8.xml new file mode 100644 index 00000000..7bd6798c --- /dev/null +++ b/Linux-PAM/modules/pam_motd/pam_motd.8.xml @@ -0,0 +1,114 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_motd"> + + <refmeta> + <refentrytitle>pam_motd</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_motd-name"> + <refname>pam_motd</refname> + <refpurpose>Display the motd file</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_motd-cmdsynopsis"> + <command>pam_motd.so</command> + <arg choice="opt"> + motd=<replaceable>/path/filename</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_motd-description"> + + <title>DESCRIPTION</title> + + <para> + pam_motd is a PAM module that can be used to display + arbitrary motd (message of the day) files after a succesful + login. By default the <filename>/etc/motd</filename> file is + shown. The message size is limited to 64KB. + </para> + + </refsect1> + + <refsect1 id="pam_motd-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>motd=<replaceable>/path/filename</replaceable></option> + </term> + <listitem> + <para> + The <filename>/path/filename</filename> file is displayed + as message of the day. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_motd-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_motd-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + This is the only return value of this module. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_motd-examples'> + <title>EXAMPLES</title> + <para> + The suggested usage for <filename>/etc/pam.d/login</filename> is: + <programlisting> +session optional pam_motd.so motd=/etc/motd + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_motd-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_motd-author'> + <title>AUTHOR</title> + <para> + pam_motd was written by Ben Collins <bcollins@debian.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_motd/pam_motd.c b/Linux-PAM/modules/pam_motd/pam_motd.c index ce695f92..abf10a2f 100644 --- a/Linux-PAM/modules/pam_motd/pam_motd.c +++ b/Linux-PAM/modules/pam_motd/pam_motd.c @@ -4,13 +4,13 @@ * Modified for pam_motd by Ben Collins <bcollins@debian.org> * * Based off of: - * $Id: pam_motd.c,v 1.3 2004/09/22 09:37:49 kukuk Exp $ - * + * $Id: pam_motd.c,v 1.12 2005/10/04 11:35:18 ldv Exp $ + * * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 * */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <string.h> @@ -20,8 +20,10 @@ #include <sys/types.h> #include <sys/stat.h> #include <pwd.h> +#include <syslog.h> #include <security/_pam_macros.h> +#include <security/pam_ext.h> /* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module @@ -33,82 +35,77 @@ #define DEFAULT_MOTD "/etc/motd" #include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> /* --- session management functions (only) --- */ -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } +static char default_motd[] = DEFAULT_MOTD; + PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) { - int retval = PAM_IGNORE; - int fd; - char *mtmp=NULL; - const char *motd_path=NULL; - struct pam_conv *conversation; - struct pam_message message; - struct pam_message *pmessage = &message; - struct pam_response *resp = NULL; - struct stat st; - - if (flags & PAM_SILENT) { + int retval = PAM_IGNORE; + int fd; + const char *motd_path = NULL; + char *mtmp = NULL; + + if (flags & PAM_SILENT) { return retval; - } + } for (; argc-- > 0; ++argv) { if (!strncmp(*argv,"motd=",5)) { - motd_path = (char *) strdup(5+*argv); - if (motd_path != NULL) { - D(("set motd path: %s (and a memory leak)", motd_path)); - } else { - D(("failed to duplicate motd path - ignored")); - } + motd_path = 5 + *argv; + if (*motd_path != '\0') { + D(("set motd path: %s", motd_path)); + } else { + motd_path = NULL; + pam_syslog(pamh, LOG_ERR, + "motd= specification missing argument - ignored"); + } } - } - - if (motd_path == NULL) - motd_path = DEFAULT_MOTD; - - message.msg_style = PAM_TEXT_INFO; - - if ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { - /* fill in message buffer with contents of motd */ - if ((fstat(fd, &st) < 0) || !st.st_size) { - close(fd); - return retval; - } - message.msg = mtmp = malloc(st.st_size+1); - /* if malloc failed... */ - if (!message.msg) { - close(fd); - return retval; - } - if (_pammodutil_read(fd, mtmp, st.st_size) == st.st_size) { - if (mtmp[st.st_size-1] == '\n') - mtmp[st.st_size-1] = '\0'; - else - mtmp[st.st_size] = '\0'; - close(fd); - - /* Use conversation function to give user contents of motd */ - if (pam_get_item(pamh, PAM_CONV, (const void **)&conversation) == - PAM_SUCCESS && conversation) { - conversation->conv(1, (const struct pam_message **)&pmessage, - &resp, conversation->appdata_ptr); - if (resp) - _pam_drop_reply(resp, 1); - } - } - free(mtmp); - } + else + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + + if (motd_path == NULL) + motd_path = default_motd; + + while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { + struct stat st; + + /* fill in message buffer with contents of motd */ + if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000) + break; + + if (!(mtmp = malloc(st.st_size+1))) + break; + + if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size) + break; + + if (mtmp[st.st_size-1] == '\n') + mtmp[st.st_size-1] = '\0'; + else + mtmp[st.st_size] = '\0'; + + pam_info (pamh, "%s", mtmp); + break; + } + + _pam_drop (mtmp); + + if (fd >= 0) + close(fd); return retval; } diff --git a/Linux-PAM/modules/pam_motd/tst-pam_motd b/Linux-PAM/modules/pam_motd/tst-pam_motd new file mode 100755 index 00000000..155e2304 --- /dev/null +++ b/Linux-PAM/modules/pam_motd/tst-pam_motd @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_motd.so diff --git a/Linux-PAM/modules/pam_namespace/Makefile.am b/Linux-PAM/modules/pam_namespace/Makefile.am new file mode 100644 index 00000000..bbcb2f70 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/Makefile.am @@ -0,0 +1,39 @@ +# +# Copyright (c) 2006 Red Hat, Inc. +# + +CLEANFILES = *~ +MAN5 = namespace.conf.5 +MAN8 = pam_namespace.8 + +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif + +EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace + +noinst_HEADERS = md5.h + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_NAMESPACE_CONFIG=\"$(SCONFIGDIR)/namespace.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_UNSHARE +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c pam_namespace.h md5.c md5.h + +secureconf_DATA = namespace.conf +secureconf_SCRIPTS = namespace.init +TESTS = tst-pam_namespace +man_MANS = $(MAN5) $(MAN8) +endif diff --git a/Linux-PAM/modules/pam_namespace/Makefile.in b/Linux-PAM/modules/pam_namespace/Makefile.in new file mode 100644 index 00000000..8beee4ce --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/Makefile.in @@ -0,0 +1,772 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006 Red Hat, Inc. +# + + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_namespace +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_namespace_la_LIBADD = +am__pam_namespace_la_SOURCES_DIST = pam_namespace.c pam_namespace.h \ + md5.c md5.h +@HAVE_UNSHARE_TRUE@am_pam_namespace_la_OBJECTS = pam_namespace.lo \ +@HAVE_UNSHARE_TRUE@ md5.lo +pam_namespace_la_OBJECTS = $(am_pam_namespace_la_OBJECTS) +@HAVE_UNSHARE_TRUE@am_pam_namespace_la_rpath = -rpath $(securelibdir) +secureconfSCRIPT_INSTALL = $(INSTALL_SCRIPT) +SCRIPTS = $(secureconf_SCRIPTS) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(pam_namespace_la_SOURCES) +DIST_SOURCES = $(am__pam_namespace_la_SOURCES_DIST) +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +MAN5 = namespace.conf.5 +MAN8 = pam_namespace.8 +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace +noinst_HEADERS = md5.h +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_NAMESPACE_CONFIG=\"$(SCONFIGDIR)/namespace.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ $(am__append_1) +@HAVE_UNSHARE_TRUE@securelib_LTLIBRARIES = pam_namespace.la +@HAVE_UNSHARE_TRUE@pam_namespace_la_SOURCES = pam_namespace.c pam_namespace.h md5.c md5.h +@HAVE_UNSHARE_TRUE@secureconf_DATA = namespace.conf +@HAVE_UNSHARE_TRUE@secureconf_SCRIPTS = namespace.init +@HAVE_UNSHARE_TRUE@TESTS = tst-pam_namespace +@HAVE_UNSHARE_TRUE@man_MANS = $(MAN5) $(MAN8) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_namespace/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_namespace/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_namespace.la: $(pam_namespace_la_OBJECTS) $(pam_namespace_la_DEPENDENCIES) + $(LINK) $(am_pam_namespace_la_rpath) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) +install-secureconfSCRIPTS: $(secureconf_SCRIPTS) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_SCRIPTS)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f $$d$$p; then \ + f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ + echo " $(secureconfSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + else :; fi; \ + done + +uninstall-secureconfSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_SCRIPTS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-secureconfSCRIPTS install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-secureconfSCRIPTS uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-secureconfSCRIPTS \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-secureconfDATA \ + uninstall-secureconfSCRIPTS uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_namespace/README b/Linux-PAM/modules/pam_namespace/README new file mode 100644 index 00000000..c47ba232 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/README @@ -0,0 +1,129 @@ +pam_namespace — PAM module for configuring namespace for a session + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + + +pam_namespace module: +Setup a private namespace with polyinstantiated directories. + +THEORY OF OPERATION: +The pam namespace module consults /etc/security/namespace.conf +configuration file and sets up a private namespace with polyinstantiated +directories for a session managed by PAM. A skeleton namespace.conf +installed by default provides example for polyinstantiating /tmp, /var/tmp +and users' home directory. + +If an executable script /etc/security/namespace.init exists, it +is used to initialize the namespace every time a new instance directory +is setup. The script receives the polyinstantiated directory path +and the instance directory path as its arguments. + +Each line in namespace.conf describes a limit for a user in the form: + +<polydir> <instance_prefix> <method> <list_of_uids> + +Where: +<polydir> - is the absolute pathname of the directory to polyinstantiate + Special entry $HOME is supported to designate user's home directory. + This field cannot be blank. + +<instance_prefix> - is the string prefix used to build the pathname for the + instantiation of <polydir>. The directory security context, or + optionally its md5sum string (32 hex characters), is appended to + the prefix to generate the final instance directory path. + This directory is created if it did not exist already, and is then + bind mounted on the <polydir> to provide an instance of <polydir> + based on the <method> column. The special string $HOME is replaced with + the user's home directory, and $USER with the username. + This field cannot be blank. + +<method> - is the method used for polyinstantiation. It can take 3 different + values; "user" for polyinstantiation based on user name, "context" + for polyinstantiation based on process security context, and "both" + for polyinstantiation based on both user name and security context. + Methods "context" and "both" are only available with SELinux. This + field cannot be blank. + +<list_of_uids> - is a comma separated list of user names for whom the + polyinstantiation is not performed. If left blank, polyinstantiation + will be performed for all users. + +EXAMPLE /etc/security/namespace.conf configuration file: +======================================================= +# Following three lines will polyinstantiate /tmp, /var/tmp and user's home +# directories. /tmp and /var/tmp will be polyinstantiated based on both +# security context as well as user name, whereas home directory will +# be polyinstantiated based on security context only. Polyinstantiation +# will not be performed for user root and adm for directories /tmp and +# /var/tmp, whereas home directories will be polyinstantiated for all +# users. The user name and/or context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. +# +/tmp /tmp-inst/ both root,adm +/var/tmp /var/tmp/tmp-inst/ both root,adm +$HOME $HOME/$USER.inst/inst- context + +ARGUMENTS RECOGNIZED: + debug + Verbose logging by syslog + + unmnt_remnt + For programs such as su and newrole, the login session has + already setup a polyinstantiated namespace. For these programs, + polyinstantiation is performed based on new user id or security + context, however the command first needs to undo the + polyinstantiation performed by login. This argument instructs + the command to first undo previous polyinstantiation before + proceeding with new polyinstantiation based on new id/context. + + unmnt_only + For trusted programs that want to undo any existing bind mounts + and process instance directories on their own, this argument + allows them to unmount currently mounted instance directories. + + require_selinux + If selinux is not enabled, return failure. + + gen_hash + Instead of using the security context string for the instance + name, generate and use its md5 hash. + + ignore_config_error + If a line in the configuration file corresponding to a + polyinstantiated directory contains format error, skip that + line process the next line. Without this option, pam will return + an error to the calling program resulting in termination + of the session. + + ignore_instance_parent_mode + Instance parent directories by default are expected to have + the restrictive mode of 000. Using this option, an administrator + can choose to ignore the mode of the instance parent. + +MODULE SERVICES PROVIDED: + session open_session and close_session + +USAGE: + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + + session required pam_namespace.so [arguments] + + This module also depends on pam_selinux.so setting the context. + + + diff --git a/Linux-PAM/modules/pam_namespace/README.xml b/Linux-PAM/modules/pam_namespace/README.xml new file mode 100644 index 00000000..98ab7532 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/README.xml @@ -0,0 +1,139 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +"http://www.docbook.org/xml/4.4/docbookx.dtd"> +<article> + <articleinfo> + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> + </title> + </articleinfo> + <section> + <programlisting><![CDATA[ + +pam_namespace module: +Setup a private namespace with polyinstantiated directories. + +THEORY OF OPERATION: +The pam namespace module consults /etc/security/namespace.conf +configuration file and sets up a private namespace with polyinstantiated +directories for a session managed by PAM. A skeleton namespace.conf +installed by default provides example for polyinstantiating /tmp, /var/tmp +and users' home directory. + +If an executable script /etc/security/namespace.init exists, it +is used to initialize the namespace every time a new instance directory +is setup. The script receives the polyinstantiated directory path +and the instance directory path as its arguments. + +Each line in namespace.conf describes a limit for a user in the form: + +<polydir> <instance_prefix> <method> <list_of_uids> + +Where: +<polydir> - is the absolute pathname of the directory to polyinstantiate + Special entry $HOME is supported to designate user's home directory. + This field cannot be blank. + +<instance_prefix> - is the string prefix used to build the pathname for the + instantiation of <polydir>. The directory security context, or + optionally its md5sum string (32 hex characters), is appended to + the prefix to generate the final instance directory path. + This directory is created if it did not exist already, and is then + bind mounted on the <polydir> to provide an instance of <polydir> + based on the <method> column. The special string $HOME is replaced with + the user's home directory, and $USER with the username. + This field cannot be blank. + +<method> - is the method used for polyinstantiation. It can take 3 different + values; "user" for polyinstantiation based on user name, "context" + for polyinstantiation based on process security context, and "both" + for polyinstantiation based on both user name and security context. + Methods "context" and "both" are only available with SELinux. This + field cannot be blank. + +<list_of_uids> - is a comma separated list of user names for whom the + polyinstantiation is not performed. If left blank, polyinstantiation + will be performed for all users. + +EXAMPLE /etc/security/namespace.conf configuration file: +======================================================= +# Following three lines will polyinstantiate /tmp, /var/tmp and user's home +# directories. /tmp and /var/tmp will be polyinstantiated based on both +# security context as well as user name, whereas home directory will +# be polyinstantiated based on security context only. Polyinstantiation +# will not be performed for user root and adm for directories /tmp and +# /var/tmp, whereas home directories will be polyinstantiated for all +# users. The user name and/or context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. +# +/tmp /tmp-inst/ both root,adm +/var/tmp /var/tmp/tmp-inst/ both root,adm +$HOME $HOME/$USER.inst/inst- context + +ARGUMENTS RECOGNIZED: + debug + Verbose logging by syslog + + unmnt_remnt + For programs such as su and newrole, the login session has + already setup a polyinstantiated namespace. For these programs, + polyinstantiation is performed based on new user id or security + context, however the command first needs to undo the + polyinstantiation performed by login. This argument instructs + the command to first undo previous polyinstantiation before + proceeding with new polyinstantiation based on new id/context. + + unmnt_only + For trusted programs that want to undo any existing bind mounts + and process instance directories on their own, this argument + allows them to unmount currently mounted instance directories. + + require_selinux + If selinux is not enabled, return failure. + + gen_hash + Instead of using the security context string for the instance + name, generate and use its md5 hash. + + ignore_config_error + If a line in the configuration file corresponding to a + polyinstantiated directory contains format error, skip that + line process the next line. Without this option, pam will return + an error to the calling program resulting in termination + of the session. + + ignore_instance_parent_mode + Instance parent directories by default are expected to have + the restrictive mode of 000. Using this option, an administrator + can choose to ignore the mode of the instance parent. + +MODULE SERVICES PROVIDED: + session open_session and close_session + +USAGE: + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + + session required pam_namespace.so [arguments] + + This module also depends on pam_selinux.so setting the context. +]]> + </programlisting> + </section> +</article> + diff --git a/Linux-PAM/modules/pam_namespace/md5.c b/Linux-PAM/modules/pam_namespace/md5.c new file mode 100644 index 00000000..9a060d27 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/md5.c @@ -0,0 +1,260 @@ +/* + * $Id: md5.c,v 1.1 2006/06/27 13:07:43 t8m Exp $ + * + * This code implements the MD5 message-digest algorithm. + * The algorithm is due to Ron Rivest. This code was + * written by Colin Plumb in 1993, no copyright is claimed. + * This code is in the public domain; do with it what you wish. + * + * Equivalent code is available from RSA Data Security, Inc. + * This code has been tested against that, and is equivalent, + * except that you don't need to include two pages of legalese + * with every copy. + * + * To compute the message digest of a chunk of bytes, declare an + * MD5Context structure, pass it to MD5Init, call MD5Update as + * needed on buffers full of bytes, and then call MD5Final, which + * will fill a supplied 16-byte array with the digest. + * + */ + +#include <string.h> +#include "md5.h" + +#define MD5Name(x) x + +#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) +#define byteReverse(buf, len) /* Nothing */ +#else +static void byteReverse(unsigned char *buf, unsigned longs); + +/* + * Note: this code is harmless on little-endian machines. + */ +static void byteReverse(unsigned char *buf, unsigned longs) +{ + uint32 t; + do { + t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | + ((unsigned) buf[1] << 8 | buf[0]); + *(uint32 *) buf = t; + buf += 4; + } while (--longs); +} +#endif + +/* + * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious + * initialization constants. + */ +void MD5Name(MD5Init)(struct MD5Context *ctx) +{ + ctx->buf[0] = 0x67452301U; + ctx->buf[1] = 0xefcdab89U; + ctx->buf[2] = 0x98badcfeU; + ctx->buf[3] = 0x10325476U; + + ctx->bits[0] = 0; + ctx->bits[1] = 0; +} + +/* + * Update context to reflect the concatenation of another buffer full + * of bytes. + */ +void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len) +{ + uint32 t; + + /* Update bitcount */ + + t = ctx->bits[0]; + if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) + ctx->bits[1]++; /* Carry from low to high */ + ctx->bits[1] += len >> 29; + + t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ + + /* Handle any leading odd-sized chunks */ + + if (t) { + unsigned char *p = (unsigned char *) ctx->in + t; + + t = 64 - t; + if (len < t) { + memcpy(p, buf, len); + return; + } + memcpy(p, buf, t); + byteReverse(ctx->in, 16); + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + buf += t; + len -= t; + } + /* Process data in 64-byte chunks */ + + while (len >= 64) { + memcpy(ctx->in, buf, 64); + byteReverse(ctx->in, 16); + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + buf += 64; + len -= 64; + } + + /* Handle any remaining bytes of data. */ + + memcpy(ctx->in, buf, len); +} + +/* + * Final wrapup - pad to 64-byte boundary with the bit pattern + * 1 0* (64-bit count of bits processed, MSB-first) + */ +void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) +{ + unsigned count; + unsigned char *p; + + /* Compute number of bytes mod 64 */ + count = (ctx->bits[0] >> 3) & 0x3F; + + /* Set the first char of padding to 0x80. This is safe since there is + always at least one byte free */ + p = ctx->in + count; + *p++ = 0x80; + + /* Bytes of padding needed to make 64 bytes */ + count = 64 - 1 - count; + + /* Pad out to 56 mod 64 */ + if (count < 8) { + /* Two lots of padding: Pad the first block to 64 bytes */ + memset(p, 0, count); + byteReverse(ctx->in, 16); + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + + /* Now fill the next block with 56 bytes */ + memset(ctx->in, 0, 56); + } else { + /* Pad block to 56 bytes */ + memset(p, 0, count - 8); + } + byteReverse(ctx->in, 14); + + /* Append length in bits and transform */ + ((uint32 *) ctx->in)[14] = ctx->bits[0]; + ((uint32 *) ctx->in)[15] = ctx->bits[1]; + + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse((unsigned char *) ctx->buf, 4); + memcpy(digest, ctx->buf, 16); + memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ +} + +/* The four core functions - F1 is optimized somewhat */ + +/* #define F1(x, y, z) (x & y | ~x & z) */ +#define F1(x, y, z) (z ^ (x & (y ^ z))) +#define F2(x, y, z) F1(z, x, y) +#define F3(x, y, z) (x ^ y ^ z) +#define F4(x, y, z) (y ^ (x | ~z)) + +/* This is the central step in the MD5 algorithm. */ +#define MD5STEP(f, w, x, y, z, data, s) \ + ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x ) + +/* + * The core of the MD5 algorithm, this alters an existing MD5 hash to + * reflect the addition of 16 longwords of new data. MD5Update blocks + * the data and converts bytes into longwords for this routine. + */ +void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16]) +{ + register uint32 a, b, c, d; + + a = buf[0]; + b = buf[1]; + c = buf[2]; + d = buf[3]; + + MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7); + MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12); + MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17); + MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22); + MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7); + MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12); + MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17); + MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22); + MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7); + MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12); + MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17); + MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22); + MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7); + MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12); + MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17); + MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22); + + MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5); + MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9); + MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14); + MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20); + MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5); + MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9); + MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14); + MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20); + MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5); + MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9); + MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14); + MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20); + MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5); + MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9); + MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14); + MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20); + + MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4); + MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11); + MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16); + MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23); + MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4); + MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11); + MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16); + MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23); + MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4); + MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11); + MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16); + MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23); + MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4); + MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11); + MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16); + MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23); + + MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6); + MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10); + MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15); + MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21); + MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6); + MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10); + MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15); + MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21); + MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6); + MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10); + MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15); + MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21); + MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6); + MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10); + MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15); + MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21); + + buf[0] += a; + buf[1] += b; + buf[2] += c; + buf[3] += d; +} + +void MD5Name(MD5)(unsigned const char *buf, unsigned len, unsigned char digest[16]) +{ + struct MD5Context ctx; + MD5Name(MD5Init)(&ctx); + MD5Name(MD5Update)(&ctx, buf, len); + MD5Name(MD5Final)(digest, &ctx); +} diff --git a/Linux-PAM/modules/pam_namespace/md5.h b/Linux-PAM/modules/pam_namespace/md5.h new file mode 100644 index 00000000..73f85833 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/md5.h @@ -0,0 +1,28 @@ + +#ifndef MD5_H +#define MD5_H + +typedef unsigned int uint32; + +struct MD5Context { + uint32 buf[4]; + uint32 bits[2]; + unsigned char in[64]; +}; + +#define MD5_DIGEST_LENGTH 16 + +void MD5Init(struct MD5Context *); +void MD5Update(struct MD5Context *, unsigned const char *, unsigned); +void MD5Final(unsigned char digest[MD5_DIGEST_LENGTH], struct MD5Context *); +void MD5Transform(uint32 buf[4], uint32 const in[MD5_DIGEST_LENGTH]); +void MD5(unsigned const char *, unsigned, unsigned char digest[MD5_DIGEST_LENGTH]); + + +/* + * This is needed to make RSAREF happy on some MS-DOS compilers. + */ + +typedef struct MD5Context MD5_CTX; + +#endif /* MD5_H */ diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf b/Linux-PAM/modules/pam_namespace/namespace.conf new file mode 100644 index 00000000..c7305ffe --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/namespace.conf @@ -0,0 +1,30 @@ +# /etc/security/namespace.conf +# +# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. +# +# Uncommenting the following three lines will polyinstantiate +# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will +# be polyinstantiated based on both security context as well as user +# name, whereas home directory will be polyinstantiated based on +# security context only. Polyinstantion will not be performed for +# user root and adm for directories /tmp and /var/tmp, whereas home +# directories will be polyinstantiated for all users. The user name +# and/or context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. +# +#/tmp /tmp-inst/ both root,adm +#/var/tmp /var/tmp/tmp-inst/ both root,adm +#$HOME $HOME/$USER.inst/inst- context diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5 b/Linux-PAM/modules/pam_namespace/namespace.conf.5 new file mode 100644 index 00000000..ff325a21 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5 @@ -0,0 +1,96 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "NAMESPACE.CONF" 5 "" "" "" +.SH NAME +namespace.conf \- the namespace configuration file +.SH "DESCRIPTION" + +.PP +This module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. + +.PP +The \fI/etc/security/namespace\&.conf\fR file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. + +.PP +When someone logs in, the file \fInamespace\&.conf\fR is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows: + +.PP + \fIpolydir\fR \fI instance_prefix\fR \fI method\fR \fI list_of_uids\fR + +.PP +The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. Special entry $HOME is supported to designate user's home directory\&. This field cannot be blank\&. + +.PP +The second field, \fIinstance_prefix\fR is the string prefix used to build the pathname for the instantiation of <polydir>\&. The directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string $HOME is replaced with the user's home directory, and $USER with the username\&. This field cannot be blank\&. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000\&. The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode> + +.PP +The third field, \fImethod\fR, is the method used for polyinstantiation\&. It can take 3 different values; "user" for polyinstantiation based on user name, "context" for polyinstantiation based on process security context, and "both" for polyinstantiation based on both user name and security context\&. Methods "context" and "both" are only available with SELinux\&. This field cannot be blank\&. + +.PP +The fourth field, \fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. + +.SH "EXAMPLES" + +.PP +These are some example lines which might be specified in \fI/etc/security/namespace\&.conf\fR\&. + +.nf + + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories\&. /tmp and /var/tmp + # will be polyinstantiated based on both security context + # as well as user name, whereas home directory will be + # polyinstantiated based on security context only\&. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users\&. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory\&. In the examples below, + # instances of /tmp will be created in /tmp\-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated\&. + # + /tmp /tmp\-inst/ both root,adm + /var/tmp /var/tmp/tmp\-inst/ both root,adm + $HOME $HOME/$USER\&.inst/inst\- context + +.fi + +.PP +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group: + +.PP +session required pam_namespace\&.so [arguments] + +.PP +This module also depends on pam_selinux\&.so setting the context\&. + +.SH "SEE ALSO" + +.PP + \fBpam_namespace\fR(8), \fBpam\&.d\fR(5), \fBpam\fR(8) + +.SH "AUTHORS" + +.PP +The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. + diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml new file mode 100644 index 00000000..36a1a085 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml @@ -0,0 +1,151 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="namespace.conf"> + + <refmeta> + <refentrytitle>namespace.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>namespace.conf</refname> + <refpurpose>the namespace configuration file</refpurpose> + </refnamediv> + + + <refsect1 id='namespace.conf-description'> + <title>DESCRIPTION</title> + + <para> + This module allows setup of private namespaces with polyinstantiated + directories. Directories can be polyinstantiated based on user name + or, in the case of SELinux, user name, security context or both. If an + executable script <filename>/etc/security/namespace.init</filename> + exists, it is used to initialize the namespace every time a new instance + directory is setup. The script receives the polyinstantiated + directory path and the instance directory path as its arguments. + </para> + + <para> + The <filename>/etc/security/namespace.conf</filename> file specifies + which directories are polyinstantiated, how they are polyinstantiated, + how instance directories would be named, and any users for whom + polyinstantiation would not be performed. + </para> + + <para> + When someone logs in, the file <filename>namespace.conf</filename> is + scanned where each non comment line represents one polyinstantiated + directory with space separated fields as follows: + </para> + + <para> + <replaceable>polydir</replaceable> <replaceable> instance_prefix</replaceable> <replaceable> method</replaceable> <replaceable> list_of_uids</replaceable> + </para> + + <para> + The first field, <replaceable>polydir</replaceable>, is the absolute + pathname of the directory to polyinstantiate. Special entry $HOME is + supported to designate user's home directory. This field cannot be + blank. + </para> + + <para> + The second field, <replaceable>instance_prefix</replaceable> is + the string prefix used to build the pathname for the instantiation + of <polydir>. The directory security context, or optionally its + md5sum string (32 hex characters), is appended to the prefix to + generate the final instance directory path. This directory is + created if it did not exist already, and is then bind mounted on the + <polydir> to provide an instance of <polydir> based on the + <method> column. The special string $HOME is replaced with the + user's home directory, and $USER with the username. This field cannot + be blank. The directory where polyinstantiated instances are to be + created, must exist and must have, by default, the mode of 000. The + requirement that the instance parent be of mode 000 can be overridden + with the command line option <ignore_instance_parent_mode> + </para> + + <para> + The third field, <replaceable>method</replaceable>, is the method + used for polyinstantiation. It can take 3 different values; "user" + for polyinstantiation based on user name, "context" for + polyinstantiation based on process security context, and "both" + for polyinstantiation based on both user name and security context. + Methods "context" and "both" are only available with SELinux. This + field cannot be blank. + </para> + + <para> + The fourth field, <replaceable>list_of_uids</replaceable>, is + a comma separated list of user names for whom the polyinstantiation + is not performed. If left blank, polyinstantiation will be performed + for all users. + </para> + + </refsect1> + + <refsect1 id="namespace.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/namespace.conf</filename>. + </para> + + <literallayout> + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories. /tmp and /var/tmp + # will be polyinstantiated based on both security context + # as well as user name, whereas home directory will be + # polyinstantiated based on security context only. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory. In the examples below, + # instances of /tmp will be created in /tmp-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated. + # + /tmp /tmp-inst/ both root,adm + /var/tmp /var/tmp/tmp-inst/ both root,adm + $HOME $HOME/$USER.inst/inst- context + </literallayout> + + <para> + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + </para> + + <para> + session required pam_namespace.so [arguments] + </para> + + <para> + This module also depends on pam_selinux.so setting the context. + </para> + + </refsect1> + + <refsect1 id="namespace.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="namespace.conf-author"> + <title>AUTHORS</title> + <para> + The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_namespace/namespace.init b/Linux-PAM/modules/pam_namespace/namespace.init new file mode 100755 index 00000000..62f8e6e4 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/namespace.init @@ -0,0 +1,24 @@ +#!/bin/sh +# This is only a boilerplate for the instance initialization script. +# It receives polydir path as $1 and the instance path as $2. +# +# If you intend to polyinstantiate /tmp and you also want to use the X windows +# environment, you will have to use this script to bind mount the socket that +# is used by the X server to communicate with its clients. X server places +# this socket in /tmp/.X11-unix directory, which will get obscured by +# polyinstantiation. Uncommenting the following lines will bind mount +# the relevant directory at an alternative location (/.tmp/.X11-unix) such +# that the X server, window manager and X clients, can still find the +# socket X0 at the polyinstanted /tmp/.X11-unix. +# +#if [ $1 = /tmp ]; then +# if [ ! -f /.tmp/.X11-unix ]; then +# mkdir -p /.tmp/.X11-unix +# fi +# mount --bind /tmp/.X11-unix /.tmp/.X11-unix +# cp -fp -- /tmp/.X0-lock "$2/.X0-lock" +# mkdir -- "$2/.X11-unix" +# ln -fs -- /.tmp/.X11-unix/X0 "$2/.X11-unix/X0" +#fi + +exit 0 diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8 b/Linux-PAM/modules/pam_namespace/pam_namespace.8 new file mode 100644 index 00000000..126cfc88 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8 @@ -0,0 +1,110 @@ +.\" Title: pam_namespace +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/27/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_NAMESPACE" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_namespace \- PAM module for configuring namespace for a session +.SH "SYNOPSIS" +.HP 17 +\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] +.SH "DESCRIPTION" +.PP +The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script +\fI/etc/security/namespace.init\fR +exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments. +.PP +The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +A lot of debug information is logged using syslog +.TP 3n +\fBunmnt_remnt\fR +For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context +.TP 3n +\fBunmnt_only\fR +For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories +.TP 3n +\fBrequire_selinux\fR +If selinux is not enabled, return failure +.TP 3n +\fBgen_hash\fR +Instead of using the security context string for the instance name, generate and use its md5 hash. +.TP 3n +\fBignore_config_error\fR +If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session. +.TP 3n +\fBignore_instance_parent_mode\fR +Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism. +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +Namespace setup was successful. +.TP 3n +PAM_SERVICE_ERR +Unexpected system error occurred while setting up namespace. +.TP 3n +PAM_SESSION_ERR +Unexpected namespace configuration error occurred. +.SH "FILES" +.TP 3n +\fI/etc/security/namespace.conf\fR +Configuration file +.SH "EXAMPLES" +.PP +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group: +.PP +session required pam_namespace.so [arguments] +.PP +To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: +.PP +/usr/sbin/gdm\-safe\-restart +.PP +This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script +\fI/etc/security/namespace.init\fR +to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script +\fI/etc/security/namespace.init\fR. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: +.PP + +.sp +.RS 3n +.nf + 1. Disable the use of font server by commenting out "FontPath" + line in /etc/X11/xorg.conf. If you do want to use the font server + then you will have to augment the instance initialization + script to appropriately provide /tmp/.font\-unix from the + polyinstantiated /tmp. + 2. Ensure that the gdm service is setup to use pam_namespace, + as described above, by modifying /etc/pam.d/gdm. + 3. Ensure that the display manager is configured to restart X server + with each new session. This default setup can be verified by + making sure that /usr/share/gdm/defaults.conf contains + "AlwaysRestartServer=true", and it is not overridden by + /etc/gdm/custom.conf. + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBnamespace.conf\fR(5), +\fBpam.d\fR(8), +\fBmount\fR(8), +\fBpam\fR(8). +.SH "AUTHORS" +.PP +The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml new file mode 100644 index 00000000..4c93ecf0 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml @@ -0,0 +1,317 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_namespace'> + + <refmeta> + <refentrytitle>pam_namespace</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_namespace-name'> + <refname>pam_namespace</refname> + <refpurpose> + PAM module for configuring namespace for a session + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_namespace-cmdsynopsis"> + <command>pam_namespace.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + unmnt_remnt + </arg> + <arg choice="opt"> + unmnt_only + </arg> + <arg choice="opt"> + require_selinux + </arg> + <arg choice="opt"> + gen_hash + </arg> + <arg choice="opt"> + ignore_config_error + </arg> + <arg choice="opt"> + ignore_instance_parent_mode + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_namespace-description"> + <title>DESCRIPTION</title> + <para> + The pam_namespace PAM module sets up a private namespace for a session + with polyinstantiated directories. A polyinstantiated directory + provides a different instance of itself based on user name, or when + using SELinux, user name, security context or both. If an executable + script <filename>/etc/security/namespace.init</filename> exists, it + is used to initialize the namespace every time a new instance + directory is setup. The script receives the polyinstantiated + directory path and the instance directory path as its arguments. + </para> + + <para> + The pam_namespace module disassociates the session namespace from + the parent namespace. Any mounts/unmounts performed in the parent + namespace, such as mounting of devices, are not reflected in the + session namespace. To propagate selected mount/unmount events from + the parent namespace into the disassociated session namespace, an + administrator may use the special shared-subtree feature. For + additional information on shared-subtree feature, please refer to + the mount(8) man page and the shared-subtree description at + http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092. + </para> + + </refsect1> + + <refsect1 id="pam_namespace-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + A lot of debug information is logged using syslog + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>unmnt_remnt</option> + </term> + <listitem> + <para> + For programs such as su and newrole, the login + session has already setup a polyinstantiated + namespace. For these programs, polyinstantiation + is performed based on new user id or security + context, however the command first needs to + undo the polyinstantiation performed by login. + This argument instructs the command to + first undo previous polyinstantiation before + proceeding with new polyinstantiation based on + new id/context + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>unmnt_only</option> + </term> + <listitem> + <para> + For trusted programs that want to undo any + existing bind mounts and process instance + directories on their own, this argument allows + them to unmount currently mounted instance + directories + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>require_selinux</option> + </term> + <listitem> + <para> + If selinux is not enabled, return failure + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>gen_hash</option> + </term> + <listitem> + <para> + Instead of using the security context string + for the instance name, generate and use its + md5 hash. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ignore_config_error</option> + </term> + <listitem> + <para> + If a line in the configuration file corresponding + to a polyinstantiated directory contains format + error, skip that line process the next line. + Without this option, pam will return an error + to the calling program resulting in termination + of the session. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ignore_instance_parent_mode</option> + </term> + <listitem> + <para> + Instance parent directories by default are expected to have + the restrictive mode of 000. Using this option, an administrator + can choose to ignore the mode of the instance parent. This option + should be used with caution as it will reduce security and + isolation goals of the polyinstantiation mechanism. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_namespace-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Namespace setup was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Unexpected system error occurred while setting up namespace. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Unexpected namespace configuration error occurred. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/namespace.conf</filename></term> + <listitem> + <para>Configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_namespace-examples"> + <title>EXAMPLES</title> + + <para> + For the <service>s you need polyinstantiation (login for example) + put the following line in /etc/pam.d/<service> as the last line for + session group: + </para> + + <para> + session required pam_namespace.so [arguments] + </para> + + <para> + To use polyinstantiation with graphical display manager gdm, insert the + following line, before exit 0, in /etc/gdm/PostSession/Default: + </para> + + <para> + /usr/sbin/gdm-safe-restart + </para> + + <para> + This allows gdm to restart after each session and appropriately adjust + namespaces of display manager and the X server. If polyinstantiation + of /tmp is desired along with the graphical environment, then additional + configuration changes are needed to address the interaction of X server + and font server namespaces with their use of /tmp to create + communication sockets. Please use the initialization script + <filename>/etc/security/namespace.init</filename> to ensure that + the X server and its clients can appropriately access the + communication socket X0. Please refer to the sample instructions + provided in the comment section of the instance initialization script + <filename>/etc/security/namespace.init</filename>. In addition, + perform the following changes to use graphical environment with + polyinstantiation of /tmp: + </para> + + <para> + <literallayout> + 1. Disable the use of font server by commenting out "FontPath" + line in /etc/X11/xorg.conf. If you do want to use the font server + then you will have to augment the instance initialization + script to appropriately provide /tmp/.font-unix from the + polyinstantiated /tmp. + 2. Ensure that the gdm service is setup to use pam_namespace, + as described above, by modifying /etc/pam.d/gdm. + 3. Ensure that the display manager is configured to restart X server + with each new session. This default setup can be verified by + making sure that /usr/share/gdm/defaults.conf contains + "AlwaysRestartServer=true", and it is not overridden by + /etc/gdm/custom.conf. + </literallayout> + </para> + + </refsect1> + + <refsect1 id="pam_namespace-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>namespace.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_namespace-authors"> + <title>AUTHORS</title> + <para> + The namespace setup scheme was designed by Stephen Smalley, Janak Desai + and Chad Sellers. + The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.c b/Linux-PAM/modules/pam_namespace/pam_namespace.c new file mode 100644 index 00000000..e4e4a5d8 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.c @@ -0,0 +1,1337 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default namespace after + * establishing a session via PAM. + * + * (C) Copyright IBM Corporation 2005 + * (C) Copyright Red Hat 2006 + * All Rights Reserved. + * + * Written by: Janak Desai <janak@us.ibm.com> + * With Revisions by: Steve Grubb <sgrubb@redhat.com> + * Derived from a namespace setup patch by Chad Sellers <cdselle@tycho.nsa.gov> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * on the rights to use, copy, modify, merge, publish, distribute, sub + * license, and/or sell copies of the Software, and to permit persons to whom + * the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL + * IBM AND/OR THEIR SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "pam_namespace.h" + +/* + * Copies the contents of ent into pent + */ +static int copy_ent(const struct polydir_s *ent, struct polydir_s *pent) +{ + unsigned int i; + + strcpy(pent->dir, ent->dir); + strcpy(pent->instance_prefix, ent->instance_prefix); + pent->method = ent->method; + pent->num_uids = ent->num_uids; + if (ent->num_uids) { + uid_t *pptr, *eptr; + + pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t)); + if (!(pent->uid)) { + return -1; + } + for (i = 0, pptr = pent->uid, eptr = ent->uid; i < ent->num_uids; + i++, eptr++, pptr++) + *pptr = *eptr; + } else + pent->uid = NULL; + return 0; +} + +/* + * Adds an entry for a polyinstantiated directory to the linked list of + * polyinstantiated directories. It is called from process_line() while + * parsing the namespace configuration file. + */ +static int add_polydir_entry(struct instance_data *idata, + const struct polydir_s *ent) +{ + struct polydir_s *pent; + int rc = 0; + + /* + * Allocate an entry to hold information about a directory to + * polyinstantiate, populate it with information from 2nd argument + * and add the entry to the linked list of polyinstantiated + * directories. + */ + pent = (struct polydir_s *) malloc(sizeof(struct polydir_s)); + if (!pent) { + rc = -1; + goto out; + } + /* Make copy */ + rc = copy_ent(ent,pent); + if(rc < 0) + goto out_clean; + + /* Now attach to linked list */ + pent->next = NULL; + if (idata->polydirs_ptr == NULL) + idata->polydirs_ptr = pent; + else { + struct polydir_s *tail; + + tail = idata->polydirs_ptr; + while (tail->next) + tail = tail->next; + tail->next = pent; + } + goto out; +out_clean: + free(pent); +out: + return rc; +} + + +/* + * Deletes all the entries in the linked list. + */ +static void del_polydir_list(struct polydir_s *polydirs_ptr) +{ + struct polydir_s *dptr = polydirs_ptr; + + while (dptr) { + struct polydir_s *tptr = dptr; + dptr = dptr->next; + free(tptr->uid); + free(tptr); + } +} + + +/* + * Called from parse_config_file, this function processes a single line + * of the namespace configuration file. It skips over comments and incomplete + * or malformed lines. It processes a valid line with information on + * polyinstantiating a directory by populating appropriate fields of a + * polyinstatiated directory structure and then calling add_polydir_entry to + * add that entry to the linked list of polyinstantiated directories. + */ +static int process_line(char *line, const char *home, + struct instance_data *idata) +{ + const char *dir, *instance_prefix; + const char *method, *uids; + char *tptr; + struct polydir_s poly; + int retval = 0; + + poly.uid = NULL; + poly.num_uids = 0; + + /* + * skip the leading white space + */ + while (*line && isspace(*line)) + line++; + + /* + * Rip off the comments + */ + tptr = strchr(line,'#'); + if (tptr) + *tptr = '\0'; + + /* + * Rip off the newline char + */ + tptr = strchr(line,'\n'); + if (tptr) + *tptr = '\0'; + + /* + * Anything left ? + */ + if (line[0] == 0) + return 0; + + /* + * Initialize and scan the five strings from the line from the + * namespace configuration file. + */ + dir = strtok_r(line, " \t", &tptr); + if (dir == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir"); + goto skipping; + } + instance_prefix = strtok_r(NULL, " \t", &tptr); + if (instance_prefix == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix"); + goto skipping; + } + method = strtok_r(NULL, " \t", &tptr); + if (method == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method"); + goto skipping; + } + + /* + * Only the uids field is allowed to be blank, to indicate no + * override users for polyinstantiation of that directory. If + * any of the other fields are blank, the line is incomplete so + * skip it. + */ + uids = strtok_r(NULL, " \t", &tptr); + + /* + * If the directory being polyinstantiated is the home directory + * of the user who is establishing a session, we have to swap + * the "$HOME" string with the user's home directory that is + * passed in as an argument. + */ + if (strcmp(dir, "$HOME") == 0) { + dir = home; + } + + /* + * Expand $HOME and $USER in instance dir prefix + */ + if ((tptr = strstr(instance_prefix, "$USER")) != 0) { + /* FIXME: should only support this if method is USER or BOTH */ + char *expanded = alloca(strlen(idata->user) + strlen(instance_prefix)-5+1); + *tptr = 0; + sprintf(expanded, "%s%s%s", instance_prefix, idata->user, tptr+5); + instance_prefix = expanded; + } + if ((tptr = strstr(instance_prefix, "$HOME")) != 0) { + char *expanded = alloca(strlen(home)+strlen(instance_prefix)-5+1); + *tptr = 0; + sprintf(expanded, "%s%s%s", instance_prefix, home, tptr+5); + instance_prefix = expanded; + } + + /* + * Ensure that all pathnames are absolute path names. + */ + if ((dir[0] != '/') || (instance_prefix[0] != '/')) { + pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must start with '/'"); + goto skipping; + } + if (strstr(dir, "..") || strstr(instance_prefix, "..")) { + pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must not contain '..'"); + goto skipping; + } + + /* + * Populate polyinstantiated directory structure with appropriate + * pathnames and the method with which to polyinstantiate. + */ + if (strlen(dir) >= sizeof(poly.dir) + || strlen(instance_prefix) >= sizeof(poly.instance_prefix)) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + } + strcpy(poly.dir, dir); + strcpy(poly.instance_prefix, instance_prefix); + if (strcmp(method, "user") == 0) + poly.method = USER; +#ifdef WITH_SELINUX + else if (strcmp(method, "context") == 0) { + if (idata->flags & PAMNS_CTXT_BASED_INST) + poly.method = CONTEXT; + else + poly.method = USER; + } else if (strcmp(method, "both") == 0) { + if (idata->flags & PAMNS_CTXT_BASED_INST) + poly.method = BOTH; + else + poly.method = USER; + } + +#endif + else { + pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method"); + goto skipping; + } + + /* + * If the line in namespace.conf for a directory to polyinstantiate + * contains a list of override users (users for whom polyinstantiation + * is not performed), read the user ids, convert names into uids, and + * add to polyinstantiated directory structure. + */ + if (uids) { + uid_t *uidptr; + const char *ustr, *sstr; + int count, i; + + for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) + sstr = strchr(ustr, ','); + + poly.num_uids = count; + poly.uid = (uid_t *) malloc(count * sizeof (uid_t)); + uidptr = poly.uid; + if (uidptr == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "out of memory"); + goto skipping; + } + + ustr = uids; + for (i = 0; i < count; i++) { + struct passwd *pwd; + + tptr = strchr(ustr, ','); + if (tptr) + *tptr = '\0'; + + pwd = pam_modutil_getpwnam(idata->pamh, ustr); + *uidptr = pwd->pw_uid; + if (i < count - 1) { + ustr = tptr + 1; + uidptr++; + } + } + } + + /* + * Add polyinstantiated directory structure to the linked list + * of all polyinstantiated directory structures. + */ + if (add_polydir_entry(idata, &poly) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Allocation Error"); + retval = PAM_SERVICE_ERR; + } + free(poly.uid); + + goto out; + +skipping: + if (idata->flags & PAMNS_IGN_CONFIG_ERR) + retval = 0; + else + retval = PAM_SERVICE_ERR; +out: + return retval; +} + + +/* + * Parses /etc/security/namespace.conf file to build a linked list of + * polyinstantiated directory structures of type polydir_s. Each entry + * in the linked list contains information needed to polyinstantiate + * one directory. + */ +static int parse_config_file(struct instance_data *idata) +{ + FILE *fil; + char *home; + struct passwd *cpwd; + char *line = NULL; + int retval; + size_t len = 0; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s", + PAM_NAMESPACE_CONFIG); + + /* + * Extract the user's home directory to resolve $HOME entries + * in the namespace configuration file. + */ + cpwd = pam_modutil_getpwnam(idata->pamh, idata->user); + if (!cpwd) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting home dir for '%s'", idata->user); + return PAM_SESSION_ERR; + } + home = strdupa(cpwd->pw_dir); + + /* + * Open configuration file, read one line at a time and call + * process_line to process each line. + */ + fil = fopen(PAM_NAMESPACE_CONFIG, "r"); + if (fil == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Error opening config file"); + return PAM_SERVICE_ERR; + } + + /* Use unlocked IO */ + __fsetlocking(fil, FSETLOCKING_BYCALLER); + + /* loop reading the file */ + while (getline(&line, &len, fil) > 0) { + retval = process_line(line, home, idata); + if (retval) { + pam_syslog(idata->pamh, LOG_ERR, + "Error processing conf file line %s", line); + fclose(fil); + free(line); + return PAM_SERVICE_ERR; + } + } + fclose(fil); + free(line); + + /* All done...just some debug stuff */ + if (idata->flags & PAMNS_DEBUG) { + struct polydir_s *dptr = idata->polydirs_ptr; + uid_t *iptr; + uid_t i; + + pam_syslog(idata->pamh, LOG_DEBUG, + dptr?"Configured poly dirs:":"No configured poly dirs"); + while (dptr) { + pam_syslog(idata->pamh, LOG_DEBUG, "dir='%s' iprefix='%s' meth=%d", + dptr->dir, dptr->instance_prefix, dptr->method); + for (i = 0, iptr = dptr->uid; i < dptr->num_uids; i++, iptr++) + pam_syslog(idata->pamh, LOG_DEBUG, "override user %d ", *iptr); + dptr = dptr->next; + } + } + + return PAM_SUCCESS; +} + + +/* + * This funtion returns true if a given uid is present in the polyinstantiated + * directory's list of override uids. If the uid is one of the override + * uids for the polyinstantiated directory, polyinstantiation is not + * performed for that user for that directory. + */ +static int ns_override(struct polydir_s *polyptr, struct instance_data *idata) +{ + unsigned int i; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Checking for ns override in dir %s for uid %d", + polyptr->dir, idata->uid); + + for (i = 0; i < polyptr->num_uids; i++) { + if (idata->uid == polyptr->uid[i]) { + return 1; + } + } + + return 0; +} + +#ifdef WITH_SELINUX +static int form_context(const struct polydir_s *polyptr, + security_context_t *i_context, security_context_t *origcon, + struct instance_data *idata) +{ + int rc = PAM_SUCCESS; + security_context_t scon = NULL; + security_class_t tclass; + + /* + * Get the security context of the directory to polyinstantiate. + */ + rc = getfilecon(polyptr->dir, origcon); + if (rc < 0 || *origcon == NULL) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting poly dir context, %m"); + return PAM_SESSION_ERR; + } + + /* + * If polyinstantiating based on security context, get current + * process security context, get security class for directories, + * and ask the policy to provide security context of the + * polyinstantiated instance directory. + */ + if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) { + rc = getexeccon(&scon); + if (rc < 0 || scon == NULL) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting exec context, %m"); + return PAM_SESSION_ERR; + } + tclass = string_to_security_class("dir"); + + if (security_compute_member(scon, *origcon, tclass, + i_context) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error computing poly dir member context"); + freecon(scon); + return PAM_SESSION_ERR; + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "member context returned by policy %s", *i_context); + freecon(scon); + } + return PAM_SUCCESS; +} +#endif + +/* + * poly_name returns the name of the polyinstantiated instance directory + * based on the method used for polyinstantiation (user, context or both) + * In addition, the function also returns the security contexts of the + * original directory to polyinstantiate and the polyinstantiated instance + * directory. + */ +#ifdef WITH_SELINUX +static int poly_name(const struct polydir_s *polyptr, char **i_name, + security_context_t *i_context, security_context_t *origcon, + struct instance_data *idata) +#else +static int poly_name(const struct polydir_s *polyptr, char **i_name, + struct instance_data *idata) +#endif +{ + int rc; + +# ifdef WITH_SELINUX + rc = form_context(polyptr, i_context, origcon, idata); +#endif + rc = PAM_SUCCESS; + + /* + * Set the name of the polyinstantiated instance dir based on the + * polyinstantiation method. + */ + switch (polyptr->method) { + case USER: + if (asprintf(i_name, "%s", idata->user) < 0) { + *i_name = NULL; + rc = PAM_SESSION_ERR; + } + break; + +#ifdef WITH_SELINUX + case CONTEXT: + if (asprintf(i_name, "%s", *i_context) < 0) { + *i_name = NULL; + rc = PAM_SESSION_ERR; + } + break; + + case BOTH: + if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) { + *i_name = NULL; + rc = PAM_SESSION_ERR; + } + break; +#endif /* WITH_SELINUX */ + + default: + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); + rc = PAM_SESSION_ERR; + } + + if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS) + pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); + + return rc; +} + +static int check_inst_parent(char *ipath, struct instance_data *idata) +{ + struct stat instpbuf; + char *inst_parent, *trailing_slash; + /* + * stat the instance parent path to make sure it exists + * and is a directory. Check that its mode is 000 (unless the + * admin explicitly instructs to ignore the instance parent + * mode by the "ignore_instance_parent_mode" argument). + */ + inst_parent = (char *) malloc(strlen(ipath)+1); + if (!inst_parent) { + pam_syslog(idata->pamh, LOG_ERR, "Error allocating pathname string"); + return PAM_SESSION_ERR; + } + + strcpy(inst_parent, ipath); + trailing_slash = strrchr(inst_parent, '/'); + if (trailing_slash) + *trailing_slash = '\0'; + + if (stat(inst_parent, &instpbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent); + free(inst_parent); + return PAM_SESSION_ERR; + } + + /* + * Make sure we are dealing with a directory + */ + if (!S_ISDIR(instpbuf.st_mode)) { + pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir", + inst_parent); + free(inst_parent); + return PAM_SESSION_ERR; + } + + if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { + if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) { + pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000", + inst_parent); + free(inst_parent); + return PAM_SESSION_ERR; + } + } + free(inst_parent); + return PAM_SUCCESS; +} + +/* +* Check to see if there is a namespace initialization script in +* the /etc/security directory. If such a script exists +* execute it and pass directory to polyinstantiate and instance +* directory as arguments. +*/ +static int inst_init(const struct polydir_s *polyptr, char *ipath, + struct instance_data *idata) +{ + pid_t rc, pid; + sighandler_t osighand = NULL; + int status; + + osighand = signal(SIGCHLD, SIG_DFL); + if (osighand == SIG_ERR) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); + rc = PAM_SESSION_ERR; + goto out; + } + + if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) { + if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, + "Namespace init script not executable"); + rc = PAM_SESSION_ERR; + goto out; + } else { + pid = fork(); + if (pid == 0) { +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setexeccon(NULL) < 0) + exit(1); + } +#endif + if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT, + polyptr->dir, ipath, (char *)NULL) < 0) + exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); + if (rc == (pid_t)-1) { + pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m"); + rc = PAM_SESSION_ERR; + goto out; + } + if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error initializing instance"); + rc = PAM_SESSION_ERR; + goto out; + } + } else if (pid < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Cannot fork to run namespace init script, %m"); + rc = PAM_SESSION_ERR; + goto out; + } + } + } + rc = PAM_SUCCESS; +out: + (void) signal(SIGCHLD, osighand); + + return rc; +} + +/* + * Create polyinstantiated instance directory (ipath). + */ +#ifdef WITH_SELINUX +static int create_dirs(const struct polydir_s *polyptr, char *ipath, + security_context_t icontext, security_context_t ocontext, + struct instance_data *idata) +#else +static int create_dirs(const struct polydir_s *polyptr, char *ipath, + struct instance_data *idata) +#endif +{ + struct stat statbuf, newstatbuf; + int rc, fd; + + /* + * stat the directory to polyinstantiate, so its owner-group-mode + * can be propagated to instance directory + */ + rc = PAM_SUCCESS; + if (stat(polyptr->dir, &statbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + + /* + * Make sure we are dealing with a directory + */ + if (!S_ISDIR(statbuf.st_mode)) { + pam_syslog(idata->pamh, LOG_ERR, "poly dir %s is not a dir", + polyptr->dir); + return PAM_SESSION_ERR; + } + + /* + * Check to make sure instance parent is valid. + */ + if (check_inst_parent(ipath, idata)) + return PAM_SESSION_ERR; + + /* + * Create instance directory and set its security context to the context + * returned by the security policy. Set its mode and ownership + * attributes to match that of the original directory that is being + * polyinstantiated. + */ + if (mkdir(ipath, S_IRUSR) < 0) { + if (errno == EEXIST) + goto inst_init; + else { + pam_syslog(idata->pamh, LOG_ERR, "Error creating %s, %m", + ipath); + return PAM_SESSION_ERR; + } + } + + /* Open a descriptor to it to prevent races */ + fd = open(ipath, O_DIRECTORY | O_RDONLY); + if (fd < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error opening %s, %m", ipath); + rmdir(ipath); + return PAM_SESSION_ERR; + } +#ifdef WITH_SELINUX + /* If SE Linux is disabled, no need to label it */ + if (idata->flags & PAMNS_SELINUX_ENABLED) { + /* If method is USER, icontext is NULL */ + if (icontext) { + if (fsetfilecon(fd, icontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error setting context of %s to %s", ipath, icontext); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } else { + if (fsetfilecon(fd, ocontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error setting context of %s to %s", ipath, ocontext); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } + } +#endif + if (fstat(fd, &newstatbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + ipath); + rmdir(ipath); + return PAM_SESSION_ERR; + } + if (newstatbuf.st_uid != statbuf.st_uid || + newstatbuf.st_gid != statbuf.st_gid) { + if (fchown(fd, statbuf.st_uid, statbuf.st_gid) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing owner for %s, %m", + ipath); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + } + if (fchmod(fd, statbuf.st_mode & 07777) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error changing mode for %s, %m", + ipath); + close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } + close(fd); + + /* + * Check to see if there is a namespace initialization script in + * the /etc/security directory. If such a script exists + * execute it and pass directory to polyinstantiate and instance + * directory as arguments. + */ + +inst_init: + rc = inst_init(polyptr, ipath, idata); + return rc; +} + + +/* + * md5hash generates a hash of the passed in instance directory name. + */ +static int md5hash(char **instname, struct instance_data *idata) +{ + int i; + char *md5inst = NULL; + char *to; + unsigned char inst_digest[MD5_DIGEST_LENGTH]; + + /* + * Create MD5 hashes for instance pathname. + */ + + MD5((unsigned char *)*instname, strlen(*instname), inst_digest); + + if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); + return PAM_SESSION_ERR; + } + + to = md5inst; + for (i = 0; i < MD5_DIGEST_LENGTH; i++) { + snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); + to += 3; + } + + free(*instname); + *instname = md5inst; + + return PAM_SUCCESS; +} + +/* + * This function performs the namespace setup for a particular directory + * that is being polyinstantiated. It creates an MD5 hash of instance + * directory, calls create_dirs to create it with appropriate + * security attributes, and performs bind mount to setup the process + * namespace. + */ +static int ns_setup(const struct polydir_s *polyptr, + struct instance_data *idata) +{ + int retval = 0; + char *inst_dir = NULL; + char *instname = NULL; + char *dir; +#ifdef WITH_SELINUX + security_context_t instcontext = NULL, origcontext = NULL; +#endif + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Set namespace for directory %s", polyptr->dir); + + dir = strrchr(polyptr->dir, '/'); + if (dir && strlen(dir) > 1) + dir++; + + /* + * Obtain the name of instance pathname based on the + * polyinstantiation method and instance context returned by + * security policy. + */ +#ifdef WITH_SELINUX + retval = poly_name(polyptr, &instname, &instcontext, + &origcontext, idata); +#else + retval = poly_name(polyptr, &instname, idata); +#endif + + if (retval) { + pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); + goto error_out; + } else { +#ifdef WITH_SELINUX + if ((idata->flags & PAMNS_DEBUG) && + (idata->flags & PAMNS_SELINUX_ENABLED)) + pam_syslog(idata->pamh, LOG_DEBUG, "Inst ctxt %s Orig ctxt %s", + instcontext, origcontext); +#endif + } + + if (idata->flags & PAMNS_GEN_HASH) { + retval = md5hash(&instname, idata); + if (retval < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash"); + goto error_out; + } + } + + if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) + goto error_out; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "instance_dir %s", + inst_dir); + + /* + * Create instance directory with appropriate security + * contexts, owner, group and mode bits. + */ +#ifdef WITH_SELINUX + retval = create_dirs(polyptr, inst_dir, instcontext, + origcontext, idata); +#else + retval = create_dirs(polyptr, inst_dir, idata); +#endif + + if (retval < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error creating instance dir"); + goto error_out; + } + + /* + * Bind mount instance directory on top of the polyinstantiated + * directory to provide an instance of polyinstantiated directory + * based on polyinstantiated method. + */ + if (mount(inst_dir, polyptr->dir, NULL, MS_BIND, NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting %s on %s, %m", + inst_dir, polyptr->dir); + goto error_out; + } + + goto cleanup; + + /* + * various error exit points. Free allocated memory and set return + * value to indicate a pam session error. + */ +error_out: + retval = PAM_SESSION_ERR; + +cleanup: + free(inst_dir); + free(instname); +#ifdef WITH_SELINUX + freecon(instcontext); + freecon(origcontext); +#endif + return retval; +} + + +/* + * This function checks to see if the current working directory is + * inside the directory passed in as the first argument. + */ +static int cwd_in(char *dir, struct instance_data *idata) +{ + int retval = 0; + char cwd[PATH_MAX]; + + if (getcwd(cwd, PATH_MAX) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Can't get current dir, %m"); + return -1; + } + + if (strncmp(cwd, dir, strlen(dir)) == 0) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "cwd is inside %s", dir); + retval = 1; + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "cwd is outside %s", dir); + } + + return retval; +} + + +/* + * This function checks to see if polyinstantiation is needed for any + * of the directories listed in the configuration file. If needed, + * cycles through all polyinstantiated directory entries and calls + * ns_setup to setup polyinstantiation for each one of them. + */ +static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) +{ + int retval = 0, need_poly = 0, changing_dir = 0; + char *cptr, *fptr, poly_parent[PATH_MAX]; + struct polydir_s *pptr; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d", + getpid()); + + /* + * Cycle through all polyinstantiated directory entries to see if + * polyinstantiation is needed at all. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (ns_override(pptr, idata)) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Overriding poly for user %d for dir %s", + idata->uid, pptr->dir); + continue; + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Need poly ns for user %d for dir %s", + idata->uid, pptr->dir); + need_poly = 1; + break; + } + } + + /* + * If polyinstnatiation is needed, call the unshare system call to + * disassociate from the parent namespace. + */ + if (need_poly) { + if (unshare(CLONE_NEWNS) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to unshare from parent namespace, %m"); + return PAM_SESSION_ERR; + } + } else + return PAM_SUCCESS; + + /* + * Again cycle through all polyinstantiated directories, this time, + * call ns_setup to setup polyinstantiation for a particular entry. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (ns_override(pptr, idata)) + continue; + else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Setting poly ns for user %d for dir %s", + idata->uid, pptr->dir); + + if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) { + /* + * Check to see if process current directory is in the + * bind mounted instance_parent directory that we are trying to + * umount + */ + if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) { + return PAM_SESSION_ERR; + } else if (changing_dir) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd"); + + /* + * Change current working directory to the parent of + * the mount point, that is parent of the orig + * directory where original contents of the polydir + * are available from + */ + strcpy(poly_parent, pptr->dir); + fptr = strchr(poly_parent, '/'); + cptr = strrchr(poly_parent, '/'); + if (fptr && cptr && (fptr == cptr)) + strcpy(poly_parent, "/"); + else if (cptr) + *cptr = '\0'; + if (chdir(poly_parent) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Can't chdir to %s, %m", poly_parent); + } + } + + if (umount(pptr->dir) < 0) { + int saved_errno = errno; + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->dir); + if (saved_errno != EINVAL) + return PAM_SESSION_ERR; + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", + pptr->dir); + } + + if (unmnt != UNMNT_ONLY) { + retval = ns_setup(pptr, idata); + if (retval != PAM_SUCCESS) + break; + } + } + } + + return retval; +} + + +/* + * Orig namespace. This function is called from when closing a pam + * session. If authorized, it unmounts instance directory. + */ +static int orig_namespace(struct instance_data *idata) +{ + struct polydir_s *pptr; + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "orig namespace for pid %d", + getpid()); + + /* + * Cycle through all polyinstantiated directories from the namespace + * configuration file to see if polyinstantiation was performed for + * this user for each of the entry. If it was, try and unmount + * appropriate polyinstantiated instance directories. + */ + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (ns_override(pptr, idata)) + continue; + else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Unmounting instance dir for user %d & dir %s", + idata->uid, pptr->dir); + + if (umount(pptr->dir) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->dir); + return PAM_SESSION_ERR; + } else if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded", + pptr->dir); + } + } + return 0; +} + + +#ifdef WITH_SELINUX +/* + * This function checks if the calling program has requested context + * change by calling setexeccon(). If context change is not requested + * then it does not make sense to polyinstantiate based on context. + * The return value from this function is used when selecting the + * polyinstantiation method. If context change is not requested then + * the polyinstantiation method is set to USER, even if the configuration + * file lists the method as "context" or "both". + */ +static int ctxt_based_inst_needed(void) +{ + security_context_t scon = NULL; + int rc = 0; + + rc = getexeccon(&scon); + if (rc < 0 || scon == NULL) + return 0; + else { + freecon(scon); + return 1; + } +} +#endif + + +/* + * Entry point from pam_open_session call. + */ +PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, retval; + struct instance_data idata; + char *user_name; + struct passwd *pwd; + enum unmnt_op unmnt = NO_UNMNT; + + /* init instance data */ + idata.flags = 0; + idata.polydirs_ptr = NULL; + idata.pamh = pamh; +#ifdef WITH_SELINUX + if (is_selinux_enabled()) + idata.flags |= PAMNS_SELINUX_ENABLED; + if (ctxt_based_inst_needed()) + idata.flags |= PAMNS_CTXT_BASED_INST; +#endif + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) + idata.flags |= PAMNS_DEBUG; + if (strcmp(argv[i], "gen_hash") == 0) + idata.flags |= PAMNS_GEN_HASH; + if (strcmp(argv[i], "ignore_config_error") == 0) + idata.flags |= PAMNS_IGN_CONFIG_ERR; + if (strcmp(argv[i], "ignore_instance_parent_mode") == 0) + idata.flags |= PAMNS_IGN_INST_PARENT_MODE; + if (strcmp(argv[i], "unmnt_remnt") == 0) + unmnt = UNMNT_REMNT; + if (strcmp(argv[i], "unmnt_only") == 0) + unmnt = UNMNT_ONLY; + if (strcmp(argv[i], "require_selinux") == 0) { + if (~(idata.flags & PAMNS_SELINUX_ENABLED)) { + pam_syslog(idata.pamh, LOG_ERR, + "selinux_required option given and selinux is disabled"); + return PAM_SESSION_ERR; + } + } + } + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "open_session - start"); + + /* + * Lookup user and fill struct items + */ + retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); + if ( user_name == NULL || retval != PAM_SUCCESS ) { + pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name"); + return PAM_SESSION_ERR; + } + + pwd = pam_modutil_getpwnam(idata.pamh, user_name); + if (!pwd) { + pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_SESSION_ERR; + } + + /* + * Add the user info to the instance data so we can refer to them later. + */ + idata.user[0] = 0; + strncat(idata.user, user_name, sizeof(idata.user) - 1); + idata.uid = pwd->pw_uid; + + /* + * Parse namespace configuration file which lists directories to + * polyinstantiate, directory where instance directories are to + * be created and the method used for polyinstantiation. + */ + retval = parse_config_file(&idata); + if (retval != PAM_SUCCESS) { + del_polydir_list(idata.polydirs_ptr); + return PAM_SESSION_ERR; + } + + if (idata.polydirs_ptr) { + retval = setup_namespace(&idata, unmnt); + if (idata.flags & PAMNS_DEBUG) { + if (retval) + pam_syslog(idata.pamh, LOG_DEBUG, + "namespace setup failed for pid %d", getpid()); + else + pam_syslog(idata.pamh, LOG_DEBUG, + "namespace setup ok for pid %d", getpid()); + } + } else if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate"); + + del_polydir_list(idata.polydirs_ptr); + return retval; +} + + +/* + * Entry point from pam_close_session call. + */ +PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, retval; + struct instance_data idata; + char *user_name; + struct passwd *pwd; + + /* init instance data */ + idata.flags = 0; + idata.polydirs_ptr = NULL; + idata.pamh = pamh; +#ifdef WITH_SELINUX + if (is_selinux_enabled()) + idata.flags |= PAMNS_SELINUX_ENABLED; + if (ctxt_based_inst_needed()) + idata.flags |= PAMNS_CTXT_BASED_INST; +#endif + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) + idata.flags |= PAMNS_DEBUG; + if (strcmp(argv[i], "ignore_config_error") == 0) + idata.flags |= PAMNS_IGN_CONFIG_ERR; + } + + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); + + /* + * Lookup user and fill struct items + */ + retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); + if ( user_name == NULL || retval != PAM_SUCCESS ) { + pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name"); + return PAM_SESSION_ERR; + } + + pwd = pam_modutil_getpwnam(idata.pamh, user_name); + if (!pwd) { + pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_SESSION_ERR; + } + + /* + * Add the user info to the instance data so we can refer to them later. + */ + idata.user[0] = 0; + strncat(idata.user, user_name, sizeof(idata.user) - 1); + idata.uid = pwd->pw_uid; + + /* + * Parse namespace configuration file which lists directories that + * are polyinstantiated, directories where instance directories are + * created and the method used for polyinstantiation. + */ + retval = parse_config_file(&idata); + if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) { + del_polydir_list(idata.polydirs_ptr); + return PAM_SESSION_ERR; + } + + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", + getpid()); + + retval = orig_namespace(&idata); + if (idata.flags & PAMNS_DEBUG) { + if (retval) + pam_syslog(idata.pamh, LOG_DEBUG, + "resetting namespace failed for pid %d", getpid()); + else + pam_syslog(idata.pamh, LOG_DEBUG, + "resetting namespace ok for pid %d", getpid()); + } + del_polydir_list(idata.polydirs_ptr); + return PAM_SUCCESS; +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_namespace_modstruct = { + "pam_namespace", + NULL, + NULL, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.h b/Linux-PAM/modules/pam_namespace/pam_namespace.h new file mode 100644 index 00000000..c918cff3 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.h @@ -0,0 +1,135 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default namespace after + * establishing a session via PAM. + * + * (C) Copyright IBM Corporation 2005 + * (C) Copyright Red Hat 2006 + * All Rights Reserved. + * + * Written by: Janak Desai <janak@us.ibm.com> + * With Revisions by: Steve Grubb <sgrubb@redhat.com> + * Derived from a namespace setup patch by Chad Sellers <cdselle@tycho.nsa.gov> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * on the rights to use, copy, modify, merge, publish, distribute, sub + * license, and/or sell copies of the Software, and to permit persons to whom + * the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL + * IBM AND/OR THEIR SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#if !(defined(linux)) +#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! +#endif + +#include "config.h" + +#include <stdio.h> +#include <stdio_ext.h> +#include <unistd.h> +#include <string.h> +#include <ctype.h> +#include <stdlib.h> +#include <errno.h> +#include <syslog.h> +#include <dlfcn.h> +#include <stdarg.h> +#include <pwd.h> +#include <limits.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/resource.h> +#include <sys/mount.h> +#include <sys/wait.h> +#include <libgen.h> +#include <fcntl.h> +#include <sched.h> +#include "security/pam_modules.h" +#include "security/pam_modutil.h" +#include "security/pam_ext.h" +#include "md5.h" + +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#endif + +#ifndef CLONE_NEWNS +#define CLONE_NEWNS 0x00020000 /* Flag to create new namespace */ +#endif + +/* + * Module defines + */ +#ifndef PAM_NAMESPACE_CONFIG +#define PAM_NAMESPACE_CONFIG "/etc/security/namespace.conf" +#endif + +#ifndef NAMESPACE_INIT_SCRIPT +#define NAMESPACE_INIT_SCRIPT "/etc/security/namespace.init" +#endif + +#define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ +#define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ +#define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */ +#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ +#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ +#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ + +/* + * Polyinstantiation method options, based on user, security context + * or both + */ +enum polymethod { + USER, + CONTEXT, + BOTH, +}; + +/* + * Depending on the application using this namespace module, we + * may need to unmount priviously bind mounted instance directory. + * Applications such as login and sshd, that establish a new + * session unmount of instance directory is not needed. For applications + * such as su and newrole, that switch the identity, this module + * has to unmount previous instance directory first and re-mount + * based on the new indentity. For other trusted applications that + * just want to undo polyinstantiation, only unmount of previous + * instance directory is needed. + */ +enum unmnt_op { + NO_UNMNT, + UNMNT_REMNT, + UNMNT_ONLY, +}; + +/* + * Structure that holds information about a directory to polyinstantiate + */ +struct polydir_s { + char dir[PATH_MAX]; /* directory to polyinstantiate */ + char instance_prefix[PATH_MAX]; /* prefix for instance dir path name */ + enum polymethod method; /* method used to polyinstantiate */ + unsigned int num_uids; /* number of override uids */ + uid_t *uid; /* list of override uids */ + struct polydir_s *next; /* pointer to the next polydir entry */ +}; + +struct instance_data { + pam_handle_t *pamh; /* The pam handle for this instance */ + struct polydir_s *polydirs_ptr; /* The linked list pointer */ + char user[LOGIN_NAME_MAX]; /* User name */ + uid_t uid; /* The uid of the user */ + unsigned long flags; /* Flags for debug, selinux etc */ +}; diff --git a/Linux-PAM/modules/pam_namespace/tst-pam_namespace b/Linux-PAM/modules/pam_namespace/tst-pam_namespace new file mode 100755 index 00000000..c929dfcf --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/tst-pam_namespace @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_namespace.so diff --git a/Linux-PAM/modules/pam_nologin/Makefile b/Linux-PAM/modules/pam_nologin/Makefile deleted file mode 100644 index 2ad38ffd..00000000 --- a/Linux-PAM/modules/pam_nologin/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_nologin - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_nologin/Makefile.am b/Linux-PAM/modules/pam_nologin/Makefile.am new file mode 100644 index 00000000..dc5fe58f --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin + +TESTS = tst-pam_nologin + +man_MANS = pam_nologin.8 +XMLS = README.xml pam_nologin.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_nologin.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_nologin.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_nologin/Makefile.in b/Linux-PAM/modules/pam_nologin/Makefile.in new file mode 100644 index 00000000..162e0f49 --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_nologin +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_nologin_la_LIBADD = +pam_nologin_la_SOURCES = pam_nologin.c +pam_nologin_la_OBJECTS = pam_nologin.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_nologin.c +DIST_SOURCES = pam_nologin.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin +TESTS = tst-pam_nologin +man_MANS = pam_nologin.8 +XMLS = README.xml pam_nologin.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_nologin.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_nologin/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_nologin/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_nologin.la: $(pam_nologin_la_OBJECTS) $(pam_nologin_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_nologin_la_OBJECTS) $(pam_nologin_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_nologin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_nologin.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_nologin/README b/Linux-PAM/modules/pam_nologin/README index 5de704c3..3ffa591d 100644 --- a/Linux-PAM/modules/pam_nologin/README +++ b/Linux-PAM/modules/pam_nologin/README @@ -1,23 +1,41 @@ -# $Id: README,v 1.2 2002/06/27 05:43:28 agmorgan Exp $ -# +pam_nologin — Prevent non-root users from login -This module always lets root in; it lets other users in only if the file -/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's -contents are displayed to the user. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -The default return value for this module is PAM_IGNORE, you can -override this with the successok module argument. +DESCRIPTION -module services provided: +pam_nologin is a PAM module that prevents users from logging into the system +when /etc/nologin exists. The contents of the /etc/nologin file are displayed +to the user. The pam_nologin module has no effect on the root user's ability to +log in. - auth _authenticate and _setcred - account _acct_mgmt +OPTIONS -optional arguments: +file=/path/nologin - file=<alternative-nologin-pathname> - choose a different file - successok - return PAM_SUCCESS if no file + Use this file instead the default /etc/nologin. -[Original README by Michael K. Johnson] +successok + Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. + +EXAMPLES + +The suggested usage for /etc/pam.d/login is: + +auth required pam_nologin.so + + +NOTES + +In order to make this module effective, all login methods should be secured by +it. It should be used as a required method listed before any sufficient methods +in order to get standard Unix nologin semantics. Note, the use of successok +module argument causes the module to return PAM_SUCCESS and as such would break +such a configuration - failing sufficient modules would lead to a successful +login because the nologin module succeeded. + +AUTHOR + +pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. diff --git a/Linux-PAM/modules/pam_nologin/README.xml b/Linux-PAM/modules/pam_nologin/README.xml new file mode 100644 index 00000000..bc0808e7 --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/README.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_nologin.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_nologin-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-note"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_nologin/pam_nologin.8 b/Linux-PAM/modules/pam_nologin/pam_nologin.8 new file mode 100644 index 00000000..5e502266 --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/pam_nologin.8 @@ -0,0 +1,96 @@ +.\" Title: pam_nologin +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/04/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_NOLOGIN" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_nologin \- Prevent non\-root users from login +.SH "SYNOPSIS" +.HP 15 +\fBpam_nologin.so\fR [file=\fI/path/nologin\fR] [successok] +.SH "DESCRIPTION" +.PP +pam_nologin is a PAM module that prevents users from logging into the system when +\fI/etc/nologin\fR +exists. The contents of the +\fI/etc/nologin\fR +file are displayed to the user. The pam_nologin module has no effect on the root user's ability to log in. +.SH "OPTIONS" +.TP 3n +\fBfile=\fR\fB\fI/path/nologin\fR\fR +Use this file instead the default +\fI/etc/nologin\fR. +.TP 3n +\fBsuccessok\fR +Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBacct\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +The user is not root and +\fI/etc/nologin\fR +exists, so the user is not permitted to log in. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +This is the default return value. +.TP 3n +PAM_SUCCESS +Success: either the user is root or the +\fI/etc/nologin\fR +file does not exist. +.TP 3n +PAM_USER_UNKNOWN +User not known to the underlying authentication module. +.SH "EXAMPLES" +.PP +The suggested usage for +\fI/etc/pam.d/login\fR +is: +.sp +.RS 3n +.nf +auth required pam_nologin.so + +.fi +.RE +.sp +.SH "NOTES" +.PP +In order to make this module effective, all login methods should be secured by it. It should be used as a +\fIrequired\fR +method listed before any +\fIsufficient\fR +methods in order to get standard Unix nologin semantics. Note, the use of +\fBsuccessok\fR +module argument causes the module to return +\fIPAM_SUCCESS\fR +and as such would break such a configuration \- failing +\fIsufficient\fR +modules would lead to a successful login because the nologin module +\fIsucceeded\fR. +.SH "SEE ALSO" +.PP + +\fBnologin\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. diff --git a/Linux-PAM/modules/pam_nologin/pam_nologin.8.xml b/Linux-PAM/modules/pam_nologin/pam_nologin.8.xml new file mode 100644 index 00000000..9710df9d --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/pam_nologin.8.xml @@ -0,0 +1,174 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_nologin"> + + <refmeta> + <refentrytitle>pam_nologin</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_nologin-name"> + <refname>pam_nologin</refname> + <refpurpose>Prevent non-root users from login</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_nologin-cmdsynopsis"> + <command>pam_nologin.so</command> + <arg choice="opt"> + file=<replaceable>/path/nologin</replaceable> + </arg> + <arg choice="opt"> + successok + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_nologin-description"> + + <title>DESCRIPTION</title> + + <para> + pam_nologin is a PAM module that prevents users from logging into + the system when <filename>/etc/nologin</filename> exists. The contents + of the <filename>/etc/nologin</filename> file are displayed to the + user. The pam_nologin module has no effect on the root user's ability + to log in. + </para> + </refsect1> + + <refsect1 id="pam_nologin-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>file=<replaceable>/path/nologin</replaceable></option> + </term> + <listitem> + <para> + Use this file instead the default + <filename>/etc/nologin</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>successok</option> + </term> + <listitem> + <para> + Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_nologin-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <option>auth</option> and <option>acct</option> services are + supported. + </para> + </refsect1> + + <refsect1 id='pam_nologin-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The user is not root and <filename>/etc/nologin</filename> + exists, so the user is not permitted to log in. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para>Memory buffer error.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + This is the default return value. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success: either the user is root or the + <filename>/etc/nologin</filename> file does not exist. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known to the underlying authentication module. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_nologin-examples'> + <title>EXAMPLES</title> + <para> + The suggested usage for <filename>/etc/pam.d/login</filename> is: + <programlisting> +auth required pam_nologin.so + </programlisting> + </para> + </refsect1> + <refsect1 id='pam_nologin-note'> + <title>NOTES</title> + <para> + In order to make this module effective, all login methods should be + secured by it. It should be used as a <emphasis>required</emphasis> + method listed before any <emphasis>sufficient</emphasis> methods in + order to get standard Unix nologin semantics. Note, the use of + <option>successok</option> module argument causes the module to + return <emphasis>PAM_SUCCESS</emphasis> and as such would break + such a configuration - failing <emphasis>sufficient</emphasis> modules + would lead to a successful login because the nologin module + <emphasis>succeeded</emphasis>. + </para> + </refsect1> + + <refsect1 id='pam_nologin-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>nologin</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_nologin-author'> + <title>AUTHOR</title> + <para> + pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_nologin/pam_nologin.c b/Linux-PAM/modules/pam_nologin/pam_nologin.c index 8e7e124a..570d9dc3 100644 --- a/Linux-PAM/modules/pam_nologin/pam_nologin.c +++ b/Linux-PAM/modules/pam_nologin/pam_nologin.c @@ -1,18 +1,21 @@ /* pam_nologin module */ /* - * $Id: pam_nologin.c,v 1.6 2005/01/07 15:31:26 t8m Exp $ + * $Id: pam_nologin.c,v 1.11 2005/09/22 22:16:02 ldv Exp $ * * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 * */ +#include "config.h" + #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/types.h> #include <sys/stat.h> +#include <syslog.h> #include <pwd.h> #include <security/_pam_macros.h> @@ -27,8 +30,8 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> - -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* * parse some command line options @@ -38,8 +41,8 @@ struct opt_s { const char *nologin_file; }; -static void parse_args(pam_handle_t *pamh, int argc, const char **argv, - struct opt_s *opts) +static void +parse_args(pam_handle_t *pamh, int argc, const char **argv, struct opt_s *opts) { int i; @@ -51,11 +54,10 @@ static void parse_args(pam_handle_t *pamh, int argc, const char **argv, for (i=0; i<argc; ++i) { if (!strcmp("successok", argv[i])) { opts->retval_when_nofile = PAM_SUCCESS; - } else if (!memcmp("file=", argv[i], 5)) { + } else if (!strncmp("file=", argv[i], 5)) { opts->nologin_file = argv[i] + 5; } else { - /* XXX - ignore for now. Later, we'll use the logging - function in pammodutils */ + pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]); } } } @@ -67,41 +69,28 @@ static void parse_args(pam_handle_t *pamh, int argc, const char **argv, static int perform_check(pam_handle_t *pamh, struct opt_s *opts) { const char *username; - int retval = PAM_SUCCESS; + int retval = opts->retval_when_nofile; int fd; - retval = opts->retval_when_nofile; - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { + pam_syslog(pamh, LOG_WARNING, "cannot determine username"); return PAM_USER_UNKNOWN; } if ((fd = open(opts->nologin_file, O_RDONLY, 0)) >= 0) { char *mtmp=NULL; + int msg_style = PAM_TEXT_INFO; struct passwd *user_pwd; - struct pam_conv *conversation; - struct pam_message message; - struct pam_message *pmessage = &message; - struct pam_response *resp = NULL; struct stat st; - user_pwd = _pammodutil_getpwnam(pamh, username); + user_pwd = pam_modutil_getpwnam(pamh, username); if (user_pwd == NULL) { - retval = PAM_USER_UNKNOWN; - message.msg_style = PAM_ERROR_MSG; - + msg_style = PAM_ERROR_MSG; } else if (user_pwd->pw_uid) { - retval = PAM_AUTH_ERR; - message.msg_style = PAM_ERROR_MSG; - - } else { - - /* root can still log in; lusers cannot */ - message.msg_style = PAM_TEXT_INFO; - + msg_style = PAM_ERROR_MSG; } /* fill in message buffer with contents of /etc/nologin */ @@ -110,31 +99,16 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) goto clean_up_fd; } - message.msg = mtmp = malloc(st.st_size+1); - if (!message.msg) { - /* if malloc failed... */ + mtmp = malloc(st.st_size+1); + if (!mtmp) { + pam_syslog(pamh, LOG_ERR, "out of memory"); retval = PAM_BUF_ERR; goto clean_up_fd; } - if (_pammodutil_read(fd, mtmp, st.st_size) == st.st_size) { - mtmp[st.st_size] = '\000'; - - /* - * Use conversation function to give user contents - * of /etc/nologin - */ - - if (pam_get_item(pamh, PAM_CONV, (const void **)&conversation) - == PAM_SUCCESS && conversation && conversation->conv) { - (void) conversation->conv(1, - (const struct pam_message **)&pmessage, - &resp, conversation->appdata_ptr); - - if (resp) { - _pam_drop_reply(resp, 1); - } - } + if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { + mtmp[st.st_size] = '\0'; + (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); } else retval = PAM_SYSTEM_ERR; @@ -151,9 +125,9 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) /* --- authentication management functions --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { struct opt_s opts; @@ -162,9 +136,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, return perform_check(pamh, &opts); } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc, const char **argv) { struct opt_s opts; @@ -175,9 +149,9 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, /* --- account management function --- */ -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { struct opt_s opts; diff --git a/Linux-PAM/modules/pam_nologin/tst-pam_nologin b/Linux-PAM/modules/pam_nologin/tst-pam_nologin new file mode 100755 index 00000000..caa91b67 --- /dev/null +++ b/Linux-PAM/modules/pam_nologin/tst-pam_nologin @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_nologin.so diff --git a/Linux-PAM/modules/pam_permit/Makefile b/Linux-PAM/modules/pam_permit/Makefile deleted file mode 100644 index 49f3b3dd..00000000 --- a/Linux-PAM/modules/pam_permit/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:04 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_permit - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_permit/Makefile.am b/Linux-PAM/modules/pam_permit/Makefile.am new file mode 100644 index 00000000..76e24472 --- /dev/null +++ b/Linux-PAM/modules/pam_permit/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_permit + +man_MANS = pam_permit.8 +XMLS = README.xml pam_permit.8.xml + +TESTS = tst-pam_permit + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_permit.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_permit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_permit/Makefile.in b/Linux-PAM/modules/pam_permit/Makefile.in new file mode 100644 index 00000000..43df7fdb --- /dev/null +++ b/Linux-PAM/modules/pam_permit/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_permit +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_permit_la_LIBADD = +pam_permit_la_SOURCES = pam_permit.c +pam_permit_la_OBJECTS = pam_permit.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_permit.c +DIST_SOURCES = pam_permit.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_permit +man_MANS = pam_permit.8 +XMLS = README.xml pam_permit.8.xml +TESTS = tst-pam_permit +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_permit.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_permit/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_permit/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_permit.la: $(pam_permit_la_OBJECTS) $(pam_permit_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_permit_la_OBJECTS) $(pam_permit_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_permit.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_permit.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_permit/README b/Linux-PAM/modules/pam_permit/README index 52e7364e..e09ec9cf 100644 --- a/Linux-PAM/modules/pam_permit/README +++ b/Linux-PAM/modules/pam_permit/README @@ -1,4 +1,30 @@ -# $Id: README,v 1.1.1.1 2000/06/20 22:11:46 agmorgan Exp $ -# +pam_permit — The promiscuous module + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_permit is a PAM module that always permit access. It does nothing else. + +In the case of authentication, the user's name will be set to nobody if the +application didn't set one. Many applications and PAM modules become confused +if this name is unknown. + +This module is very dangerous. It should be used with extreme caution. + +OPTIONS + +This module does not recognice any options. + +EXAMPLES + +Add this line to your other login entries to disable account management, but +continue to permit users to log in. + +account required pam_permit.so + + +AUTHOR + +pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. -this module always returns PAM_SUCCESS, it ignores all options. diff --git a/Linux-PAM/modules/pam_permit/README.xml b/Linux-PAM/modules/pam_permit/README.xml new file mode 100644 index 00000000..acb38b51 --- /dev/null +++ b/Linux-PAM/modules/pam_permit/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_permit.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_permit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_permit-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_permit/pam_permit.8 b/Linux-PAM/modules/pam_permit/pam_permit.8 new file mode 100644 index 00000000..ce3c3290 --- /dev/null +++ b/Linux-PAM/modules/pam_permit/pam_permit.8 @@ -0,0 +1,62 @@ +.\" Title: pam_permit +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/04/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_PERMIT" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_permit \- The promiscuous module +.SH "SYNOPSIS" +.HP 14 +\fBpam_permit.so\fR +.SH "DESCRIPTION" +.PP +pam_permit is a PAM module that always permit access. It does nothing else. +.PP +In the case of authentication, the user's name will be set to +\fInobody\fR +if the application didn't set one. Many applications and PAM modules become confused if this name is unknown. +.PP +This module is very dangerous. It should be used with extreme caution. +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +This module always returns this value. +.SH "EXAMPLES" +.PP +Add this line to your other login entries to disable account management, but continue to permit users to log in. +.sp +.RS 3n +.nf +account required pam_permit.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_permit/pam_permit.8.xml b/Linux-PAM/modules/pam_permit/pam_permit.8.xml new file mode 100644 index 00000000..3992f43f --- /dev/null +++ b/Linux-PAM/modules/pam_permit/pam_permit.8.xml @@ -0,0 +1,105 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_permit"> + + <refmeta> + <refentrytitle>pam_permit</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_permit-name"> + <refname>pam_permit</refname> + <refpurpose>The promiscuous module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_permit-cmdsynopsis"> + <command>pam_permit.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_permit-description"> + + <title>DESCRIPTION</title> + + <para> + pam_permit is a PAM module that always permit access. It does + nothing else. + </para> + <para> + In the case of authentication, the user's name will be set to + <emphasis>nobody</emphasis> if the application didn't set one. + Many applications and PAM modules become confused if this name + is unknown. + </para> + <para> + This module is very dangerous. It should be used with extreme + caution. + </para> + </refsect1> + + <refsect1 id="pam_permit-options"> + + <title>OPTIONS</title> + <para> This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_permit-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_permit-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + This module always returns this value. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_permit-examples'> + <title>EXAMPLES</title> + <para> + Add this line to your other login entries to disable account + management, but continue to permit users to log in. + <programlisting> +account required pam_permit.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_permit-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_permit-author'> + <title>AUTHOR</title> + <para> + pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_permit/pam_permit.c b/Linux-PAM/modules/pam_permit/pam_permit.c index 08d464b8..d85f8d75 100644 --- a/Linux-PAM/modules/pam_permit/pam_permit.c +++ b/Linux-PAM/modules/pam_permit/pam_permit.c @@ -1,12 +1,14 @@ /* pam_permit module */ /* - * $Id: pam_permit.c,v 1.3 2004/09/22 09:37:49 kukuk Exp $ + * $Id: pam_permit.c,v 1.4 2005/09/17 08:50:29 t8m Exp $ * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 * */ +#include "config.h" + #define DEFAULT_USER "nobody" #include <stdio.h> @@ -28,9 +30,9 @@ /* --- authentication management functions --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { int retval; const char *user=NULL; @@ -54,43 +56,43 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } /* --- account management functions --- */ -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } /* --- password management --- */ -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } /* --- session management --- */ -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_permit/tst-pam_permit b/Linux-PAM/modules/pam_permit/tst-pam_permit new file mode 100755 index 00000000..8adb427f --- /dev/null +++ b/Linux-PAM/modules/pam_permit/tst-pam_permit @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_permit.so diff --git a/Linux-PAM/modules/pam_pwdb/BUGS b/Linux-PAM/modules/pam_pwdb/BUGS deleted file mode 100644 index d51686e5..00000000 --- a/Linux-PAM/modules/pam_pwdb/BUGS +++ /dev/null @@ -1,3 +0,0 @@ -$Id: BUGS,v 1.2 2000/12/04 19:02:34 baggins Exp $ - -As of Linux-PAM-0.52 this is new. No known bugs yet. diff --git a/Linux-PAM/modules/pam_pwdb/CHANGELOG b/Linux-PAM/modules/pam_pwdb/CHANGELOG deleted file mode 100644 index a3614031..00000000 --- a/Linux-PAM/modules/pam_pwdb/CHANGELOG +++ /dev/null @@ -1,10 +0,0 @@ -$Id: CHANGELOG,v 1.1.1.1 2000/06/20 22:11:46 agmorgan Exp $ - -Tue Apr 23 12:28:09 EDT 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu) - - * PAM_DISALLOW_NULL_AUTHTOK implemented in the authentication module - * pam_sm_open_session() and pam_sm_close_session() implemented - A new "trace" flag added to flags of /etc/pam.conf. Using this - flag system administrator is able to make pam_unix module provide - very extensive audit trail sent so syslog with LOG_AUTHPRIV level. - * pam_sm_set_cred() is done diff --git a/Linux-PAM/modules/pam_pwdb/Makefile b/Linux-PAM/modules/pam_pwdb/Makefile deleted file mode 100644 index 228c6704..00000000 --- a/Linux-PAM/modules/pam_pwdb/Makefile +++ /dev/null @@ -1,127 +0,0 @@ -# $Id: Makefile,v 1.3 2004/09/28 13:48:47 kukuk Exp $ -# -# This Makefile controls a build process of the pam_unix module -# for Linux-PAM. You should not modify this Makefile. -# -# rewritten to compile new module Andrew Morgan -# <morgan@parc.power.net> 1996/11/6 -# - -include ../../Make.Rules - -ifeq ($(HAVE_LIBPWDB),yes) - -EXTRALS += -lpwdb -EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\" - -ifeq ($(HAVE_LIBCRYPT),yes) - EXTRALS += -lcrypt -endif -ifeq ($(HAVE_LIBNSL),yes) - EXTRALS += -lnsl -endif - -TITLE=pam_pwdb -CHKPWD=pwdb_chkpwd - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) -LIBDEPS = pam_unix_acct.-c pam_unix_auth.-c pam_unix_passwd.-c \ - pam_unix_sess.-c pam_unix_pwupd.-c support.-c bigcrypt.-c - -PLUS += md5_good.o md5_broken.o md5_crypt_good.o md5_crypt_broken.o -CFLAGS += $(EXTRAS) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -all: info dirs $(PLUS) $(LIBSHARED) $(LIBSTATIC) register $(CHKPWD) - -dynamic/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS) - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS) -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -info: - @echo - @echo "*** Building PAM_pwdb module..." - @echo - -$(CHKPWD): pwdb_chkpwd.o md5_good.o md5_broken.o \ - md5_crypt_good.o md5_crypt_broken.o - $(CC) $(CFLAGS) -o $(CHKPWD) $^ $(LDFLAGS) -lpwdb $(EXTRALS) - -pwdb_chkpwd.o: pwdb_chkpwd.c pam_unix_md.-c bigcrypt.-c - -md5_good.o: md5.c - $(CC) $(CFLAGS) $(CPPFLAGS) -DHIGHFIRST -D'MD5Name(x)=Good##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_broken.o: md5.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_crypt_good.o: md5_crypt.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Good##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_crypt_broken.o: md5_crypt.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \ - $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - @$(MKDIR) ./dynamic -endif -#ifdef STATIC -# @$(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(PLUS) $(EXTRALS) -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) $(PLUS) $(EXTRALS) -#endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SUPLEMENTED) - $(INSTALL) -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(SUPLEMENTED)/$(CHKPWD) - -clean: - rm -f $(CHKPWD) $(LIBOBJD) $(LIBOBJS) $(MOREDELS) core *~ *.o *.so - rm -f *.a *.o *.so *.bak - rm -fr dynamic static - -else - -include ../dont_makefile - -endif diff --git a/Linux-PAM/modules/pam_pwdb/README b/Linux-PAM/modules/pam_pwdb/README deleted file mode 100644 index 4f420855..00000000 --- a/Linux-PAM/modules/pam_pwdb/README +++ /dev/null @@ -1,41 +0,0 @@ -This is the pam_unix module. It has been significantly rewritten since -.51 was released (due mostly to the efforts of Cristian Gafton), and -now takes more options and correctly updates vanilla UNIX/shadow/md5 -passwords. - -[Please read the source and make a note of all the warnings there, as -the license suggests -- use at your own risk.] - -So far as I am concerned this module is now pretty stable. If you find -any bugs, PLEASE tell me! <morgan@linux.kernel.org> - -Options recognized by this module are as follows: - - debug - log more debugging info - audit - a little more extreme than debug - use_first_pass - don't prompt the user for passwords - take them from PAM_ items instead - try_first_pass - don't prompt the user for the passwords - unless PAM_(OLD)AUTHTOK is unset - use_authtok - like try_first_pass, but *fail* if the new - PAM_AUTHTOK has not been previously set. - (intended for stacking password modules only) - not_set_pass - don't set the PAM_ items with the passwords - used by this module. - shadow - try to maintian a shadow based system. - unix - when changing passwords, they are placed - in the /etc/passwd file - md5 - when a user changes their password next, - encrypt it with the md5 algorithm. - bigcrypt - when a user changes their password next, - excrypt it with the DEC C2-algorithm(0). - nodelay - used to prevent failed authentication - resulting in a delay of about 1 second. - -There is some support for building a shadow file on-the-fly from an -/etc/passwd file. This is VERY alpha. If you want to play with it you -should read the source to find the appropriate #define that you will -need. - ---------------------- -Andrew Morgan <morgan@linux.kernel.org> diff --git a/Linux-PAM/modules/pam_pwdb/TODO b/Linux-PAM/modules/pam_pwdb/TODO deleted file mode 100644 index 520a262e..00000000 --- a/Linux-PAM/modules/pam_pwdb/TODO +++ /dev/null @@ -1,34 +0,0 @@ -$Id: TODO,v 1.1.1.1 2000/06/20 22:11:47 agmorgan Exp $ - - * get NIS working - * .. including "nonis" argument - * add helper binary - -Wed Sep 4 23:40:09 PDT 1996 Andrew G. Morgan - - * verify that it works for everyone - * look more seriously at the issue of generating a shadow - system on the fly - * add some more password flavors - -Thu Aug 29 06:26:42 PDT 1996 Andrew G. Morgan - - * check that complete rewrite works! ;^) - * complete shadow support to the password changing code. - Also some code needed here for session managment? - (both pam.conf argument to turn it on/off, and some - conditional compilation.) - * md5 passwords... - * make the exclusive nature of the arguments work. That is, - only recognize the flags when appropriate. - -Wed May 8 19:08:49 EDT 1996 Alexander O. Yuriev - - * support.c should go. - -Tue Apr 23 21:43:55 EDT 1996 Alexander O. Yuriev - - * pam_sm_chauth_tok() should be written - * QUICK FIX: pam_sm_setcred() probably returns incorrect error code - - diff --git a/Linux-PAM/modules/pam_pwdb/bigcrypt.-c b/Linux-PAM/modules/pam_pwdb/bigcrypt.-c deleted file mode 100644 index 321f2491..00000000 --- a/Linux-PAM/modules/pam_pwdb/bigcrypt.-c +++ /dev/null @@ -1,114 +0,0 @@ -/* - * This function implements the "bigcrypt" algorithm specifically for - * Linux-PAM. - * - * This algorithm is algorithm 0 (default) shipped with the C2 secure - * implementation of Digital UNIX. - * - * Disclaimer: This work is not based on the source code to Digital - * UNIX, nor am I connected to Digital Equipment Corp, in any way - * other than as a customer. This code is based on published - * interfaces and reasonable guesswork. - * - * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 - * characters or less. Each block is encrypted using the standard UNIX - * libc crypt function. The result of the encryption for one block - * provides the salt for the suceeding block. - * - * Restrictions: The buffer used to hold the encrypted result is - * statically allocated. (see MAX_PASS_LEN below). This is necessary, - * as the returned pointer points to "static data that are overwritten - * by each call", (XPG3: XSI System Interface + Headers pg 109), and - * this is a drop in replacement for crypt(); - * - * Andy Phillips <atp@mssl.ucl.ac.uk> - */ - -/* - * Max cleartext password length in segments of 8 characters this - * function can deal with (16 segments of 8 chars= max 128 character - * password). - */ - -#define MAX_PASS_LEN 16 -#define SEGMENT_SIZE 8 -#define SALT_SIZE 2 -#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE) -#define ESEGMENT_SIZE 11 -#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1) - -static char *bigcrypt(const char *key, const char *salt) -{ - static char dec_c2_cryptbuf[CBUF_SIZE]; /* static storage area */ - - unsigned long int keylen,n_seg,j; - char *cipher_ptr,*plaintext_ptr,*tmp_ptr,*salt_ptr; - char keybuf[KEYBUF_SIZE+1]; - - D(("called with key='%s', salt='%s'.", key, salt)); - - /* reset arrays */ - memset(keybuf, 0, KEYBUF_SIZE+1); - memset(dec_c2_cryptbuf, 0, CBUF_SIZE); - - /* fill KEYBUF_SIZE with key */ - strncpy(keybuf, key, KEYBUF_SIZE); - - /* deal with case that we are doing a password check for a - conventially encrypted password: the salt will be - SALT_SIZE+ESEGMENT_SIZE long. */ - if (strlen(salt) == (SALT_SIZE+ESEGMENT_SIZE)) - keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */ - - keylen = strlen(keybuf); - - if (!keylen) { - n_seg = 1; - } else { - /* work out how many segments */ - n_seg = 1 + ((keylen-1)/SEGMENT_SIZE); - } - - if (n_seg > MAX_PASS_LEN) - n_seg = MAX_PASS_LEN; /* truncate at max length */ - - /* set up some pointers */ - cipher_ptr = dec_c2_cryptbuf; - plaintext_ptr = keybuf; - - /* do the first block with supplied salt */ - tmp_ptr = crypt(plaintext_ptr,salt); /* libc crypt() */ - - /* and place in the static area */ - strncpy(cipher_ptr, tmp_ptr, 13); - cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; - plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */ - - /* change the salt (1st 2 chars of previous block) - this was found - by dowsing */ - - salt_ptr = cipher_ptr - ESEGMENT_SIZE; - - /* so far this is identical to "return crypt(key, salt);", if - there is more than one block encrypt them... */ - - if (n_seg > 1) { - for (j=2; j <= n_seg; j++) { - - tmp_ptr = crypt(plaintext_ptr, salt_ptr); - - /* skip the salt for seg!=0 */ - strncpy(cipher_ptr, (tmp_ptr+SALT_SIZE), ESEGMENT_SIZE); - - cipher_ptr += ESEGMENT_SIZE; - plaintext_ptr += SEGMENT_SIZE; - salt_ptr = cipher_ptr - ESEGMENT_SIZE; - } - } - - D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); - - /* this is the <NUL> terminated encrypted password */ - - return dec_c2_cryptbuf; -} diff --git a/Linux-PAM/modules/pam_pwdb/md5.c b/Linux-PAM/modules/pam_pwdb/md5.c deleted file mode 100644 index 44282941..00000000 --- a/Linux-PAM/modules/pam_pwdb/md5.c +++ /dev/null @@ -1,255 +0,0 @@ -/* $Id: md5.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ - * - * This code implements the MD5 message-digest algorithm. - * The algorithm is due to Ron Rivest. This code was - * written by Colin Plumb in 1993, no copyright is claimed. - * This code is in the public domain; do with it what you wish. - * - * Equivalent code is available from RSA Data Security, Inc. - * This code has been tested against that, and is equivalent, - * except that you don't need to include two pages of legalese - * with every copy. - * - * To compute the message digest of a chunk of bytes, declare an - * MD5Context structure, pass it to MD5Init, call MD5Update as - * needed on buffers full of bytes, and then call MD5Final, which - * will fill a supplied 16-byte array with the digest. - * - */ - -#include <string.h> -#include "md5.h" - -#ifndef HIGHFIRST -#define byteReverse(buf, len) /* Nothing */ -#else -static void byteReverse(unsigned char *buf, unsigned longs); - -#ifndef ASM_MD5 -/* - * Note: this code is harmless on little-endian machines. - */ -static void byteReverse(unsigned char *buf, unsigned longs) -{ - uint32 t; - do { - t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | - ((unsigned) buf[1] << 8 | buf[0]); - *(uint32 *) buf = t; - buf += 4; - } while (--longs); -} -#endif -#endif - -/* - * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious - * initialization constants. - */ -void MD5Name(MD5Init)(struct MD5Context *ctx) -{ - ctx->buf[0] = 0x67452301U; - ctx->buf[1] = 0xefcdab89U; - ctx->buf[2] = 0x98badcfeU; - ctx->buf[3] = 0x10325476U; - - ctx->bits[0] = 0; - ctx->bits[1] = 0; -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len) -{ - uint32 t; - - /* Update bitcount */ - - t = ctx->bits[0]; - if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) - ctx->bits[1]++; /* Carry from low to high */ - ctx->bits[1] += len >> 29; - - t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ - - /* Handle any leading odd-sized chunks */ - - if (t) { - unsigned char *p = (unsigned char *) ctx->in + t; - - t = 64 - t; - if (len < t) { - memcpy(p, buf, len); - return; - } - memcpy(p, buf, t); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - buf += t; - len -= t; - } - /* Process data in 64-byte chunks */ - - while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - buf += 64; - len -= 64; - } - - /* Handle any remaining bytes of data. */ - - memcpy(ctx->in, buf, len); -} - -/* - * Final wrapup - pad to 64-byte boundary with the bit pattern - * 1 0* (64-bit count of bits processed, MSB-first) - */ -void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) -{ - unsigned count; - unsigned char *p; - - /* Compute number of bytes mod 64 */ - count = (ctx->bits[0] >> 3) & 0x3F; - - /* Set the first char of padding to 0x80. This is safe since there is - always at least one byte free */ - p = ctx->in + count; - *p++ = 0x80; - - /* Bytes of padding needed to make 64 bytes */ - count = 64 - 1 - count; - - /* Pad out to 56 mod 64 */ - if (count < 8) { - /* Two lots of padding: Pad the first block to 64 bytes */ - memset(p, 0, count); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - - /* Now fill the next block with 56 bytes */ - memset(ctx->in, 0, 56); - } else { - /* Pad block to 56 bytes */ - memset(p, 0, count - 8); - } - byteReverse(ctx->in, 14); - - /* Append length in bits and transform */ - ((uint32 *) ctx->in)[14] = ctx->bits[0]; - ((uint32 *) ctx->in)[15] = ctx->bits[1]; - - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); - memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ -} - -#ifndef ASM_MD5 - -/* The four core functions - F1 is optimized somewhat */ - -/* #define F1(x, y, z) (x & y | ~x & z) */ -#define F1(x, y, z) (z ^ (x & (y ^ z))) -#define F2(x, y, z) F1(z, x, y) -#define F3(x, y, z) (x ^ y ^ z) -#define F4(x, y, z) (y ^ (x | ~z)) - -/* This is the central step in the MD5 algorithm. */ -#define MD5STEP(f, w, x, y, z, data, s) \ - ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x ) - -/* - * The core of the MD5 algorithm, this alters an existing MD5 hash to - * reflect the addition of 16 longwords of new data. MD5Update blocks - * the data and converts bytes into longwords for this routine. - */ -void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16]) -{ - register uint32 a, b, c, d; - - a = buf[0]; - b = buf[1]; - c = buf[2]; - d = buf[3]; - - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7); - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12); - MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17); - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22); - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7); - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12); - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17); - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22); - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7); - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12); - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17); - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22); - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7); - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12); - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17); - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22); - - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5); - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9); - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14); - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20); - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5); - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9); - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14); - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20); - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5); - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9); - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14); - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20); - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5); - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9); - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14); - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20); - - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4); - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11); - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16); - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23); - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4); - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11); - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16); - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23); - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4); - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11); - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16); - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23); - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4); - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11); - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16); - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23); - - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6); - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10); - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15); - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21); - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6); - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10); - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15); - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21); - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6); - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10); - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15); - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21); - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6); - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10); - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15); - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21); - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -#endif diff --git a/Linux-PAM/modules/pam_pwdb/md5.h b/Linux-PAM/modules/pam_pwdb/md5.h deleted file mode 100644 index 75c4dbac..00000000 --- a/Linux-PAM/modules/pam_pwdb/md5.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef MD5_H -#define MD5_H - -typedef unsigned int uint32; - -struct MD5Context { - uint32 buf[4]; - uint32 bits[2]; - unsigned char in[64]; -}; - -void GoodMD5Init(struct MD5Context *); -void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned); -void GoodMD5Final(unsigned char digest[16], struct MD5Context *); -void GoodMD5Transform(uint32 buf[4], uint32 const in[16]); -void BrokenMD5Init(struct MD5Context *); -void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned); -void BrokenMD5Final(unsigned char digest[16], struct MD5Context *); -void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]); - -char *Goodcrypt_md5(const char *pw, const char *salt); -char *Brokencrypt_md5(const char *pw, const char *salt); - -/* -* This is needed to make RSAREF happy on some MS-DOS compilers. -*/ - -typedef struct MD5Context MD5_CTX; - -#endif /* MD5_H */ diff --git a/Linux-PAM/modules/pam_pwdb/md5_crypt.c b/Linux-PAM/modules/pam_pwdb/md5_crypt.c deleted file mode 100644 index 826087f2..00000000 --- a/Linux-PAM/modules/pam_pwdb/md5_crypt.c +++ /dev/null @@ -1,138 +0,0 @@ -/* $Id: md5_crypt.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ - * - * ---------------------------------------------------------------------------- - * "THE BEER-WARE LICENSE" (Revision 42): - * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you think - * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp - * ---------------------------------------------------------------------------- - * - * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp - * - */ - -#include <string.h> -#include "md5.h" - -static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - -static void -to64(char *s, unsigned long v, int n) -{ - while (--n >= 0) { - *s++ = itoa64[v&0x3f]; - v >>= 6; - } -} - -/* - * UNIX password - * - * Use MD5 for what it is best at... - */ - -char * MD5Name(crypt_md5)(const char *pw, const char *salt) -{ - const char *magic = "$1$"; - /* This string is magic for this algorithm. Having - * it this way, we can get get better later on */ - static char passwd[120], *p; - static const char *sp,*ep; - unsigned char final[16]; - int sl,pl,i,j; - MD5_CTX ctx,ctx1; - unsigned long l; - - /* Refine the Salt first */ - sp = salt; - - /* If it starts with the magic string, then skip that */ - if(!strncmp(sp,magic,strlen(magic))) - sp += strlen(magic); - - /* It stops at the first '$', max 8 chars */ - for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) - continue; - - /* get the length of the true salt */ - sl = ep - sp; - - MD5Name(MD5Init)(&ctx); - - /* The password first, since that is what is most unknown */ - MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw)); - - /* Then our magic string */ - MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic)); - - /* Then the raw salt */ - MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl); - - /* Then just as many characters of the MD5(pw,salt,pw) */ - MD5Name(MD5Init)(&ctx1); - MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl); - MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Name(MD5Final)(final,&ctx1); - for(pl = strlen(pw); pl > 0; pl -= 16) - MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl); - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - /* Then something really weird... */ - for (j=0,i = strlen(pw); i ; i >>= 1) - if(i&1) - MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1); - else - MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1); - - /* Now make the output string */ - strcpy(passwd,magic); - strncat(passwd,sp,sl); - strcat(passwd,"$"); - - MD5Name(MD5Final)(final,&ctx); - - /* - * and now, just to make sure things don't run too fast - * On a 60 Mhz Pentium this takes 34 msec, so you would - * need 30 seconds to build a 1000 entry dictionary... - */ - for(i=0;i<1000;i++) { - MD5Name(MD5Init)(&ctx1); - if(i & 1) - MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); - else - MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16); - - if(i % 3) - MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl); - - if(i % 7) - MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); - - if(i & 1) - MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16); - else - MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Name(MD5Final)(final,&ctx1); - } - - p = passwd + strlen(passwd); - - l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; - l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; - l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; - l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; - l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; - l = final[11] ; to64(p,l,2); p += 2; - *p = '\0'; - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - return passwd; -} - diff --git a/Linux-PAM/modules/pam_pwdb/pam_pwdb.c b/Linux-PAM/modules/pam_pwdb/pam_pwdb.c deleted file mode 100644 index 8c75ac23..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_pwdb.c +++ /dev/null @@ -1,248 +0,0 @@ -/* - * $Id: pam_pwdb.c,v 1.3 2000/11/19 23:54:04 agmorgan Exp $ - * - * This is the single file that will be compiled for pam_unix. - * it includes each of the modules that have beed defined in the .-c - * files in this directory. - * - * It is a little ugly to do it this way, but it is a simple way of - * defining static functions only once, and yet keeping the separate - * files modular. If you can think of something better, please email - * Andrew Morgan <morgan@linux.kernel.org> - * - * See the end of this file for Copyright information. - */ - -static const char rcsid[] = -"$Id: pam_pwdb.c,v 1.3 2000/11/19 23:54:04 agmorgan Exp $\n" -" - PWDB Pluggable Authentication module. <morgan@linux.kernel.org>" -; - -/* #define DEBUG */ - -#include <security/_pam_aconf.h> - -#include <sys/types.h> -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> -#include <errno.h> -#include <string.h> -#include <syslog.h> -#include <time.h> /* for time() */ -#include <fcntl.h> -#include <ctype.h> - -#include <sys/time.h> -#include <unistd.h> - -#include <pwdb/pwdb_public.h> - -/* indicate the following groups are defined */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/_pam_macros.h> -#include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - -#include "./support.-c" - -/* - * PAM framework looks for these entry-points to pass control to the - * authentication module. - */ - -#include "./pam_unix_auth.-c" - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_auth( pamh, ctrl ); - pwdb_end(); - - if ( on(UNIX_LIKE_AUTH, ctrl) ) { - D(("recording return code for next time [%d]", retval)); - pam_set_data(pamh, "pwdb_setcred_return", (void *) retval, NULL); - } - - D(("done. [%s]", pam_strerror(pamh, retval))); - - return retval; -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_set_credentials(pamh, ctrl); - pwdb_end(); - - if ( on(UNIX_LIKE_AUTH, ctrl) ) { - int *pretval = &retval; - - D(("recovering return code from auth call")); - pam_get_data(pamh, "pwdb_setcred_return", (const void **) pretval); - D(("recovered data indicates that old retval was %d", retval)); - } - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * account management module. - */ - -#include "./pam_unix_acct.-c" - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_acct_mgmt(pamh, ctrl); - pwdb_end(); - - D(("done.")); - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * session module. - */ - -#include "./pam_unix_sess.-c" - -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_open_session(pamh, ctrl); - pwdb_end(); - - return retval; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_close_session(pamh, ctrl); - pwdb_end(); - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * password changing module. - */ - -#include "./pam_unix_passwd.-c" - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_chauthtok(pamh, ctrl); - pwdb_end(); - - D(("done.")); - - return retval; -} - -/* static module data */ - -#ifdef PAM_STATIC -struct pam_module _pam_pwdb_modstruct = { - "pam_pwdb", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; - -#endif - -/* - * Copyright (c) Andrew G. Morgan, 1996. All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_acct.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_acct.-c deleted file mode 100644 index adcb6538..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_acct.-c +++ /dev/null @@ -1,272 +0,0 @@ -/* - * $Id: pam_unix_acct.-c,v 1.2 2000/12/04 19:02:34 baggins Exp $ - * - * See end of file for copyright information - */ - -static const char rcsid_acct[] = -"$Id: pam_unix_acct.-c,v 1.2 2000/12/04 19:02:34 baggins Exp $\n" -" - PAM_PWDB account management <gafton@redhat.com>"; - -/* the shadow suite has accout managment.. */ - -static int _shadow_acct_mgmt_exp(pam_handle_t *pamh, unsigned int ctrl, - const struct pwdb *pw, const char *uname) -{ - const struct pwdb_entry *pwe = NULL; - time_t curdays; - int last_change, max_change; - int retval; - - D(("called.")); - - /* Now start the checks */ - - curdays = time(NULL)/(60*60*24); /* today */ - - /* First: has account expired ? (CG) - * - expire < curdays - * - or (last_change + max_change + defer_change) < curdays - * - in both cases, deny access - */ - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "expire", &pwe); - if (retval == PWDB_SUCCESS) { - int expire; - - expire = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); /* no longer needed */ - - if ((curdays > expire) && (expire > 0)) { - - _log_err(LOG_NOTICE - , "acct: account %s has expired (account expired)" - , uname); - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your account has expired; " - "please contact your system administrator"); - - D(("account expired")); - return PAM_ACCT_EXPIRED; - } - } - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "last_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - last_change = *( (const int *) pwe->value ); - } else { - last_change = curdays; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "max_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - max_change = *( (const int *) pwe->value ); - } else { - max_change = -1; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "defer_change", &pwe); - if (retval == PWDB_SUCCESS) { - int defer_change; - - defer_change = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); - - if ((curdays > (last_change + max_change + defer_change)) - && (max_change != -1) && (defer_change != -1) - && (last_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE, "acct: account %s has expired " - "(failed to change password)", uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; " - "please see your system administrator"); - - D(("account expired2")); - return PAM_ACCT_EXPIRED; - } - } - - /* Now test if the password is expired, but the user still can - * change their password. (CG) - * - last_change = 0 - * - last_change + max_change < curdays - */ - - D(("when was the last change")); - if (last_change == 0) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE - , "acct: expired password for user %s (root enforced)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "You are required to change your password immediately" - ); - - D(("need a new password")); - return PAM_NEW_AUTHTOK_REQD; - } - - if (((last_change + max_change) < curdays) && - (max_change < 99999) && (max_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: expired password for user %s (password aged)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; please change it!"); - - D(("need a new password 2")); - return PAM_NEW_AUTHTOK_REQD; - } - - /* - * Now test if the password is about to expire (CG) - * - last_change + max_change - curdays <= warn_change - */ - - retval = pwdb_get_entry(pw, "warn_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - int warn_days, daysleft; - - daysleft = last_change + max_change - curdays; - warn_days = *((const int *) pwe->value); - (void) pwdb_entry_delete(&pwe); - - if ((daysleft <= warn_days) && (warn_days > 0)) { - char *s; - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: password for user %s will expire in %d days" - , uname, daysleft); - } - -#define LocalComment "Warning: your password will expire in %d day%s" - if ((s = (char *) malloc(30+sizeof(LocalComment))) == NULL) { - _log_err(LOG_CRIT, "malloc failure in " __FILE__); - retval = PAM_BUF_ERR; - } else { - - sprintf(s, LocalComment, daysleft, daysleft == 1 ? "":"s"); - - make_remark(pamh, ctrl, PAM_TEXT_INFO, s); - free(s); - } -#undef LocalComment - } - } else { - retval = PAM_SUCCESS; - } - - D(("all done")); - return retval; -} - - -/* - * this function checks for the account details. The user may not be - * permitted to log in at this time etc.. Within the context of - * vanilla Unix, this function simply does nothing. The shadow suite - * added password/account expiry, but PWDB takes care of this - * transparently. - */ - -static int _unix_acct_mgmt(pam_handle_t *pamh, unsigned int ctrl) -{ - const struct pwdb *pw = NULL; - - char *uname=NULL; - int retval; - - D(("called.")); - - /* identify user */ - - retval = pam_get_item(pamh,PAM_USER,(const void **)&uname); - D(("user = `%s'", uname)); - if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT - , "acct; could not identify user (from uid=%d)" - , getuid()); - return PAM_USER_UNKNOWN; - } - - /* get database information for user */ - - retval = pwdb_locate("user", PWDB_DEFAULT, uname, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL) { - - _log_err(LOG_ALERT, "acct; %s (%s from uid=%d)" - , pwdb_strerror(retval), uname, getuid()); - if ( pw ) { - (void) pwdb_delete(&pw); - } - return PAM_USER_UNKNOWN; - } - - /* now check the user's times etc.. */ - - retval = _shadow_acct_mgmt_exp(pamh, ctrl, pw, uname); - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "expiry check failed for '%s'", uname); - } - - /* Done with pw */ - - (void) pwdb_delete(&pw); - - /* all done */ - - D(("done.")); - return retval; -} - -/* - * Copyright (c) Elliot Lee, 1996. - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996. - * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_auth.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_auth.-c deleted file mode 100644 index 31230394..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_auth.-c +++ /dev/null @@ -1,131 +0,0 @@ -/* - * $Id: pam_unix_auth.-c,v 1.1.1.1 2000/06/20 22:11:49 agmorgan Exp $ - * - * See end of file for Copyright information. - */ - -static const char rcsid_auth[] = -"$Id: pam_unix_auth.-c,v 1.1.1.1 2000/06/20 22:11:49 agmorgan Exp $: pam_unix_auth.-c,v 1.2 1996/09/05 06:46:53 morgan Exp morgan $\n" -" - PAM_PWDB authentication functions. <morgan@parc.power.net>"; - -/* - * _unix_auth() is a front-end for UNIX/shadow authentication - * - * First, obtain the password from the user. Then use a - * routine in 'support.-c' to authenticate the user. - */ - -#define _UNIX_AUTHTOK "-UN*X-PASS" - -static int _unix_auth(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - const char *name, *p; - - D(("called.")); - - /* get the user'name' */ - - retval = _unix_get_user(pamh, ctrl, NULL, &name); - if (retval != PAM_SUCCESS ) { - if (retval != PAM_CONV_AGAIN) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "auth could not identify user"); - } - } else { - D(("pam_get_user/conv() function is not ready yet")); - /* it is safe to resume this function so we translate this - retval to the value that indicates we're happy to resume. */ - retval = PAM_INCOMPLETE; - } - return retval; - } - - /* if this user does not have a password... */ - - if ( _unix_blankpasswd(ctrl, name) ) { - D(("user '%s' has blank passwd", name)); - name = NULL; - return PAM_SUCCESS; - } - - /* get this user's authentication token */ - - retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL - , _UNIX_AUTHTOK, &p); - if (retval != PAM_SUCCESS) { - if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_CRIT, "auth could not identify password for [%s]" - , name); - } else { - D(("conversation function is not ready yet")); - /* it is safe to resume this function so we translate this - retval to the value that indicates we're happy to resume. */ - retval = PAM_INCOMPLETE; - } - name = NULL; - return retval; - } - D(("user=%s, password=[%s]", name, p)); - - /* verify the password of this user */ - retval = _unix_verify_password(pamh, name, p, ctrl); - name = p = NULL; - - D(("done [%d]", retval)); - - return retval; -} - -/* - * This function is for setting unix credentials. Sun has indicated - * that there are *NO* authentication credentials for unix. The - * obvious credentials would be the group membership of the user as - * listed in the /etc/group file. However, Sun indicates that it is - * the responsibility of the application to set these. - */ - -static int _unix_set_credentials(pam_handle_t *pamh, unsigned int ctrl) -{ - D(("called <empty function> returning.")); - - return PAM_SUCCESS; -} - -/******************************************************************** - * Copyright (c) Alexander O. Yuriev, 1996. - * Copyright (c) Andrew G. Morgan <morgan@parc.power.net> 1996 - * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996, 1997 - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_md.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_md.-c deleted file mode 100644 index 65476732..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_md.-c +++ /dev/null @@ -1,73 +0,0 @@ -/* - * This function is a front-end for the message digest algorithms used - * to compute the user's encrypted passwords. No reversible encryption - * is used here and I intend to keep it that way. - * - * While there are many sources of encryption outside the United - * States, it *may* be illegal to re-export reversible encryption - * computer code. Until such time as it is legal to export encryption - * software freely from the US, please do not send me any. (AGM) - */ - -/* this should have been defined in a header file.. Why wasn't it? AGM */ -extern char *crypt(const char *key, const char *salt); - -#include "md5.h" -#include "bigcrypt.-c" - -struct cfns { - const char *salt; - int len; - char * (* mdfn)(const char *key, const char *salt); -}; - -/* array of non-standard digest algorithms available */ - -#define N_MDS 1 -const static struct cfns cfn_list[N_MDS] = { - { "$1$", 3, Goodcrypt_md5 }, -}; - -static char *_pam_md(const char *key, const char *salt) -{ - char *x,*e=NULL; - int i; - - D(("called with key='%s', salt='%s'", key, salt)); - - /* check for non-standard salts */ - - for (i=0; i<N_MDS; ++i) { - if ( !strncmp(cfn_list[i].salt, salt, cfn_list[i].len) ) { - e = cfn_list[i].mdfn(key, salt); - break; - } - } - - if ( i >= N_MDS ) { - e = bigcrypt(key, salt); /* (defaults to standard algorithm) */ - } - - x = x_strdup(e); /* put e in malloc()ed memory */ - _pam_overwrite(e); /* clean up */ - return x; /* this must be deleted elsewhere */ -} - -#ifndef PWDB_NO_MD_COMPAT -static char *_pam_md_compat(const char *key, const char *salt) -{ - char *x,*e=NULL; - - D(("called with key='%s', salt='%s'", key, salt)); - - if ( !strncmp("$1$", salt, 3) ) { - e = Brokencrypt_md5(key, salt); - x = x_strdup(e); /* put e in malloc()ed memory */ - _pam_overwrite(e); /* clean up */ - } else { - x = x_strdup(""); /* called from only one place so this is safe */ - } - - return x; /* this must be deleted elsewhere */ -} -#endif /* PWDB_NO_MD_COMPAT */ diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_passwd.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_passwd.-c deleted file mode 100644 index 7ed65000..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_passwd.-c +++ /dev/null @@ -1,373 +0,0 @@ -/* $Id: pam_unix_passwd.-c,v 1.3 2001/11/12 06:57:38 agmorgan Exp $ */ - -static const char rcsid_pass[] = -"$Id: pam_unix_passwd.-c,v 1.3 2001/11/12 06:57:38 agmorgan Exp $\n" -" - PAM_PWDB password module <morgan@parc.power.net>" -; - -#include "pam_unix_pwupd.-c" - -/* passwd/salt conversion macros */ - -#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.') -#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.') - -/* data tokens */ - -#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" -#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" - -/* Implementation */ - -/* - * i64c - convert an integer to a radix 64 character - */ -static int i64c(int i) -{ - if (i < 0) - return ('.'); - else if (i > 63) - return ('z'); - if (i == 0) - return ('.'); - if (i == 1) - return ('/'); - if (i >= 2 && i <= 11) - return ('0' - 2 + i); - if (i >= 12 && i <= 37) - return ('A' - 12 + i); - if (i >= 38 && i <= 63) - return ('a' - 38 + i); - return ('\0'); -} - -/* - * FUNCTION: _pam_unix_chauthtok() - * - * this function works in two passes. The first, when UNIX__PRELIM is - * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item - * or stores it as a data item. The second function obtains a new - * password (verifying if necessary, that the user types it the same a - * second time.) depending on the 'ctrl' flags this new password may - * be stored in the PAM_AUTHTOK item or a private data item. - * - * Having obtained a new password. The function updates the - * /etc/passwd (and optionally the /etc/shadow) file(s). - * - * Provision is made for the creation of a blank shadow file if none - * is available, but one is required to update the shadow file -- the - * intention being for shadow passwords to be seamlessly implemented - * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. and included - * in this release (.52) mostly for the purpose of discussion. - */ - -static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - unsigned int lctrl; - - /* <DO NOT free() THESE> */ - const char *user; - const char *pass_old, *pass_new; - /* </DO NOT free() THESE> */ - - D(("called")); - - /* - * First get the name of a user - */ - - retval = _unix_get_user( pamh, ctrl, "Username: ", &user ); - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "password - could not identify user"); - } - return retval; - } - - if ( on(UNIX__PRELIM, ctrl) ) { - /* - * obtain and verify the current password (OLDAUTHTOK) for - * the user. - */ - - char *Announce; - - D(("prelim check")); - - if ( _unix_blankpasswd(ctrl, user) ) { - - return PAM_SUCCESS; - - } else if ( off(UNIX__IAMROOT, ctrl) ) { - - /* instruct user what is happening */ -#define greeting "Changing password for " - Announce = (char *) malloc(sizeof(greeting)+strlen(user)); - if (Announce == NULL) { - _log_err(LOG_CRIT, "password - out of memory"); - return PAM_BUF_ERR; - } - (void) strcpy(Announce, greeting); - (void) strcpy(Announce+sizeof(greeting)-1, user); -#undef greeting - - lctrl = ctrl; - set(UNIX__OLD_PASSWD, lctrl); - retval = _unix_read_password( pamh, lctrl - , Announce - , "(current) UNIX password: " - , NULL - , _UNIX_OLD_AUTHTOK - , &pass_old ); - free(Announce); - - if ( retval != PAM_SUCCESS ) { - _log_err(LOG_NOTICE - , "password - (old) token not obtained"); - return retval; - } - - /* verify that this is the password for this user */ - - retval = _unix_verify_password(pamh, user, pass_old, ctrl); - } else { - D(("process run by root so do nothing this time around")); - pass_old = NULL; - retval = PAM_SUCCESS; /* root doesn't have too */ - } - - if ( retval != PAM_SUCCESS ) { - D(("Authentication failed")); - pass_old = NULL; - return retval; - } - - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); - pass_old = NULL; - if ( retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); - } - - } else if ( on( UNIX__UPDATE, ctrl ) ) { - /* tpass is used below to store the _pam_md() return; it - * should be _pam_delete()'d. */ - - char *tpass=NULL; - - /* - * obtain the proposed password - */ - - D(("do update")); - - /* - * get the old token back. NULL was ok only if root [at this - * point we assume that this has already been enforced on a - * previous call to this function]. - */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - retval = pam_get_item(pamh, PAM_OLDAUTHTOK - , (const void **)&pass_old); - } else { - retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK - , (const void **)&pass_old); - if (retval == PAM_NO_MODULE_DATA) { - retval = PAM_SUCCESS; - pass_old = NULL; - } - } - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "user not authenticated"); - return retval; - } - - D(("get new password now")); - - lctrl = ctrl; - - /* - * use_authtok is to force the use of a previously entered - * password -- needed for pluggable password strength checking - */ - - if ( on(UNIX_USE_AUTHTOK, lctrl) ) { - set(UNIX_USE_FIRST_PASS, lctrl); - } - - retval = _unix_read_password( pamh, lctrl - , NULL - , "Enter new UNIX password: " - , "Retype new UNIX password: " - , _UNIX_NEW_AUTHTOK - , &pass_new ); - - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_ALERT - , "password - new password not obtained"); - } - pass_old = NULL; /* tidy up */ - return retval; - } - - D(("returned to _unix_chauthtok")); - - /* - * At this point we know who the user is and what they - * propose as their new password. Verify that the new - * password is acceptable. - */ - - if (pass_new[0] == '\0') { /* "\0" password = NULL */ - pass_new = NULL; - } - - retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "new password not acceptable"); - pass_new = pass_old = NULL; /* tidy up */ - return retval; - } - - /* - * By reaching here we have approved the passwords and must now - * rebuild the password database file. - * - * This includes the fact that the password is _not_ NULL. - */ - - /* - * First we encrypt the new password. - * - * XXX - this is where we might need some code for RADIUS types - * of password handling... no encryption needed.. - */ - - if ( on(UNIX_MD5_PASS, ctrl) ) { - - /* - * Code lifted from Marek Michalkiewicz's shadow suite. (CG) - * removed use of static variables (AGM) - */ - - struct timeval tv; - MD5_CTX ctx; - unsigned char result[16]; - char *cp = (char *)result; - unsigned char tmp[16]; - int i; - - GoodMD5Init(&ctx); - gettimeofday(&tv, (struct timezone *) 0); - GoodMD5Update(&ctx, (void *) &tv, sizeof tv); - i = getpid(); - GoodMD5Update(&ctx, (void *) &i, sizeof i); - i = clock(); - GoodMD5Update(&ctx, (void *) &i, sizeof i); - GoodMD5Update(&ctx, result, sizeof result); - GoodMD5Final(tmp, &ctx); - strcpy(cp, "$1$"); /* magic for the MD5 */ - cp += strlen(cp); - for (i = 0; i < 8; i++) - *cp++ = i64c(tmp[i] & 077); - *cp = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md(pass_new, (const char *)result); - - } else { - /* - * Salt manipulation is stolen from Rick Faith's passwd - * program. Sorry Rick :) -- alex - */ - - time_t tm; - char salt[3]; - - time(&tm); - salt[0] = bin_to_ascii(tm & 0x3f); - salt[1] = bin_to_ascii((tm >> 6) & 0x3f); - salt[2] = '\0'; - - if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) { - /* to avoid using the _extensions_ of the bigcrypt() - function we truncate the newly entered password */ - char *temp = malloc(9); - - if (temp == NULL) { - _log_err(LOG_CRIT, "out of memory for password"); - pass_new = pass_old = NULL; /* tidy up */ - return PAM_BUF_ERR; - } - - /* copy first 8 bytes of password */ - strncpy(temp, pass_new, 8); - temp[8] = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md( temp, salt ); - - _pam_delete(temp); /* tidy up */ - } else { - /* no longer need cleartext */ - pass_new = tpass = _pam_md( pass_new, salt ); - } - } - - D(("password processed")); - - /* update the password database(s) -- race conditions..? */ - - retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new); - pass_old = pass_new = NULL; - - } else { /* something has broken with the module */ - - _log_err(LOG_ALERT, "password received unknown request"); - retval = PAM_ABORT; - - } - - return retval; -} - -/* ****************************************************************** - * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996. - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996, 1997. - * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_pwupd.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_pwupd.-c deleted file mode 100644 index a1fc65ff..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_pwupd.-c +++ /dev/null @@ -1,260 +0,0 @@ -/* - * $Id: pam_unix_pwupd.-c,v 1.1.1.1 2000/06/20 22:11:51 agmorgan Exp $ - * - * This file contains the routines to update the passwd databases. - */ - -/* Implementation */ - -static int unix_update_db(pam_handle_t *pamh, int ctrl, const char *user, - const char *pass_old, const char *pass_new) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - pwdb_flag flag; - int retval, i; - - D(("called.")); - - /* obtain default user record */ - - retval = pwdb_locate("user", PWDB_DEFAULT, user, PWDB_ID_UNKNOWN, &pw); - if (retval == PWDB_PASS_PHRASE_REQD) { - retval = pwdb_set_entry(pw, "pass_phrase" - , pass_old, 1+strlen(pass_old) - , NULL, NULL, 0); - if (retval == PWDB_SUCCESS) - retval = pwdb_locate("user", pw->source, user - , PWDB_ID_UNKNOWN, &pw); - } - pass_old = NULL; - - if ( retval != PWDB_SUCCESS ) { - _log_err(LOG_ALERT, "cannot identify user %s (uid=%d)" - , user, getuid() ); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_USER_UNKNOWN; - } - - /* check that we can update all of the default databases */ - - retval = pwdb_flags("user", pw->source, &flag); - - if ( retval != PWDB_SUCCESS || ( pwdb_on(flag,PWDB_F_NOUPDATE) ) ) { - _log_err(LOG_ERR, "cannot update default database for user %s" - , user ); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_PERM_DENIED; - } - - /* If there was one, we delete the "last_change" entry */ - retval = pwdb_get_entry(pw, "last_change", &pwe); - if (retval == PWDB_SUCCESS) { - (void) pwdb_entry_delete(&pwe); - pwdb_set_entry(pw, "last_change", NULL, -1, NULL, NULL, 0); - } - - /* - * next check for pam.conf specified databases: shadow etc... [In - * other words, pam.conf indicates which database the password is - * to be subsequently placed in: this is password migration]. - */ - - if ( on(UNIX__SET_DB, ctrl) ) { - const char *db_token; - pwdb_type pt = _PWDB_MAX_TYPES; - - if ( on(UNIX_UNIX, ctrl) ) { - db_token = "U"; /* XXX - should be macro */ - pt = PWDB_UNIX; - } else if ( on(UNIX_SHADOW, ctrl) ) { - db_token = "x"; /* XXX - should be macro */ - pt = PWDB_SHADOW; - } else if ( on(UNIX_RADIUS, ctrl) ) { - db_token = "R"; /* XXX - is this ok? */ - pt = PWDB_RADIUS; - } else { - _log_err(LOG_ALERT - , "cannot determine database to use for authtok"); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_ABORT; /* we're in trouble */ - } - - /* - * Attempt to update the indicated database (only) - */ - - { - pwdb_type tpt[2]; - tpt[0] = pt; - tpt[1] = _PWDB_MAX_TYPES; - - /* Can we set entry in database? */ - retval = pwdb_flags("user", tpt, &flag); - if (retval == PWDB_SUCCESS && !pwdb_on(flag,PWDB_F_NOUPDATE)) { - /* YES. This database is available.. */ - - /* Only update if it is not already in the default list */ - for (i=0; pw->source[i] != _PWDB_MAX_TYPES - && pw->source[i] != pt ; ++i); - if (pw->source[i] == _PWDB_MAX_TYPES) { - const struct pwdb *tpw=NULL; - - /* copy database entry */ - if ((retval = pwdb_new(&tpw, 10)) != PWDB_SUCCESS - || (retval = pwdb_merge(tpw, pw, PWDB_TRUE)) - != PWDB_SUCCESS) { - _log_err(LOG_CRIT, "failed to obtain new pwdb: %s" - , pwdb_strerror(retval)); - retval = PAM_ABORT; - } else - retval = PAM_SUCCESS; - - /* set db_token */ - if (retval == PAM_SUCCESS) { - retval = pwdb_set_entry(tpw, "defer_pass", db_token - , 1+strlen(db_token) - , NULL, NULL, 0); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "set defer_pass -> %s" - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else - retval = PAM_SUCCESS; - } - - /* update specific database */ - if (retval == PAM_SUCCESS) { - retval = pwdb_replace("user", tpt - , user, PWDB_ID_UNKNOWN, &tpw); - if (retval != PWDB_SUCCESS) { - const char *service=NULL; - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_ALERT - , "(%s) specified database failed: %s" - , service - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else { - retval = PAM_SUCCESS; - } - } - - /* clean up temporary pwdb */ - if (tpw) - (void) pwdb_delete(&tpw); - } - - /* we can properly adopt new defer_pass */ - if (retval == PAM_SUCCESS) { - /* failing here will mean we go back to former - password location */ - (void) pwdb_set_entry(pw, "defer_pass", db_token - , 1+strlen(db_token), NULL, NULL, 0); - } - } - } - } - - /* - * the password will now be placed in appropriate (perhaps original) db - */ - - retval = pwdb_get_entry(pw, "uid", &pwe); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "no uid!? (%s); %s", user, pwdb_strerror(retval)); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_USER_UNKNOWN; - } - - /* insert the passwd into the 'pw' structure */ - - retval = pwdb_set_entry(pw, "passwd", pass_new, 1+strlen(pass_new) - , NULL, NULL, 0); - pass_new = NULL; - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "set2 failed; %s", pwdb_strerror(retval)); - if (pw) - (void) pwdb_delete(&pw); - return PAM_AUTHTOK_LOCK_BUSY; - } - - retval = pwdb_replace("user", pw->source, user - , *((uid_t *)pwe->value), &pw); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "user (%s/%d) update failed; %s" - , user, *((uid_t *)pwe->value), pwdb_strerror(retval)); - if (pw) - (void) pwdb_delete(&pw); - (void) pwdb_entry_delete(&pwe); - return PAM_ABORT; - } - - if (retval != PWDB_SUCCESS) { - - _log_err(LOG_ALERT, "user (%s/%d) update failed; %s" - , user, *((uid_t *)pwe->value), pwdb_strerror(retval)); - retval = PAM_ABORT; - - } else { - /* password updated */ - - _log_err(LOG_INFO, "password for (%s/%d) changed by (%s/%d)" - , user, *((uid_t *)pwe->value), getlogin(), getuid()); - retval = PAM_SUCCESS; - } - - /* tidy up */ - - (void) pwdb_entry_delete(&pwe); - if (pw) - (void) pwdb_delete(&pw); - - return retval; -} - -/* ****************************************************************** - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996,1997. - * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/pam_unix_sess.-c b/Linux-PAM/modules/pam_pwdb/pam_unix_sess.-c deleted file mode 100644 index 395bd9bb..00000000 --- a/Linux-PAM/modules/pam_pwdb/pam_unix_sess.-c +++ /dev/null @@ -1,98 +0,0 @@ -/* - * $Id: pam_unix_sess.-c,v 1.2 2000/12/04 19:02:34 baggins Exp $ - * - * See end for Copyright information - */ - -static const char rcsid_sess[] = -"$Id: pam_unix_sess.-c,v 1.2 2000/12/04 19:02:34 baggins Exp $\n" -" - PAM_PWDB session management. morgan@parc.power.net"; - -/* Define internal functions */ - -static int _unix_open_session(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - char *user_name, *service; - - D(("called.")); - - retval = pam_get_item( pamh, PAM_USER, (void *) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( service == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering service"); - return PAM_SESSION_ERR; - } - - _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)" - , service, user_name - , getlogin() == NULL ? "":getlogin(), getuid() ); - - return PAM_SUCCESS; -} - -static int _unix_close_session(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - char *user_name, *service; - - D(("called.")); - - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "close_session - error recovering username"); - return PAM_SESSION_ERR; - } - - retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( service == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "close_session - error recovering service"); - return PAM_SESSION_ERR; - } - - _log_err(LOG_INFO, "(%s) session closed for user %s" - , service, user_name ); - - return PAM_SUCCESS; -} - -/* - * Copyright (c) Alexander O. Yuriev, 1996. All rights reserved. - * Copyright (c) Andrew G. Morgan, 1996, <morgan@parc.power.net> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/pwdb_chkpwd.c b/Linux-PAM/modules/pam_pwdb/pwdb_chkpwd.c deleted file mode 100644 index 36c248ef..00000000 --- a/Linux-PAM/modules/pam_pwdb/pwdb_chkpwd.c +++ /dev/null @@ -1,221 +0,0 @@ -/* - * $Id: pwdb_chkpwd.c,v 1.4 2001/12/09 21:44:58 agmorgan Exp $ - * - * This program is designed to run setuid(root) or with sufficient - * privilege to read all of the unix password databases. It is designed - * to provide a mechanism for the current user (defined by this - * process' real uid) to verify their own password. - * - * The password is read from the standard input. The exit status of - * this program indicates whether the user is authenticated or not. - * - * Copyright information is located at the end of the file. - * - */ - -#include <security/_pam_aconf.h> - -#ifdef MEMORY_DEBUG -# undef exit -# undef strdup -# undef free -#endif /* MEMORY_DEBUG */ - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> - -#include <security/_pam_macros.h> - -#define MAXPASS 200 /* the maximum length of a password */ - -#define UNIX_PASSED (PWDB_SUCCESS) -#define UNIX_FAILED (PWDB_SUCCESS+1) - -#include <pwdb/pwdb_public.h> - -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pwdb_chkpwd", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#define PWDB_NO_MD_COMPAT -#include "pam_unix_md.-c" - -static int _unix_verify_passwd(const char *salt, const char *p) -{ - char *pp=NULL; - int retval; - - if (p == NULL) { - if (*salt == '\0') { - retval = UNIX_PASSED; - } else { - retval = UNIX_FAILED; - } - } else { - pp = _pam_md(p, salt); - p = NULL; /* no longer needed here */ - - if ( strcmp( pp, salt ) == 0 ) { - retval = UNIX_PASSED; - } else { - retval = UNIX_FAILED; - } - } - - /* clean up */ - { - char *tp = pp; - if (pp != NULL) { - while(tp && *tp) - *tp++ = '\0'; - free(pp); - pp = tp = NULL; - } - } - - return retval; -} - -int main(int argc, char **argv) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - char pass[MAXPASS+1]; - int npass, force_failure=0; - int retval=UNIX_FAILED; - - /* - * we establish that this program is running with non-tty stdin. - * this is to discourage casual use. It does *NOT* prevent an - * intruder from repeatadly running this program to determine the - * password of the current user (brute force attack, but one for - * which the attacker must already have gained access to the user's - * account). - */ - - if ( isatty(STDIN_FILENO) ) { - _log_err(LOG_NOTICE - , "inappropriate use of PWDB helper binary [UID=%d]" - , getuid() ); - fprintf(stderr, - "This program is not designed for running in this way\n" - "-- the system administrator has been informed\n"); - exit(UNIX_FAILED); - } - - /* - * determine the current user's name: - */ - - retval = pwdb_start(); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "failed to open pwdb"); - retval = UNIX_FAILED; - } - if (retval != UNIX_FAILED) { - retval = pwdb_locate("user", PWDB_DEFAULT, PWDB_NAME_UNKNOWN, - getuid(), &pw); - } - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "could not identify user"); - while (pwdb_end() != PWDB_SUCCESS); - exit(UNIX_FAILED); - } - if (argc == 2) { - if (pwdb_get_entry(pw, "user", &pwe) == PWDB_SUCCESS) { - if (pwe == NULL) { - force_failure = 1; - } else { - if (strcmp((const char *) pwe->value, argv[1])) { - force_failure = 1; - } - pwdb_entry_delete(&pwe); - } - } - } - - /* read the password from stdin (a pipe from the pam_pwdb module) */ - - npass = read(STDIN_FILENO, pass, MAXPASS); - - if (npass < 0) { /* is it a valid password? */ - _log_err(LOG_DEBUG, "no password supplied"); - retval = UNIX_FAILED; - } else if (npass >= MAXPASS-1) { - _log_err(LOG_DEBUG, "password too long"); - retval = UNIX_FAILED; - } else if (pwdb_get_entry(pw, "passwd", &pwe) != PWDB_SUCCESS) { - _log_err(LOG_WARNING, "password not found"); - retval = UNIX_FAILED; - } else { - if (npass <= 0) { - /* the password is NULL */ - - retval = _unix_verify_passwd((const char *)(pwe->value), NULL); - } else { - /* does pass agree with the official one? */ - - pass[npass] = '\0'; /* NUL terminate */ - retval = _unix_verify_passwd((const char *)(pwe->value), pass); - } - } - - memset(pass, '\0', MAXPASS); /* clear memory of the password */ - while (pwdb_end() != PWDB_SUCCESS); - - if ((retval != UNIX_FAILED) && force_failure) { - retval = UNIX_FAILED; - } - - /* return pass or fail */ - - exit(retval); -} - -/* - * Copyright (c) Andrew G. Morgan, 1997. All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_pwdb/support.-c b/Linux-PAM/modules/pam_pwdb/support.-c deleted file mode 100644 index bfa4e8a1..00000000 --- a/Linux-PAM/modules/pam_pwdb/support.-c +++ /dev/null @@ -1,963 +0,0 @@ -/* - * $Id: support.-c,v 1.6 2004/09/15 12:06:17 kukuk Exp $ - * - * Copyright information at end of file. - */ - -/* - * here is the string to inform the user that the new passwords they - * typed were not the same. - */ - -#define MISTYPED_PASS "Sorry, passwords do not match" - -/* type definition for the control options */ - -typedef struct { - const char *token; - unsigned int mask; /* shall assume 32 bits of flags */ - unsigned int flag; -} UNIX_Ctrls; - -/* - * macro to determine if a given flag is on - */ - -#define on(x,ctrl) (unix_args[x].flag & ctrl) - -/* - * macro to determine that a given flag is NOT on - */ - -#define off(x,ctrl) (!on(x,ctrl)) - -/* - * macro to turn on/off a ctrl flag manually - */ - -#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag) -#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag)) - -/* the generic mask */ - -#define _ALL_ON_ (~0U) - -/* end of macro definitions definitions for the control flags */ - -/* ****************************************************************** * - * ctrl flags proper.. - */ - -/* - * here are the various options recognized by the unix module. They - * are enumerated here and then defined below. Internal arguments are - * given NULL tokens. - */ - -#define UNIX__OLD_PASSWD 0 /* internal */ -#define UNIX__VERIFY_PASSWD 1 /* internal */ -#define UNIX__IAMROOT 2 /* internal */ - -#define UNIX_AUDIT 3 /* print more things than debug.. - some information may be sensitive */ -#define UNIX_USE_FIRST_PASS 4 -#define UNIX_TRY_FIRST_PASS 5 -#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */ - -#define UNIX__PRELIM 7 /* internal */ -#define UNIX__UPDATE 8 /* internal */ -#define UNIX__NONULL 9 /* internal */ -#define UNIX__QUIET 10 /* internal */ -#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */ -#define UNIX_SHADOW 12 /* signal shadow on */ -#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */ -#define UNIX__NULLOK 14 /* Null token ok */ -#define UNIX_RADIUS 15 /* wish to use RADIUS for password */ -#define UNIX__SET_DB 16 /* internal - signals redirect to db */ -#define UNIX_DEBUG 17 /* send more info to syslog(3) */ -#define UNIX_NODELAY 18 /* admin does not want a fail-delay */ -#define UNIX_UNIX 19 /* wish to use /etc/passwd for pwd */ -#define UNIX_BIGCRYPT 20 /* use DEC-C2 crypt()^x function */ -#define UNIX_LIKE_AUTH 21 /* need to auth for setcred to work */ -#define UNIX_NOREAP 22 /* don't reap child process */ -/* -------------- */ -#define UNIX_CTRLS_ 23 /* number of ctrl arguments defined */ - - -static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = { -/* symbol token name ctrl mask ctrl * - * ------------------ ------------------ -------------- ---------- */ - -/* UNIX__OLD_PASSWD */ { NULL, _ALL_ON_, 01 }, -/* UNIX__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 }, -/* UNIX__IAMROOT */ { NULL, _ALL_ON_, 04 }, -/* UNIX_AUDIT */ { "audit", _ALL_ON_, 010 }, -/* UNIX_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(060), 020 }, -/* UNIX_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(060), 040 }, -/* UNIX_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 0100 }, -/* UNIX__PRELIM */ { NULL, _ALL_ON_^(0600), 0200 }, -/* UNIX__UPDATE */ { NULL, _ALL_ON_^(0600), 0400 }, -/* UNIX__NONULL */ { NULL, _ALL_ON_, 01000 }, -/* UNIX__QUIET */ { NULL, _ALL_ON_, 02000 }, -/* UNIX_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 04000 }, -/* UNIX_SHADOW */ { "shadow", _ALL_ON_^(0140000), 010000 }, -/* UNIX_MD5_PASS */ { "md5", _ALL_ON_^(02000000), 020000 }, -/* UNIX__NULLOK */ { "nullok", _ALL_ON_^(01000), 0 }, -/* UNIX_RADIUS */ { "radius", _ALL_ON_^(0110000), 040000 }, -/* UNIX__SET_DB */ { NULL, _ALL_ON_, 0100000 }, -/* UNIX_DEBUG */ { "debug", _ALL_ON_, 0200000 }, -/* UNIX_NODELAY */ { "nodelay", _ALL_ON_, 0400000 }, -/* UNIX_UNIX */ { "unix", _ALL_ON_^(050000), 01000000 }, -/* UNIX_BIGCRYPT */ { "bigcrypt", _ALL_ON_^(020000), 02000000 }, -/* UNIX_LIKE_AUTH */ { "likeauth", _ALL_ON_, 04000000 }, -/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 010000000 }, -}; - -#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) - -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM_pwdb", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* this is a front-end for module-application conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl - , int type, const char *text) -{ - int retval=PAM_SUCCESS; - - if ( off(UNIX__QUIET, ctrl) ) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - - if (resp) { - _pam_drop_reply(resp, 1); - } - } - return retval; -} - -/* - * set the control flags for the UNIX module. - */ - -static int set_ctrl(int flags, int argc, const char **argv) -{ - unsigned int ctrl; - - D(("called.")); - - ctrl = UNIX_DEFAULTS; /* the default selection of options */ - - /* set some flags manually */ - - if ( getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) ) { - set(UNIX__IAMROOT, ctrl); - } - if ( flags & PAM_UPDATE_AUTHTOK ) { - set(UNIX__UPDATE, ctrl); - } - if ( flags & PAM_PRELIM_CHECK ) { - set(UNIX__PRELIM, ctrl); - } - if ( flags & PAM_DISALLOW_NULL_AUTHTOK ) { - set(UNIX__NONULL, ctrl); - } - if ( flags & PAM_SILENT ) { - set(UNIX__QUIET, ctrl); - } - - /* now parse the arguments to this module */ - - while (argc-- > 0) { - int j; - - D(("pam_pwdb arg: %s",*argv)); - - for (j=0; j<UNIX_CTRLS_; ++j) { - if (unix_args[j].token - && ! strcmp(*argv, unix_args[j].token) ) { - break; - } - } - - if ( j >= UNIX_CTRLS_ ) { - _log_err(LOG_ERR, "unrecognized option [%s]",*argv); - } else { - ctrl &= unix_args[j].mask; /* for turning things off */ - ctrl |= unix_args[j].flag; /* for turning things on */ - } - - ++argv; /* step to next argument */ - } - - /* these are used for updating passwords in specific places */ - - if (on(UNIX_SHADOW,ctrl) || on(UNIX_RADIUS,ctrl) || on(UNIX_UNIX,ctrl)) { - set(UNIX__SET_DB, ctrl); - } - - /* auditing is a more sensitive version of debug */ - - if ( on(UNIX_AUDIT,ctrl) ) { - set(UNIX_DEBUG, ctrl); - } - - /* return the set of flags */ - - D(("done.")); - return ctrl; -} - -/* use this to free strings. ESPECIALLY password strings */ - -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - _pam_drop(xx); - return NULL; -} - -static void _cleanup(pam_handle_t *pamh, void *x, int error_status) -{ - x = _pam_delete( (char *) x ); -} - -/* ************************************************************** * - * Useful non-trivial functions * - * ************************************************************** */ - -#include "pam_unix_md.-c" - -/* - * the following is used to keep track of the number of times a user fails - * to authenticate themself. - */ - -#define FAIL_PREFIX "-UN*X-FAIL-" -#define UNIX_MAX_RETRIES 3 - -struct _pam_failed_auth { - char *user; /* user that's failed to be authenticated */ - char *name; /* attempt from user with name */ - int id; /* uid of name'd user */ - int count; /* number of failures so far */ -}; - -#ifndef PAM_DATA_REPLACE -#error "Need to get an updated libpam 0.52 or better" -#endif - -static void _cleanup_failures(pam_handle_t *pamh, void *fl, int err) -{ - int quiet; - const char *service=NULL; - struct _pam_failed_auth *failure; - - D(("called")); - - quiet = err & PAM_DATA_SILENT; /* should we log something? */ - err &= PAM_DATA_REPLACE; /* are we just replacing data? */ - failure = (struct _pam_failed_auth *) fl; - - if ( failure != NULL ) { - - if ( !quiet && !err ) { /* under advisement from Sun,may go away */ - - /* log the number of authentication failures */ - if ( failure->count > 1 ) { - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_NOTICE - , "%d more authentication failure%s; %s(uid=%d) -> " - "%s for %s service" - , failure->count-1, failure->count==2 ? "":"s" - , failure->name - , failure->id - , failure->user - , service == NULL ? "**unknown**":service - ); - if ( failure->count > UNIX_MAX_RETRIES ) { - _log_err(LOG_ALERT - , "service(%s) ignoring max retries; %d > %d" - , service == NULL ? "**unknown**":service - , failure->count - , UNIX_MAX_RETRIES ); - } - } - } - failure->user = _pam_delete(failure->user); /* tidy up */ - failure->name = _pam_delete(failure->name); /* tidy up */ - free(failure); - } -} - -/* - * verify the password of a user - */ - -#include <signal.h> -#include <sys/types.h> -#include <sys/wait.h> - -static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd, - unsigned int ctrl, const char *user) -{ - int retval, child, fds[2]; - void (*sighandler)(int) = NULL; - - D(("called.")); - /* create a pipe for the password */ - if (pipe(fds) != 0) { - D(("could not make pipe")); - return PAM_AUTH_ERR; - } - - if (off(UNIX_NOREAP, ctrl)) { - /* - * This code arranges that the demise of the child does not cause - * the application to receive a signal it is not expecting - which - * may kill the application or worse. - * - * The "noreap" module argument is provided so that the admin can - * override this behavior. - */ - sighandler = signal(SIGCHLD, SIG_DFL); - } - - /* fork */ - child = fork(); - if (child == 0) { - static char *args[] = { NULL, NULL, NULL }; - static char *envp[] = { NULL }; - - /* XXX - should really tidy up PAM here too */ - while (pwdb_end() == PWDB_SUCCESS); - - /* reopen stdin as pipe */ - close(fds[1]); - dup2(fds[0], STDIN_FILENO); - - /* exec binary helper */ - args[0] = x_strdup(CHKPWD_HELPER); - args[1] = x_strdup(user); - - execve(CHKPWD_HELPER, args, envp); - - /* should not get here: exit with error */ - D(("helper binary is not available")); - exit(PWDB_SUCCESS+1); - } else if (child > 0) { - /* wait for child */ - if (passwd != NULL) { /* send the password to the child */ - write(fds[1], passwd, strlen(passwd)+1); - passwd = NULL; - } else { - write(fds[1], "", 1); /* blank password */ - } - close(fds[0]); /* we close this after the write because we want - to avoid a possible SIGPIPE. */ - close(fds[1]); - (void) waitpid(child, &retval, 0); /* wait for helper to complete */ - retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR; - } else { - D(("fork failed")); - retval = PAM_AUTH_ERR; - } - - if (sighandler != NULL) { - (void) signal(SIGCHLD, sighandler); /* restore old signal handler */ - } - - D(("returning %d", retval)); - return retval; -} - -static int _unix_verify_password(pam_handle_t *pamh, const char *name, - const char *p, unsigned int ctrl) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - - const char *salt; - char *pp; - char *data_name; - int retval; - int verify_result; - - D(("called")); - -#ifdef HAVE_PAM_FAIL_DELAY - if ( off(UNIX_NODELAY, ctrl) ) { - D(("setting delay")); - (void) pam_fail_delay(pamh, 1000000); /* 1 sec delay for on failure */ - } -#endif - - /* locate the entry for this user */ - - D(("locating user's record")); - retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw); - if (retval == PWDB_PASS_PHRASE_REQD) { - /* - * give the password to the pwdb library. It may be needed to - * access the database - */ - - retval = pwdb_set_entry( pw, "pass_phrase", p, 1+strlen(p) - , NULL, NULL, 0); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "find pass; %s", pwdb_strerror(retval)); - (void) pwdb_delete(&pw); - p = NULL; - return PAM_CRED_INSUFFICIENT; - } - - retval = pwdb_locate("user", pw->source, name, PWDB_ID_UNKNOWN, &pw); - } - - if (retval != PWDB_SUCCESS) { - D(("user's record unavailable")); - if ( on(UNIX_AUDIT, ctrl) ) { - /* this might be a typo and the user has given a password - instead of a username. Careful with this. */ - _log_err(LOG_ALERT, "check pass; user (%s) unknown", name); - } else { - _log_err(LOG_ALERT, "check pass; user unknown"); - } - (void) pwdb_delete(&pw); - p = NULL; - return PAM_USER_UNKNOWN; - } - - /* - * courtesy of PWDB the password for the user is stored in - * encrypted form in the "passwd" entry of pw. - */ - - retval = pwdb_get_entry(pw, "passwd", &pwe); - if (retval != PWDB_SUCCESS) { - if (geteuid()) { - /* we are not root perhaps this is the reason? Run helper */ - D(("running helper binary")); - retval = pwdb_run_helper_binary(pamh, p, ctrl, name); - } else { - retval = PAM_AUTHINFO_UNAVAIL; - _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval)); - } - (void) pwdb_delete(&pw); - p = NULL; - return retval; - } - salt = (const char *) pwe->value; - - /* - * XXX: Cristian, the above is not the case for RADIUS(?) Some - * lines should be added for RADIUS to verify the password in - * clear text... - */ - - data_name = (char *) malloc(sizeof(FAIL_PREFIX)+strlen(name)); - if ( data_name == NULL ) { - _log_err(LOG_CRIT, "no memory for data-name"); - } - strcpy(data_name, FAIL_PREFIX); - strcpy(data_name + sizeof(FAIL_PREFIX)-1, name); - - if ( !( (salt && *salt) || (p && *p) ) ) { - - D(("two null passwords to compare")); - - /* the stored password is NULL */ - pp = NULL; - if ( off(UNIX__NONULL, ctrl ) ) { /* this means we've succeeded */ - verify_result = PAM_SUCCESS; - } else { - verify_result = PAM_AUTH_ERR; - } - - } else if ( !( salt && p ) ) { - - D(("one of the two to compare are NULL")); - - pp = NULL; - verify_result = PAM_AUTH_ERR; - - } else { - - /* there is no way that p can be NULL (one can be "") */ - pp = _pam_md(p, salt); - - /* the moment of truth -- do we agree with the password? */ - D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - - if ( strcmp( pp, salt ) == 0 ) { - verify_result = PAM_SUCCESS; - } else { - _pam_delete(pp); - pp = _pam_md_compat(p, salt); - if ( strcmp( pp, salt ) == 0 ) { - verify_result = PAM_SUCCESS; - } else { - verify_result = PAM_AUTH_ERR; - } - } - - p = NULL; /* no longer needed here */ - - } - - if ( verify_result == PAM_SUCCESS ) { - - retval = PAM_SUCCESS; - if (data_name) { /* reset failures */ - pam_set_data(pamh, data_name, NULL, _cleanup_failures); - } - - } else { - - retval = PAM_AUTH_ERR; - if (data_name != NULL) { - struct _pam_failed_auth *new=NULL; - const struct _pam_failed_auth *old=NULL; - - /* get a failure recorder */ - - new = (struct _pam_failed_auth *) - malloc(sizeof(struct _pam_failed_auth)); - - if (new != NULL) { - - new->user = x_strdup(name); - new->id = getuid(); - new->name = x_strdup(getlogin() ? getlogin():"" ); - - /* any previous failures for this user ? */ - pam_get_data(pamh, data_name, (const void **)&old ); - - if (old != NULL) { - new->count = old->count +1; - if (new->count >= UNIX_MAX_RETRIES) { - retval = PAM_MAXTRIES; - } - } else { - const char *service=NULL; - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_NOTICE - , "authentication failure; %s(uid=%d) -> " - "%s for %s service" - , new->name - , new->id - , new->user - , service == NULL ? "**unknown**":service - ); - new->count = 1; - } - - pam_set_data(pamh, data_name, new, _cleanup_failures); - - } else { - _log_err(LOG_CRIT, "no memory for failure recorder"); - } - } - - } - - (void) pwdb_entry_delete(&pwe); - (void) pwdb_delete(&pw); - salt = NULL; - _pam_delete(data_name); - _pam_delete(pp); - - D(("done [%d].", retval)); - - return retval; -} - -/* - * this function obtains the name of the current user and ensures - * that the PAM_USER item is set to this value - */ - -static int _unix_get_user(pam_handle_t *pamh, unsigned int ctrl - , const char *prompt, const char **user) -{ - int retval; - - D(("called")); - - retval = pam_get_user(pamh, user, prompt); - if (retval != PAM_SUCCESS) { - D(("trouble reading username")); - return retval; - } - - /* - * Various libraries at various times have had bugs related to - * '+' or '-' as the first character of a user name. Don't take - * any chances here. Require that the username starts with an - * alphanumeric character. - */ - - if (*user == NULL || !isalnum(**user)) { - D(("bad username")); - if (on(UNIX_DEBUG,ctrl)) { - _log_err(LOG_ERR, "bad username [%s]", *user); - } - return PAM_USER_UNKNOWN; - } - - if (retval == PAM_SUCCESS && on(UNIX_DEBUG,ctrl)) { - _log_err(LOG_DEBUG, "username [%s] obtained", *user); - } - - return retval; -} - -/* - * _unix_blankpasswd() is a quick check for a blank password - * - * returns TRUE if user does not have a password - * - to avoid prompting for one in such cases (CG) - */ - -static int _unix_blankpasswd(unsigned int ctrl, const char *name) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - int retval; - - D(("called")); - - /* - * This function does not have to be too smart if something goes - * wrong, return FALSE and let this case to be treated somewhere - * else (CG) - */ - - if ( on(UNIX__NONULL, ctrl) ) - return 0; /* will fail but don't let on yet */ - - /* find the user's database entry */ - - retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL ) { - - retval = 0; - - } else { - - /* Does this user have a password? */ - - retval = pwdb_get_entry(pw, "passwd", &pwe); - if ( retval != PWDB_SUCCESS || pwe == NULL ) - retval = 0; - else if ( pwe->value == NULL || ((char *)pwe->value)[0] == '\0' ) - retval = 1; - else - retval = 0; - - } - - /* tidy up */ - - if ( pw ) { - (void) pwdb_delete(&pw); - if ( pwe ) - (void) pwdb_entry_delete(&pwe); - } - - return retval; -} - -/* - * obtain a password from the user - */ - -static int _unix_read_password( pam_handle_t *pamh - , unsigned int ctrl - , const char *comment - , const char *prompt1 - , const char *prompt2 - , const char *data_name - , const char **pass ) -{ - int authtok_flag; - int retval; - const char *item; - char *token; - - D(("called")); - - /* - * make sure nothing inappropriate gets returned - */ - - *pass = token = NULL; - - /* - * which authentication token are we getting? - */ - - authtok_flag = on(UNIX__OLD_PASSWD,ctrl) ? PAM_OLDAUTHTOK:PAM_AUTHTOK ; - - /* - * should we obtain the password from a PAM item ? - */ - - if ( on(UNIX_TRY_FIRST_PASS,ctrl) || on(UNIX_USE_FIRST_PASS,ctrl) ) { - retval = pam_get_item(pamh, authtok_flag, (const void **) &item); - if (retval != PAM_SUCCESS ) { - /* very strange. */ - _log_err(LOG_ALERT - , "pam_get_item returned error to unix-read-password" - ); - return retval; - } else if (item != NULL) { /* we have a password! */ - *pass = item; - item = NULL; - return PAM_SUCCESS; - } else if (on(UNIX_USE_FIRST_PASS,ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ - } else if (on(UNIX_USE_AUTHTOK, ctrl) - && off(UNIX__OLD_PASSWD, ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; - } - } - - /* - * getting here implies we will have to get the password from the - * user directly. - */ - - { - struct pam_message msg[3],*pmsg[3]; - struct pam_response *resp; - int i, replies; - - /* prepare to converse */ - - if ( comment != NULL && off(UNIX__QUIET, ctrl) ) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; - i = 1; - } else { - i = 0; - } - - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; - replies = 1; - - if ( prompt2 != NULL ) { - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; - ++replies; - } - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, ctrl, i, pmsg, &resp); - - if (resp != NULL) { - - /* interpret the response */ - - if (retval == PAM_SUCCESS) { /* a good conversation */ - - token = x_strdup(resp[i-replies].resp); - if (token != NULL) { - if (replies == 2) { - - /* verify that password entered correctly */ - if (!resp[i-1].resp - || strcmp(token,resp[i-1].resp)) { - token = _pam_delete(token); /* mistyped */ - retval = PAM_AUTHTOK_RECOVER_ERR; - make_remark(pamh, ctrl - , PAM_ERROR_MSG, MISTYPED_PASS); - } - } - - } else { - _log_err(LOG_NOTICE - , "could not recover authentication token"); - } - - } - - /* - * tidy up the conversation (resp_retcode) is ignored - * -- what is it for anyway? AGM - */ - - _pam_drop_reply(resp, i); - - } else { - retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR:retval ; - } - } - - if (retval != PAM_SUCCESS) { - if ( on(UNIX_DEBUG,ctrl) ) - _log_err(LOG_DEBUG,"unable to obtain a password"); - return retval; - } - - /* 'token' is the entered password */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - - /* we store this password as an item */ - - retval = pam_set_item(pamh, authtok_flag, token); - token = _pam_delete(token); /* clean it up */ - if ( retval != PAM_SUCCESS - || (retval = pam_get_item(pamh, authtok_flag - , (const void **)&item)) - != PAM_SUCCESS ) { - - _log_err(LOG_CRIT, "error manipulating password"); - return retval; - - } - - } else { - /* - * then store it as data specific to this module. pam_end() - * will arrange to clean it up. - */ - - retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); - if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "error manipulating password data [%s]" - , pam_strerror(pamh, retval) ); - token = _pam_delete(token); - return retval; - } - item = token; - token = NULL; /* break link to password */ - } - - *pass = item; - item = NULL; /* break link to password */ - - return PAM_SUCCESS; -} - -static int _pam_unix_approve_pass(pam_handle_t *pamh - , unsigned int ctrl - , const char *pass_old - , const char *pass_new) -{ - D(("&new=%p, &old=%p",pass_old,pass_new)); - D(("new=[%s]",pass_new)); - D(("old=[%s]",pass_old)); - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG, "bad authentication token"); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? - "No password supplied":"Password unchanged" ); - return PAM_AUTHTOK_ERR; - } - - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - AGM - */ - - return PAM_SUCCESS; -} - -/* ****************************************************************** * - * Copyright (c) Andrew G. Morgan 1996-8. - * Copyright (c) Alex O. Yuriev, 1996. - * Copyright (c) Cristian Gafton 1996. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/Linux-PAM/modules/pam_radius/Makefile b/Linux-PAM/modules/pam_radius/Makefile deleted file mode 100644 index aa149d3e..00000000 --- a/Linux-PAM/modules/pam_radius/Makefile +++ /dev/null @@ -1,95 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10 -# -# STATIC modules are not supported -# - -include ../../Make.Rules - -TITLE=pam_radius -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/radius.conf -export CONFILE - -ifeq ($(HAVE_LIBPWDB),yes) - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o - -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/%.o : %.c -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -#ifdef STATIC -# $(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -lpwdb -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) -lpwdb -#endif - -install: all -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - rm -f *.a *.o *.so *.bak dynamic/* static/* - rm -rf dynamic static - -.c.o: - $(CC) $(CFLAGS) -c $< - -else - -include ../dont_makefile - -endif diff --git a/Linux-PAM/modules/pam_radius/README b/Linux-PAM/modules/pam_radius/README deleted file mode 100644 index 253308fd..00000000 --- a/Linux-PAM/modules/pam_radius/README +++ /dev/null @@ -1,58 +0,0 @@ - -pam_radius module: - RADIUS session module. - -WHAT IT DOES: - This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only option -supported is the use of the RADIUS server as an accounting server. There are -few things which needs to be cleared out first in the PAM project until one -will be able to use this module and expect it to magically start pppd in -response to a RADIUS server command to use PPP for this user, or to initiate -a telnet connection to another host, or to hang and call back the user using -parameters provided in the RADIUS server response. Most of these things are -better suited for the radius login application. I hope to make available -Real Soon (tm) patches for the login apps to make it work this way. - - -ARGUMENTS RECOGNIZED: - debug verbose logging - -MODULE SERVICES PROVIDED: - session _open_session and _close_session - - When opening a session, this module sends an Accounting-Start -message to the RADIUS server, which will log/update/whatever a database for -this user. On close, an Accounting-Stop message is sent to the RADIUS -server. - -This module have no other pre-requisites for making it work. One can install -a RADIUS server just for fun and use it as a centralized accounting server and -forget about wtmp/last/sac&comp :-) - -USAGE: - For the services you need this module (login for example) put - the following line in /etc/pam.conf as the last line for that - service (usually after the pam_unix session line): - - login session required /lib/security/pam_radius.so - - Replace "login" for each service you are using this module. - - This module make extensive use of the API provided in libpwdb - 0.54preB or later. By default, it will read the radius server - configuration (hostname and secret) from /etc/raddb/server. This is - a default compiled into libpwdb, and curently there is no way to - modify this default without recompiling libpwdb. I am working on - extending the radius support from libpwdb to provide a possibility - to make this runtime-configurable. - - Also please note that libpwdb will require also the RADIUS - dictionary to be present (/etc/raddb/dictionary). - -TODO: - The work is far from complete. Deal with "real" session things. - -AUTHOR: - Cristian Gafton <gafton@redhat.com> - diff --git a/Linux-PAM/modules/pam_radius/pam_radius.c b/Linux-PAM/modules/pam_radius/pam_radius.c deleted file mode 100644 index b412edf9..00000000 --- a/Linux-PAM/modules/pam_radius/pam_radius.c +++ /dev/null @@ -1,193 +0,0 @@ -/* - * pam_radius - * Process an user session according to a RADIUS server response - * - * 1.0 - initial release - Linux ONLY - * 1.1 - revised and reorganized for libpwdb 0.54preB or higher - * - removed the conf= parameter, since we use libpwdb exclusively now - * - * See end for Copyright information - */ - -#if !(defined(linux)) -#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! -#endif - -/* Module defines */ -#define BUFFER_SIZE 1024 -#define LONG_VAL_PTR(ptr) ((*(ptr)<<24)+(*((ptr)+1)<<16)+(*((ptr)+2)<<8)+(*((ptr)+3))) - -#define PAM_SM_SESSION - -#include "pam_radius.h" - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -static time_t session_time; - -/* we need to save these from open_session to close_session, since - * when close_session will be called we won't be root anymore and - * won't be able to access again the radius server configuration file - * -- cristiang */ - -static RADIUS_SERVER rad_server; -static char hostname[BUFFER_SIZE]; -static char secret[BUFFER_SIZE]; - -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_radius", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - char *user_name; - int ctrl; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "starting RADIUS user session for '%s'", - user_name); - - retval = get_server_entries(hostname, secret); - if ((retval != PWDB_RADIUS_SUCCESS) || - !strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - session_time = time(NULL); - rad_server.hostname = hostname; - rad_server.secret = secret; - retval = radius_acct_start(rad_server, user_name); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int ctrl; - char *user_name; - int retval; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "closing RADIUS user session for '%s'", - user_name); - - if (!strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - retval = radius_acct_stop(rad_server, user_name, - time(NULL) - session_time); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_radius_modstruct = { - "pam_radius", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL -}; -#endif - -/* - * Copyright (c) Cristian Gafton, 1996, <gafton@redhat.com> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_radius/pam_radius.h b/Linux-PAM/modules/pam_radius/pam_radius.h deleted file mode 100644 index 67230243..00000000 --- a/Linux-PAM/modules/pam_radius/pam_radius.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * $Id: pam_radius.h,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ - */ - -#ifndef PAM_RADIUS_H -#define PAM_RADIUS_H - -#include <security/_pam_aconf.h> - -#include <stdio.h> - -#ifndef __USE_POSIX2 -#define __USE_POSIX2 -#endif /* __USE_POSIX2 */ - -#include <stdlib.h> - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/resource.h> - -#include <unistd.h> -#include <string.h> -#include <ctype.h> -#include <syslog.h> -#include <stdarg.h> -#include <utmp.h> -#include <time.h> -#include <netdb.h> - -#include <netinet/in.h> -#include <rpcsvc/ypclnt.h> -#include <rpc/rpc.h> - -#include <pwdb/radius.h> -#include <pwdb/pwdb_radius.h> - -/******************************************************************/ - -#endif /* PAM_RADIUS_H */ diff --git a/Linux-PAM/modules/pam_rhosts/Makefile b/Linux-PAM/modules/pam_rhosts/Makefile deleted file mode 100644 index d12e00c0..00000000 --- a/Linux-PAM/modules/pam_rhosts/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_rhosts_auth - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_rhosts/Makefile.am b/Linux-PAM/modules/pam_rhosts/Makefile.am new file mode 100644 index 00000000..d4ca7578 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/Makefile.am @@ -0,0 +1,32 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts + +TESTS = tst-pam_rhosts_auth tst-pam_rhosts + +man_MANS = pam_rhosts.8 + +XMLS = README.xml pam_rhosts.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_rhosts.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_rhosts/Makefile.in b/Linux-PAM/modules/pam_rhosts/Makefile.in new file mode 100644 index 00000000..138a1195 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/Makefile.in @@ -0,0 +1,671 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_rhosts +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_rhosts_la_LIBADD = +pam_rhosts_la_SOURCES = pam_rhosts.c +pam_rhosts_la_OBJECTS = pam_rhosts.lo +pam_rhosts_auth_la_LIBADD = +pam_rhosts_auth_la_SOURCES = pam_rhosts_auth.c +pam_rhosts_auth_la_OBJECTS = pam_rhosts_auth.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_rhosts.c pam_rhosts_auth.c +DIST_SOURCES = pam_rhosts.c pam_rhosts_auth.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts +TESTS = tst-pam_rhosts_auth tst-pam_rhosts +man_MANS = pam_rhosts.8 +XMLS = README.xml pam_rhosts.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_rhosts/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_rhosts/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_rhosts.la: $(pam_rhosts_la_OBJECTS) $(pam_rhosts_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_rhosts_la_OBJECTS) $(pam_rhosts_la_LIBADD) $(LIBS) +pam_rhosts_auth.la: $(pam_rhosts_auth_la_OBJECTS) $(pam_rhosts_auth_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_rhosts_auth_la_OBJECTS) $(pam_rhosts_auth_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rhosts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rhosts_auth.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_rhosts.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_rhosts/README b/Linux-PAM/modules/pam_rhosts/README index d2e93d1d..b1911785 100644 --- a/Linux-PAM/modules/pam_rhosts/README +++ b/Linux-PAM/modules/pam_rhosts/README @@ -1,57 +1,56 @@ -arguments recognized: +pam_rhosts — The rhosts PAM module -"no_hosts_equiv" -"no_rhosts" -"debug" -"nowarn" -"suppress" -"promiscuous" +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -.rhosts/hosts.equiv format: +DESCRIPTION -There are positive entries, when one is matched authentication -succeeds and terminates. There are negative entries, when one is -matched authentication fails and terminates. Thus order is -significant. +This module performs the standard network authentication for services, as used +by traditional implementations of rlogin and rsh etc. -Entry hosts.equiv .rhosts -<host> All users on <host> are ok Same username from <host> is ok -<host> <user> <user> from <host> is ok ditto --<host> No users from <host> are ok ditto -<host> -<user> <user> from <host> is not ok ditto +The authentication mechanism of this module is based on the contents of two +files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former +file are treated as equivalent to the localhost. Secondly, entries in the +user's own copy of the latter file is used to map "remote-host remote-user" +pairs to that user's account on the current host. Access is granted to the user +if their host is present in /etc/hosts.equiv and their remote account is +identical to their local one, or if their remote account has an entry in their +personal configuration file. -<host> can be ip (IPv4) numbers. +The module authenticates a remote user (internally specified by the item +PAM_RUSER connecting from the remote host (internally specified by the item +PAM_RHOST). Accordingly, for applications to be compatible this authentication +module they must set these items prior to calling pam_authenticate(). The +module is not capable of independently probing the network connection for such +information. -Netgroups may be used in either host or user fields, and then applies -to all hosts, or users, in the netgroup. The syntax is +OPTIONS - +@<ng> +debug -The entries + Print debug information. - <host> +@<ng> - +@<ng> +@<ng> - +@<ng> <user> +silent -means exactly what you think it does. Negative entries are of the -form + Don't print informative messages. - -@<ng> +superuser=account -When the "promiscuous" option is given the special character + may be -used as a wildcard in any field. + Handle account as root. - + Allow anyone from any host to connect. DANGEROUS. - + + Ditto. - + <user> Allow the user to connect from anywhere. DANGEROUS. - <host> + Allow any user from the host. Dangerous. - -These, perhaps more useful, forms of the + form is also disallowed -unless "promiscuous" is specified: +EXAMPLES - + -<user> Disallow the user from any host - + -@<ng> Disallow all members of the netgroup from any host +To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the +following lines to /etc/pam.d/rsh: -When "promiscuous" is not specified a '+' is handled as a negative -match. +#%PAM-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + + +AUTHOR + +pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> diff --git a/Linux-PAM/modules/pam_rhosts/README.xml b/Linux-PAM/modules/pam_rhosts/README.xml new file mode 100644 index 00000000..5d3307e7 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_rhosts.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_rhosts/pam_rhosts.8 b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8 new file mode 100644 index 00000000..0d7f4a16 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8 @@ -0,0 +1,98 @@ +.\" Title: pam_rhosts +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/28/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_rhosts \- The rhosts PAM module +.SH "SYNOPSIS" +.HP 14 +\fBpam_rhosts.so\fR +.SH "DESCRIPTION" +.PP +This module performs the standard network authentication for services, as used by traditional implementations of +\fBrlogin\fR +and +\fBrsh\fR +etc. +.PP +The authentication mechanism of this module is based on the contents of two files; +\fI/etc/hosts.equiv\fR +(or and +\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in +\fI/etc/hosts.equiv\fR +and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file. +.PP +The module authenticates a remote user (internally specified by the item +\fIPAM_RUSER\fR +connecting from the remote host (internally specified by the item +\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling +\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBsilent\fR +Don't print informative messages. +.TP 3n +\fBsuperuser=\fR\fB\fIaccount\fR\fR +Handle +\fIaccount\fR +as root. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +The remote host, remote user name or the local user name couldn't be determined or access was denied by +\fI.rhosts\fR +file. +.TP 3n +PAM_USER_UNKNOWN +User is not known to system. +.SH "EXAMPLES" +.PP +To grant a remote user access by +\fI/etc/hosts.equiv\fR +or +\fI.rhosts\fR +for +\fBrsh\fR +add the following lines to +\fI/etc/pam.d/rsh\fR: +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBrootok\fR(3), +\fBhosts.equiv\fR(5), +\fBrhosts\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> diff --git a/Linux-PAM/modules/pam_rhosts/pam_rhosts.8.xml b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8.xml new file mode 100644 index 00000000..e559f315 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8.xml @@ -0,0 +1,171 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_rhosts"> + + <refmeta> + <refentrytitle>pam_rhosts</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_rhosts-name"> + <refname>pam_rhosts</refname> + <refpurpose>The rhosts PAM module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_rhosts-cmdsynopsis"> + <command>pam_rhosts.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_rhosts-description"> + + <title>DESCRIPTION</title> + + <para> + This module performs the standard network authentication for services, + as used by traditional implementations of <command>rlogin</command> + and <command>rsh</command> etc. + </para> + <para> + The authentication mechanism of this module is based on the contents + of two files; <filename>/etc/hosts.equiv</filename> (or + and <filename>~/.rhosts</filename>. Firstly, hosts listed in the + former file are treated as equivalent to the localhost. Secondly, + entries in the user's own copy of the latter file is used to map + "<emphasis>remote-host remote-user</emphasis>" pairs to that user's + account on the current host. Access is granted to the user if their + host is present in <filename>/etc/hosts.equiv</filename> and their + remote account is identical to their local one, or if their remote + account has an entry in their personal configuration file. + </para> + <para> + The module authenticates a remote user (internally specified by the + item <parameter>PAM_RUSER</parameter> connecting from the remote + host (internally specified by the item <command>PAM_RHOST</command>). + Accordingly, for applications to be compatible this authentication + module they must set these items prior to calling + <function>pam_authenticate()</function>. The module is not capable + of independently probing the network connection for such information. + </para> + </refsect1> + + <refsect1 id="pam_rhosts-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>superuser=<replaceable>account</replaceable></option> + </term> + <listitem> + <para> + Handle <replaceable>account</replaceable> as root. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_rhosts-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_rhosts-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The remote host, remote user name or the local user name + couldn't be determined or access was denied by + <filename>.rhosts</filename> file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User is not known to system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_rhosts-examples'> + <title>EXAMPLES</title> + <para> + To grant a remote user access by <filename>/etc/hosts.equiv</filename> + or <filename>.rhosts</filename> for <command>rsh</command> add the + following lines to <filename>/etc/pam.d/rsh</filename>: + <programlisting> +#%PAM-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_rhosts-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>rootok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>hosts.equiv</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rhosts</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_rhosts-author'> + <title>AUTHOR</title> + <para> + pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_rhosts/pam_rhosts.c b/Linux-PAM/modules/pam_rhosts/pam_rhosts.c new file mode 100644 index 00000000..8e120614 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/pam_rhosts.c @@ -0,0 +1,155 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#include "config.h" + +#include <pwd.h> +#include <netdb.h> +#include <string.h> +#include <syslog.h> + +#define PAM_SM_AUTH /* only defines this management group */ + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +PAM_EXTERN +int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + const char *luser = NULL; + const char *ruser = NULL, *rhost = NULL; + const char *opt_superuser = NULL; + const void *c_void; + int opt_debug = 0; + int opt_silent; + int as_root; + int retval; + + opt_silent = flags & PAM_SILENT; + + while (argc-- > 0) { + if (strcmp(*argv, "debug") == 0) + opt_debug = 1; + else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0) + opt_silent = 1; + else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0) + opt_superuser = *argv+sizeof("superuser=")-1; + else + pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv); + + ++argv; + } + + retval = pam_get_item (pamh, PAM_RHOST, &c_void); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "could not get the remote host name"); + return retval; + } + rhost = c_void; + + retval = pam_get_item(pamh, PAM_RUSER, &c_void); + ruser = c_void; + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "could not get the remote username"); + return retval; + } + + retval = pam_get_user(pamh, &luser, NULL); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "could not determine name of local user"); + return retval; + } + + if (rhost == NULL || ruser == NULL || luser == NULL) + return PAM_AUTH_ERR; + + if (opt_superuser && strcmp(opt_superuser, luser) == 0) + as_root = 1; + else { + struct passwd *lpwd; + + lpwd = pam_modutil_getpwnam(pamh, luser); + if (lpwd == NULL) { + if (opt_debug) + /* don't print by default, could be the users password */ + pam_syslog(pamh, LOG_DEBUG, + "user '%s' unknown to this system", luser); + return PAM_USER_UNKNOWN; + + } + as_root = (lpwd->pw_uid == 0); + } + +#ifdef HAVE_RUSEROK_AF + retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC); +#else + retval = ruserok (rhost, as_root, ruser, luser); +#endif + if (retval != 0) { + if (!opt_silent || opt_debug) + pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s", + ruser, rhost, luser); + return PAM_AUTH_ERR; + } else { + if (!opt_silent || opt_debug) + pam_syslog(pamh, LOG_NOTICE, "allowed access to %s@%s as %s", + ruser, rhost, luser); + return PAM_SUCCESS; + } +} + + +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_rhosts_modstruct = { + "pam_rhosts", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + NULL, + NULL, + NULL, +}; + +#endif diff --git a/Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c b/Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c index 979580ec..b2248ccb 100644 --- a/Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c +++ b/Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c @@ -38,76 +38,55 @@ * SUCH DAMAGE. */ -#include <security/_pam_aconf.h> +#include "config.h" -#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */ - -#ifdef __linux__ +#include <pwd.h> +#include <grp.h> +#include <ctype.h> +#include <stdarg.h> +#include <stdint.h> +#include <syslog.h> +#include <netdb.h> +#include <stdio.h> +#include <errno.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> #include <endian.h> -#endif - +#include <sys/file.h> +#include <sys/time.h> +#include <arpa/inet.h> +#include <sys/param.h> +#include <sys/socket.h> +#include <sys/signal.h> +#include <sys/stat.h> #ifdef HAVE_SYS_FSUID_H #include <sys/fsuid.h> #endif /* HAVE_SYS_FSUID_H */ - #ifdef HAVE_NET_IF_H #include <sys/if.h> #endif - #include <sys/types.h> #include <sys/uio.h> -#include <string.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/param.h> -#include <sys/socket.h> +#include <net/if.h> #include <netinet/in.h> -#include <netdb.h> /* This is supposed(?) to contain the following */ -int innetgr(const char *, const char *, const char *,const char *); - -#include <stdio.h> -#include <errno.h> -#include <sys/time.h> -#include <arpa/inet.h> #ifndef MAXDNAME #define MAXDNAME 256 #endif -#include <stdarg.h> -#include <ctype.h> - -#include <net/if.h> - -#include <pwd.h> -#include <grp.h> -#include <sys/file.h> -#include <sys/signal.h> -#include <sys/stat.h> -#include <stdint.h> -#include <syslog.h> #ifndef _PATH_HEQUIV #define _PATH_HEQUIV "/etc/hosts.equiv" #endif /* _PATH_HEQUIV */ +#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */ + #define PAM_SM_AUTH /* only defines this management group */ #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> - -#ifdef _ISOC9X_SOURCE -#include <inttypes.h> -#define U32 uint32_t -#else -/* to the best of my knowledge, all modern UNIX boxes have 32 bits integers */ -#define U32 unsigned int -#endif /* _ISOC9X_SOURCE */ - -/* Use the C99 type; older platforms will need this to be typedef'ed - elsewhere */ -#define U32 uint32_t - +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* * Options for this module @@ -129,19 +108,8 @@ struct _options { const char *last_error; }; -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_rhosts_auth", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static void set_option (struct _options *opts, const char *arg) +static void +set_option (const pam_handle_t *pamh, struct _options *opts, const char *arg) { if (strcmp(arg, "no_hosts_equiv") == 0) { opts->opt_no_hosts_equiv = 1; @@ -197,18 +165,19 @@ static void set_option (struct _options *opts, const char *arg) /* * All other options are ignored at the present time. */ - _pam_log(LOG_WARNING, "unrecognized option '%s'", arg); + pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", arg); } -static void set_parameters (struct _options *opts, int flags, - int argc, const char **argv) +static void +set_parameters (const pam_handle_t *pamh, struct _options *opts, + int flags, int argc, const char **argv) { opts->opt_silent = flags & PAM_SILENT; opts->opt_disallow_null_authtok = flags & PAM_DISALLOW_NULL_AUTHTOK; while (argc-- > 0) { - set_option (opts, *argv); - ++argv; + set_option (pamh, opts, *argv); + ++argv; } } @@ -217,13 +186,13 @@ static void set_parameters (struct _options *opts, int flags, * requesting the contents of the PAM_RHOST item. */ -static int pam_get_rhost(pam_handle_t *pamh, const char **rhost - , const char *prompt) +static int +pam_get_rhost (pam_handle_t *pamh, const char **rhost) { int retval; - const char *current; + const void *current; - retval = pam_get_item (pamh, PAM_RHOST, (const void **)¤t); + retval = pam_get_item (pamh, PAM_RHOST, ¤t); if (retval != PAM_SUCCESS) return retval; @@ -240,13 +209,13 @@ static int pam_get_rhost(pam_handle_t *pamh, const char **rhost * requesting the contents of the PAM_RUSER item. */ -static int pam_get_ruser(pam_handle_t *pamh, const char **ruser, - const char *prompt) +static int +pam_get_ruser(pam_handle_t *pamh, const char **ruser) { int retval; - const char *current; + const void *current; - retval = pam_get_item (pamh, PAM_RUSER, (const void **)¤t); + retval = pam_get_item (pamh, PAM_RUSER, ¤t); if (retval != PAM_SUCCESS) { return retval; } @@ -264,13 +233,14 @@ static int pam_get_ruser(pam_handle_t *pamh, const char **ruser, */ static int -__icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr +__icheckhost (pam_handle_t *pamh, struct _options *opts, u_int32_t raddr , register char *lhost, const char *rhost) { struct hostent *hp; - U32 laddr; + u_int32_t laddr; int negate=1; /* Multiply return with this to get -1 instead of 1 */ - char **pp, *user; + char **pp; + const void *user; /* Check nis netgroup. We assume that pam has done all needed paranoia checking before we are handed the rhost */ @@ -285,7 +255,7 @@ __icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr negate=-1; lhost++; } else if (strcmp("+",lhost) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); + (void) pam_get_item(pamh, PAM_USER, &user); D(("user %s has a `+' host entry", user)); if (opts->opt_promiscuous) return (1); /* asking for trouble, but ok.. */ @@ -308,7 +278,7 @@ __icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr /* Spin through ip addresses. */ for (pp = hp->h_addr_list; *pp; ++pp) - if (!memcmp (&raddr, *pp, sizeof (U32))) + if (!memcmp (&raddr, *pp, sizeof (u_int32_t))) return (negate); /* No match. */ @@ -317,16 +287,16 @@ __icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr /* Returns 1 on positive match, 0 on no match, -1 on negative match */ -static int __icheckuser(pam_handle_t *pamh, struct _options *opts - , const char *luser, const char *ruser - , const char *rhost) +static int +__icheckuser (pam_handle_t *pamh, struct _options *opts, + const char *luser, const char *ruser) { /* luser is user entry from .rhosts/hosts.equiv file ruser is user id on remote host rhost is the remote host name */ - char *user; + const void *user; /* [-+]@netgroup */ if (strncmp("+@",luser,2) == 0) @@ -341,8 +311,9 @@ static int __icheckuser(pam_handle_t *pamh, struct _options *opts /* + */ if (strcmp("+",luser) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); - _pam_log(LOG_WARNING, "user %s has a `+' user entry", user); + (void) pam_get_item(pamh, PAM_USER, &user); + pam_syslog(pamh, LOG_WARNING, "user %s has a `+' user entry", + (const char *) user); if (opts->opt_promiscuous) return(1); /* If not promiscuous we handle it as a negative match */ @@ -372,7 +343,7 @@ static int __isempty(char *p) static int __ivaliduser (pam_handle_t *pamh, struct _options *opts, - FILE *hostf, U32 raddr, + FILE *hostf, u_int32_t raddr, const char *luser, const char *ruser, const char *rhost) { register const char *user; @@ -438,7 +409,7 @@ __ivaliduser (pam_handle_t *pamh, struct _options *opts, if (! (*user)) user = luser; - ucheck=__icheckuser(pamh, opts, user, ruser, rhost); + ucheck=__icheckuser(pamh, opts, user, ruser); /* Positive 'host user' match? */ if (ucheck>0) @@ -467,7 +438,7 @@ __ivaliduser (pam_handle_t *pamh, struct _options *opts, static int pam_iruserok(pam_handle_t *pamh, - struct _options *opts, U32 raddr, int superuser, + struct _options *opts, u_int32_t raddr, int superuser, const char *ruser, const char *luser, const char *rhost) { const char *cp; @@ -476,7 +447,7 @@ pam_iruserok(pam_handle_t *pamh, FILE *hostf; uid_t uid; int answer; - char pbuf[MAXPATHLEN]; /* potential buffer overrun */ + char *fpath; if ((!superuser||opts->opt_hosts_equiv_rootok) && !opts->opt_no_hosts_equiv ) { @@ -500,7 +471,7 @@ pam_iruserok(pam_handle_t *pamh, * Identify user's local .rhosts file */ - pwd = _pammodutil_getpwnam(pamh, luser); + pwd = pam_modutil_getpwnam(pamh, luser); if (pwd == NULL) { /* * luser is assumed to be valid because of an earlier check for uid = 0 @@ -510,16 +481,11 @@ pam_iruserok(pam_handle_t *pamh, return(1); } - /* check for buffer overrun */ - if (strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE) + 2 >= MAXPATHLEN) { - if (opts->opt_debug) - _pam_log(LOG_DEBUG,"home directory for `%s' is too long", luser); - return 1; /* to dangerous to try */ + if (asprintf (&fpath, "%s%s", pwd->pw_dir, USER_RHOSTS_FILE) < 0) { + pam_syslog (pamh, LOG_ALERT, "Running out of memory"); + return 1; } - (void) strcpy(pbuf, pwd->pw_dir); - (void) strcat(pbuf, USER_RHOSTS_FILE); - /* * Change effective uid while _reading_ .rhosts. (not just * opening). If root and reading an NFS mounted file system, @@ -530,16 +496,16 @@ pam_iruserok(pam_handle_t *pamh, #ifdef __linux__ /* If we are on linux the better way is setfsuid */ uid = setfsuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); + hostf = fopen(fpath, "r"); #else uid = geteuid(); (void) seteuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); + hostf = fopen(fpath, "r"); #endif if (hostf == NULL) { if (opts->opt_debug) - _pam_log(LOG_DEBUG,"Could not open %s file",pbuf); + pam_syslog(pamh, LOG_DEBUG, "Could not open %s: %m", fpath); answer = 1; goto exit_function; } @@ -550,7 +516,7 @@ pam_iruserok(pam_handle_t *pamh, */ cp = NULL; - if (lstat(pbuf, &sbuf) < 0 || !S_ISREG(sbuf.st_mode)) + if (lstat(fpath, &sbuf) < 0 || !S_ISREG(sbuf.st_mode)) cp = ".rhosts not regular file"; else if (fstat(fileno(hostf), &sbuf) < 0) cp = ".rhosts fstat failed"; @@ -562,7 +528,7 @@ pam_iruserok(pam_handle_t *pamh, /* private group caveat */ if (opts->opt_private_group) { - struct group *grp = _pammodutil_getgrgid(pamh, sbuf.st_gid); + struct group *grp = pam_modutil_getgrgid(pamh, sbuf.st_gid); if (NULL == grp || NULL == grp->gr_name || strcmp(luser,grp->gr_name)) { @@ -609,6 +575,8 @@ exit_function: (void)seteuid(uid); #endif + free (fpath); + if (hostf != NULL) (void) fclose(hostf); @@ -622,7 +590,7 @@ pam_ruserok (pam_handle_t *pamh, { struct hostent *hp; int answer = 1; /* default to failure */ - U32 *addrs; + u_int32_t *addrs; int n, i; opts->last_error = (char *) 0; @@ -631,8 +599,8 @@ pam_ruserok (pam_handle_t *pamh, if (hp != NULL) { /* First of all check the address length */ if (hp->h_length != 4) { - _pam_log(LOG_ALERT, "pam_rhosts module can't work with not IPv4 " - "addresses"); + pam_syslog(pamh, LOG_ALERT, + "pam_rhosts module can't work with non-IPv4 addresses"); return 1; /* not allowed */ } @@ -678,7 +646,7 @@ static int _pam_auth_rhosts (pam_handle_t *pamh, * Look at the options and set the flags accordingly. */ memset (&opts, 0, sizeof (opts)); - set_parameters (&opts, flags, argc, argv); + set_parameters (pamh, &opts, flags, argc, argv); /* * Obtain the parameters for the various items */ @@ -686,22 +654,24 @@ static int _pam_auth_rhosts (pam_handle_t *pamh, /* get the remotehost */ D(("getting rhost")); - retval = pam_get_rhost(pamh, &rhost, NULL); + retval = pam_get_rhost(pamh, &rhost); (void) pam_set_item(pamh, PAM_RHOST, rhost); if (retval != PAM_SUCCESS) { if (opts.opt_debug) { - _pam_log(LOG_DEBUG, "could not get the remote host name"); + pam_syslog(pamh, LOG_DEBUG, + "could not get the remote host name"); } break; } /* get the remote user */ D(("getting ruser")); - retval = pam_get_ruser(pamh, &ruser, NULL); + retval = pam_get_ruser(pamh, &ruser); (void) pam_set_item(pamh, PAM_RUSER, ruser); if (retval != PAM_SUCCESS) { if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not get the remote username"); + pam_syslog(pamh, LOG_DEBUG, + "could not get the remote username"); break; } @@ -710,7 +680,8 @@ static int _pam_auth_rhosts (pam_handle_t *pamh, retval = pam_get_user(pamh, &luser, NULL); if (retval != PAM_SUCCESS) { if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not determine name of local user"); + pam_syslog(pamh, LOG_DEBUG, + "could not determine name of local user"); break; } @@ -722,11 +693,11 @@ static int _pam_auth_rhosts (pam_handle_t *pamh, if (! opts.opt_no_uid_check) { struct passwd *luser_pwd; - luser_pwd = _pammodutil_getpwnam(pamh, luser); + luser_pwd = pam_modutil_getpwnam(pamh, luser); if (luser_pwd == NULL) { if (opts.opt_debug) - _pam_log(LOG_DEBUG, "user '%s' unknown to this system", - luser); + pam_syslog(pamh, LOG_DEBUG, + "user '%s' unknown to this system", luser); retval = PAM_AUTH_ERR; break; } @@ -739,13 +710,13 @@ static int _pam_auth_rhosts (pam_handle_t *pamh, */ if (pam_ruserok (pamh, &opts, rhost, as_root, ruser, luser) != 0) { if ( !opts.opt_suppress ) { - _pam_log(LOG_WARNING, "denied to %s@%s as %s: %s", + pam_syslog(pamh, LOG_WARNING, "denied to %s@%s as %s: %s", ruser, rhost, luser, (opts.last_error==NULL) ? "access not allowed":opts.last_error); } retval = PAM_AUTH_ERR; } else { - _pam_log(LOG_NOTICE, "allowed to %s@%s as %s", + pam_syslog(pamh, LOG_NOTICE, "allowed to %s@%s as %s", ruser, rhost, luser); } break; @@ -764,9 +735,9 @@ int pam_sm_authenticate (pam_handle_t *pamh, { int retval; - if (sizeof(U32) != 4) { - _pam_log (LOG_ALERT, "pam_rhosts module can\'t work on this hardware " - "(yet)"); + if (sizeof(u_int32_t) != 4) { + pam_syslog (pamh, LOG_ALERT, + "pam_rhosts module can\'t work on this hardware (yet)"); return PAM_AUTH_ERR; } sethostent(1); @@ -775,9 +746,9 @@ int pam_sm_authenticate (pam_handle_t *pamh, return retval; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc, - const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts b/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts new file mode 100755 index 00000000..65e85a98 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_rhosts.so diff --git a/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts_auth b/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts_auth new file mode 100755 index 00000000..6b14ec51 --- /dev/null +++ b/Linux-PAM/modules/pam_rhosts/tst-pam_rhosts_auth @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_rhosts_auth.so diff --git a/Linux-PAM/modules/pam_rootok/Makefile b/Linux-PAM/modules/pam_rootok/Makefile deleted file mode 100644 index b908b115..00000000 --- a/Linux-PAM/modules/pam_rootok/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_rootok - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_rootok/Makefile.am b/Linux-PAM/modules/pam_rootok/Makefile.am new file mode 100644 index 00000000..7a97f20f --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/Makefile.am @@ -0,0 +1,33 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok + +man_MANS = pam_rootok.8 +XMLS = README.xml pam_rootok.8.xml + +TESTS = tst-pam_rootok + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +if HAVE_LIBSELINUX +AM_CFLAGS += -DWITH_SELINUX +endif +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_rootok.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_rootok.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/Linux-PAM/modules/pam_rootok/Makefile.in b/Linux-PAM/modules/pam_rootok/Makefile.in new file mode 100644 index 00000000..03128f8d --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/Makefile.in @@ -0,0 +1,667 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_LIBSELINUX_TRUE@am__append_1 = -DWITH_SELINUX +@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_rootok +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_rootok_la_LIBADD = +pam_rootok_la_SOURCES = pam_rootok.c +pam_rootok_la_OBJECTS = pam_rootok.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_rootok.c +DIST_SOURCES = pam_rootok.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok +man_MANS = pam_rootok.8 +XMLS = README.xml pam_rootok.8.xml +TESTS = tst-pam_rootok +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include \ + -I$(top_srcdir)/libpamc/include $(am__append_1) +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ $(am__append_2) +securelib_LTLIBRARIES = pam_rootok.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_rootok/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_rootok/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_rootok.la: $(pam_rootok_la_OBJECTS) $(pam_rootok_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_rootok_la_OBJECTS) $(pam_rootok_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rootok.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_rootok.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_rootok/README b/Linux-PAM/modules/pam_rootok/README index 43b92e6c..55a44756 100644 --- a/Linux-PAM/modules/pam_rootok/README +++ b/Linux-PAM/modules/pam_rootok/README @@ -1,18 +1,33 @@ -# $Id: README,v 1.2 2001/11/27 05:37:30 agmorgan Exp $ -# +pam_rootok — Gain only root access -this module is an authentication module that performs one task: if the -id of the user is '0' then it returns 'PAM_SUCCESS' with the -'sufficient' /etc/pam.conf control flag it can be used to allow -password free access to some service for 'root' +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -Recognized arguments: +DESCRIPTION - debug write a message to syslog indicating success or - failure. +pam_rootok is a PAM module that authenticates the user if their UID is 0. +Applications that are created setuid-root generally retain the UID of the user +but run with the authority of an enhanced effective-UID. It is the real UID +that is checked. -module services provided: +OPTIONS - auth _authentication and _setcred (blank) +debug + + Print debug information. + +EXAMPLES + +In the case of the su(1) application the historical usage is to permit the +superuser to adopt the identity of a lesser user without the use of a password. +To obtain this behavior with PAM the following pair of lines are needed for the +corresponding entry in the /etc/pam.d/su configuration file: + +# su authentication. Root is granted access by default. +auth sufficient pam_rootok.so +auth required pam_unix.so + + +AUTHOR + +pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. -Andrew Morgan diff --git a/Linux-PAM/modules/pam_rootok/README.xml b/Linux-PAM/modules/pam_rootok/README.xml new file mode 100644 index 00000000..6fb58cd0 --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_rootok.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rootok.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rootok-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_rootok/pam_rootok.8 b/Linux-PAM/modules/pam_rootok/pam_rootok.8 new file mode 100644 index 00000000..79618050 --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/pam_rootok.8 @@ -0,0 +1,77 @@ +.\" Title: pam_rootok +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/23/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_ROOTOK" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_rootok \- Gain only root access +.SH "SYNOPSIS" +.HP 14 +\fBpam_rootok.so\fR [debug] +.SH "DESCRIPTION" +.PP +pam_rootok is a PAM module that authenticates the user if their +\fIUID\fR +is +\fI0\fR. Applications that are created setuid\-root generally retain the +\fIUID\fR +of the user but run with the authority of an enhanced effective\-UID. It is the real +\fIUID\fR +that is checked. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +The +\fIUID\fR +is +\fI0\fR. +.TP 3n +PAM_AUTH_ERR +The +\fIUID\fR +is +\fBnot\fR +\fI0\fR. +.SH "EXAMPLES" +.PP +In the case of the +\fBsu\fR(1) +application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the +\fI/etc/pam.d/su\fR +configuration file: +.sp +.RS 3n +.nf +# su authentication. Root is granted access by default. +auth sufficient pam_rootok.so +auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBsu\fR(1), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_rootok/pam_rootok.8.xml b/Linux-PAM/modules/pam_rootok/pam_rootok.8.xml new file mode 100644 index 00000000..ec8dee43 --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/pam_rootok.8.xml @@ -0,0 +1,130 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_rootok"> + + <refmeta> + <refentrytitle>pam_rootok</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_rootok-name"> + <refname>pam_rootok</refname> + <refpurpose>Gain only root access</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_rootok-cmdsynopsis"> + <command>pam_rootok.so</command> + <arg choice="opt"> + debug + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_rootok-description"> + + <title>DESCRIPTION</title> + + <para> + pam_rootok is a PAM module that authenticates the user if their + <emphasis>UID</emphasis> is <emphasis>0</emphasis>. + Applications that are created setuid-root generally retain the + <emphasis>UID</emphasis> of the user but run with the authority + of an enhanced effective-UID. It is the real <emphasis>UID</emphasis> + that is checked. + </para> + </refsect1> + + <refsect1 id="pam_rootok-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_rootok-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_rootok-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The <emphasis>UID</emphasis> is <emphasis>0</emphasis>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The <emphasis>UID</emphasis> is <emphasis remap='B'>not</emphasis> + <emphasis>0</emphasis>. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_rootok-examples'> + <title>EXAMPLES</title> + <para> + In the case of the <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> application the historical usage is to + permit the superuser to adopt the identity of a lesser user + without the use of a password. To obtain this behavior with PAM + the following pair of lines are needed for the corresponding entry + in the <filename>/etc/pam.d/su</filename> configuration file: + <programlisting> +# su authentication. Root is granted access by default. +auth sufficient pam_rootok.so +auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_rootok-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_rootok-author'> + <title>AUTHOR</title> + <para> + pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_rootok/pam_rootok.c b/Linux-PAM/modules/pam_rootok/pam_rootok.c index e1e09b6e..4eb34412 100644 --- a/Linux-PAM/modules/pam_rootok/pam_rootok.c +++ b/Linux-PAM/modules/pam_rootok/pam_rootok.c @@ -1,12 +1,12 @@ /* pam_rootok module */ /* - * $Id: pam_rootok.c,v 1.3 2002/05/26 23:00:28 agmorgan Exp $ + * $Id: pam_rootok.c,v 1.7 2005/12/12 14:45:02 ldv Exp $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ -#define _GNU_SOURCE +#include "config.h" #include <stdio.h> #include <unistd.h> @@ -24,26 +24,19 @@ #define PAM_SM_AUTH #include <security/pam_modules.h> +#include <security/pam_ext.h> -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-rootok", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#include <selinux/av_permissions.h> +#endif /* argument parsing */ #define PAM_DEBUG_ARG 01 -static int _pam_parse(int argc, const char **argv) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { int ctrl=0; @@ -55,7 +48,7 @@ static int _pam_parse(int argc, const char **argv) if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -64,28 +57,31 @@ static int _pam_parse(int argc, const char **argv) /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int ctrl; int retval = PAM_AUTH_ERR; - ctrl = _pam_parse(argc, argv); + ctrl = _pam_parse(pamh, argc, argv); if (getuid() == 0) +#ifdef WITH_SELINUX + if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0) +#endif retval = PAM_SUCCESS; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "authentication %s" - , retval==PAM_SUCCESS ? "succeeded":"failed" ); + pam_syslog(pamh, LOG_DEBUG, "authentication %s", + (retval==PAM_SUCCESS) ? "succeeded" : "failed"); } return retval; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_rootok/tst-pam_rootok b/Linux-PAM/modules/pam_rootok/tst-pam_rootok new file mode 100755 index 00000000..385ef760 --- /dev/null +++ b/Linux-PAM/modules/pam_rootok/tst-pam_rootok @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_rootok.so diff --git a/Linux-PAM/modules/pam_securetty/Makefile b/Linux-PAM/modules/pam_securetty/Makefile deleted file mode 100644 index 8ac853c5..00000000 --- a/Linux-PAM/modules/pam_securetty/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_securetty - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_securetty/Makefile.am b/Linux-PAM/modules/pam_securetty/Makefile.am new file mode 100644 index 00000000..ca97ef4d --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/Makefile.am @@ -0,0 +1,30 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_securetty + +TESTS = tst-pam_securetty + +man_MANS = pam_securetty.8 +XMLS = README.xml pam_securetty.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_securetty.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_securetty.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/Linux-PAM/modules/pam_securetty/Makefile.in b/Linux-PAM/modules/pam_securetty/Makefile.in new file mode 100644 index 00000000..763404f5 --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_securetty +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_securetty_la_LIBADD = +pam_securetty_la_SOURCES = pam_securetty.c +pam_securetty_la_OBJECTS = pam_securetty.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_securetty.c +DIST_SOURCES = pam_securetty.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_securetty +TESTS = tst-pam_securetty +man_MANS = pam_securetty.8 +XMLS = README.xml pam_securetty.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_securetty.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_securetty/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_securetty/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_securetty.la: $(pam_securetty_la_OBJECTS) $(pam_securetty_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_securetty_la_OBJECTS) $(pam_securetty_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_securetty.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_securetty.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_securetty/README b/Linux-PAM/modules/pam_securetty/README index 1df095c9..d4ee5f97 100644 --- a/Linux-PAM/modules/pam_securetty/README +++ b/Linux-PAM/modules/pam_securetty/README @@ -1,9 +1,33 @@ -pam_securetty: - Allows root logins only if the user is logging in on a - "secure" tty, as defined by the listing in /etc/securetty +pam_securetty — Limit root login to special devices - Also checks to make sure that /etc/securetty is a plain - file and not world writable. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_securetty is a PAM module that allows root logins only if the user is +logging in on a "secure" tty, as defined by the listing in /etc/securetty. +pam_securetty also checks to make sure that /etc/securetty is a plain file and +not world writable. + +This module has no effect on non-root users and requires that the application +fills in the PAM_TTY item correctly. + +For canonical usage, should be listed as a required authentication method +before any sufficient authentication methods. + +OPTIONS + +debug + + Print debug information. + +EXAMPLES + +auth required pam_securetty.so +auth required pam_unix.so + + +AUTHOR + +pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. - - Elliot Lee <sopwith@redhat.com>, Red Hat Software. - July 25, 1996. diff --git a/Linux-PAM/modules/pam_securetty/README.xml b/Linux-PAM/modules/pam_securetty/README.xml new file mode 100644 index 00000000..a8c098a0 --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_securetty.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_securetty.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_securetty-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_securetty/pam_securetty.8 b/Linux-PAM/modules/pam_securetty/pam_securetty.8 new file mode 100644 index 00000000..f72e611f --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/pam_securetty.8 @@ -0,0 +1,85 @@ +.\" Title: pam_securetty +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/04/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_SECURETTY" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_securetty \- Limit root login to special devices +.SH "SYNOPSIS" +.HP 17 +\fBpam_securetty.so\fR [debug] +.SH "DESCRIPTION" +.PP +pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in +\fI/etc/securetty\fR. pam_securetty also checks to make sure that +\fI/etc/securetty\fR +is a plain file and not world writable. +.PP +This module has no effect on non\-root users and requires that the application fills in the +\fBPAM_TTY\fR +item correctly. +.PP +For canonical usage, should be listed as a +\fBrequired\fR +authentication method before any +\fBsufficient\fR +authentication methods. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +The user is allowed to continue authentication. Either the user is not root, or the root user is trying to log in on an acceptable device. +.TP 3n +PAM_AUTH_ERR +Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the +\fI/etc/securetty\fR +file is world writable or not a normal file. +.TP 3n +PAM_INCOMPLETE +An application error occurred. pam_securetty was not able to get information it required from the application that called it. +.TP 3n +PAM_SERVICE_ERR +An error occurred while the module was determining the user's name or tty, or the module could not open +\fI/etc/securetty\fR. +.TP 3n +PAM_IGNORE +The module could not find the user name in the +\fI/etc/passwd\fR +file to verify whether the user had a UID of 0. Therefore, the results of running this module are ignored. +.SH "EXAMPLES" +.PP + +.sp +.RS 3n +.nf +auth required pam_securetty.so +auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBsecuretty\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. diff --git a/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml b/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml new file mode 100644 index 00000000..56348d78 --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml @@ -0,0 +1,167 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_securetty"> + + <refmeta> + <refentrytitle>pam_securetty</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_securetty-name"> + <refname>pam_securetty</refname> + <refpurpose>Limit root login to special devices</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_securetty-cmdsynopsis"> + <command>pam_securetty.so</command> + <arg choice="opt"> + debug + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_securetty-description"> + + <title>DESCRIPTION</title> + + <para> + pam_securetty is a PAM module that allows root logins only if the + user is logging in on a "secure" tty, as defined by the listing + in <filename>/etc/securetty</filename>. pam_securetty also checks + to make sure that <filename>/etc/securetty</filename> is a plain + file and not world writable. + </para> + <para> + This module has no effect on non-root users and requires that the + application fills in the <emphasis remap='B'>PAM_TTY</emphasis> + item correctly. + </para> + <para> + For canonical usage, should be listed as a + <emphasis remap='B'>required</emphasis> authentication method + before any <emphasis remap='B'>sufficient</emphasis> + authentication methods. + </para> + </refsect1> + + <refsect1 id="pam_securetty-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_securetty-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_securetty-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The user is allowed to continue authentication. + Either the user is not root, or the root user is + trying to log in on an acceptable device. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication is rejected. Either root is attempting to + log in via an unacceptable device, or the + <filename>/etc/securetty</filename> file is world writable or + not a normal file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + An application error occurred. pam_securetty was not able + to get information it required from the application that + called it. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + An error occurred while the module was determining the + user's name or tty, or the module could not open + <filename>/etc/securetty</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The module could not find the user name in the + <filename>/etc/passwd</filename> file to verify whether + the user had a UID of 0. Therefore, the results of running + this module are ignored. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_securetty-examples'> + <title>EXAMPLES</title> + <para> + <programlisting> +auth required pam_securetty.so +auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_securetty-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_securetty-author'> + <title>AUTHOR</title> + <para> + pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_securetty/pam_securetty.c b/Linux-PAM/modules/pam_securetty/pam_securetty.c index 3a9ae421..9dbe9bc4 100644 --- a/Linux-PAM/modules/pam_securetty/pam_securetty.c +++ b/Linux-PAM/modules/pam_securetty/pam_securetty.c @@ -10,7 +10,7 @@ * Slight modifications AGM. 1996/12/3 */ -#define _GNU_SOURCE +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -34,26 +34,13 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> -#include <security/_pam_modutil.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ +#include <security/pam_modutil.h> +#include <security/pam_ext.h> #define PAM_DEBUG_ARG 0x0001 -static int _pam_parse(int argc, const char **argv) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { int ctrl=0; @@ -65,19 +52,21 @@ static int _pam_parse(int argc, const char **argv) if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } return ctrl; } -static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, - const char *function_name) +static int +securetty_perform_check (pam_handle_t *pamh, int ctrl, + const char *function_name) { int retval = PAM_AUTH_ERR; const char *username; - char *uttyname; + const char *uttyname; + const void *void_uttyname; char ttyfileline[256]; char ptname[256]; struct stat ttyfileinfo; @@ -86,32 +75,29 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, /* log a trail for debugging */ if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "pam_securetty called via %s function", - function_name); + pam_syslog(pamh, LOG_DEBUG, "pam_securetty called via %s function", + function_name); } retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS || username == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_WARNING, "cannot determine username"); - } + pam_syslog(pamh, LOG_WARNING, "cannot determine username"); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); } - user_pwd = _pammodutil_getpwnam(pamh, username); + user_pwd = pam_modutil_getpwnam(pamh, username); if (user_pwd == NULL) { - return PAM_IGNORE; + return PAM_USER_UNKNOWN; } else if (user_pwd->pw_uid != 0) { /* If the user is not root, securetty's does not apply to them */ return PAM_SUCCESS; } - retval = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname); + retval = pam_get_item(pamh, PAM_TTY, &void_uttyname); + uttyname = void_uttyname; if (retval != PAM_SUCCESS || uttyname == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_WARNING, "cannot determine user's tty"); - } + pam_syslog (pamh, LOG_WARNING, "cannot determine user's tty"); return PAM_SERVICE_ERR; } @@ -121,7 +107,7 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, } if (stat(SECURETTY_FILE, &ttyfileinfo)) { - _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE); + pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ @@ -130,15 +116,15 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { /* If the file is world writable or is not a normal file, return error */ - _pam_log(LOG_ERR, SECURETTY_FILE - " is either world writable or not a normal file"); + pam_syslog(pamh, LOG_ERR, + "%s is either world writable or not a normal file", + SECURETTY_FILE); return PAM_AUTH_ERR; } ttyfile = fopen(SECURETTY_FILE,"r"); if (ttyfile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening " SECURETTY_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); return PAM_SERVICE_ERR; } @@ -161,13 +147,13 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, fclose(ttyfile); if (retval) { - _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", + pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", uttyname); retval = PAM_AUTH_ERR; } else { if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { - _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", + pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", username, uttyname); } retval = PAM_SUCCESS; @@ -180,36 +166,37 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl, /* --- authentication management functions --- */ PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, +int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { int ctrl; /* parse the arguments */ - ctrl = _pam_parse(argc, argv); + ctrl = _pam_parse (pamh, argc, argv); - return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__); + return securetty_perform_check(pamh, ctrl, __FUNCTION__); } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } /* --- account management functions --- */ -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int ctrl; /* parse the arguments */ - ctrl = _pam_parse(argc, argv); + ctrl = _pam_parse (pamh, argc, argv); /* take the easy route */ - return securetty_perform_check(pamh, flags, ctrl, __FUNCTION__); + return securetty_perform_check(pamh, ctrl, __FUNCTION__); } diff --git a/Linux-PAM/modules/pam_securetty/tst-pam_securetty b/Linux-PAM/modules/pam_securetty/tst-pam_securetty new file mode 100755 index 00000000..1252f798 --- /dev/null +++ b/Linux-PAM/modules/pam_securetty/tst-pam_securetty @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_securetty.so diff --git a/Linux-PAM/modules/pam_selinux/Makefile.am b/Linux-PAM/modules/pam_selinux/Makefile.am new file mode 100644 index 00000000..ee2773e9 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/Makefile.am @@ -0,0 +1,42 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ + tst-pam_selinux + +if HAVE_LIBSELINUX + TESTS = tst-pam_selinux + man_MANS = pam_selinux.8 +endif + +XMLS = README.xml pam_selinux.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include +AM_LDFLAGS = -no-undefined \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ + +pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) -L$(top_builddir)/libpam_misc -lpam_misc + +pam_selinux_la_LDFLAGS = $(AM_LDFLAGS) +if HAVE_VERSIONING + pam_selinux_la_LDFLAGS += -avoid-version -module \ + -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_selinux.la + noinst_PROGRAMS = pam_selinux_check +endif +if ENABLE_REGENERATE_MAN +noinst_DATA = README pam_selinux.8 +README: pam_selinux.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_selinux/Makefile.in b/Linux-PAM/modules/pam_selinux/Makefile.in new file mode 100644 index 00000000..05321ab8 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/Makefile.in @@ -0,0 +1,698 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> +# + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -avoid-version -module \ +@HAVE_VERSIONING_TRUE@ -Wl,--version-script=$(srcdir)/../modules.map + +@HAVE_LIBSELINUX_TRUE@noinst_PROGRAMS = pam_selinux_check$(EXEEXT) +subdir = modules/pam_selinux +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_selinux_la_LIBADD = +pam_selinux_la_SOURCES = pam_selinux.c +pam_selinux_la_OBJECTS = pam_selinux.lo +pam_selinux_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_selinux_la_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_LIBSELINUX_TRUE@am_pam_selinux_la_rpath = -rpath $(securelibdir) +PROGRAMS = $(noinst_PROGRAMS) +pam_selinux_check_SOURCES = pam_selinux_check.c +pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT) +pam_selinux_check_LDADD = $(LDADD) +pam_selinux_check_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_selinux_check_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_selinux.c pam_selinux_check.c +DIST_SOURCES = pam_selinux.c pam_selinux_check.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ + tst-pam_selinux + +@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux +@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 +XMLS = README.xml pam_selinux.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include + +AM_LDFLAGS = -no-undefined \ + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ + +pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) -L$(top_builddir)/libpam_misc -lpam_misc +pam_selinux_la_LDFLAGS = $(AM_LDFLAGS) $(am__append_1) +@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8 +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_selinux/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES) + $(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES) + @rm -f pam_selinux_check$(EXEEXT) + $(pam_selinux_check_LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-securelibLTLIBRARIES ctags distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_selinux/README b/Linux-PAM/modules/pam_selinux/README new file mode 100644 index 00000000..4268d3fb --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/README @@ -0,0 +1,61 @@ +pam_selinux — PAM module to set the default security context + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +In a nutshell, pam_selinux sets up the default security context for the next +execed shell. + +When an application opens a session using pam_selinux, the shell that gets +executed will be run in the default security context, or if the user chooses +and the pam file allows the selected security context. Also the controlling tty +will have it's security context modified to match the users. + +Adding pam_selinux into a pam file could cause other pam modules to change +their behavior if the exec another application. The close and open option help +mitigate this problem. close option will only cause the close portion of the +pam_selinux to execute, and open will only cause the open portion to run. You +can add pam_selinux to the config file twice. Add the pam_selinux close as the +executes the open pass through the modules, pam_selinux open_session will +happen last. When PAM executes the close pass through the modules pam_selinux +close_session will happen first. + +OPTIONS + +close + + Only execute the close_session portion of the module. + +debug + + Turns on debugging via syslog(3). + +multiple + + Tells pam_selinux.so to allow the user to select the security context they + will login with, if the user has more than one role. + +open + + Only execute the open_session portion of the module. + +nottys + + Do not try to setup the ttys security context. + +verbose + + attempt to inform the user when security context is set. + +EXAMPLES + +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + + +AUTHOR + +pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. + diff --git a/Linux-PAM/modules/pam_selinux/README.xml b/Linux-PAM/modules/pam_selinux/README.xml new file mode 100644 index 00000000..7e1baf55 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_selinux.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_selinux-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.8 b/Linux-PAM/modules/pam_selinux/pam_selinux.8 new file mode 100644 index 00000000..f44fc684 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.8 @@ -0,0 +1,78 @@ +.\" Title: pam_selinux +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/18/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_SELINUX" "8" "06/18/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_selinux \- PAM module to set the default security context +.SH "SYNOPSIS" +.HP 15 +\fBpam_selinux.so\fR [close] [debug] [multiple] [open] [nottys] [verbose] +.SH "DESCRIPTION" +.PP +In a nutshell, pam_selinux sets up the default security context for the next execed shell. +.PP +When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context. Also the controlling tty will have it's security context modified to match the users. +.PP +Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux close_session will happen first. +.SH "OPTIONS" +.TP 3n +\fBclose\fR +Only execute the close_session portion of the module. +.TP 3n +\fBdebug\fR +Turns on debugging via +\fBsyslog\fR(3). +.TP 3n +\fBmultiple\fR +Tells pam_selinux.so to allow the user to select the security context they will login with, if the user has more than one role. +.TP 3n +\fBopen\fR +Only execute the open_session portion of the module. +.TP 3n +\fBnottys\fR +Do not try to setup the ttys security context. +.TP 3n +\fBverbose\fR +attempt to inform the user when security context is set. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +Unable to get or set a valid context. +.TP 3n +PAM_SUCCESS +The security context was set successfull. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml b/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml new file mode 100644 index 00000000..1f00f082 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml @@ -0,0 +1,207 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_selinux"> + + <refmeta> + <refentrytitle>pam_selinux</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_selinux-name"> + <refname>pam_selinux</refname> + <refpurpose>PAM module to set the default security context</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_selinux-cmdsynopsis"> + <command>pam_selinux.so</command> + <arg choice="opt"> + close + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + multiple + </arg> + <arg choice="opt"> + open + </arg> + <arg choice="opt"> + nottys + </arg> + <arg choice="opt"> + verbose + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_selinux-description"> + <title>DESCRIPTION</title> + <para> + In a nutshell, pam_selinux sets up the default security context for the + next execed shell. + </para> + <para> + When an application opens a session using pam_selinux, the shell that + gets executed will be run in the default security context, or if the + user chooses and the pam file allows the selected security context. + Also the controlling tty will have it's security context modified to + match the users. + </para> + <para> + Adding pam_selinux into a pam file could cause other pam modules to + change their behavior if the exec another application. The close and + open option help mitigate this problem. close option will only cause + the close portion of the pam_selinux to execute, and open will only + cause the open portion to run. You can add pam_selinux to the config + file twice. Add the pam_selinux close as the executes the open pass + through the modules, pam_selinux open_session will happen last. + When PAM executes the close pass through the modules pam_selinux + close_session will happen first. + </para> + </refsect1> + + <refsect1 id="pam_selinux-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>close</option> + </term> + <listitem> + <para> + Only execute the close_session portion of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>multiple</option> + </term> + <listitem> + <para> + Tells pam_selinux.so to allow the user to select the + security context they will login with, if the user has + more than one role. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>open</option> + </term> + <listitem> + <para> + Only execute the open_session portion of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nottys</option> + </term> + <listitem> + <para> + Do not try to setup the ttys security context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>verbose</option> + </term> + <listitem> + <para> + attempt to inform the user when security context is set. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_selinux-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_selinux-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Unable to get or set a valid context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The security context was set successfull. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_selinux-examples'> + <title>EXAMPLES</title> + <programlisting> +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + </programlisting> + </refsect1> + + <refsect1 id='pam_selinux-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_selinux-author'> + <title>AUTHOR</title> + <para> + pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.c b/Linux-PAM/modules/pam_selinux/pam_selinux.c new file mode 100644 index 00000000..5aaec2e7 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.c @@ -0,0 +1,482 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default security context after login + * via PAM. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Dan Walsh <dwalsh@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include <errno.h> +#include <limits.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <syslog.h> + +#define PAM_SM_AUTH +#define PAM_SM_SESSION + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#include <selinux/selinux.h> +#include <selinux/get_context_list.h> +#include <selinux/flask.h> +#include <selinux/selinux.h> +#include <selinux/context.h> + +static int +send_text (pam_handle_t *pamh, const char *text, int debug) +{ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "%s", text); + return pam_info (pamh, "%s", text); +} + +/* + * This function sends a message to the user and gets the response. The caller + * is responsible for freeing the responses. + */ +static int +query_response (pam_handle_t *pamh, const char *text, + char **responses, int debug) +{ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "%s", text); + + return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text); +} + +static security_context_t +select_context (pam_handle_t *pamh, security_context_t* contextlist, + int debug) +{ + char *responses; + char *text=calloc(PATH_MAX,1); + + if (text == NULL) + return (security_context_t) strdup(contextlist[0]); + + snprintf(text, PATH_MAX, + _("Your default context is %s. \n"), contextlist[0]); + send_text(pamh,text,debug); + free(text); + query_response(pamh,_("Do you want to choose a different one? [n]"), + &responses,debug); + if (responses && ((responses[0] == 'y') || + (responses[0] == 'Y'))) + { + int choice=0; + int i; + const char *prompt=_("Enter number of choice: "); + int len=strlen(prompt); + char buf[PATH_MAX]; + + _pam_drop(responses); + for (i = 0; contextlist[i]; i++) { + len+=strlen(contextlist[i]) + 10; + } + text=calloc(len,1); + for (i = 0; contextlist[i]; i++) { + snprintf(buf, PATH_MAX, + "[%d] %s\n", i+1, contextlist[i]); + strncat(text,buf,len); + } + strcat(text,prompt); + while ((choice < 1) || (choice > i)) { + query_response(pamh,text,&responses,debug); + choice = strtol (responses, NULL, 10); + _pam_drop(responses); + } + free(text); + return (security_context_t) strdup(contextlist[choice-1]); + } + else if (responses) + _pam_drop(responses); + + return (security_context_t) strdup(contextlist[0]); +} + +static security_context_t +manual_context (pam_handle_t *pamh, const char *user, int debug) +{ + security_context_t newcon; + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); + + char *responses; + + while (1) { + query_response(pamh, + _("Would you like to enter a security context? [y] "), + &responses,debug); + if ((responses[0] == 'y') || (responses[0] == 'Y') || + (responses[0] == '\0') ) + { + if (mls_enabled) + new_context = context_new ("user:role:type:level"); + else + new_context = context_new ("user:role:type"); + _pam_drop(responses); + + /* Allow the user to enter each field of the context individually */ + if (context_user_set (new_context, user)) + { + context_free (new_context); + return NULL; + } + query_response(pamh,_("role: "),&responses,debug); + if (context_role_set (new_context, responses)) + { + _pam_drop(responses); + context_free (new_context); + return NULL; + } + _pam_drop(responses); + query_response(pamh,_("type: "),&responses,debug); + if (context_type_set (new_context, responses)) + { + _pam_drop(responses); + context_free (new_context); + return NULL; + } + _pam_drop(responses); + if (mls_enabled) + { + query_response(pamh,_("level: "),&responses,debug); + if (context_range_set (new_context, responses)) + { + _pam_drop(responses); + context_free (new_context); + return NULL; + } + _pam_drop(responses); + } + /* Get the string value of the context and see if it is valid. */ + if (!security_check_context(context_str(new_context))) { + newcon = strdup(context_str(new_context)); + context_free (new_context); + return newcon; + } + else + send_text(pamh,_("Not a valid security context"),debug); + } + else { + _pam_drop(responses); + return NULL; + } + } /* end while */ + + return NULL; +} + +static void +security_restorelabel_tty(const pam_handle_t *pamh, + const char *tty, security_context_t context) +{ + char ttybuf[PATH_MAX]; + const char *ptr; + + if (context==NULL) + return; + + if(strncmp("/dev/", tty, 5)) { + snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); + ptr = ttybuf; + } + else + ptr = tty; + + if (setfilecon(ptr, context) && errno != ENOENT) + { + pam_syslog(pamh, LOG_NOTICE, + "Warning! Could not relabel %s with %s, not relabeling: %m", + ptr, context); + } +} + +static security_context_t +security_label_tty(pam_handle_t *pamh, char *tty, + security_context_t usercon) +{ + char ttybuf[PATH_MAX]; + int status=0; + security_context_t newdev_context=NULL; /* The new context of a device */ + security_context_t prev_context=NULL; /* The new context of a device */ + const char *ptr; + + if(strncmp("/dev/", tty, 5)) + { + snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); + ptr = ttybuf; + } + else + ptr = tty; + + if (getfilecon(ptr, &prev_context) < 0) + { + if(errno != ENOENT) + pam_syslog(pamh, LOG_NOTICE, + "Warning! Could not get current context for %s, not relabeling: %m", + ptr); + return NULL; + } + if( security_compute_relabel(usercon,prev_context,SECCLASS_CHR_FILE, + &newdev_context)!=0) + { + pam_syslog(pamh, LOG_NOTICE, + "Warning! Could not get new context for %s, not relabeling: %m", + ptr); + pam_syslog(pamh, LOG_NOTICE, + "usercon=%s, prev_context=%s", usercon, prev_context); + freecon(prev_context); + return NULL; + } + status=setfilecon(ptr,newdev_context); + if (status) + { + pam_syslog(pamh, LOG_NOTICE, + "Warning! Could not relabel %s with %s, not relabeling: %m", + ptr,newdev_context); + freecon(prev_context); + prev_context=NULL; + } + freecon(newdev_context); + return prev_context; +} + +static security_context_t user_context=NULL; +static security_context_t prev_user_context=NULL; +static security_context_t ttyn_context=NULL; /* The current context of ttyn device */ +static int selinux_enabled=0; +static char *ttyn=NULL; + +/* Tell the user that access has been granted. */ +static void +verbose_message(pam_handle_t *pamh, char *msg, int debug) +{ + if (debug) + pam_syslog(pamh, LOG_NOTICE, msg); + + pam_info (pamh, "%s", msg); +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + /* Fail by default. */ + return PAM_AUTH_ERR; +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, debug = 0, ttys=1, has_tty=isatty(0); + int verbose=0, multiple=0, close_session=0; + int ret = 0; + security_context_t* contextlist = NULL; + int num_contexts = 0; + const void *username = NULL; + const void *tty = NULL; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "nottys") == 0) { + ttys = 0; + } + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + } + if (strcmp(argv[i], "multiple") == 0) { + multiple = 1; + } + if (strcmp(argv[i], "close") == 0) { + close_session = 1; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + /* this module is only supposed to execute close_session */ + if (close_session) + return PAM_SUCCESS; + + if (!(selinux_enabled = is_selinux_enabled()>0) ) + return PAM_SUCCESS; + + if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || + username == NULL) { + return PAM_USER_UNKNOWN; + } + num_contexts = get_ordered_context_list(username, 0, &contextlist); + if (num_contexts > 0) { + if (multiple && (num_contexts > 1) && has_tty) { + user_context = select_context(pamh,contextlist, debug); + freeconary(contextlist); + } else { + user_context = (security_context_t) strdup(contextlist[0]); + freeconary(contextlist); + } + } else { + if (has_tty) { + user_context = manual_context(pamh,username,debug); + if (user_context == NULL) { + pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", + (const char *)username); + return PAM_AUTH_ERR; + } + } else { + pam_syslog (pamh, LOG_ERR, + "Unable to get valid context for %s, No valid tty", + (const char *)username); + return PAM_AUTH_ERR; + } + } + if (getexeccon(&prev_user_context)<0) { + prev_user_context=NULL; + } + if (ttys) { + /* Get the name of the terminal. */ + if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS) { + tty = NULL; + } + + if ((tty == NULL) || (strlen(tty) == 0) || + strcmp(tty, "ssh") == 0 || strncmp(tty, "NODEV", 5) == 0) { + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDOUT_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDERR_FILENO); + } + } + } + if(ttys && tty ) { + ttyn=strdup(tty); + ttyn_context=security_label_tty(pamh,ttyn,user_context); + } + ret = setexeccon(user_context); + if (ret==0 && verbose) { + char msg[PATH_MAX]; + snprintf(msg, sizeof(msg), + _("Security Context %s Assigned"), user_context); + verbose_message(pamh, msg, debug); + } + if (ret) { + pam_syslog(pamh, LOG_ERR, + "Error! Unable to set %s executable context %s.", + (const char *)username, user_context); + freecon(user_context); + return PAM_AUTH_ERR; + } else { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", + (const char *)username, user_context); + } + freecon(user_context); + + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, debug = 0,status=0, open_session=0; + if (! (selinux_enabled )) + return PAM_SUCCESS; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "open") == 0) { + open_session = 1; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Close Session"); + + if (open_session) + return PAM_SUCCESS; + + if (ttyn) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Restore tty %s -> %s", + ttyn,ttyn_context); + + security_restorelabel_tty(pamh,ttyn,ttyn_context); + freecon(ttyn_context); + free(ttyn); + ttyn=NULL; + } + status=setexeccon(prev_user_context); + freecon(prev_user_context); + if (status) { + pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", + prev_user_context); + return PAM_AUTH_ERR; + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal"); + + return PAM_SUCCESS; +} diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux_check.8 b/Linux-PAM/modules/pam_selinux/pam_selinux_check.8 new file mode 100644 index 00000000..d6fcdff1 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/pam_selinux_check.8 @@ -0,0 +1,35 @@ +.TH pam_selinux_check 8 2002/05/23 "Red Hat Linux" "System Administrator's Manual" +.SH NAME +pam_selinux_check \- login program to test pam_selinux.so +.SH SYNOPSIS +.B pam_selinux_check [user] +.br + +.SH DESCRIPTION +With no arguments, +.B pam_selinux_check +will prompt for user + +.SH OPTIONS +.IP target_user +The user to login as. + +.SH DIAGNOSTICS +You must setup a /etc/pam.d/pam_selinux_check file, in order for the check to work. + +When checking if a selinux is valid, +.B pam_selinux_check +returns an exit code of 0 for success and > 0 on error: + +.nf +1: Authentication failure +.fi + +.SH SEE ALSO +pam_selinux(8) + +.SH BUGS +Let's hope not, but if you find any, please email the author. + +.SH AUTHOR +Dan Walsh <dwalsh@redhat.com> diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux_check.c b/Linux-PAM/modules/pam_selinux/pam_selinux_check.c new file mode 100644 index 00000000..30526d37 --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/pam_selinux_check.c @@ -0,0 +1,161 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default security context after login + * via PAM. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Dan Walsh <dwalsh@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/************************************************************************ + * + * All PAM code goes in this section. + * + ************************************************************************/ + +#include "config.h" + +#include <errno.h> +#include <syslog.h> +#include <unistd.h> /* for getuid(), exit(), getopt() */ +#include <signal.h> +#include <sys/wait.h> /* for wait() */ + +#include <security/pam_appl.h> /* for PAM functions */ +#include <security/pam_misc.h> /* for misc_conv PAM utility function */ + +#define SERVICE_NAME "pam_selinux_check" /* the name of this program for PAM */ + /* The file containing the context to run + * the scripts under. */ +int authenticate_via_pam( const char *user , pam_handle_t **pamh); + +/* authenticate_via_pam() + * + * in: user + * out: nothing + * return: value condition + * ----- --------- + * 1 pam thinks that the user authenticated themselves properly + * 0 otherwise + * + * this function uses pam to authenticate the user running this + * program. this is the only function in this program that makes pam + * calls. + * + */ + +int authenticate_via_pam( const char *user , pam_handle_t **pamh) { + + struct pam_conv *conv; + int result = 0; /* our result, set to 0 (not authenticated) by default */ + + /* this is a jump table of functions for pam to use when it wants to * + * communicate with the user. we'll be using misc_conv(), which is * + * provided for us via pam_misc.h. */ + struct pam_conv pam_conversation = { + misc_conv, + NULL + }; + conv = &pam_conversation; + + + /* make `p_pam_handle' a valid pam handle so we can use it when * + * calling pam functions. */ + if( PAM_SUCCESS != pam_start( SERVICE_NAME, + user, + conv, + pamh ) ) { + fprintf( stderr, _("failed to initialize PAM\n") ); + exit( -1 ); + } + + if( PAM_SUCCESS != pam_set_item(*pamh, PAM_RUSER, user)) + { + fprintf( stderr, _("failed to pam_set_item()\n") ); + exit( -1 ); + } + + /* Ask PAM to authenticate the user running this program */ + if( PAM_SUCCESS == pam_authenticate(*pamh,0) ) { + if ( PAM_SUCCESS == pam_open_session(*pamh, 0) ) + result = 1; /* user authenticated OK! */ + } + return( result ); + +} /* authenticate_via_pam() */ + +int +main (int argc, char **argv) +{ + pam_handle_t *pamh; + int childPid; + + if (argc < 1) + exit (-1); + + if (!authenticate_via_pam(argv[1],&pamh)) + exit(-1); + + childPid = fork(); + if (childPid < 0) { + /* error in fork() */ + fprintf(stderr, _("login: failure forking: %m")); + pam_close_session(pamh, 0); + /* We're done with PAM. Free `pam_handle'. */ + pam_end( pamh, PAM_SUCCESS ); + exit(0); + } + if (childPid) { + close(0); close(1); close(2); + struct sigaction sa; + memset(&sa,0,sizeof(sa)); + sa.sa_handler = SIG_IGN; + sigaction(SIGQUIT, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + while(wait(NULL) == -1 && errno == EINTR) /**/ ; + openlog("login", LOG_ODELAY, LOG_AUTHPRIV); + pam_close_session(pamh, 0); + /* We're done with PAM. Free `pam_handle'. */ + pam_end( pamh, PAM_SUCCESS ); + exit(0); + } + argv[0]=strdup ("/bin/sh"); + argv[1]=NULL; + + /* NOTE: The environment has not been sanitized. LD_PRELOAD and other fun + * things could be set. */ + execv("/bin/sh",argv); + fprintf(stderr,"Failure\n"); + return 0; +} diff --git a/Linux-PAM/modules/pam_selinux/tst-pam_selinux b/Linux-PAM/modules/pam_selinux/tst-pam_selinux new file mode 100755 index 00000000..14c3d82f --- /dev/null +++ b/Linux-PAM/modules/pam_selinux/tst-pam_selinux @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_selinux.so diff --git a/Linux-PAM/modules/pam_shells/Makefile b/Linux-PAM/modules/pam_shells/Makefile deleted file mode 100644 index f1d7ff51..00000000 --- a/Linux-PAM/modules/pam_shells/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_shells - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_shells/Makefile.am b/Linux-PAM/modules/pam_shells/Makefile.am new file mode 100644 index 00000000..03ac8b15 --- /dev/null +++ b/Linux-PAM/modules/pam_shells/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_shells + +man_MANS = pam_shells.8 +XMLS = README.xml pam_shells.8.xml + +TESTS = tst-pam_shells + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_shells.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_shells.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_shells/Makefile.in b/Linux-PAM/modules/pam_shells/Makefile.in new file mode 100644 index 00000000..f8779d1a --- /dev/null +++ b/Linux-PAM/modules/pam_shells/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_shells +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_shells_la_LIBADD = +pam_shells_la_SOURCES = pam_shells.c +pam_shells_la_OBJECTS = pam_shells.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_shells.c +DIST_SOURCES = pam_shells.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_shells +man_MANS = pam_shells.8 +XMLS = README.xml pam_shells.8.xml +TESTS = tst-pam_shells +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_shells.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_shells/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_shells/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_shells.la: $(pam_shells_la_OBJECTS) $(pam_shells_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_shells_la_OBJECTS) $(pam_shells_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_shells.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_shells.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_shells/README b/Linux-PAM/modules/pam_shells/README index aa63a827..38e6484c 100644 --- a/Linux-PAM/modules/pam_shells/README +++ b/Linux-PAM/modules/pam_shells/README @@ -1,9 +1,24 @@ -pam_shells: - Authentication is granted if the users shell is listed in - /etc/shells. +pam_shells — PAM module to check for valid login shell - Also checks to make sure that /etc/shells is a plain - file and not world writable. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_shells is a PAM module that only allows access to the system if the users +shell is listed in /etc/shells. + +It also checks if /etc/shells is a plain file and not world writable. + +OPTIONS + +This module does not recognice any options. + +EXAMPLES + +auth required pam_shells.so + + +AUTHOR + +pam_shells was written by Erik Troan <ewt@redhat.com>. - - Erik Troan <ewt@redhat.com>, Red Hat Software. - August 5, 1996. diff --git a/Linux-PAM/modules/pam_shells/README.xml b/Linux-PAM/modules/pam_shells/README.xml new file mode 100644 index 00000000..154b97b5 --- /dev/null +++ b/Linux-PAM/modules/pam_shells/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_shells.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_shells.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_shells-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_shells/pam_shells.8 b/Linux-PAM/modules/pam_shells/pam_shells.8 new file mode 100644 index 00000000..f41a1ed4 --- /dev/null +++ b/Linux-PAM/modules/pam_shells/pam_shells.8 @@ -0,0 +1,59 @@ +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "PAM_SHELLS" "8" "06/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_shells \- PAM module to check for valid login shell +.SH "SYNOPSIS" +.HP 14 +\fBpam_shells.so\fR +.SH "DESCRIPTION" +.PP +pam_shells is a PAM module that only allows access to the system if the users shell is listed in +\fI/etc/shells\fR. +.PP +It also checks if +\fI/etc/shells\fR +is a plain file and not world writable. +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR +and +\fBaccount\fR +are supported. +.SH "RETURN VALUES" +.TP +PAM_AUTH_ERR +Access to the system was denied. +.TP +PAM_SUCCESS +The users login shell was listed as valid shell in +\fI/etc/shells\fR. +.TP +PAM_SERVICE_ERR +The module was not able to get the name of the user. +.SH "EXAMPLES" +.PP +.nf +auth required pam_shells.so + +.fi +.sp +.SH "SEE ALSO" +.PP +\fBshells\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_shells was written by Erik Troan <ewt@redhat.com>. diff --git a/Linux-PAM/modules/pam_shells/pam_shells.8.xml b/Linux-PAM/modules/pam_shells/pam_shells.8.xml new file mode 100644 index 00000000..604e3572 --- /dev/null +++ b/Linux-PAM/modules/pam_shells/pam_shells.8.xml @@ -0,0 +1,117 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_shells"> + + <refmeta> + <refentrytitle>pam_shells</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_shells-name"> + <refname>pam_shells</refname> + <refpurpose>PAM module to check for valid login shell</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_shells-cmdsynopsis"> + <command>pam_shells.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_shells-description"> + + <title>DESCRIPTION</title> + + <para> + pam_shells is a PAM module that only allows access to the + system if the users shell is listed in <filename>/etc/shells</filename>. + </para> + <para> + It also checks if <filename>/etc/shells</filename> is a plain + file and not world writable. + </para> + </refsect1> + + <refsect1 id="pam_shells-options"> + + <title>OPTIONS</title> + <para> This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_shells-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option> and <option>account</option> + are supported. + </para> + </refsect1> + + <refsect1 id='pam_shells-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Access to the system was denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The users login shell was listed as valid shell in + <filename>/etc/shells</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + The module was not able to get the name of the user. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_shells-examples'> + <title>EXAMPLES</title> + <para> + <programlisting> +auth required pam_shells.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_shells-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>shells</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_shells-author'> + <title>AUTHOR</title> + <para> + pam_shells was written by Erik Troan <ewt@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_shells/pam_shells.c b/Linux-PAM/modules/pam_shells/pam_shells.c index 64359eac..89fc297e 100644 --- a/Linux-PAM/modules/pam_shells/pam_shells.c +++ b/Linux-PAM/modules/pam_shells/pam_shells.c @@ -8,7 +8,7 @@ * This code shamelessly ripped from the pam_securetty module. */ -#define _BSD_SOURCE +#include "config.h" #include <pwd.h> #include <stdarg.h> @@ -31,22 +31,10 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-shells", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static int perform_check(pam_handle_t *pamh, int flags) +static int perform_check(pam_handle_t *pamh) { int retval = PAM_AUTH_ERR; const char *userName; @@ -73,28 +61,27 @@ static int perform_check(pam_handle_t *pamh, int flags) return PAM_SERVICE_ERR; } - pw = _pammodutil_getpwnam(pamh, userName); + pw = pam_modutil_getpwnam(pamh, userName); if (!pw) { return PAM_AUTH_ERR; /* user doesn't exist */ } userShell = pw->pw_shell; if (stat(SHELL_FILE,&sb)) { - _pam_log(LOG_ERR, "%s cannot be stat'd (it probably does not exist)", - SHELL_FILE); + pam_syslog(pamh, LOG_ERR, "Cannot stat %s: %m", SHELL_FILE); return PAM_AUTH_ERR; /* must have /etc/shells */ } if ((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { - _pam_log(LOG_ERR, "%s is either world writable or not a normal file", - SHELL_FILE); + pam_syslog(pamh, LOG_ERR, + "%s is either world writable or not a normal file", + SHELL_FILE); return PAM_AUTH_ERR; } shellFile = fopen(SHELL_FILE,"r"); if (shellFile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening %s", SHELL_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SHELL_FILE); return PAM_SERVICE_ERR; } @@ -118,14 +105,15 @@ static int perform_check(pam_handle_t *pamh, int flags) /* --- authentication management functions (only) --- */ PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return perform_check(pamh, flags); + return perform_check(pamh); } PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,const char **argv) +int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } @@ -133,10 +121,10 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,const char **argv) /* --- account management functions (only) --- */ PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return perform_check(pamh, flags); + return perform_check(pamh); } #ifdef PAM_STATIC diff --git a/Linux-PAM/modules/pam_shells/tst-pam_shells b/Linux-PAM/modules/pam_shells/tst-pam_shells new file mode 100755 index 00000000..dccc33d0 --- /dev/null +++ b/Linux-PAM/modules/pam_shells/tst-pam_shells @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_shells.so diff --git a/Linux-PAM/modules/pam_stress/Makefile b/Linux-PAM/modules/pam_stress/Makefile deleted file mode 100644 index 3512c853..00000000 --- a/Linux-PAM/modules/pam_stress/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_stress - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_stress/Makefile.am b/Linux-PAM/modules/pam_stress/Makefile.am new file mode 100644 index 00000000..64fe516f --- /dev/null +++ b/Linux-PAM/modules/pam_stress/Makefile.am @@ -0,0 +1,20 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README tst-pam_stress + +TESTS = tst-pam_stress + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif +securelib_LTLIBRARIES = pam_stress.la diff --git a/Linux-PAM/modules/pam_stress/Makefile.in b/Linux-PAM/modules/pam_stress/Makefile.in new file mode 100644 index 00000000..d1dca7bc --- /dev/null +++ b/Linux-PAM/modules/pam_stress/Makefile.in @@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_stress +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_stress_la_LIBADD = +pam_stress_la_SOURCES = pam_stress.c +pam_stress_la_OBJECTS = pam_stress.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_stress.c +DIST_SOURCES = pam_stress.c +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README tst-pam_stress +TESTS = tst-pam_stress +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_stress.la +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_stress/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_stress/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_stress.la: $(pam_stress_la_OBJECTS) $(pam_stress_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_stress_la_OBJECTS) $(pam_stress_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_stress.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-securelibLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-securelibLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_stress/pam_stress.c b/Linux-PAM/modules/pam_stress/pam_stress.c index 2d361c3e..c254868f 100644 --- a/Linux-PAM/modules/pam_stress/pam_stress.c +++ b/Linux-PAM/modules/pam_stress/pam_stress.c @@ -1,11 +1,10 @@ -/* pam_stress module */ - -/* $Id: pam_stress.c,v 1.4 2004/09/22 09:37:50 kukuk Exp $ +/* + * pam_stress module * * created by Andrew Morgan <morgan@linux.kernel.org> 1996/3/12 */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdlib.h> #include <stdio.h> @@ -30,20 +29,7 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> - - -/* log errors */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-stress", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_ext.h> /* ---------- */ @@ -68,22 +54,24 @@ static void _pam_log(int err, const char *format, ...) /* some syslogging */ -static void _pam_report(int ctrl, const char *name, int flags, - int argc, const char **argv) +static void +_pam_report (const pam_handle_t *pamh, int ctrl, const char *name, + int flags, int argc, const char **argv) { if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG, "CALLED: %s", name); - _pam_log(LOG_DEBUG, "FLAGS : 0%o%s", flags, - (flags & PAM_SILENT) ? " (silent)":""); - _pam_log(LOG_DEBUG, "CTRL = 0%o",ctrl); - _pam_log(LOG_DEBUG, "ARGV :"); + pam_syslog(pamh, LOG_DEBUG, "CALLED: %s", name); + pam_syslog(pamh, LOG_DEBUG, "FLAGS : 0%o%s", + flags, (flags & PAM_SILENT) ? " (silent)":""); + pam_syslog(pamh, LOG_DEBUG, "CTRL = 0%o", ctrl); + pam_syslog(pamh, LOG_DEBUG, "ARGV :"); while (argc--) { - _pam_log(LOG_DEBUG, " \"%s\"", *argv++); + pam_syslog(pamh, LOG_DEBUG, " \"%s\"", *argv++); } } } -static int _pam_parse(int argc, const char **argv) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { int ctrl=0; @@ -120,7 +108,7 @@ static int _pam_parse(int argc, const char **argv) ctrl |= PAM_ST_REQUIRE_PWD; else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -132,18 +120,20 @@ static int converse(pam_handle_t *pamh, int nargs , struct pam_response **response) { int retval; - struct pam_conv *conv; + const void *void_conv; + const struct pam_conv *conv; - retval = pam_get_item(pamh,PAM_CONV,(const void **)&conv); + retval = pam_get_item(pamh,PAM_CONV,&void_conv); + conv = void_conv; if (retval == PAM_SUCCESS && conv) { retval = conv->conv(nargs, (const struct pam_message **) message , response, conv->appdata_ptr); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR,"(pam_stress) converse returned %d",retval); - _pam_log(LOG_ERR,"that is: %s",pam_strerror(pamh, retval)); + pam_syslog(pamh, LOG_ERR, "converse returned %d: %s", + retval, pam_strerror(pamh, retval)); } } else { - _pam_log(LOG_ERR,"(pam_stress) converse failed to get pam_conv"); + pam_syslog(pamh, LOG_ERR, "converse failed to get pam_conv"); if (retval == PAM_SUCCESS) retval = PAM_BAD_ITEM; /* conv was null */ } @@ -156,16 +146,17 @@ static int converse(pam_handle_t *pamh, int nargs static int stress_get_password(pam_handle_t *pamh, int flags , int ctrl, char **password) { + const void *pam_pass; char *pass; if ( (ctrl & (PAM_ST_TRY_PASS1|PAM_ST_USE_PASS1)) - && (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass) + && (pam_get_item(pamh,PAM_AUTHTOK,&pam_pass) == PAM_SUCCESS) - && (pass != NULL) ) { - if ((pass = strdup(pass)) == NULL) + && (pam_pass != NULL) ) { + if ((pass = strdup(pam_pass)) == NULL) return PAM_BUF_ERR; } else if ((ctrl & PAM_ST_USE_PASS1)) { - _pam_log(LOG_WARNING, "pam_stress: no forwarded password"); + pam_syslog(pamh, LOG_WARNING, "no forwarded password"); return PAM_PERM_DENIED; } else { /* we will have to get one */ struct pam_message msg[1],*pmsg[1]; @@ -185,8 +176,8 @@ static int stress_get_password(pam_handle_t *pamh, int flags if (resp) { if ((resp[0].resp == NULL) && (ctrl & PAM_ST_DEBUG)) { - _pam_log(LOG_DEBUG, - "pam_sm_authenticate: NULL authtok given"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_authenticate: NULL authtok given"); } if ((flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL) { @@ -197,9 +188,13 @@ static int stress_get_password(pam_handle_t *pamh, int flags pass = resp[0].resp; /* remember this! */ resp[0].resp = NULL; - } else if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_authenticate: no error reported"); - _pam_log(LOG_DEBUG,"getting password, but NULL returned!?"); + } else { + if (ctrl & PAM_ST_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_authenticate: no error reported"); + pam_syslog(pamh, LOG_DEBUG, + "getting password, but NULL returned!?"); + } return PAM_CONV_ERR; } if (resp) @@ -213,7 +208,8 @@ static int stress_get_password(pam_handle_t *pamh, int flags /* function to clean up data items */ -static void wipe_up(pam_handle_t *pamh, void *data, int error) +static void +wipe_up (pam_handle_t *pamh UNUSED, void *data, int error UNUSED) { free(data); } @@ -229,28 +225,30 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, D(("called.")); - ctrl = _pam_parse(argc,argv); - _pam_report(ctrl, "pam_sm_authenticate", flags, argc, argv); + ctrl = _pam_parse(pamh, argc, argv); + _pam_report(pamh, ctrl, "pam_sm_authenticate", flags, argc, argv); /* try to get the username */ retval = pam_get_user(pamh, &username, "username: "); if (retval != PAM_SUCCESS || !username) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: failed to get username"); + pam_syslog(pamh, LOG_WARNING, + "pam_sm_authenticate: failed to get username"); if (retval == PAM_SUCCESS) retval = PAM_USER_UNKNOWN; /* username was null */ return retval; } else if ((ctrl & PAM_ST_DEBUG) && (retval == PAM_SUCCESS)) { - _pam_log(LOG_DEBUG, "pam_sm_authenticate: username = %s", username); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_authenticate: username = %s", username); } /* now get the password */ retval = stress_get_password(pamh,flags,ctrl,&pass); if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: " - "failed to get a password"); + pam_syslog(pamh, LOG_WARNING, + "pam_sm_authenticate: failed to get a password"); return retval; } @@ -261,18 +259,19 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, free(pass); pass = NULL; if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: " - "failed to store new password"); + pam_syslog(pamh, LOG_WARNING, + "pam_sm_authenticate: failed to store new password"); return retval; } /* if we are debugging then we print the password */ if (ctrl & PAM_ST_DEBUG) { - (void) pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass); - _pam_log(LOG_DEBUG, - "pam_st_authenticate: password entered is: [%s]\n",pass); - pass = NULL; + const void *pam_pass; + (void) pam_get_item(pamh,PAM_AUTHTOK,&pam_pass); + pam_syslog(pamh, LOG_DEBUG, + "pam_st_authenticate: password entered is: [%s]", + (const char *)pam_pass); } /* if we signal a fail for this function then fail */ @@ -287,11 +286,11 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int ctrl = _pam_parse(argc,argv); + int ctrl = _pam_parse(pamh, argc, argv); D(("called. [post parsing]")); - _pam_report(ctrl, "pam_sm_setcred", flags, argc, argv); + _pam_report(pamh, ctrl, "pam_sm_setcred", flags, argc, argv); if (ctrl & PAM_ST_FAIL_2) return PAM_CRED_ERR; @@ -305,11 +304,11 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int ctrl = _pam_parse(argc,argv); + int ctrl = _pam_parse(pamh, argc, argv); D(("called. [post parsing]")); - _pam_report(ctrl,"pam_sm_acct_mgmt", flags, argc, argv); + _pam_report(pamh, ctrl,"pam_sm_acct_mgmt", flags, argc, argv); if (ctrl & PAM_ST_FAIL_1) return PAM_PERM_DENIED; @@ -320,14 +319,15 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, return PAM_BUF_ERR; retval = pam_set_data(pamh,"stress_new_pwd",text,wipe_up); if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG, - "pam_sm_acct_mgmt: failed setting stress_new_pwd"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_acct_mgmt: failed setting stress_new_pwd"); free(text); return retval; } if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_acct_mgmt: need a new password"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_acct_mgmt: need a new password"); } return PAM_NEW_AUTHTOK_REQD; } @@ -339,23 +339,23 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { - char *username,*service; - int ctrl = _pam_parse(argc,argv); + const void *username, *service; + int ctrl = _pam_parse(pamh, argc, argv); D(("called. [post parsing]")); - _pam_report(ctrl,"pam_sm_open_session", flags, argc, argv); + _pam_report(pamh, ctrl,"pam_sm_open_session", flags, argc, argv); - if ((pam_get_item(pamh, PAM_USER, (const void **) &username) + if ((pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || !username) - || (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) + || (pam_get_item(pamh, PAM_SERVICE, &service) != PAM_SUCCESS || !service)) { - _pam_log(LOG_WARNING,"pam_sm_open_session: for whom?"); + pam_syslog(pamh, LOG_WARNING, "pam_sm_open_session: for whom?"); return PAM_SESSION_ERR; } - _pam_log(LOG_NOTICE,"pam_stress: opened [%s] session for user [%s]" - , service, username); + pam_syslog(pamh, LOG_NOTICE, "opened [%s] session for user [%s]", + (const char *)service, (const char *)username); if (ctrl & PAM_ST_FAIL_1) return PAM_SESSION_ERR; @@ -367,23 +367,23 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { - const char *username,*service; - int ctrl = _pam_parse(argc,argv); + const void *username, *service; + int ctrl = _pam_parse(pamh, argc, argv); D(("called. [post parsing]")); - _pam_report(ctrl,"pam_sm_close_session", flags, argc, argv); + _pam_report(pamh, ctrl,"pam_sm_close_session", flags, argc, argv); - if ((pam_get_item(pamh, PAM_USER, (const void **)&username) + if ((pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || !username) - || (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) + || (pam_get_item(pamh, PAM_SERVICE, &service) != PAM_SUCCESS || !service)) { - _pam_log(LOG_WARNING,"pam_sm_close_session: for whom?"); + pam_syslog(pamh, LOG_WARNING, "pam_sm_close_session: for whom?"); return PAM_SESSION_ERR; } - _pam_log(LOG_NOTICE,"pam_stress: closed [%s] session for user [%s]" - , service, username); + pam_syslog(pamh, LOG_NOTICE, "closed [%s] session for user [%s]", + (const char *)service, (const char *)username); if (ctrl & PAM_ST_FAIL_2) return PAM_SESSION_ERR; @@ -396,17 +396,17 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval; - int ctrl = _pam_parse(argc,argv); + int ctrl = _pam_parse(pamh, argc, argv); D(("called. [post parsing]")); - _pam_report(ctrl,"pam_sm_chauthtok", flags, argc, argv); + _pam_report(pamh, ctrl,"pam_sm_chauthtok", flags, argc, argv); /* this function should be called twice by the Linux-PAM library */ if (flags & PAM_PRELIM_CHECK) { /* first call */ if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: prelim check"); + pam_syslog(pamh, LOG_DEBUG, "pam_sm_chauthtok: prelim check"); } if (ctrl & PAM_ST_PRELIM) return PAM_TRY_AGAIN; @@ -415,12 +415,12 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, } else if (flags & PAM_UPDATE_AUTHTOK) { /* second call */ struct pam_message msg[3],*pmsg[3]; struct pam_response *resp; - const char *text; + const void *text; char *txt=NULL; int i; if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: alter password"); + pam_syslog(pamh, LOG_DEBUG, "pam_sm_chauthtok: alter password"); } if (ctrl & PAM_ST_FAIL_1) @@ -428,7 +428,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if ( !(ctrl && PAM_ST_EXPIRED) && (flags & PAM_CHANGE_EXPIRED_AUTHTOK) - && (pam_get_data(pamh,"stress_new_pwd",(const void **)&text) + && (pam_get_data(pamh,"stress_new_pwd", &text) != PAM_SUCCESS || strcmp(text,"yes"))) { return PAM_SUCCESS; /* the token has not expired */ } @@ -441,13 +441,13 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, char *pass; if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: getting old password"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_chauthtok: getting old password"); } retval = stress_get_password(pamh,flags,ctrl,&pass); if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: no password obtained"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_chauthtok: no password obtained"); return retval; } retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass); @@ -455,8 +455,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, free(pass); pass = NULL; if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: could not set OLDAUTHTOK"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_chauthtok: could not set OLDAUTHTOK"); return retval; } } @@ -464,21 +464,21 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, /* set up for conversation */ if (!(flags & PAM_SILENT)) { - char *username; + const void *username; - if ( pam_get_item(pamh, PAM_USER, (const void **)&username) + if ( pam_get_item(pamh, PAM_USER, &username) || username == NULL ) { - _pam_log(LOG_ERR,"no username set"); + pam_syslog(pamh, LOG_ERR, "no username set"); return PAM_USER_UNKNOWN; } pmsg[0] = &msg[0]; msg[0].msg_style = PAM_TEXT_INFO; -#define _LOCAL_STRESS_COMMENT "Changing STRESS password for " - txt = (char *) malloc(sizeof(_LOCAL_STRESS_COMMENT) - +strlen(username)+1); - strcpy(txt, _LOCAL_STRESS_COMMENT); -#undef _LOCAL_STRESS_COMMENT - strcat(txt, username); + if (asprintf(&txt, _("Changing STRESS password for %s."), + (const char *)username) < 0) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + return PAM_BUF_ERR; + } + msg[0].msg = txt; i = 1; } else { @@ -487,10 +487,10 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = "Enter new STRESS password: "; + msg[i++].msg = _("Enter new STRESS password: "); pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = "Retype new STRESS password: "; + msg[i++].msg = _("Retype new STRESS password: "); resp = NULL; retval = converse(pamh,i,pmsg,&resp); @@ -503,7 +503,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, } if (resp == NULL) { - _pam_log(LOG_ERR, "pam_sm_chauthtok: no response from conv"); + pam_syslog(pamh, LOG_ERR, + "pam_sm_chauthtok: no response from conv"); return PAM_CONV_ERR; } @@ -518,8 +519,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) { pmsg[0] = &msg[0]; msg[0].msg_style = PAM_ERROR_MSG; - msg[0].msg = "Verification mis-typed; " - "password unchanged"; + msg[0].msg = _("Verification mis-typed; " + "password unchanged"); resp = NULL; (void) converse(pamh,1,pmsg,&resp); if (resp) { @@ -529,20 +530,22 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, return PAM_AUTHTOK_ERR; } - if (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&text) + if (pam_get_item(pamh,PAM_AUTHTOK,&text) == PAM_SUCCESS) { (void) pam_set_item(pamh,PAM_OLDAUTHTOK,text); text = NULL; } (void) pam_set_item(pamh,PAM_AUTHTOK,resp[0].resp); } else { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: problem with resp"); + pam_syslog(pamh, LOG_DEBUG, + "pam_sm_chauthtok: problem with resp"); retval = PAM_SYSTEM_ERR; } _pam_drop_reply(resp, i); /* clean up the passwords */ } else { - _pam_log(LOG_ERR,"pam_sm_chauthtok: this must be a Linux-PAM error"); + pam_syslog(pamh, LOG_ERR, + "pam_sm_chauthtok: this must be a Linux-PAM error"); return PAM_SYSTEM_ERR; } diff --git a/Linux-PAM/modules/pam_stress/tst-pam_stress b/Linux-PAM/modules/pam_stress/tst-pam_stress new file mode 100755 index 00000000..24be7560 --- /dev/null +++ b/Linux-PAM/modules/pam_stress/tst-pam_stress @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_stress.so diff --git a/Linux-PAM/modules/pam_succeed_if/Makefile b/Linux-PAM/modules/pam_succeed_if/Makefile deleted file mode 100644 index cea9be3b..00000000 --- a/Linux-PAM/modules/pam_succeed_if/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -# -# $Id: Makefile,v 1.1 2004/09/24 11:42:39 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_succeed_if -MAN8=$(TITLE).8 - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_succeed_if/Makefile.am b/Linux-PAM/modules/pam_succeed_if/Makefile.am new file mode 100644 index 00000000..d97f4c1d --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if + +TESTS = tst-pam_succeed_if + +man_MANS = pam_succeed_if.8 + +XMLS = README.xml pam_succeed_if.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_succeed_if.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_succeed_if.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/Linux-PAM/modules/pam_succeed_if/Makefile.in b/Linux-PAM/modules/pam_succeed_if/Makefile.in new file mode 100644 index 00000000..a5090537 --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_succeed_if +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_succeed_if_la_LIBADD = +pam_succeed_if_la_SOURCES = pam_succeed_if.c +pam_succeed_if_la_OBJECTS = pam_succeed_if.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_succeed_if.c +DIST_SOURCES = pam_succeed_if.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if +TESTS = tst-pam_succeed_if +man_MANS = pam_succeed_if.8 +XMLS = README.xml pam_succeed_if.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_succeed_if.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_succeed_if.la: $(pam_succeed_if_la_OBJECTS) $(pam_succeed_if_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_succeed_if_la_OBJECTS) $(pam_succeed_if_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_succeed_if.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_succeed_if.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_succeed_if/README b/Linux-PAM/modules/pam_succeed_if/README index fdb278ef..4516a9d1 100644 --- a/Linux-PAM/modules/pam_succeed_if/README +++ b/Linux-PAM/modules/pam_succeed_if/README @@ -1,68 +1,124 @@ -pam_succeed_if: - Succeed or fail based on account characteristics. - - pam_succeed_if.so is designed to succeed or fail authentication based - on characteristics of the account belonging to the user being - authenticated. - - The module can be given one or more conditions as module arguments, and - authentication will succeed only if all of the conditions are met. - - Conditions are expressed in the form - - ATTRIBUTE OPERATOR VALUE - - Recognized attributes: - - LOGIN - The user's login name. - UID - The user's UID. - GID - The user's primary GID. - SHELL - The user's shell. - HOME - The user's home directory. - - Recognized operators: - - < - Arithmetic less-than. - <= - Arithmetic less-than-or-equal-to. - > - Arithmetic greater-than. - >= - Arithmetic greater-than-or-equal-to. - eq - Arithmetic equality. - = - String equality. - ne - Arithmetic inequality. - != - String inequality. - =~ - Wildcard match. - !~ - Wildcard mismatch. - ingroup - Group membership check. [*] - notingroup - Group non-membership check. [*] - - * The "ingroup" and "notingroup" operators should only be - used with the USER attribute. - - Examples: - - Deny authentication to all users except those in the wheel - group, before even asking for a password: - auth requisite pam_succeed_if.so user ingroup wheel - - Assume all users with UID less than 500 ("system users") have - valid accounts. - account sufficient pam_succeed_if.so uid < 500 - - Deny login to all nologin users. - auth requisite pam_succeed_if.so shell !~ nologin - -RECOGNIZED ARGUMENTS: - debug write debugging messages to syslog - use_uid perform checks on the account of the user under whose - UID the application is running instead of the user - being authenticated - quiet don't log failure or success to syslog - quiet_fail don't log failure to syslog - quiet_success don't log success to syslog - - -MODULE SERVICES PROVIDED: - authentication, account management - -AUTHOR: - Nalin Dahyabhai <nalin@redhat.com> +pam_succeed_if — test account characteristics + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_succeed_if.so is designed to succeed or fail authentication based on +characteristics of the account belonging to the user being authenticated. One +use is to select whether to load other modules based on this test. + +The module should be given one or more conditions as module arguments, and +authentication will succeed only if all of the conditions are met. + +OPTIONS + +The following flags are supported: + +debug + + Turns on debugging messages sent to syslog. + +use_uid + + Evaluate conditions using the account of the user whose UID the application + is running under instead of the user being authenticated. + +quiet + + Don't log failure or success to the system log. + +quiet_fail + + Don't log failure to the system log. + +quiet_success + + Don't log success to the system log. + +Conditions are three words: a field, a test, and a value to test for. + +Available fields are user, uid, gid, shell, home and service: + +field < number + + Field has a value numerically less than number. + +field <= number + + Field has a value numerically less than or equal to number. + +field eq number + + Field has a value numerically less equal to number. + +field >= number + + Field has a value numerically greater than or equal to number. + +field > number + + Field has a value numerically greater than number. + +field ne number + + Field has a value numerically different from number. + +field = string + + Field exactly matches the given string. + +field != string + + Field does not match the given string. + +field =~ glob + + Field matches the given glob. + +field !~ glob + + Field does not match the given glob. + +field in item:item:... + + Field is contained in the list of items separated by colons. + +field notin item:item:... + + Field is not contained in the list of items separated by colons. + +user ingroup group + + User is in given group. + +user notingroup group + + User is not in given group. + +user innetgr netgroup + + (user,host) is in given netgroup. + +user notinnetgr group + + (user,host) is not in given netgroup. + +EXAMPLES + +To emulate the behaviour of pam_wheel, except there is no fallback to group 0: + +auth required pam_succeed_if.so quiet user ingroup wheel + + +Given that the type matches, only loads the othermodule rule if the UID is over +500. Adjust the number after default to skip several rules. + +type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 +type required othermodule.so arguments... + + +AUTHOR + +Nalin Dahyabhai <nalin@redhat.com> + diff --git a/Linux-PAM/modules/pam_succeed_if/README.xml b/Linux-PAM/modules/pam_succeed_if/README.xml new file mode 100644 index 00000000..c52f00a0 --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_succeed_if.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_succeed_if-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8 b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8 index da95a033..30af456c 100644 --- a/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8 +++ b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8 @@ -1,37 +1,143 @@ -.\" Copyright 2003, 2004 Red Hat, Inc. -.\" Written by Nalin Dahyabhai <nalin@redhat.com> -.TH pam_succeed_if 8 2004/12/27 "Linux-PAM" "System Administrator's Manual" - -.SH NAME -pam_succeed_if \- succeed or fail based on account characteristics - -.SH SYNOPSIS -.B account sufficient pam_succeed_if.so uid < 500 - -.SH DESCRIPTION -pam_succeed_if.so is designed to succeed or fail authentication based on -characteristics of the account belonging to the user being authenticated. - -The module can be given one or more conditions as module arguments, and -authentication will succeed only if all of the conditions are met. - -.SH ARGUMENTS -.IP debug +.\" Title: pam_succeed_if +.\" Author: +.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 <http://docbook.sf.net/> +.\" Date: 08/31/2006 +.\" Manual: Linux\-PAM +.\" Source: Linux\-PAM +.\" +.TH "PAM_SUCCEED_IF" "8" "08/31/2006" "Linux\-PAM" "Linux\-PAM" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_succeed_if \- test account characteristics +.SH "SYNOPSIS" +.HP 18 +\fBpam_succeed_if.so\fR [\fIflag\fR...] [\fIcondition\fR...] +.SH "DESCRIPTION" +.PP +pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated. One use is to select whether to load other modules based on this test. +.PP +The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. +.SH "OPTIONS" +.PP +The following +\fIflag\fRs are supported: +.TP 3n +\fBdebug\fR Turns on debugging messages sent to syslog. -.IP use_uid -Evaluate conditions using the account of the user whose UID the application -is running under instead of the user being authenticated. -.IP quiet +.TP 3n +\fBuse_uid\fR +Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated. +.TP 3n +\fBquiet\fR Don't log failure or success to the system log. -.IP quiet_fail +.TP 3n +\fBquiet_fail\fR Don't log failure to the system log. -.IP quiet_success +.TP 3n +\fBquiet_success\fR Don't log success to the system log. +.PP +\fICondition\fRs are three words: a field, a test, and a value to test for. +.PP +Available fields are +\fIuser\fR, +\fIuid\fR, +\fIgid\fR, +\fIshell\fR, +\fIhome\fR +and +\fIservice\fR: +.TP 3n +\fBfield < number\fR +Field has a value numerically less than number. +.TP 3n +\fBfield <= number\fR +Field has a value numerically less than or equal to number. +.TP 3n +\fBfield eq number\fR +Field has a value numerically less equal to number. +.TP 3n +\fBfield >= number\fR +Field has a value numerically greater than or equal to number. +.TP 3n +\fBfield > number\fR +Field has a value numerically greater than number. +.TP 3n +\fBfield ne number\fR +Field has a value numerically different from number. +.TP 3n +\fBfield = string\fR +Field exactly matches the given string. +.TP 3n +\fBfield != string\fR +Field does not match the given string. +.TP 3n +\fBfield =~ glob\fR +Field matches the given glob. +.TP 3n +\fBfield !~ glob\fR +Field does not match the given glob. +.TP 3n +\fBfield in item:item:...\fR +Field is contained in the list of items separated by colons. +.TP 3n +\fBfield notin item:item:...\fR +Field is not contained in the list of items separated by colons. +.TP 3n +\fBuser ingroup group\fR +User is in given group. +.TP 3n +\fBuser notingroup group\fR +User is not in given group. +.TP 3n +\fBuser innetgr netgroup\fR +(user,host) is in given netgroup. +.TP 3n +\fBuser notinnetgr group\fR +(user,host) is not in given netgroup. +.SH "MODULE SERVICES PROVIDED" +.PP +All services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +The condition was true. +.TP 3n +PAM_AUTH_ERR +The condition was false. +.TP 3n +PAM_SERVICE_ERR +A service error occured or the arguments can't be parsed as numbers. +.SH "EXAMPLES" +.PP +To emulate the behaviour of +\fIpam_wheel\fR, except there is no fallback to group 0: +.sp +.RS 3n +.nf +auth required pam_succeed_if.so quiet user ingroup wheel + +.fi +.RE +.PP +Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. +.sp +.RS 3n +.nf +type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 +type required othermodule.so arguments... + +.fi +.RE +.SH "SEE ALSO" +.PP -.SH BUGS -Let's hope not, but if you find any, please report them via the "Bug Track" -link at http://bugzilla.redhat.com/bugzilla/ - -.SH AUTHOR +\fBglob\fR(7), +\fBpam\fR(8) +.SH "AUTHOR" +.PP Nalin Dahyabhai <nalin@redhat.com> diff --git a/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8.xml b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8.xml new file mode 100644 index 00000000..b7ad29e6 --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -0,0 +1,297 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + + +<refentry id='pam_succeed_if'> +<!-- Copyright 2003, 2004 Red Hat, Inc. --> +<!-- Written by Nalin Dahyabhai <nalin@redhat.com> --> + + <refmeta> + <refentrytitle>pam_succeed_if</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + </refmeta> + + <refnamediv id='pam_succeed_if-name'> + <refname>pam_succeed_if</refname> + <refpurpose>test account characteristics</refpurpose> + </refnamediv> + + + <refsynopsisdiv> + <cmdsynopsis id='pam_succeed_if-cmdsynopsis'> + <command>pam_succeed_if.so</command> + <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> + <arg choice='opt' rep='repeat'><replaceable>condition</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_succeed_if-description'> + <title>DESCRIPTION</title> + <para> + pam_succeed_if.so is designed to succeed or fail authentication + based on characteristics of the account belonging to the user being + authenticated. One use is to select whether to load other modules based + on this test. + </para> + + <para> + The module should be given one or more conditions as module arguments, + and authentication will succeed only if all of the conditions are met. + </para> + </refsect1> + + <refsect1 id="pam_succeed_if-options"> + <title>OPTIONS</title> + <para> + The following <emphasis>flag</emphasis>s are supported: + </para> + + <variablelist> + <varlistentry> + <term><option>debug</option></term> + <listitem> + <para>Turns on debugging messages sent to syslog.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>use_uid</option></term> + <listitem> + <para> + Evaluate conditions using the account of the user whose UID + the application is running under instead of the user being + authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet</option></term> + <listitem> + <para>Don't log failure or success to the system log.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_fail</option></term> + <listitem> + <para> + Don't log failure to the system log. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_success</option></term> + <listitem> + <para> + Don't log success to the system log. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + <emphasis>Condition</emphasis>s are three words: a field, a test, + and a value to test for. + </para> + <para> + Available fields are <emphasis>user</emphasis>, + <emphasis>uid</emphasis>, <emphasis>gid</emphasis>, + <emphasis>shell</emphasis>, <emphasis>home</emphasis> + and <emphasis>service</emphasis>: + </para> + + <variablelist> + <varlistentry> + <term><option>field < number</option></term> + <listitem> + <para>Field has a value numerically less than number.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field <= number</option></term> + <listitem> + <para> + Field has a value numerically less than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field eq number</option></term> + <listitem> + <para> + Field has a value numerically less equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field >= number</option></term> + <listitem> + <para> + Field has a value numerically greater than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field > number</option></term> + <listitem> + <para> + Field has a value numerically greater than number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field ne number</option></term> + <listitem> + <para> + Field has a value numerically different from number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field = string</option></term> + <listitem> + <para> + Field exactly matches the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field != string</option></term> + <listitem> + <para> + Field does not match the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field =~ glob</option></term> + <listitem> + <para>Field matches the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field !~ glob</option></term> + <listitem> + <para>Field does not match the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field in item:item:...</option></term> + <listitem> + <para>Field is contained in the list of items separated by colons.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field notin item:item:...</option></term> + <listitem> + <para>Field is not contained in the list of items separated by colons.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user ingroup group</option></term> + <listitem> + <para>User is in given group.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user notingroup group</option></term> + <listitem> + <para>User is not in given group.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user innetgr netgroup</option></term> + <listitem> + <para>(user,host) is in given netgroup.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user notinnetgr group</option></term> + <listitem> + <para>(user,host) is not in given netgroup.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_succeed_if-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All services are supported. + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-return_values'> + <title>RETURN VALUES</title> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The condition was true. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The condition was false. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A service error occured or the arguments can't be + parsed as numbers. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id='pam_succeed_if-examples'> + <title>EXAMPLES</title> + <para> + To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except + there is no fallback to group 0: + </para> + <programlisting> +auth required pam_succeed_if.so quiet user ingroup wheel + </programlisting> + + <para> + Given that the type matches, only loads the othermodule rule if + the UID is over 500. Adjust the number after default to skip + several rules. + </para> + <programlisting> +type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 +type required othermodule.so arguments... + </programlisting> + </refsect1> + + <refsect1 id='pam_succeed_if-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-author'> + <title>AUTHOR</title> + <para>Nalin Dahyabhai <nalin@redhat.com></para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.c b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.c index 23974afa..4f33ba2e 100644 --- a/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.c +++ b/Linux-PAM/modules/pam_succeed_if/pam_succeed_if.c @@ -37,7 +37,7 @@ * */ -#define _GNU_SOURCE +#include "config.h" #include <sys/types.h> #include <errno.h> @@ -52,34 +52,23 @@ #include <unistd.h> #include <pwd.h> #include <grp.h> -#include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <netdb.h> -#define MODULE "pam_succeed_if" +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD -static void -log_error(int priority, const char *fmt, ...) -{ - va_list va; - char *fmt2; - fmt2 = malloc(strlen(fmt) + strlen(MODULE) + 3); - va_start(va, fmt); - if (fmt2 == NULL) { - vsyslog(LOG_AUTHPRIV | priority, fmt, va); - } else { - snprintf(fmt2, strlen(fmt) + strlen(MODULE) + 3, - "%s: %s", MODULE, fmt); - vsyslog(LOG_AUTHPRIV | priority, fmt2, va); - free(fmt2); - } - va_end(va); -} +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* Basically, run cmp(atol(left), atol(right)), returning PAM_SUCCESS if * the function returns non-zero, PAM_AUTH_ERR if it returns zero, and - * PAM_SYSTEM_ERR if the arguments can't be parsed as numbers. */ + * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */ static int -evaluate_num(const char *left, const char *right, int (*cmp)(int, int)) +evaluate_num(const pam_handle_t *pamh, const char *left, + const char *right, int (*cmp)(int, int)) { long l, r; char *p; @@ -88,20 +77,20 @@ evaluate_num(const char *left, const char *right, int (*cmp)(int, int)) errno = 0; l = strtol(left, &p, 0); if ((p == NULL) || (*p != '\0') || errno) { - log_error(LOG_INFO, "\"%s\" is not a number", left); + pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left); ret = PAM_SERVICE_ERR; } r = strtol(right, &p, 0); if ((p == NULL) || (*p != '\0') || errno) { - log_error(LOG_INFO, "\"%s\" is not a number", right); + pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right); ret = PAM_SERVICE_ERR; } if (ret != PAM_SUCCESS) { return ret; } - + return cmp(l, r) ? PAM_SUCCESS : PAM_AUTH_ERR; } @@ -139,9 +128,9 @@ ge(int i, int j) /* Test for numeric equality. */ static int -evaluate_eqn(const char *left, const char *right) +evaluate_eqn(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, eq); + return evaluate_num(pamh, left, right, eq); } /* Test for string equality. */ static int @@ -151,9 +140,9 @@ evaluate_eqs(const char *left, const char *right) } /* Test for numeric inequality. */ static int -evaluate_nen(const char *left, const char *right) +evaluate_nen(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, ne); + return evaluate_num(pamh, left, right, ne); } /* Test for string inequality. */ static int @@ -163,27 +152,27 @@ evaluate_nes(const char *left, const char *right) } /* Test for numeric less-than-ness(?) */ static int -evaluate_lt(const char *left, const char *right) +evaluate_lt(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, lt); + return evaluate_num(pamh, left, right, lt); } /* Test for numeric less-than-or-equal-ness(?) */ static int -evaluate_le(const char *left, const char *right) +evaluate_le(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, le); + return evaluate_num(pamh, left, right, le); } /* Test for numeric greater-than-ness(?) */ static int -evaluate_gt(const char *left, const char *right) +evaluate_gt(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, gt); + return evaluate_num(pamh, left, right, gt); } /* Test for numeric greater-than-or-equal-ness(?) */ static int -evaluate_ge(const char *left, const char *right) +evaluate_ge(const pam_handle_t *pamh, const char *left, const char *right) { - return evaluate_num(left, right, ge); + return evaluate_num(pamh, left, right, ge); } /* Check for file glob match. */ static int @@ -197,34 +186,57 @@ evaluate_noglob(const char *left, const char *right) { return (fnmatch(right, left, 0) != 0) ? PAM_SUCCESS : PAM_AUTH_ERR; } +/* Check for list match. */ +static int +evaluate_inlist(const char *left, const char *right) +{ + char *p; + if ((p=strstr(right, left)) == NULL) + return PAM_AUTH_ERR; + if (p == right || *(p-1) == ':') { /* ':' is a list separator */ + p += strlen(left); + if (*p == '\0' || *p == ':') { + return PAM_SUCCESS; + } + } + return PAM_AUTH_ERR; +} +/* Check for list mismatch. */ +static int +evaluate_notinlist(const char *left, const char *right) +{ + return evaluate_inlist(left, right) != PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR; +} /* Return PAM_SUCCESS if the user is in the group. */ static int evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group) { - int ret; - ret = _pammodutil_user_in_group_nam_nam(pamh, user, group); - switch (ret) { - case 1: + if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1) return PAM_SUCCESS; - break; - default: - break; - } return PAM_AUTH_ERR; } /* Return PAM_SUCCESS if the user is NOT in the group. */ static int evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) { - int ret; - ret = _pammodutil_user_in_group_nam_nam(pamh, user, group); - switch (ret) { - case 0: + if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0) + return PAM_SUCCESS; + return PAM_AUTH_ERR; +} +/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ +static int +evaluate_innetgr(const char *host, const char *user, const char *group) +{ + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; + return PAM_AUTH_ERR; +} +/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ +static int +evaluate_notinnetgr(const char *host, const char *user, const char *group) +{ + if (innetgr(group, host, user, NULL) == 0) return PAM_SUCCESS; - break; - default: - break; - } return PAM_AUTH_ERR; } @@ -261,38 +273,46 @@ evaluate(pam_handle_t *pamh, int debug, snprintf(buf, sizeof(buf), "%s", pwd->pw_dir); left = buf; } + if (strcasecmp(left, "service") == 0) { + const void *svc; + if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS) + svc = ""; + snprintf(buf, sizeof(buf), "%s", (const char *)svc); + left = buf; + } /* If we have no idea what's going on, return an error. */ if (left != buf) { - log_error(LOG_CRIT, "unknown attribute \"%s\"", left); + pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left); return PAM_SERVICE_ERR; } if (debug) { - log_error(LOG_DEBUG, "'%s' resolves to '%s'", attribute, left); + pam_syslog(pamh, LOG_DEBUG, "'%s' resolves to '%s'", + attribute, left); } /* Attribute value < some threshold. */ if ((strcasecmp(qual, "<") == 0) || (strcasecmp(qual, "lt") == 0)) { - return evaluate_lt(left, right); + return evaluate_lt(pamh, left, right); } /* Attribute value <= some threshold. */ if ((strcasecmp(qual, "<=") == 0) || (strcasecmp(qual, "le") == 0)) { - return evaluate_le(left, right); + return evaluate_le(pamh, left, right); } /* Attribute value > some threshold. */ if ((strcasecmp(qual, ">") == 0) || (strcasecmp(qual, "gt") == 0)) { - return evaluate_gt(left, right); + return evaluate_gt(pamh, left, right); } /* Attribute value >= some threshold. */ if ((strcasecmp(qual, ">=") == 0) || (strcasecmp(qual, "ge") == 0)) { - return evaluate_ge(left, right); + return evaluate_ge(pamh, left, right); } /* Attribute value == some threshold. */ if (strcasecmp(qual, "eq") == 0) { - return evaluate_eqn(left, right); + return evaluate_eqn(pamh, left, right); } /* Attribute value = some string. */ if (strcasecmp(qual, "=") == 0) { @@ -300,7 +320,7 @@ evaluate(pam_handle_t *pamh, int debug, } /* Attribute value != some threshold. */ if (strcasecmp(qual, "ne") == 0) { - return evaluate_nen(left, right); + return evaluate_nen(pamh, left, right); } /* Attribute value != some string. */ if (strcasecmp(qual, "!=") == 0) { @@ -315,6 +335,13 @@ evaluate(pam_handle_t *pamh, int debug, (strcasecmp(qual, "noglob") == 0)) { return evaluate_noglob(left, right); } + /* Attribute value matches item in list. */ + if (strcasecmp(qual, "in") == 0) { + return evaluate_inlist(left, right); + } + if (strcasecmp(qual, "notin") == 0) { + return evaluate_notinlist(left, right); + } /* User is in this group. */ if (strcasecmp(qual, "ingroup") == 0) { return evaluate_ingroup(pamh, pwd->pw_name, right); @@ -323,14 +350,29 @@ evaluate(pam_handle_t *pamh, int debug, if (strcasecmp(qual, "notingroup") == 0) { return evaluate_notingroup(pamh, pwd->pw_name, right); } + /* (Rhost, user) is in this netgroup. */ + if (strcasecmp(qual, "innetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; + return evaluate_innetgr(rhost, pwd->pw_name, right); + } + /* (Rhost, user) is not in this group. */ + if (strcasecmp(qual, "notinnetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; + return evaluate_notinnetgr(rhost, pwd->pw_name, right); + } /* Fail closed. */ return PAM_SERVICE_ERR; } -int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { - const char *prompt; + const void *prompt; const char *user; struct passwd *pwd; int ret, i, count, use_uid, debug; @@ -338,7 +380,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) int quiet_fail, quiet_succ; /* Get the user prompt. */ - ret = pam_get_item(pamh, PAM_USER_PROMPT, (const void**) &prompt); + ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt); if ((ret != PAM_SUCCESS) || (prompt == NULL) || (strlen(prompt) == 0)) { prompt = "login: "; } @@ -366,29 +408,31 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) if (use_uid) { /* Get information about the user. */ - pwd = _pammodutil_getpwuid(pamh, getuid()); + pwd = pam_modutil_getpwuid(pamh, getuid()); if (pwd == NULL) { - log_error(LOG_CRIT, - "error retrieving information about user %ld", - (long)getuid()); - return PAM_SERVICE_ERR; + pam_syslog(pamh, LOG_CRIT, + "error retrieving information about user %lu", + (unsigned long)getuid()); + return PAM_USER_UNKNOWN; } + user = pwd->pw_name; } else { /* Get the user's name. */ ret = pam_get_user(pamh, &user, prompt); if ((ret != PAM_SUCCESS) || (user == NULL)) { - log_error(LOG_CRIT, "error retrieving user name: %s", - pam_strerror(pamh, ret)); + pam_syslog(pamh, LOG_CRIT, + "error retrieving user name: %s", + pam_strerror(pamh, ret)); return ret; } /* Get information about the user. */ - pwd = _pammodutil_getpwnam(pamh, user); + pwd = pam_modutil_getpwnam(pamh, user); if (pwd == NULL) { - log_error(LOG_CRIT, - "error retrieving information about user %s", - user); - return PAM_SERVICE_ERR; + pam_syslog(pamh, LOG_CRIT, + "error retrieving information about user %s", + user); + return PAM_USER_UNKNOWN; } } @@ -402,18 +446,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) pwd); if (ret != PAM_SUCCESS) { if(!quiet_fail) - log_error(LOG_INFO, - "requirement \"%s %s %s\" " - "not met by user \"%s\"", - left, qual, right, user); + pam_syslog(pamh, LOG_INFO, + "requirement \"%s %s %s\" " + "not met by user \"%s\"", + left, qual, right, user); break; } else if(!quiet_succ) - log_error(LOG_INFO, - "requirement \"%s %s %s\" " - "was met by user \"%s\"", - left, qual, right, user); + pam_syslog(pamh, LOG_INFO, + "requirement \"%s %s %s\" " + "was met by user \"%s\"", + left, qual, right, user); left = qual = right = NULL; } if ((i < argc) && (strcmp(argv[i], "debug") == 0)) { @@ -457,14 +501,46 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) return ret; } -int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - return PAM_SUCCESS; + return PAM_IGNORE; } -int +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +/* static module data */ +#ifdef PAM_STATIC +struct pam_module _pam_succeed_if_modstruct = { + "pam_succeed_if", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok +}; +#endif diff --git a/Linux-PAM/modules/pam_succeed_if/tst-pam_succeed_if b/Linux-PAM/modules/pam_succeed_if/tst-pam_succeed_if new file mode 100755 index 00000000..f2b6dd3f --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/tst-pam_succeed_if @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_succeed_if.so diff --git a/Linux-PAM/modules/pam_tally/Makefile b/Linux-PAM/modules/pam_tally/Makefile deleted file mode 100644 index 40617a1a..00000000 --- a/Linux-PAM/modules/pam_tally/Makefile +++ /dev/null @@ -1,109 +0,0 @@ -# -# $Id: Makefile,v 1.5 2004/09/24 13:13:21 kukuk Exp $ -# -# This Makefile controls a build process of $(TITLE) module and -# application for Linux-PAM. You should not modify this Makefile -# (unless you know what you are doing!). -# -# - -include ../../Make.Rules - -TITLE=pam_tally - -# -## Additional rules for making (and moving) the application added. -## Assuming that all modules' applications are called $TITLE -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -APPSRC = $(TITLE)_app.c -APPOBJ = $(TITLE)_app.o -APPOBJD = $(addprefix dynamic/,$(APPOBJ)) -APPOBJS = $(addprefix static/,$(APPOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -APPLICATION = $(TITLE) -APPMODE = 755 - -LINK_PAMMODUTILS = -L../pammodutil -lpammodutil -L../../libpam -lpam -INCLUDE_PAMMODUTILS = -I../pammodutil/include - -LDFLAGS += $(LINK_PAMMODUTILS) -CFLAGS += $(INCLUDE_PAMMODUTILS) - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register $(APPLICATION) - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(LDFLAGS) - -$(APPLICATION): $(APPOBJD) $(TITLE).c - $(CC) $(CFLAGS) -o $@ $(APPOBJD) $(LDFLAGS) $(LOADLIBES) - -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) - -$(APPLICATION): $(APPOBJS) $(TITLE).c - $(CC) $(CFLAGS) -o $@ $(APPOBJS) $(LOADLIBES) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SUPLEMENTED) - $(INSTALL) -m $(APPMODE) $(APPLICATION) $(FAKEROOT)$(SUPLEMENTED) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(SUPLEMENTED)/$(TITLE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) $(APPOBJD) $(APPOBJS) core *~ - rm -f *.a *.o *.so *.bak dynamic/* static/* $(APPLICATION) - rm -rf dynamic static - -.c.o: - $(CC) $(CFLAGS) -c $< diff --git a/Linux-PAM/modules/pam_tally/Makefile.am b/Linux-PAM/modules/pam_tally/Makefile.am new file mode 100644 index 00000000..ffb88886 --- /dev/null +++ b/Linux-PAM/modules/pam_tally/Makefile.am @@ -0,0 +1,38 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally + +man_MANS = pam_tally.8 +XMLS = README.xml pam_tally.8.xml + +TESTS = tst-pam_tally + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +noinst_HEADERS = faillog.h + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + +pam_tally_la_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + pam_tally_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_tally.la +sbin_PROGRAMS = pam_tally + +pam_tally_SOURCES = pam_tally_app.c +pam_tally_LDFLAGS = -L$(top_builddir)/libpam -lpam + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_tally.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_tally/Makefile.in b/Linux-PAM/modules/pam_tally/Makefile.in new file mode 100644 index 00000000..631d79c4 --- /dev/null +++ b/Linux-PAM/modules/pam_tally/Makefile.in @@ -0,0 +1,719 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = pam_tally$(EXEEXT) +subdir = modules/pam_tally +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_tally_la_LIBADD = +pam_tally_la_SOURCES = pam_tally.c +pam_tally_la_OBJECTS = pam_tally.lo +pam_tally_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_tally_la_LDFLAGS) $(LDFLAGS) -o $@ +sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(sbin_PROGRAMS) +am_pam_tally_OBJECTS = pam_tally_app.$(OBJEXT) +pam_tally_OBJECTS = $(am_pam_tally_OBJECTS) +pam_tally_LDADD = $(LDADD) +pam_tally_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_tally_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_tally.c $(pam_tally_SOURCES) +DIST_SOURCES = pam_tally.c $(pam_tally_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally +man_MANS = pam_tally.8 +XMLS = README.xml pam_tally.8.xml +TESTS = tst-pam_tally +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +noinst_HEADERS = faillog.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +pam_tally_la_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_tally.la +pam_tally_SOURCES = pam_tally_app.c +pam_tally_LDFLAGS = -L$(top_builddir)/libpam -lpam +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tally/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_tally/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_tally.la: $(pam_tally_la_OBJECTS) $(pam_tally_la_DEPENDENCIES) + $(pam_tally_la_LINK) -rpath $(securelibdir) $(pam_tally_la_OBJECTS) $(pam_tally_la_LIBADD) $(LIBS) +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ + rm -f "$(DESTDIR)$(sbindir)/$$f"; \ + done + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +pam_tally$(EXEEXT): $(pam_tally_OBJECTS) $(pam_tally_DEPENDENCIES) + @rm -f pam_tally$(EXEEXT) + $(pam_tally_LINK) $(pam_tally_OBJECTS) $(pam_tally_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally_app.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-sbinPROGRAMS \ + clean-securelibLTLIBRARIES ctags distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-sbinPROGRAMS install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man8 uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_tally.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_tally/README b/Linux-PAM/modules/pam_tally/README index c8b715bd..cfd8a468 100644 --- a/Linux-PAM/modules/pam_tally/README +++ b/Linux-PAM/modules/pam_tally/README @@ -1,116 +1,136 @@ -SUMMARY: - pam_tally.so: - - Maintains a count of attempted accesses, can reset count on success, - can deny access if too many attempts fail. - - Options: - - * onerr=[succeed|fail] (if something weird happens - such as unable to open the file, what to do?) - * file=/where/to/keep/counts (default /var/log/faillog) - * audit (will display the username typed if the user is not found) - - (auth) - Authentication phase first checks if user should be denied access - and if not it increments attempted login counter. Then on call to - pam_setcred it resets the attempts counter if the user is NOT - magic root. - * deny=n (deny access if tally for this user exceeds n) - - * lock_time=n (always deny for n seconds after failed attempt) - - * unlock_time=n (allow access after n seconds after the last - failed attempt with exceeded tally) - - * magic_root (access attempts by root as requesting user ignore - deny and don't change counter. - Use this for su and similar services.) - - * even_deny_root_account (Root can become unavailable. BEWARE. - Note that magic root trying to gain root bypasses this, - but normal users can be locked out.) - - * per_user (If /var/log/faillog contains a non-zero - .fail_max/.fail_locktime field for this user then use it - instead of deny=n/lock_time=n parameter.) - - * no_lock_time (Don't use .fail_locktime filed in - /var/log/faillog for this user) - - * no_reset (don't reset count on successful entry, - only decrement) - - - (account) - Account phase resets attempts counter if the user is NOT magic root. - This phase can be used optionaly for services which don't call - pam_setcred correctly or if the reset should be done regardless - of the failure of the account phase of other modules. - - * magic_root (access attempts by root as requesting user - don't change counter. - Use this for su and similar services.) - - * no_reset (don't reset count on successful entry, - only decrement) - - Also checks to make sure that the counts file is a plain - file and not world writable. - - - Tim Baverstock <warwick@sable.demon.co.uk>, v0.1 5 March 1997 - - Tomas Mraz <tmraz@redhat.com>, v0.2 5 January 2005 - -LONGER: - -pam_tally comes in two parts: pam_tally.so and pam_tally. - -pam_tally.so sits in a pam config file, in the auth and account sections. - -In the auth section, it denies access if attempted logins exceed some -threshold and it increments a per-uid counter for each attempted login, -in the account section, it resets that counter to zero on successful -login. If the module isn't used in the account section it resets the counter -to zero on call to pam_setcred. - -Root is treated specially: - -1. When a process already running as root tries to access some service and the -'magic_root' flag is set, the access is `magic', and bypasses pam_tally's -checks: handy for `su'ing from root into an account otherwise blocked. -NOTE: This was changed from the previous version of pam_tally where the default -was to treat root as magic and there were the 'no_magic_root' flag. However -for most of services the current default make sense. - -2. Normally, failed attempts to access root will NOT cause the root -account to become blocked, to prevent denial-of-service: if your users aren't -given shell accounts and root may only login via `su' or at the machine -console (not telnet/rsh, etc), this is safe. If you really want root to be -blocked for some given service, use even_deny_root_account. - -pam_tally is an (optional) application which can be used to interrogate and -manipulate the counter file. It can display users' counts, set individual -counts, or clear all counts. Setting artificially high counts may be useful -for blocking users without changing their passwords. I found it useful to -clear all counts every midnight from a cron.. - -The counts file is organised as a binary-word array, indexed by uid. You -can probably make sense of it with `od', if you don't want to use the -supplied application. - -BUGS: - -pam_tally is very dependant on getpw*(): a database of usernames -would be much more flexible. - -The (4.0 Redhat) utilities seem to do funny things with uid, and I'm -not wholly sure I understood what I should have been doing anyway so -the `keep a count of current logins' bit has been #ifdef'd out and you -can only reset the counter on successful authentication, for now. - -IMPORTANT NOTICE: -In the original version of pam_tally there was a bug where the information -if the password was correct or not was leaked by returning error from -different pam management phases. This was solved by moving the denying -functionality to the auth phase. However it's necessary to update the pam -configuration by moving the required options (as deny=N) to the auth phase. +pam_tally — The login counter (tallying) module + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +This module maintains a count of attempted accesses, can reset count on +success, can deny access if too many attempts fail. + +pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM +module and the latter, a stand-alone program. pam_tally is an (optional) +application which can be used to interrogate and manipulate the counter file. +It can display users' counts, set individual counts, or clear all counts. +Setting artificially high counts may be useful for blocking users without +changing their passwords. For example, one might find it useful to clear all +counts every midnight from a cron job. The faillog(8) command can be used +instead of pam_tally to to maintain the counter file. + +Normally, failed attempts to access root will not cause the root account to +become blocked, to prevent denial-of-service: if your users aren't given shell +accounts and root may only login via su or at the machine console (not telnet/ +rsh, etc), this is safe. + +OPTIONS + +GLOBAL OPTIONS + + This can be used for auth and account services. + + onerr=[fail|succeed] + + If something weird happens (like unable to open the file), return with + PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM + error code. + + file=/path/to/counter + + File where to keep counts. Default is /var/log/faillog. + + audit + + Will display the username typed if the user is not found. + +AUTH OPTIONS + + Authentication phase first checks if user should be denied access and if + not it increments attempted login counter. Then on call to pam_setcred(3) + it resets the attempts counter. + + deny=n + + Deny access if tally for this user exceeds n. + + lock_time=n + + Always deny for n seconds after failed attempt. + + unlock_time=n + + Allow access after n seconds after failed attempt. If this option is + used the user will be locked out for the specified amount of time after + he exceeded his maximum allowed attempts. Otherwise the account is + locked until the lock is removed by a manual intervention of the system + administrator. + + magic_root + + If the module is invoked by a user with uid=0 the counter is not + incremented. The sys-admin should use this for user launched services, + like su, otherwise this argument should be omitted. + + no_lock_time + + Do not use the .fail_locktime field in /var/log/faillog for this user. + + no_reset + + Don't reset count on successful entry, only decrement. + + even_deny_root_account + + Root account can become unavailable. + + even_deny_root_account + + Root account can become unavailable. + + per_user + + If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field + for this user then use it instead of deny=n/ lock_time=n parameter. + + no_lock_time + + Don't use .fail_locktime filed in /var/log/faillog for this user. + +ACCOUNT OPTIONS + + Account phase resets attempts counter if the user is not magic root. This + phase can be used optionaly for services which don't call pam_setcred(3) + correctly or if the reset should be done regardless of the failure of the + account phase of other modules. + + magic_root + + If the module is invoked by a user with uid=0 the counter is not + incremented. The sys-admin should use this for user launched services, + like su, otherwise this argument should be omitted. + + no_reset + + Don't reset count on successful entry, only decrement. + +EXAMPLES + +Add the following line to /etc/pam.d/login to lock the account after too many +failed logins. The number of allowed fails is specified by /var/log/faillog and +needs to be set with pam_tally or faillog(8) before. + +auth required pam_securetty.so +auth required pam_tally.so per_user +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + + +AUTHOR + +pam_tally was written by Tim Baverstock and Tomas Mraz. + diff --git a/Linux-PAM/modules/pam_tally/README.xml b/Linux-PAM/modules/pam_tally/README.xml new file mode 100644 index 00000000..3c6de50e --- /dev/null +++ b/Linux-PAM/modules/pam_tally/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_tally.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_tally/pam_tally.8 b/Linux-PAM/modules/pam_tally/pam_tally.8 new file mode 100644 index 00000000..a4476b6b --- /dev/null +++ b/Linux-PAM/modules/pam_tally/pam_tally.8 @@ -0,0 +1,188 @@ +.\" Title: pam_tally +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/18/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_TALLY" "8" "06/18/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_tally \- The login counter (tallying) module +.SH "SYNOPSIS" +.HP 13 +\fBpam_tally.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] +.HP 10 +\fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] +.SH "DESCRIPTION" +.PP +This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail. +.PP +pam_tally comes in two parts: +\fBpam_tally.so\fR +and +\fBpam_tally\fR. The former is the PAM module and the latter, a stand\-alone program. +\fBpam_tally\fR +is an (optional) application which can be used to interrogate and manipulate the counter file. It can display users' counts, set individual counts, or clear all counts. Setting artificially high counts may be useful for blocking users without changing their passwords. For example, one might find it useful to clear all counts every midnight from a cron job. The +\fBfaillog\fR(8) +command can be used instead of pam_tally to to maintain the counter file. +.PP +Normally, failed attempts to access +\fIroot\fR +will +\fBnot\fR +cause the root account to become blocked, to prevent denial\-of\-service: if your users aren't given shell accounts and root may only login via +\fBsu\fR +or at the machine console (not telnet/rsh, etc), this is safe. +.SH "OPTIONS" +.TP 3n +GLOBAL OPTIONS +This can be used for +\fIauth\fR +and +\fIaccount\fR +services. +.RS 3n +.TP 3n +\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR +If something weird happens (like unable to open the file), return with +\fBPAM_SUCESS\fR +if +\fBonerr=\fR\fB\fIsucceed\fR\fR +is given, else with the corresponding PAM error code. +.TP 3n +\fBfile=\fR\fB\fI/path/to/counter\fR\fR +File where to keep counts. Default is +\fI/var/log/faillog\fR. +.TP 3n +\fBaudit\fR +Will display the username typed if the user is not found. +.RE +.TP 3n +AUTH OPTIONS +Authentication phase first checks if user should be denied access and if not it increments attempted login counter. Then on call to +\fBpam_setcred\fR(3) +it resets the attempts counter. +.RS 3n +.TP 3n +\fBdeny=\fR\fB\fIn\fR\fR +Deny access if tally for this user exceeds +\fIn\fR. +.TP 3n +\fBlock_time=\fR\fB\fIn\fR\fR +Always deny for +\fIn\fR +seconds after failed attempt. +.TP 3n +\fBunlock_time=\fR\fB\fIn\fR\fR +Allow access after +\fIn\fR +seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator. +.TP 3n +\fBmagic_root\fR +If the module is invoked by a user with uid=0 the counter is not incremented. The sys\-admin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted. +.TP 3n +\fBno_lock_time\fR +Do not use the .fail_locktime field in +\fI/var/log/faillog\fR +for this user. +.TP 3n +\fBno_reset\fR +Don't reset count on successful entry, only decrement. +.TP 3n +\fBeven_deny_root_account\fR +Root account can become unavailable. +.TP 3n +\fBeven_deny_root_account\fR +Root account can become unavailable. +.TP 3n +\fBper_user\fR +If +\fI/var/log/faillog\fR +contains a non\-zero .fail_max/.fail_locktime field for this user then use it instead of +\fBdeny=\fR\fB\fIn\fR\fR/ +\fBlock_time=\fR\fB\fIn\fR\fR +parameter. +.TP 3n +\fBno_lock_time\fR +Don't use .fail_locktime filed in +\fI/var/log/faillog\fR +for this user. +.RE +.TP 3n +ACCOUNT OPTIONS +Account phase resets attempts counter if the user is +\fBnot\fR +magic root. This phase can be used optionaly for services which don't call +\fBpam_setcred\fR(3) +correctly or if the reset should be done regardless of the failure of the account phase of other modules. +.RS 3n +.TP 3n +\fBmagic_root\fR +If the module is invoked by a user with uid=0 the counter is not incremented. The sys\-admin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted. +.TP 3n +\fBno_reset\fR +Don't reset count on successful entry, only decrement. +.RE +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins. +.TP 3n +PAM_SUCCESS +Everything was successfull. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to lock the account after too many failed logins. The number of allowed fails is specified by +\fI/var/log/faillog\fR +and needs to be set with pam_tally or +\fBfaillog\fR(8) +before. +.sp +.RS 3n +.nf +auth required pam_securetty.so +auth required pam_tally.so per_user +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + +.fi +.RE +.SH "FILES" +.TP 3n +\fI/var/log/faillog\fR +failure logging file +.SH "SEE ALSO" +.PP + +\fBfaillog\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tally was written by Tim Baverstock and Tomas Mraz. diff --git a/Linux-PAM/modules/pam_tally/pam_tally.8.xml b/Linux-PAM/modules/pam_tally/pam_tally.8.xml new file mode 100644 index 00000000..1261130a --- /dev/null +++ b/Linux-PAM/modules/pam_tally/pam_tally.8.xml @@ -0,0 +1,437 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_tally"> + + <refmeta> + <refentrytitle>pam_tally</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_tally-name"> + <refname>pam_tally</refname> + <refpurpose>The login counter (tallying) module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_tally-cmdsynopsis1"> + <command>pam_tally.so</command> + <arg choice="opt"> + file=<replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>] + </arg> + <arg choice="opt"> + magic_root + </arg> + <arg choice="opt"> + even_deny_root_account + </arg> + <arg choice="opt"> + deny=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + lock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + per_user + </arg> + <arg choice="opt"> + no_lock_time + </arg> + <arg choice="opt"> + no_reset + </arg> + <arg choice="opt"> + audit + </arg> + </cmdsynopsis> + <cmdsynopsis id="pam_tally-cmdsynopsis2"> + <command>pam_tally</command> + <arg choice="opt"> + --file <replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + --user <replaceable>username</replaceable> + </arg> + <arg choice="opt"> + --reset[=<replaceable>n</replaceable>] + </arg> + <arg choice="opt"> + --quiet + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_tally-description"> + + <title>DESCRIPTION</title> + + <para> + This module maintains a count of attempted accesses, can + reset count on success, can deny access if too many attempts fail. + </para> + <para> + pam_tally comes in two parts: + <emphasis remap='B'>pam_tally.so</emphasis> and + <command>pam_tally</command>. The former is the PAM module and + the latter, a stand-alone program. <command>pam_tally</command> + is an (optional) application which can be used to interrogate and + manipulate the counter file. It can display users' counts, set + individual counts, or clear all counts. Setting artificially high + counts may be useful for blocking users without changing their + passwords. For example, one might find it useful to clear all counts + every midnight from a cron job. The + <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> command can be used instead of pam_tally to to + maintain the counter file. + </para> + <para> + Normally, failed attempts to access <emphasis>root</emphasis> will + <emphasis remap='B'>not</emphasis> cause the root account to become + blocked, to prevent denial-of-service: if your users aren't given + shell accounts and root may only login via <command>su</command> or + at the machine console (not telnet/rsh, etc), this is safe. + </para> + </refsect1> + + <refsect1 id="pam_tally-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + GLOBAL OPTIONS + </term> + <listitem> + <para> + This can be used for <emphasis>auth</emphasis> and + <emphasis>account</emphasis> services. + </para> + <variablelist> + <varlistentry> + <term> + <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option> + </term> + <listitem> + <para> + If something weird happens (like unable to open the file), + return with <errorcode>PAM_SUCESS</errorcode> if + <option>onerr=<replaceable>succeed</replaceable></option> + is given, else with the corresponding PAM error code. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>file=<replaceable>/path/to/counter</replaceable></option> + </term> + <listitem> + <para> + File where to keep counts. Default is + <filename>/var/log/faillog</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>audit</option> + </term> + <listitem> + <para> + Will display the username typed if the user is not found. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + AUTH OPTIONS + </term> + <listitem> + <para> + Authentication phase first checks if user should be denied + access and if not it increments attempted login counter. Then + on call to <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> it resets the attempts counter. + </para> + <variablelist> + <varlistentry> + <term> + <option>deny=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Deny access if tally for this user exceeds + <replaceable>n</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>lock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Always deny for <replaceable>n</replaceable> seconds + after failed attempt. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Allow access after <replaceable>n</replaceable> seconds + after failed attempt. If this option is used the user will + be locked out for the specified amount of time after he + exceeded his maximum allowed attempts. Otherwise the + account is locked until the lock is removed by a manual + intervention of the system administrator. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not incremented. The sys-admin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_lock_time</option> + </term> + <listitem> + <para> + Do not use the .fail_locktime field in + <filename>/var/log/faillog</filename> for this user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_reset</option> + </term> + <listitem> + <para> + Don't reset count on successful entry, only decrement. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>even_deny_root_account</option> + </term> + <listitem> + <para> + Root account can become unavailable. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>even_deny_root_account</option> + </term> + <listitem> + <para> + Root account can become unavailable. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>per_user</option> + </term> + <listitem> + <para> + If <filename>/var/log/faillog</filename> contains a non-zero + .fail_max/.fail_locktime field for this user then use it + instead of <option>deny=<replaceable>n</replaceable></option>/ + <option>lock_time=<replaceable>n</replaceable></option> parameter. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_lock_time</option> + </term> + <listitem> + <para> + Don't use .fail_locktime filed in + <filename>/var/log/faillog</filename> for this user. + </para> + </listitem> + </varlistentry> + + </variablelist> + </listitem> + </varlistentry> + + + <varlistentry> + <term> + ACCOUNT OPTIONS + </term> + <listitem> + <para> + Account phase resets attempts counter if the user is + <emphasis remap='B'>not</emphasis> magic root. + This phase can be used optionaly for services which don't call + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> correctly or if the reset should be done regardless + of the failure of the account phase of other modules. + </para> + <variablelist> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not incremented. The sys-admin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_reset</option> + </term> + <listitem> + <para> + Don't reset count on successful entry, only decrement. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_tally-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <option>auth</option> and <option>account</option> + services are supported. + </para> + </refsect1> + + <refsect1 id='pam_tally-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + A invalid option was given, the module was not able + to retrive the user name, no valid counter file + was found, or too many failed logins. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successfull. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + lock the account after too many failed logins. The number of + allowed fails is specified by <filename>/var/log/faillog</filename> + and needs to be set with pam_tally or <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> before. + </para> + <programlisting> +auth required pam_securetty.so +auth required pam_tally.so per_user +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + </programlisting> + </refsect1> + + <refsect1 id="pam_tally-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/log/faillog</filename></term> + <listitem> + <para>failure logging file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_tally-author'> + <title>AUTHOR</title> + <para> + pam_tally was written by Tim Baverstock and Tomas Mraz. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_tally/pam_tally.c b/Linux-PAM/modules/pam_tally/pam_tally.c index 1e48662e..66fc5f35 100644 --- a/Linux-PAM/modules/pam_tally/pam_tally.c +++ b/Linux-PAM/modules/pam_tally/pam_tally.c @@ -1,7 +1,6 @@ /* * pam_tally.c - * - * $Id: pam_tally.c,v 1.15 2005/01/24 14:04:17 t8m Exp $ + * */ @@ -11,14 +10,11 @@ * Stuff stolen from pam_rootok and pam_listfile * * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005 - * Audit option added for Tomas patch by Sebastien Tricaud <toady@gscore.org> 13 January 2005 + * Audit option added for Tomas patch by + * Sebastien Tricaud <toady@gscore.org> 13 January 2005 */ -#include <security/_pam_aconf.h> - -#if defined(MAIN) && defined(MEMORY_DEBUG) -# undef exit -#endif /* defined(MAIN) && defined(MEMORY_DEBUG) */ +#include "config.h" #include <stdio.h> #include <string.h> @@ -34,11 +30,6 @@ #include <sys/param.h> #include "faillog.h" -#ifndef TRUE -#define TRUE 1L -#define FALSE 0L -#endif - /* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module @@ -52,7 +43,17 @@ /* #define PAM_SM_PASSWORD */ #include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#ifndef TRUE +#define TRUE 1L +#define FALSE 0L +#endif + +#ifndef HAVE_FSEEKO +#define fseeko fseek +#endif /*---------------------------------------------------------------------*/ @@ -63,8 +64,6 @@ #define TALLY_FMT "%hu" #define TALLY_HI ((tally_t)~0L) -#define UID_FMT "%hu" - #ifndef FILENAME_MAX # define FILENAME_MAX MAXPATHLEN #endif @@ -102,48 +101,51 @@ struct tally_options { /* some syslogging */ -static void _pam_log(int err, const char *format, ...) +#ifdef MAIN +#define pam_syslog tally_log +static void +tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, + const char *fmt, ...) { - va_list args; - va_start(args, format); + va_list args; -#ifdef MAIN - vfprintf(stderr,format,args); - fprintf(stderr,"\n"); -#else - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - closelog(); -#endif - va_end(args); + va_start(args, fmt); + fprintf(stderr, "%s: ", MODULE_NAME); + vfprintf(stderr, fmt, args); + fprintf(stderr,"\n"); + va_end(args); } +#endif /*---------------------------------------------------------------------*/ /* --- Support function: parse arguments --- */ -static void log_phase_no_auth( int phase, const char *argv ) +#ifndef MAIN + +static void +log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) { if ( phase != PHASE_AUTH ) { - _pam_log(LOG_ERR, - MODULE_NAME ": option %s allowed in auth phase only", argv); + pam_syslog(pamh, LOG_ERR, + "option %s allowed in auth phase only", argv); } } -static int tally_parse_args( struct tally_options *opts, int phase, - int argc, const char **argv ) +static int +tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, + int phase, int argc, const char **argv) { memset(opts, 0, sizeof(*opts)); opts->filename = DEFAULT_LOGFILE; - + for ( ; argc-- > 0; ++argv ) { if ( ! strncmp( *argv, "file=", 5 ) ) { const char *from = *argv + 5; if ( *from!='/' || strlen(from)>FILENAME_MAX-1 ) { - _pam_log(LOG_ERR, - MODULE_NAME ": filename not /rooted or too long; ", - *argv); + pam_syslog(pamh, LOG_ERR, + "filename not /rooted or too long; %s", *argv); return PAM_AUTH_ERR; } opts->filename = from; @@ -158,38 +160,38 @@ static int tally_parse_args( struct tally_options *opts, int phase, opts->ctrl |= OPT_MAGIC_ROOT; } else if ( ! strcmp( *argv, "even_deny_root_account" ) ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); opts->ctrl |= OPT_DENY_ROOT; } else if ( ! strncmp( *argv, "deny=", 5 ) ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); if ( sscanf((*argv)+5,TALLY_FMT,&opts->deny) != 1 ) { - _pam_log(LOG_ERR,"bad number supplied; %s",*argv); + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); return PAM_AUTH_ERR; } } else if ( ! strncmp( *argv, "lock_time=", 10 ) ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) { - _pam_log(LOG_ERR,"bad number supplied; %s",*argv); + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); return PAM_AUTH_ERR; } } else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) { - _pam_log(LOG_ERR,"bad number supplied; %s",*argv); + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); return PAM_AUTH_ERR; } } else if ( ! strcmp( *argv, "per_user" ) ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); opts->ctrl |= OPT_PER_USER; } else if ( ! strcmp( *argv, "no_lock_time") ) { - log_phase_no_auth(phase, *argv); + log_phase_no_auth(pamh, phase, *argv); opts->ctrl |= OPT_NO_LOCK_TIME; } else if ( ! strcmp( *argv, "no_reset" ) ) { @@ -199,13 +201,15 @@ static int tally_parse_args( struct tally_options *opts, int phase, opts->ctrl |= OPT_AUDIT; } else { - _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } return PAM_SUCCESS; } +#endif /* #ifndef MAIN */ + /*---------------------------------------------------------------------*/ /* --- Support function: get uid (and optionally username) from PAM or @@ -215,69 +219,81 @@ static int tally_parse_args( struct tally_options *opts, int phase, static char *cline_user=0; /* cline_user is used in the administration prog */ #endif -static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) - { +static int +pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) +{ const char *user = NULL; struct passwd *pw; #ifdef MAIN user = cline_user; #else - pam_get_user( pamh, &user, NULL ); + if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "pam_get_user; user?"); + return PAM_AUTH_ERR; + } #endif if ( !user || !*user ) { - _pam_log(LOG_ERR, MODULE_NAME ": pam_get_uid; user?"); + pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); return PAM_AUTH_ERR; } - if ( ! ( pw = _pammodutil_getpwnam( pamh, user ) ) ) { - opts->ctrl & OPT_AUDIT ? - _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user) : - _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user"); + if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) { + opts->ctrl & OPT_AUDIT ? + pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) : + pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user"); return PAM_USER_UNKNOWN; } - + if ( uid ) *uid = pw->pw_uid; if ( userp ) *userp = user; return PAM_SUCCESS; - } +} /*---------------------------------------------------------------------*/ /* --- Support functions: set/get tally data --- */ -static void _cleanup( pam_handle_t *pamh, void *data, int error_status ) - { +#ifndef MAIN + +static void +_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) +{ free(data); - } +} + -static void tally_set_data( pam_handle_t *pamh, time_t oldtime ) - { +static void +tally_set_data( pam_handle_t *pamh, time_t oldtime ) +{ time_t *data; - + if ( (data=malloc(sizeof(time_t))) != NULL ) { - *data = oldtime; + *data = oldtime; pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup); } - } +} -static int tally_get_data( pam_handle_t *pamh, time_t *oldtime ) - { +static int +tally_get_data( pam_handle_t *pamh, time_t *oldtime ) +{ int rv; const void *data; rv = pam_get_data(pamh, MODULE_NAME, &data); - if ( rv == PAM_SUCCESS && oldtime != NULL ) { + if ( rv == PAM_SUCCESS && data != NULL && oldtime != NULL ) { *oldtime = *(const time_t *)data; pam_set_data(pamh, MODULE_NAME, NULL, NULL); } else { rv = -1; - *oldtime = 0; + if (oldtime) + *oldtime = 0; } return rv; - } +} +#endif /* #ifndef MAIN */ /*---------------------------------------------------------------------*/ @@ -286,12 +302,10 @@ static int tally_get_data( pam_handle_t *pamh, time_t *oldtime ) /* If on entry *tally==TALLY_HI, tallyfile is opened READONLY */ /* Otherwise, if on entry tallyfile doesn't exist, creation is attempted. */ -static int get_tally( tally_t *tally, - uid_t uid, - const char *filename, - FILE **TALLY, - struct fail_s *fsp) - { +static int +get_tally(pam_handle_t *pamh, tally_t *tally, uid_t uid, + const char *filename, FILE **TALLY, struct fail_s *fsp) +{ struct stat fileinfo; int lstat_ret = lstat(filename,&fileinfo); @@ -301,7 +315,7 @@ static int get_tally( tally_t *tally, /* Create file, or append-open in pathological case. */ umask(oldmask); if ( !*TALLY ) { - _pam_log(LOG_ALERT, "Couldn't create %s",filename); + pam_syslog(pamh, LOG_ALERT, "Couldn't create %s", filename); return PAM_AUTH_ERR; } lstat_ret = fstat(fileno(*TALLY),&fileinfo); @@ -309,21 +323,21 @@ static int get_tally( tally_t *tally, } if ( lstat_ret ) { - _pam_log(LOG_ALERT, "Couldn't stat %s",filename); + pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename); return PAM_AUTH_ERR; } if((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { /* If the file is world writable or is not a normal file, return error */ - _pam_log(LOG_ALERT, + pam_syslog(pamh, LOG_ALERT, "%s is either world writable or not a normal file", filename); return PAM_AUTH_ERR; } if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) { - _pam_log(LOG_ALERT, "Error opening %s for update", filename); + pam_syslog(pamh, LOG_ALERT, "Error opening %s for update", filename); /* Discovering why account service fails: e/uid are target user. * @@ -333,12 +347,12 @@ static int get_tally( tally_t *tally, return PAM_AUTH_ERR; } - if ( fseek( *TALLY, uid * sizeof(struct faillog), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); + if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) { + pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename); fclose(*TALLY); return PAM_AUTH_ERR; } - + if ( fileinfo.st_size <= uid * sizeof(struct faillog) ) { memset(fsp, 0, sizeof(struct faillog)); @@ -355,41 +369,41 @@ static int get_tally( tally_t *tally, *tally = fsp->fs_faillog.fail_cnt; } - + return PAM_SUCCESS; - } +} /*---------------------------------------------------------------------*/ /* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */ -static int set_tally( tally_t tally, - uid_t uid, - const char *filename, - FILE **TALLY, - struct fail_s *fsp) - { - if ( tally!=TALLY_HI ) - { - if ( fseek( *TALLY, uid * sizeof(struct faillog), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); - return PAM_AUTH_ERR; - } - fsp->fs_faillog.fail_cnt = tally; - if (fwrite((char *) &fsp->fs_faillog, +static int +set_tally(pam_handle_t *pamh, tally_t tally, uid_t uid, + const char *filename, FILE **TALLY, struct fail_s *fsp) +{ + int retval = PAM_SUCCESS; + + if ( tally!=TALLY_HI ) { + if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) { + pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename); + retval = PAM_AUTH_ERR; + } else { + fsp->fs_faillog.fail_cnt = tally; + if (fwrite((char *) &fsp->fs_faillog, sizeof(struct faillog), 1, *TALLY)==0 ) { - _pam_log(LOG_ALERT, "tally update (fwrite) failed.", filename); - return PAM_AUTH_ERR; + pam_syslog(pamh, LOG_ALERT, "update (fwrite) failed for %s", filename); + retval = PAM_AUTH_ERR; } } - + } + if ( fclose(*TALLY) ) { - _pam_log(LOG_ALERT, "tally update (fclose) failed.", filename); + pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename); return PAM_AUTH_ERR; } *TALLY=NULL; - return PAM_SUCCESS; - } + return retval; +} /*---------------------------------------------------------------------*/ @@ -397,32 +411,29 @@ static int set_tally( tally_t tally, #ifndef MAIN -#define PAM_FUNCTION(name) \ - PAM_EXTERN int name (pam_handle_t *pamh,int flags,int argc,const char **argv) - #define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS)) /*---------------------------------------------------------------------*/ /* --- tally bump function: bump tally for uid by (signed) inc --- */ -static int tally_bump (int inc, time_t *oldtime, - pam_handle_t *pamh, - uid_t uid, - const char *user, - struct tally_options *opts) { +static int +tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, + uid_t uid, const char *user, struct tally_options *opts) +{ tally_t tally = 0; /* !TALLY_HI --> Log opened for update */ FILE *TALLY = NULL; - const char + const void *remote_host = NULL, *cur_tty = NULL; struct fail_s fs, *fsp = &fs; int i; - i=get_tally( &tally, uid, opts->filename, &TALLY, fsp ); + i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); + if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } /* to remember old fail time (for locktime) */ fsp->fs_fail_time = fsp->fs_faillog.fail_time; @@ -436,10 +447,10 @@ static int tally_bump (int inc, time_t *oldtime, fsp->fs_faillog.fail_time = *oldtime; } } - (void) pam_get_item(pamh, PAM_RHOST, (const void **)&remote_host); + (void) pam_get_item(pamh, PAM_RHOST, &remote_host); if (!remote_host) { - (void) pam_get_item(pamh, PAM_TTY, (const void **)&cur_tty); + (void) pam_get_item(pamh, PAM_TTY, &cur_tty); if (!cur_tty) { strncpy(fsp->fs_faillog.fail_line, "unknown", sizeof(fsp->fs_faillog.fail_line) - 1); @@ -455,30 +466,28 @@ static int tally_bump (int inc, time_t *oldtime, (size_t)sizeof(fsp->fs_faillog.fail_line)); fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; } - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - + if ( !(opts->ctrl & OPT_MAGIC_ROOT) || getuid() ) { /* magic_root doesn't change tally */ tally+=inc; - + if ( tally==TALLY_HI ) { /* Overflow *and* underflow. :) */ tally-=inc; - _pam_log(LOG_ALERT,"Tally %sflowed for user %s", + pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s", (inc<0)?"under":"over",user); } } - - i=set_tally( tally, uid, opts->filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } + + i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp ); + if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } return PAM_SUCCESS; -} +} -static int tally_check (time_t oldtime, - pam_handle_t *pamh, - uid_t uid, - const char *user, - struct tally_options *opts) { +static int +tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, + const char *user, struct tally_options *opts) +{ tally_t deny = opts->deny; tally_t @@ -489,17 +498,16 @@ static int tally_check (time_t oldtime, struct fail_s fs, *fsp = &fs; FILE *TALLY=0; int i; - - i=get_tally( &tally, uid, opts->filename, &TALLY, fsp ); - if (TALLY) fclose(TALLY); + + i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - + if ( !(opts->ctrl & OPT_MAGIC_ROOT) || getuid() ) { /* magic_root skips tally check */ - + /* To deny or not to deny; that is the question */ - + /* if there's .fail_max entry and per_user=TRUE then deny=.fail_max */ - + if ( (fsp->fs_faillog.fail_max) && (opts->ctrl & OPT_PER_USER) ) { deny = fsp->fs_faillog.fail_max; } @@ -510,11 +518,11 @@ static int tally_check (time_t oldtime, && !(opts->ctrl & OPT_NO_LOCK_TIME) ) { if ( lock_time + oldtime > time(NULL) ) - { - _pam_log(LOG_NOTICE, - "user %s ("UID_FMT") has time limit [%lds left]" + { + pam_syslog(pamh, LOG_NOTICE, + "user %s (%lu) has time limit [%lds left]" " since last failure.", - user,uid, + user, (unsigned long int) uid, oldtime+lock_time -time(NULL)); return PAM_AUTH_ERR; @@ -532,19 +540,19 @@ static int tally_check (time_t oldtime, ( tally > deny ) && /* tally>deny means exceeded */ ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */ ) { - _pam_log(LOG_NOTICE,"user %s ("UID_FMT") tally "TALLY_FMT", deny "TALLY_FMT, - user, uid, tally, deny); + pam_syslog(pamh, LOG_NOTICE, + "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, + user, (unsigned long int) uid, tally, deny); return PAM_AUTH_ERR; /* Only unconditional failure */ } } - + return PAM_SUCCESS; } -static int tally_reset (pam_handle_t *pamh, - uid_t uid, - const char *user, - struct tally_options *opts) { +static int +tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) +{ tally_t tally = 0; /* !TALLY_HI --> Log opened for update */ @@ -552,25 +560,25 @@ static int tally_reset (pam_handle_t *pamh, FILE *TALLY=0; int i; - i=get_tally( &tally, uid, opts->filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - + i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); + if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } + /* resets if not magic root */ - - if ( (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) - && !(opts->ctrl & OPT_NO_RESET) ) + + if ( (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) + && !(opts->ctrl & OPT_NO_RESET) ) { tally=0; } - + if (tally == 0) { fsp->fs_faillog.fail_time = (time_t) 0; - strcpy(fsp->fs_faillog.fail_line, ""); + strcpy(fsp->fs_faillog.fail_line, ""); } - i=set_tally( tally, uid, opts->filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - + i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp); + if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } + return PAM_SUCCESS; } @@ -580,61 +588,67 @@ static int tally_reset (pam_handle_t *pamh, #ifdef PAM_SM_AUTH -PAM_FUNCTION( pam_sm_authenticate ) { +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ int rvcheck, rvbump; time_t oldtime = 0; - struct tally_options + struct tally_options options, *opts = &options; - uid_t + uid_t uid; const char *user; - - rvcheck = tally_parse_args(opts, PHASE_AUTH, argc, argv); + + rvcheck = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck ); - + rvcheck = pam_get_uid(pamh, &uid, &user, opts); if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck ); - + rvbump = tally_bump(1, &oldtime, pamh, uid, user, opts); rvcheck = tally_check(oldtime, pamh, uid, user, opts); - + tally_set_data(pamh, oldtime); - + return rvcheck != PAM_SUCCESS ? rvcheck : rvbump; } -PAM_FUNCTION( pam_sm_setcred ) { +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ int rv; time_t oldtime = 0; - struct tally_options + struct tally_options options, *opts = &options; - uid_t + uid_t uid; const char *user; - - rv = tally_parse_args(opts, PHASE_AUTH, argc, argv); + + rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); rv = pam_get_uid(pamh, &uid, &user, opts); if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); - + if ( tally_get_data(pamh, &oldtime) != 0 ) /* no data found */ return PAM_SUCCESS; - + if ( (rv=tally_bump(-1, &oldtime, pamh, uid, user, opts)) != PAM_SUCCESS ) return rv; - return tally_reset(pamh, uid, user, opts); + return tally_reset(pamh, uid, opts); } #endif @@ -647,19 +661,22 @@ PAM_FUNCTION( pam_sm_setcred ) { /* To reset failcount of user on successfull login */ -PAM_FUNCTION( pam_sm_acct_mgmt ) { +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ int rv; time_t oldtime = 0; - struct tally_options + struct tally_options options, *opts = &options; - uid_t + uid_t uid; const char *user; - - rv = tally_parse_args(opts, PHASE_ACCOUNT, argc, argv); + + rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); @@ -670,11 +687,11 @@ PAM_FUNCTION( pam_sm_acct_mgmt ) { if ( tally_get_data(pamh, &oldtime) != 0 ) /* no data found */ return PAM_SUCCESS; - + if ( (rv=tally_bump(-1, &oldtime, pamh, uid, user, opts)) != PAM_SUCCESS ) return rv; - return tally_reset(pamh, uid, user, opts); -} + return tally_reset(pamh, uid, opts); +} #endif /* #ifdef PAM_SM_ACCOUNT */ @@ -717,16 +734,20 @@ static int cline_quiet = 0; * Not going to link with pamlib just for these.. :) */ -static const char * pam_errors( int i ) { +static const char * +pam_errors( int i ) +{ switch (i) { - case PAM_AUTH_ERR: return "Authentication error"; - case PAM_SERVICE_ERR: return "Service error"; - case PAM_USER_UNKNOWN: return "Unknown user"; - default: return "Unknown error"; + case PAM_AUTH_ERR: return _("Authentication error"); + case PAM_SERVICE_ERR: return _("Service error"); + case PAM_USER_UNKNOWN: return _("Unknown user"); + default: return _("Unknown error"); } } -static int getopts( int argc, char **argv ) { +static int +getopts( char **argv ) +{ const char *pname = *argv; for ( ; *argv ; (void)(*argv && ++argv) ) { if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; @@ -736,31 +757,31 @@ static int getopts( int argc, char **argv ) { else if ( !strcmp (*argv,"--reset") ) cline_reset=0; else if ( !strncmp(*argv,"--reset=",8)) { if ( sscanf(*argv+8,TALLY_FMT,&cline_reset) != 1 ) - fprintf(stderr,"%s: Bad number given to --reset=\n",pname), exit(0); + fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0); } else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; else { - fprintf(stderr,"%s: Unrecognised option %s\n",pname,*argv); + fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv); return FALSE; } } return TRUE; } -int main ( int argc, char **argv ) { - +int main ( int argc UNUSED, char **argv ) +{ struct fail_s fs, *fsp = &fs; - if ( ! getopts( argc, argv+1 ) ) { - printf("%s: [--file rooted-filename] [--user username] " - "[--reset[=n]] [--quiet]\n", + if ( ! getopts( argv+1 ) ) { + printf(_("%s: [--file rooted-filename] [--user username] " + "[--reset[=n]] [--quiet]\n"), *argv); exit(0); } umask(077); - /* + /* * Major difference between individual user and all users: * --user just handles one user, just like PAM. * --user=* handles all users, sniffing cline_filename for nonzeros @@ -772,29 +793,28 @@ int main ( int argc, char **argv ) { FILE *TALLY=0; struct tally_options opts; int i; - + memset(&opts, 0, sizeof(opts)); opts.ctrl = OPT_AUDIT; - i=pam_get_uid( NULL, &uid, NULL, &opts); - if ( i != PAM_SUCCESS ) { + i=pam_get_uid(NULL, &uid, NULL, &opts); + if ( i != PAM_SUCCESS ) { fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); exit(0); } - - i=get_tally( &tally, uid, cline_filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); + + i=get_tally(NULL, &tally, uid, cline_filename, &TALLY, fsp); + if ( i != PAM_SUCCESS ) { fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); exit(0); } - - if ( !cline_quiet ) - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",cline_user,uid, + + if ( !cline_quiet ) + printf("User %s\t(%lu)\t%s "TALLY_FMT"\n",cline_user, + (unsigned long int) uid, (cline_reset!=TALLY_HI)?"had":"has",tally); - - i=set_tally( cline_reset, uid, cline_filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); + + i=set_tally(NULL, cline_reset, uid, cline_filename, &TALLY, fsp); + if ( i != PAM_SUCCESS ) { fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); exit(0); } @@ -803,7 +823,7 @@ int main ( int argc, char **argv ) { FILE *TALLY=fopen(cline_filename, "r"); uid_t uid=0; if ( !TALLY ) perror(*argv), exit(0); - + for ( ; !feof(TALLY); uid++ ) { tally_t tally; struct passwd *pw; @@ -812,20 +832,22 @@ int main ( int argc, char **argv ) { || ! fsp->fs_faillog.fail_cnt ) { continue; } - tally = fsp->fs_faillog.fail_cnt; - + tally = fsp->fs_faillog.fail_cnt; + if ( ( pw=getpwuid(uid) ) ) { - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",pw->pw_name,uid, + printf("User %s\t(%lu)\t%s "TALLY_FMT"\n",pw->pw_name, + (unsigned long int) uid, (cline_reset!=TALLY_HI)?"had":"has",tally); } else { - printf("User [NONAME]\t("UID_FMT")\t%s "TALLY_FMT"\n",uid, + printf("User [NONAME]\t(%lu)\t%s "TALLY_FMT"\n", + (unsigned long int) uid, (cline_reset!=TALLY_HI)?"had":"has",tally); } } fclose(TALLY); if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { - fprintf(stderr,"%s: Can't reset all users to non-zero\n",*argv); + fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv); } else if ( !cline_reset ) { TALLY=fopen(cline_filename, "w"); @@ -837,4 +859,4 @@ int main ( int argc, char **argv ) { } -#endif +#endif /* #ifndef MAIN */ diff --git a/Linux-PAM/modules/pam_tally/tst-pam_tally b/Linux-PAM/modules/pam_tally/tst-pam_tally new file mode 100755 index 00000000..15291af6 --- /dev/null +++ b/Linux-PAM/modules/pam_tally/tst-pam_tally @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_tally.so diff --git a/Linux-PAM/modules/pam_time/Makefile b/Linux-PAM/modules/pam_time/Makefile deleted file mode 100644 index 4aa4e276..00000000 --- a/Linux-PAM/modules/pam_time/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# $Id: Makefile,v 1.2 2000/11/19 23:54:05 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_time -LOCAL_CONFILE=./time.conf -INSTALLED_CONFILE=$(SCONFIGD)/time.conf - -DEFS=-DDEFAULT_CONF_FILE=\"$(INSTALLED_CONFILE)\" -CFLAGS += $(DEFS) - -MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" -MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) -MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_time/Makefile.am b/Linux-PAM/modules/pam_time/Makefile.am new file mode 100644 index 00000000..6c5ae3a2 --- /dev/null +++ b/Linux-PAM/modules/pam_time/Makefile.am @@ -0,0 +1,32 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time + +man_MANS = time.conf.5 pam_time.8 +XMLS = README.xml time.conf.5.xml pam_time.8.xml + +TESTS = tst-pam_time + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_time.la +secureconf_DATA = time.conf + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_time.8.xml time.conf.5.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/Linux-PAM/modules/pam_time/Makefile.in b/Linux-PAM/modules/pam_time/Makefile.in new file mode 100644 index 00000000..9e3810bf --- /dev/null +++ b/Linux-PAM/modules/pam_time/Makefile.in @@ -0,0 +1,736 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_time +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_time_la_LIBADD = +pam_time_la_SOURCES = pam_time.c +pam_time_la_OBJECTS = pam_time.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_time.c +DIST_SOURCES = pam_time.c +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +secureconfDATA_INSTALL = $(INSTALL_DATA) +DATA = $(noinst_DATA) $(secureconf_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time +man_MANS = time.conf.5 pam_time.8 +XMLS = README.xml time.conf.5.xml pam_time.8.xml +TESTS = tst-pam_time +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" + +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_time.la +secureconf_DATA = time.conf +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_time/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_time/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_time.la: $(pam_time_la_OBJECTS) $(pam_time_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_time_la_OBJECTS) $(pam_time_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_time.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done +install-secureconfDATA: $(secureconf_DATA) + @$(NORMAL_INSTALL) + test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" + @list='$(secureconf_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ + $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +uninstall-secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(secureconf_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-secureconfDATA \ + install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_time.8.xml time.conf.5.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_time/README b/Linux-PAM/modules/pam_time/README index 0228b907..abafd936 100644 --- a/Linux-PAM/modules/pam_time/README +++ b/Linux-PAM/modules/pam_time/README @@ -1,30 +1,33 @@ -$Id: README,v 1.2 2000/12/04 19:02:35 baggins Exp $ +pam_time — PAM module for time control access -This is a help file for the pam_time module. It explains the need for -pam_time and also the syntax of the /etc/security/time.conf file. -[a lot of the syntax is freely adapted from the porttime file of the -shadow suite.] +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -1. Introduction -=============== +DESCRIPTION -It is desirable to restrict access to a system and or specific -applications at various times of the day and on specific days or over -various terminal lines. +The pam_time PAM module does not authenticate the user, but instead it +restricts access to a system and or specific applications at various times of +the day and on specific days or over various terminal lines. This module can be +configured to deny access to (individual) users based on their name, the time +of day, the day of week, the service they are applying for and their terminal +from which they are making their request. -The pam_time module is intended to offer a configurable module that -satisfies this purpose, within the context of Linux-PAM. +By default rules for time/port access are taken from config file /etc/security/ +time.conf. -2. the /etc/security/time.conf file -=================================== +EXAMPLES -This file is the configuration script for defining time/port access -control to the system/applications. +These are some example lines which might be specified in /etc/security/ +time.conf. -Its syntax is described in the sample ./time.conf provided in this -directory. +All users except for root are denied access to console-login at all times: + +login ; tty* & !ttyp* ; !root ; !Al0000-2400 + + +Games (configured to use PAM) are only to be accessed out of working hours. +This rule does not apply to the user waster: + + +games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 -unrecognised rules are ignored (but an error is logged to syslog(3)) --------------------- -Bugs to Andrew <morgan@parc.power.net> or the list <pam-list@redhat.com> diff --git a/Linux-PAM/modules/pam_time/README.xml b/Linux-PAM/modules/pam_time/README.xml new file mode 100644 index 00000000..6c11eec1 --- /dev/null +++ b/Linux-PAM/modules/pam_time/README.xml @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamtime SYSTEM "pam_time.8.xml"> +--> +<!-- +<!ENTITY timeconf SYSTEM "time.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_time.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_time-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_time/pam_time.8 b/Linux-PAM/modules/pam_time/pam_time.8 new file mode 100644 index 00000000..89506830 --- /dev/null +++ b/Linux-PAM/modules/pam_time/pam_time.8 @@ -0,0 +1,72 @@ +.\" Title: pam_time +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_TIME" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_time \- PAM module for time control access +.SH "SYNOPSIS" +.HP 12 +\fBpam_time.so\fR +.SH "DESCRIPTION" +.PP +The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request. +.PP +By default rules for time/port access are taken from config file +\fI/etc/security/time.conf\fR. +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBaccount\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_SUCCESS +Access was granted. +.TP 3n +PAM_ABORT +Not all relevant data could be gotten. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_PERM_DENIED +Access was not granted. +.TP 3n +PAM_USER_UNKNOWN +The user is not known to the system. +.SH "FILES" +.TP 3n +\fI/etc/security/time.conf\fR +Default configuration file +.SH "EXAMPLES" +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# apply pam_time accounting to login requests +# +login account required pam_time.so + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBtime.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8). +.SH "AUTHOR" +.PP +pam_time was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_time/pam_time.8.xml b/Linux-PAM/modules/pam_time/pam_time.8.xml new file mode 100644 index 00000000..1ec7eb0e --- /dev/null +++ b/Linux-PAM/modules/pam_time/pam_time.8.xml @@ -0,0 +1,148 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_time'> + + <refmeta> + <refentrytitle>pam_time</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_time-name'> + <refname>pam_time</refname> + <refpurpose> + PAM module for time control access + </refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis id="pam_time-cmdsynopsis"> + <command>pam_time.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_time-description"> + <title>DESCRIPTION</title> + <para> + The pam_time PAM module does not authenticate the user, but instead + it restricts access to a system and or specific applications at + various times of the day and on specific days or over various + terminal lines. This module can be configured to deny access to + (individual) users based on their name, the time of day, the day of + week, the service they are applying for and their terminal from which + they are making their request. + </para> + <para> + By default rules for time/port access are taken from config file + <filename>/etc/security/time.conf</filename>. + </para> + </refsect1> + + <refsect1 id="pam_time-options"> + <title>OPTIONS</title> + <para>This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_time-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>account</option> service is supported. + </para> + </refsect1> + + <refsect1 id="pam_time-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Access was granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data could be gotten. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Access was not granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_time-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/time.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_time-examples'> + <title>EXAMPLES</title> + <programlisting> +#%PAM-1.0 +# +# apply pam_time accounting to login requests +# +login account required pam_time.so + </programlisting> + </refsect1> + + <refsect1 id="pam_time-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>time.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_time-authors"> + <title>AUTHOR</title> + <para> + pam_time was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_time/pam_time.c b/Linux-PAM/modules/pam_time/pam_time.c index c04180f2..43b716f0 100644 --- a/Linux-PAM/modules/pam_time/pam_time.c +++ b/Linux-PAM/modules/pam_time/pam_time.c @@ -1,19 +1,12 @@ /* pam_time module */ /* - * $Id: pam_time.c,v 1.5 2004/09/22 09:37:50 kukuk Exp $ - * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/6/22 * (File syntax and much other inspiration from the shadow package * shadow-960129) */ -static const char rcsid[] = -"$Id: pam_time.c,v 1.5 2004/09/22 09:37:50 kukuk Exp $;\n" -"\t\tVersion 0.22 for Linux-PAM\n" -"Copyright (C) Andrew G. Morgan 1996 <morgan@linux.kernel.org>\n"; - -#include <security/_pam_aconf.h> +#include "config.h" #include <sys/file.h> #include <stdio.h> @@ -27,23 +20,18 @@ static const char rcsid[] = #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> +#include <netdb.h> -#ifdef DEFAULT_CONF_FILE -# define PAM_TIME_CONF DEFAULT_CONF_FILE /* from external define */ -#else -# define PAM_TIME_CONF "/etc/security/time.conf" -#endif #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ -#ifdef TRUE -# undef TRUE -#endif -#ifdef FALSE -# undef FALSE +#ifndef TRUE +# define TRUE 1 +#endif +#ifndef FALSE +# define FALSE 0 #endif -typedef enum { FALSE, TRUE } boolean; typedef enum { AND, OR } operator; /* @@ -57,21 +45,12 @@ typedef enum { AND, OR } operator; #include <security/_pam_macros.h> #include <security/pam_modules.h> +#include <security/pam_ext.h> /* --- static functions for checking whether the user should be let in --- */ -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_time", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - -static void shift_bytes(char *mem, int from, int by) +static void +shift_bytes(char *mem, int from, int by) { while (by-- > 0) { *mem = mem[from]; @@ -79,14 +58,15 @@ static void shift_bytes(char *mem, int from, int by) } } -static int read_field(int fd, char **buf, int *from, int *to) +static int +read_field(pam_handle_t *pamh, int fd, char **buf, int *from, int *to) { /* is buf set ? */ if (! *buf) { *buf = (char *) malloc(PAM_TIME_BUFLEN); if (! *buf) { - _log_err("out of memory"); + pam_syslog(pamh, LOG_ERR, "out of memory"); D(("no memory")); return -1; } @@ -97,7 +77,7 @@ static int read_field(int fd, char **buf, int *from, int *to) /* do we have a file open ? return error */ if (fd < 0 && *to <= 0) { - _log_err( PAM_TIME_CONF " not opened"); + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", PAM_TIME_CONF); memset(*buf, 0, PAM_TIME_BUFLEN); _pam_drop(*buf); return -1; @@ -126,7 +106,7 @@ static int read_field(int fd, char **buf, int *from, int *to) i = read(fd, *to + *buf, PAM_TIME_BUFLEN - *to); if (i < 0) { - _log_err("error reading " PAM_TIME_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_TIME_CONF); close(fd); return -1; } else if (!i) { @@ -134,7 +114,7 @@ static int read_field(int fd, char **buf, int *from, int *to) fd = -1; /* end of file reached */ } else *to += i; - + /* * contract the buffer. Delete any comments, and replace all * multiple spaces with single commas @@ -165,8 +145,9 @@ static int read_field(int fd, char **buf, int *from, int *to) *to -= j-i; ++i; } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); + pam_syslog(pamh, LOG_CRIT, + "internal error in file %s at line %d", + __FILE__, __LINE__); close(fd); return -1; } @@ -229,13 +210,13 @@ static int read_field(int fd, char **buf, int *from, int *to) /* read a member from a field */ -static int logic_member(const char *string, int *at) +static int +logic_member(const char *string, int *at) { - int len,c,to; + int c,to; int done=0; int token=0; - len=0; to=*at; do { c = string[to++]; @@ -258,7 +239,7 @@ static int logic_member(const char *string, int *at) default: if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.' || c == '/') { + || c == '-' || c == '.' || c == '/' || c == ':') { token = 1; } else if (token) { --to; @@ -274,11 +255,12 @@ static int logic_member(const char *string, int *at) typedef enum { VAL, OP } expect; -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) +static int +logic_field(pam_handle_t *pamh, const void *me, const char *x, int rule, + int (*agrees)(pam_handle_t *pamh, + const void *, const char *, int, int)) { - boolean left=FALSE, right, not=FALSE; + int left=FALSE, right, not=FALSE; operator oper=OR; int at=0, l; expect next=VAL; @@ -289,15 +271,18 @@ static boolean logic_field(const void *me, const char *x, int rule, if (next == VAL) { if (c == '!') not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); + else if (isalpha(c) || c == '*' || isdigit(c) || c == '_' + || c == '-' || c == '.' || c == '/' || c == ':') { + right = not ^ agrees(pamh, me, x+at, l, rule); if (oper == AND) left &= right; else left |= right; next = OP; } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected name (rule #%d)", + rule); return FALSE; } } else { /* OP */ @@ -309,8 +294,9 @@ static boolean logic_field(const void *me, const char *x, int rule, oper = OR; break; default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); + pam_syslog(pamh, LOG_ERR, + "garbled syntax; expected & or | (rule #%d)", + rule); D(("%c at %d",c,at)); return FALSE; } @@ -322,7 +308,9 @@ static boolean logic_field(const void *me, const char *x, int rule, return left; } -static boolean is_same(const void *A, const char *b, int len, int rule) +static int +is_same(pam_handle_t *pamh UNUSED, const void *A, const char *b, + int len, int rule UNUSED) { int i; const char *a; @@ -344,10 +332,10 @@ typedef struct { int minute; /* integer, hour*100+minute for now */ } TIME; -struct day { +static struct day { const char *d; int bit; -} static const days[11] = { +} const days[11] = { { "su", 01 }, { "mo", 02 }, { "tu", 04 }, @@ -361,7 +349,8 @@ struct day { { NULL, 0 } }; -static TIME time_now(void) +static TIME +time_now(void) { struct tm *local; time_t the_time; @@ -377,9 +366,11 @@ static TIME time_now(void) } /* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) +static int +check_time(pam_handle_t *pamh, const void *AT, const char *times, + int len, int rule) { - boolean not,pass; + int not,pass; int marked_day, time_start, time_end; const TIME *at; int i,j=0; @@ -389,7 +380,9 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) if (times == NULL) { /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); + pam_syslog(pamh, LOG_CRIT, + "internal error in file %s at line %d", + __FILE__, __LINE__); return FALSE; } @@ -413,13 +406,13 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) } j += 2; if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule); return FALSE; } marked_day ^= this_day; } if (marked_day == 0) { - _log_err("no day specified"); + pam_syslog(pamh, LOG_ERR, "no day specified"); return FALSE; } D(("day range = 0%o", marked_day)); @@ -443,7 +436,7 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); + pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule); return TRUE; } D(("times(%d to %d)", time_start,time_end)); @@ -476,8 +469,9 @@ static boolean check_time(const void *AT, const char *times, int len, int rule) return (not ^ pass); } -static int check_account(const char *service - , const char *tty, const char *user) +static int +check_account(pam_handle_t *pamh, const char *service, + const char *tty, const char *user) { int from=0,to=0,fd=-1; char *buffer=NULL; @@ -487,11 +481,11 @@ static int check_account(const char *service here_and_now = time_now(); /* find current time */ do { - boolean good=TRUE,intime; + int good=TRUE,intime; /* here we get the service name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh, fd, &buffer, &from, &to); if (!buffer || !buffer[0]) { /* empty line .. ? */ @@ -499,43 +493,51 @@ static int check_account(const char *service } ++count; - good = logic_field(service, buffer, count, is_same); + good = logic_field(pamh, service, buffer, count, is_same); D(("with service: %s", good ? "passes":"fails" )); /* here we get the terminal name field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh, fd, &buffer, &from, &to); if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no tty entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no tty entry #%d", PAM_TIME_CONF, count); continue; } - good &= logic_field(tty, buffer, count, is_same); + good &= logic_field(pamh, tty, buffer, count, is_same); D(("with tty: %s", good ? "passes":"fails" )); /* here we get the username field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh, fd, &buffer, &from, &to); if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no user entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no user entry #%d", PAM_TIME_CONF, count); continue; } - good &= logic_field(user, buffer, count, is_same); + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') + good &= innetgr (&buffer[1], NULL, user, NULL); + else + good &= logic_field(pamh, user, buffer, count, is_same); D(("with user: %s", good ? "passes":"fails" )); /* here we get the time field */ - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh, fd, &buffer, &from, &to); if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no time entry #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: no time entry #%d", PAM_TIME_CONF, count); continue; } - intime = logic_field(&here_and_now, buffer, count, check_time); + intime = logic_field(pamh, &here_and_now, buffer, count, check_time); D(("with time: %s", intime ? "passes":"fails" )); - fd = read_field(fd,&buffer,&from,&to); + fd = read_field(pamh, fd, &buffer, &from, &to); if (buffer && buffer[0]) { - _log_err(PAM_TIME_CONF "; poorly terminated rule #%d", count); + pam_syslog(pamh, LOG_ERR, + "%s: poorly terminated rule #%d", PAM_TIME_CONF, count); continue; } @@ -555,17 +557,19 @@ static int check_account(const char *service /* --- public account management functions --- */ -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { - const char *service=NULL, *tty=NULL; + const void *service=NULL, *void_tty=NULL; + const char *tty; const char *user=NULL; /* set service name */ - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) + if (pam_get_item(pamh, PAM_SERVICE, &service) != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); + pam_syslog(pamh, LOG_ERR, "cannot find the current service name"); return PAM_ABORT; } @@ -573,28 +577,33 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err("cannot determine the user's name"); + pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_USER_UNKNOWN; } /* set tty name */ - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS + || void_tty == NULL) { D(("PAM_TTY not set, probing stdin")); tty = ttyname(STDIN_FILENO); if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; + tty = ""; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); + pam_syslog(pamh, LOG_ERR, "couldn't set tty name"); return PAM_ABORT; } } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; + else + tty = void_tty; + + if (tty[0] == '/') { /* full path */ + const char *t; + tty++; + if ((t = strchr(tty, '/')) != NULL) { + tty = t + 1; + } } /* good, now we have the service name, the user and the terminal name */ @@ -603,7 +612,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc D(("user=%s", user)); D(("tty=%s", tty)); - return check_account(service,tty,user); + return check_account(pamh, service, tty, user); } /* end of module definition */ diff --git a/Linux-PAM/modules/pam_time/time.conf b/Linux-PAM/modules/pam_time/time.conf index d2062fdb..c7b7989c 100644 --- a/Linux-PAM/modules/pam_time/time.conf +++ b/Linux-PAM/modules/pam_time/time.conf @@ -20,7 +20,8 @@ # is a logic list of terminal names that this rule applies to. # # users -# is a logic list of users to whom this rule applies. +# is a logic list of users or a netgroup of users to whom this +# rule applies. # # NB. For these items the simple wildcard '*' may be used only once. # @@ -61,4 +62,4 @@ # # End of example file. -#
\ No newline at end of file +# diff --git a/Linux-PAM/modules/pam_time/time.conf.5 b/Linux-PAM/modules/pam_time/time.conf.5 new file mode 100644 index 00000000..400344a6 --- /dev/null +++ b/Linux-PAM/modules/pam_time/time.conf.5 @@ -0,0 +1,92 @@ +.\" Title: time.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "TIME.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +time.conf \- configuration file for the pam_time module +.SH "DESCRIPTION" +.PP +The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request. +.PP +For this module to function correctly there must be a correctly formatted +\fI/etc/security/time.conf\fR +file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line. +.PP +The syntax of the lines is as follows: +.PP + +\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR +.PP +In words, each rule occupies a line, terminated with a newline or the beginning of a comment; a '\fB#\fR'. It contains four fields separated with semicolons, '\fB;\fR'. +.PP +The first field, the +\fIservices\fR +field, is a logic list of PAM service names that the rule applies to. +.PP +The second field, the +\fItty\fR +field, is a logic list of terminal names that this rule applies to. +.PP +The third field, the +\fIusers\fR +field, is a logic list of users or a netgroup of users to whom this rule applies. +.PP +For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. +.PP +The +\fItimes\fR +field is used to indicate the times at which this rule applies. The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday. +.PP +Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day). +.PP +For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process. +.PP +Note, currently there is no daemon enforcing the end of a session. This needs to be remedied. +.PP +Poorly formatted rules are logged as errors using +\fBsyslog\fR(3). +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/time.conf\fR. +.PP +All users except for +\fIroot\fR +are denied access to console\-login at all times: +.sp +.RS 3n +.nf +login ; tty* & !ttyp* ; !root ; !Al0000\-2400 + +.fi +.RE +.sp +.PP +Games (configured to use PAM) are only to be accessed out of working hours. This rule does not apply to the user +\fIwaster\fR: +.sp +.RS 3n +.nf + +games ; * ; !waster ; Wd0000\-2400 | Wk1800\-0800 + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam_time\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_time was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_time/time.conf.5.xml b/Linux-PAM/modules/pam_time/time.conf.5.xml new file mode 100644 index 00000000..224fda34 --- /dev/null +++ b/Linux-PAM/modules/pam_time/time.conf.5.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="time.conf"> + + <refmeta> + <refentrytitle>time.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>time.conf</refname> + <refpurpose>configuration file for the pam_time module</refpurpose> + </refnamediv> + + <refsect1 id='time.conf-description'> + <title>DESCRIPTION</title> + + <para> + The pam_time PAM module does not authenticate the user, but instead + it restricts access to a system and or specific applications at + various times of the day and on specific days or over various + terminal lines. This module can be configured to deny access to + (individual) users based on their name, the time of day, the day of + week, the service they are applying for and their terminal from which + they are making their request. + </para> + <para> + For this module to function correctly there must be a correctly + formatted <filename>/etc/security/time.conf</filename> file present. + White spaces are ignored and lines maybe extended with '\' (escaped + newlines). Text following a '#' is ignored to the end of the line. + </para> + + <para> + The syntax of the lines is as follows: + </para> + + <para> + <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable> + </para> + <para> + In words, each rule occupies a line, terminated with a newline + or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'. + It contains four fields separated with semicolons, + '<emphasis remap='B'>;</emphasis>'. + </para> + + <para> + The first field, the <replaceable>services</replaceable> field, + is a logic list of PAM service names that the rule applies to. + </para> + + <para> + The second field, the <replaceable>tty</replaceable> + field, is a logic list of terminal names that this rule applies to. + </para> + + <para> + The third field, the <replaceable>users</replaceable> + field, is a logic list of users or a netgroup of users to whom this + rule applies. + </para> + + <para> + For these items the simple wildcard '*' may be used only once. + With netgroups no wildcards or logic operators are allowed. + </para> + + <para> + The <replaceable>times</replaceable> field is used to indicate the times + at which this rule applies. The format here is a logic + list of day/time-range entries. The days are specified by a sequence of + two character entries, MoTuSa for example is Monday Tuesday and Saturday. + Note that repeated days are unset MoMo = no day, and MoWk = all weekdays + bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa + Su Wk Wd Al, the last two being week-end days and all 7 days of the week + respectively. As a final example, AlFr means all days except Friday. + </para> + <para> + Each day/time-range can be prefixed with a '!' to indicate + "anything but". + The time-range part is two 24-hour times HHMM, separated by a hyphen, + indicating the start and finish time (if the finish time is smaller + than the start time it is deemed to apply on the following day). + </para> + + <para> + For a rule to be active, ALL of service+ttys+users must be satisfied + by the applying process. + </para> + <para> + Note, currently there is no daemon enforcing the end of a session. + This needs to be remedied. + </para> + <para> + Poorly formatted rules are logged as errors using + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </refsect1> + + <refsect1 id="time.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/time.conf</filename>. + </para> + <para> + All users except for <emphasis>root</emphasis> are denied access + to console-login at all times: + <programlisting> +login ; tty* & !ttyp* ; !root ; !Al0000-2400 + </programlisting> + </para> + + <para> + Games (configured to use PAM) are only to be accessed out of + working hours. This rule does not apply to the user + <emphasis>waster</emphasis>: + <programlisting> +games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 + </programlisting> + </para> + </refsect1> + + <refsect1 id="time.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="time.conf-author"> + <title>AUTHOR</title> + <para> + pam_time was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> +</refentry> diff --git a/Linux-PAM/modules/pam_time/tst-pam_time b/Linux-PAM/modules/pam_time/tst-pam_time new file mode 100755 index 00000000..030717bb --- /dev/null +++ b/Linux-PAM/modules/pam_time/tst-pam_time @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_time.so diff --git a/Linux-PAM/modules/pam_umask/Makefile.am b/Linux-PAM/modules/pam_umask/Makefile.am new file mode 100644 index 00000000..56fa63b4 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/Makefile.am @@ -0,0 +1,32 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_umask + +man_MANS = pam_umask.8 + +XMLS = README.xml pam_umask.8.xml + +TESTS = tst-pam_umask + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_umask.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_umask.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_umask/Makefile.in b/Linux-PAM/modules/pam_umask/Makefile.in new file mode 100644 index 00000000..45dd9509 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_umask +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_umask_la_LIBADD = +pam_umask_la_SOURCES = pam_umask.c +pam_umask_la_OBJECTS = pam_umask.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_umask.c +DIST_SOURCES = pam_umask.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_umask +man_MANS = pam_umask.8 +XMLS = README.xml pam_umask.8.xml +TESTS = tst-pam_umask +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_umask.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_umask/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_umask/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_umask.la: $(pam_umask_la_OBJECTS) $(pam_umask_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_umask_la_OBJECTS) $(pam_umask_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_umask.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_umask.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_umask/README b/Linux-PAM/modules/pam_umask/README new file mode 100644 index 00000000..69003ec3 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/README @@ -0,0 +1,58 @@ +pam_umask — PAM module to set the file mode creation mask + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_umask is a PAM module to set the file mode creation mask of the current +environment. The umask affects the default permissions assigned to newly +created files. + +The PAM module tries to get the umask value from the following places in the +following order: + + â— umask= argument + + â— umask= entry of the users GECOS field + + â— pri= entry of the users GECOS field + + â— ulimit= entry of the users GECOS field + + â— UMASK= entry from /etc/default/login + + â— UMASK entry from /etc/login.defs + +OPTIONS + +debug + + Print debug information. + +silent + + Don't print informative messages. + +usergroups + + If the user is not root, and the user ID is equal to the group ID, and the + username is the same as primary group name, the umask group bits are set to + be the same as owner bits (examples: 022 -> 002, 077 -> 007). + +umask=mask + + Sets the calling process's file mode creation mask (umask) to mask & 0777. + The value is interpreted as Octal. + +EXAMPLES + +Add the following line to /etc/pam.d/login to set the user specific umask at +login: + + session optional pam_umask.so umask=0022 + + +AUTHOR + +pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. + diff --git a/Linux-PAM/modules/pam_umask/README.xml b/Linux-PAM/modules/pam_umask/README.xml new file mode 100644 index 00000000..9afbe543 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_umask.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_umask.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_umask-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_umask/pam_umask.8 b/Linux-PAM/modules/pam_umask/pam_umask.8 new file mode 100644 index 00000000..43160d63 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/pam_umask.8 @@ -0,0 +1,96 @@ +.\" Title: pam_umask +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 08/06/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_UMASK" "8" "08/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_umask \- PAM module to set the file mode creation mask +.SH "SYNOPSIS" +.HP 13 +\fBpam_umask.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] +.SH "DESCRIPTION" +.PP +pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files. +.PP +The PAM module tries to get the umask value from the following places in the following order: +.TP 3n +\(bu +umask= argument +.TP 3n +\(bu +umask= entry of the users GECOS field +.TP 3n +\(bu +pri= entry of the users GECOS field +.TP 3n +\(bu +ulimit= entry of the users GECOS field +.TP 3n +\(bu +UMASK= entry from /etc/default/login +.TP 3n +\(bu +UMASK entry from /etc/login.defs +.sp +.RE +.SH "OPTIONS" +.PP +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBsilent\fR +Don't print informative messages. +.TP 3n +\fBusergroups\fR +If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007). +.TP 3n +\fBumask=\fR\fB\fImask\fR\fR +Sets the calling process's file mode creation mask (umask) to +\fBmask\fR +& 0777. The value is interpreted as Octal. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.PP +.TP 3n +PAM_SUCCESS +The new umask was set successfull. +.TP 3n +PAM_SERVICE_ERR +No username was given. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/login\fR +to set the user specific umask at login: +.sp +.RS 3n +.nf + session optional pam_umask.so umask=0022 + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. diff --git a/Linux-PAM/modules/pam_umask/pam_umask.8.xml b/Linux-PAM/modules/pam_umask/pam_umask.8.xml new file mode 100644 index 00000000..d65e6660 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/pam_umask.8.xml @@ -0,0 +1,220 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_umask"> + + <refmeta> + <refentrytitle>pam_umask</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_umask-name"> + <refname>pam_umask</refname> + <refpurpose>PAM module to set the file mode creation mask</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_umask-cmdsynopsis"> + <command>pam_umask.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + usergroups + </arg> + <arg choice="opt"> + umask=<replaceable>mask</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_umask-description"> + + <title>DESCRIPTION</title> + + <para> + pam_umask is a PAM module to set the file mode creation mask + of the current environment. The umask affects the default + permissions assigned to newly created files. + </para> + <para> + The PAM module tries to get the umask value from the + following places in the following order: + <itemizedlist> + <listitem> + <para> + umask= argument + </para> + </listitem> + <listitem> + <para> + umask= entry of the users GECOS field + </para> + </listitem> + <listitem> + <para> + pri= entry of the users GECOS field + </para> + </listitem> + <listitem> + <para> + ulimit= entry of the users GECOS field + </para> + </listitem> + <listitem> + <para> + UMASK= entry from /etc/default/login + </para> + </listitem> + <listitem> + <para> + UMASK entry from /etc/login.defs + </para> + </listitem> + </itemizedlist> + </para> + + </refsect1> + + <refsect1 id="pam_umask-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>usergroups</option> + </term> + <listitem> + <para> + If the user is not root, and the user ID is equal to the + group ID, and the username is the same as primary group name, + the umask group bits are set to be the same as + owner bits (examples: 022 -> 002, 077 -> 007). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>umask=<replaceable>mask</replaceable></option> + </term> + <listitem> + <para> + Sets the calling process's file mode creation mask (umask) + to <option>mask</option> & 0777. The value is interpreted + as Octal. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_umask-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_umask-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new umask was set successfull. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + No username was given. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_umask-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + set the user specific umask at login: + <programlisting> + session optional pam_umask.so umask=0022 + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_umask-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_umask-author'> + <title>AUTHOR</title> + <para> + pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_umask/pam_umask.c b/Linux-PAM/modules/pam_umask/pam_umask.c new file mode 100644 index 00000000..fdeb3c51 --- /dev/null +++ b/Linux-PAM/modules/pam_umask/pam_umask.c @@ -0,0 +1,319 @@ +/* + * Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License V2, in which case the provisions of the GPL + * are required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <pwd.h> +#include <grp.h> +#include <stdio.h> +#include <ctype.h> +#include <errno.h> +#include <limits.h> +#include <string.h> +#include <stdarg.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/resource.h> +#include <syslog.h> + +#define PAM_SM_SESSION + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#define BUF_SIZE 4096 +#define LOGIN_DEFS "/etc/login.defs" +#define LOGIN_CONF "/etc/default/login" + +struct options_t { + int debug; + int usergroups; + int silent; + char *umask; +}; +typedef struct options_t options_t; + +static void +parse_option (const pam_handle_t *pamh, const char *argv, options_t *options) +{ + if (argv == NULL || argv[0] == '\0') + return; + + if (strcasecmp (argv, "debug") == 0) + options->debug = 1; + else if (strncasecmp (argv, "umask=", 6) == 0) + options->umask = strdup (&argv[6]); + else if (strcasecmp (argv, "usergroups") == 0) + options->usergroups = 1; + else if (strcasecmp (argv, "silent") == 0) + options->silent = 1; + else + pam_syslog (pamh, LOG_ERR, "Unknown option: `%s'", argv); +} + +static char * +search_key (const char *filename) +{ + FILE *fp; + char *buf = NULL; + size_t buflen = 0; + char *retval = NULL; + + fp = fopen (filename, "r"); + if (NULL == fp) + return NULL; + + while (!feof (fp)) + { + char *tmp, *cp; +#if defined(HAVE_GETLINE) + ssize_t n = getline (&buf, &buflen, fp); +#elif defined (HAVE_GETDELIM) + ssize_t n = getdelim (&buf, &buflen, '\n', fp); +#else + ssize_t n; + + if (buf == NULL) + { + buflen = BUF_SIZE; + buf = malloc (buflen); + } + buf[0] = '\0'; + if (fgets (buf, buflen - 1, fp) == NULL) + break; + else if (buf != NULL) + n = strlen (buf); + else + n = 0; +#endif /* HAVE_GETLINE / HAVE_GETDELIM */ + cp = buf; + + if (n < 1) + break; + + tmp = strchr (cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; + while (isspace ((int)*cp)) /* remove spaces and tabs */ + ++cp; + if (*cp == '\0') /* ignore empty lines */ + continue; + + if (cp[strlen (cp) - 1] == '\n') + cp[strlen (cp) - 1] = '\0'; + + tmp = strsep (&cp, " \t="); + if (cp != NULL) + while (isspace ((int)*cp) || *cp == '=') + ++cp; + + if (strcasecmp (tmp, "UMASK") == 0) + { + retval = strdup (cp); + break; + } + } + fclose (fp); + + free (buf); + + return retval; +} + +static int +get_options (const pam_handle_t *pamh, options_t *options, + int argc, const char **argv) +{ + memset (options, 0, sizeof (options_t)); + /* Parse parameters for module */ + for ( ; argc-- > 0; argv++) + parse_option (pamh, *argv, options); + + if (options->umask == NULL) + options->umask = search_key (LOGIN_DEFS); + if (options->umask == NULL) + options->umask = search_key (LOGIN_CONF); + + return 0; +} + +static void +set_umask (const char *value) +{ + const char *value_orig = value; + mode_t mask; + char *endptr; + + mask = strtoul (value, &endptr, 8) & 0777; + if (((mask == 0) && (value_orig == endptr)) || + ((mask == ULONG_MAX) && (errno == ERANGE))) + return; + umask (mask); + return; +} + +/* Set the process nice, ulimit, and umask from the + password file entry. */ +static void +setup_limits_from_gecos (pam_handle_t *pamh, options_t *options, + struct passwd *pw) +{ + char *cp; + + if (options->usergroups) + { + /* if not root, and UID == GID, and username is the same as + primary group name, set umask group bits to be the same as + owner bits (examples: 022 -> 002, 077 -> 007). */ + if (pw->pw_uid != 0 && pw->pw_uid == pw->pw_gid) + { + struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid); + if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0)) + { + mode_t oldmask = umask (0777); + umask ((oldmask & ~070) | ((oldmask >> 3) & 070)); + } + } + } + + /* See if the GECOS field contains values for NICE, UMASK or ULIMIT. */ + for (cp = pw->pw_gecos; cp != NULL; cp = strchr (cp, ',')) + { + if (*cp == ',') + cp++; + + if (strncasecmp (cp, "umask=", 6) == 0) + umask (strtol (cp + 6, NULL, 8) & 0777); + else if (strncasecmp (cp, "pri=", 4) == 0) + { + errno = 0; + if (nice (strtol (cp + 4, NULL, 10)) == -1 && errno != 0) + { + if (!options->silent || options->debug) + pam_error (pamh, "nice failed: %m\n"); + pam_syslog (pamh, LOG_ERR, "nice failed: %m"); + } + } + else if (strncasecmp (cp, "ulimit=", 7) == 0) + { + struct rlimit rlimit_fsize; + rlimit_fsize.rlim_cur = 512L * strtol (cp + 7, NULL, 10); + rlimit_fsize.rlim_max = rlimit_fsize.rlim_cur; + if (setrlimit (RLIMIT_FSIZE, &rlimit_fsize) == -1) + { + if (!options->silent || options->debug) + pam_error (pamh, "setrlimit failed: %m\n"); + pam_syslog (pamh, LOG_ERR, "setrlimit failed: %m"); + } + } + } +} + + +PAM_EXTERN int +pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct passwd *pw; + options_t options; + const char *name; + int retval = PAM_SUCCESS; + + get_options (pamh, &options, argc, argv); + if (flags & PAM_SILENT) + options.silent = 1; + + /* get the user name. */ + if ((retval = pam_get_user (pamh, &name, NULL)) != PAM_SUCCESS) + { + pam_syslog (pamh, LOG_ERR, "pam_get_user failed: return %d", retval); + return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval); + } + + if (name == NULL || name[0] == '\0') + { + if (name) + { + pam_syslog (pamh, LOG_ERR, "bad username [%s]", name); + return PAM_USER_UNKNOWN; + } + return PAM_SERVICE_ERR; + } + + pw = pam_modutil_getpwnam (pamh, name); + if (pw == NULL) + { + pam_syslog (pamh, LOG_ERR, "account for %s not found", name); + return PAM_USER_UNKNOWN; + } + + if (options.umask != NULL) + { + set_umask (options.umask); + free (options.umask); + } + + setup_limits_from_gecos (pamh, &options, pw); + + return retval; +} + +PAM_EXTERN int +pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_umask_modstruct = { + "pam_umask", + NULL, + NULL, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; + +#endif + +/* end of module definition */ diff --git a/Linux-PAM/modules/pam_umask/tst-pam_umask b/Linux-PAM/modules/pam_umask/tst-pam_umask new file mode 100755 index 00000000..3608a9de --- /dev/null +++ b/Linux-PAM/modules/pam_umask/tst-pam_umask @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_umask.so diff --git a/Linux-PAM/modules/pam_unix/Makefile b/Linux-PAM/modules/pam_unix/Makefile deleted file mode 100644 index 7f32e073..00000000 --- a/Linux-PAM/modules/pam_unix/Makefile +++ /dev/null @@ -1,191 +0,0 @@ -# $Id: Makefile,v 1.8 2004/11/08 08:58:37 kukuk Exp $ -# -# This Makefile controls a build process of the pam_unix modules -# for Linux-PAM. You should not modify this Makefile. -# - -include ../../Make.Rules - -######################################################################## -# some options... uncomment to take effect -######################################################################## - -# Unless someone wants to work out how to make this work with the new -# autoconf stuff, you should use a separate module for this type of thing -# pam_cracklib perhaps..? -# do you want cracklib? -#ifeq ($(HAVE_CRACKLIB),yes) -#USE_CRACKLIB=-D"USE_CRACKLIB" -#endif - -ifeq ($(shell if [ -f /usr/lib/cracklib_dict.hwm ]; then echo yes ; fi),yes) - CRACKLIB_DICTPATH=/usr/lib/cracklib_dict -else - CRACKLIB_DICTPATH=/usr/share/dict/cracklib_dict -endif -EXTRAS += -DCRACKLIB_DICTS=\"$(CRACKLIB_DICTPATH)\" - -ifeq ($(HAVE_LIBCRYPT),yes) - EXTRALS += -lcrypt -endif -ifeq ($(HAVE_LIBNSL),yes) - EXTRALS += -lnsl -endif -# do you want to use lckpwdf? -ifeq ($(WITH_LCKPWDF),yes) -USE_LCKPWDF=-D"USE_LCKPWDF" -# do you need to include the locking functions in the source? -ifeq ($(HAVE_LCKPWDF),no) - NEED_LCKPWDF=-D"NEED_LCKPWDF" -endif -endif - -ifeq ($(HAVE_LIBNSL),yes) - LIBNSL = -lnsl -endif - -ifeq ($(HAVE_LIBCRYPT),yes) - LIBCRYPT=-lcrypt -endif - -CHKPWD=unix_chkpwd - -BIGCRYPT=bigcrypt - -EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\" - -LINK_PAMMODUTILS = -L../pammodutil -lpammodutil -INCLUDE_PAMMODUTILS = -I../pammodutil/include - -######################################################################## - -CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS) \ - $(INCLUDE_PAMMODUTILS) - -LDLIBS = $(EXTRALS) $(LINK_PAMMODUTILS) - -ifdef USE_CRACKLIB -CRACKLIB = -lcrack -endif - - -LIBOBJ = pam_unix_auth.o pam_unix_acct.o pam_unix_sess.o pam_unix_passwd.o \ - support.o -LIBSRC = pam_unix_auth.c pam_unix_acct.c pam_unix_sess.c pam_unix_passwd.c \ - support.c -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -PLUS = md5_good.o md5_broken.o md5_crypt_good.o md5_crypt_broken.o \ - yppasswd_xdr.o bigcrypt.o - -ifdef DYNAMIC -LIBSHARED = pam_unix.so -endif -ifdef STATIC -LIBSTATIC = libpam_unix.o -endif - - -########################### don't edit below ####################### - -all: dirs info $(PLUS) $(LIBSHARED) $(LIBSTATIC) $(CHKPWD) $(BIGCRYPT) \ - register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o: %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -info: - @echo - @echo "*** Building pam-unix module of the framework..." - @echo - -dirs: -ifdef DYNAMIC - mkdir -p ./dynamic -endif -ifdef STATIC - mkdir -p ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static pam_unix_auth pam_unix/$(LIBSTATIC) ; \ - ./register_static pam_unix_acct "" ; \ - ./register_static pam_unix_session "" ; \ - ./register_static pam_unix_passwd "" ; \ - ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(PLUS) $(CRACKLIB) $(LDLIBS) $(LIBNSL) $(LIBCRYPT) $(NEED_LINK_LIB_C) -L../../libpam -lpam -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(PLUS) $(CRACKLIB) $(LDLIBS) $(LIBNSL) $(LIBCRYPT) -endif - -$(CHKPWD): unix_chkpwd.o md5_good.o md5_broken.o \ - md5_crypt_good.o md5_crypt_broken.o \ - bigcrypt.o - $(CC) $(CFLAGS) -o $(CHKPWD) $^ $(LDLIBS) $(LIBCRYPT) - -$(BIGCRYPT): bigcrypt_main.o bigcrypt.o - $(CC) -o $(BIGCRYPT) $^ $(LDLIBS) $(LIBCRYPT) - -unix_chkpwd.o: unix_chkpwd.c - $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -md5_good.o: md5.c - $(CC) $(CFLAGS) $(CPPFLAGS) -DHIGHFIRST -D'MD5Name(x)=Good##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_broken.o: md5.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_crypt_good.o: md5_crypt.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Good##x' \ - $(TARGET_ARCH) -c $< -o $@ - -md5_crypt_broken.o: md5_crypt.c - $(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \ - $(TARGET_ARCH) -c $< -o $@ - -install: all - mkdir -p $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - install -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) - for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session;\ - do ln -sf $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)/$$x.so ; done -endif - $(MKDIR) $(FAKEROOT)$(SUPLEMENTED) - install -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(LIBSHARED) - for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session;\ - do rm -f $(FAKEROOT)$(SECUREDIR)/$$x.so ; done - rm -f $(FAKEROOT)$(SUPLEMENTED)/$(CHKPWD) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) $(CHKPWD) $(BIGCRYPT) *.o *.so core - rm -f *~ *.a *.out *.bak - rm -rf dynamic static - -.c.o: - $(CC) -c $(CFLAGS) $< - diff --git a/Linux-PAM/modules/pam_unix/Makefile.am b/Linux-PAM/modules/pam_unix/Makefile.am new file mode 100644 index 00000000..83b6c0b3 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/Makefile.am @@ -0,0 +1,61 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ + tst-pam_unix $(XMLS) + +man_MANS = pam_unix.8 unix_chkpwd.8 +XMLS = README.xml pam_unix.8.xml + +TESTS = tst-pam_unix + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" + +if HAVE_LIBSELINUX + AM_CFLAGS += -D"WITH_SELINUX" +endif +if HAVE_LIBCRACK + AM_CFLAGS += -D"USE_CRACKLIB" +endif + +pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module \ + @LIBCRACK@ @LIBNSL@ -L$(top_builddir)/libpam -lpam \ + @LIBCRYPT@ @LIBSELINUX@ +if HAVE_VERSIONING + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_unix.la + +noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h + +sbin_PROGRAMS = unix_chkpwd + +noinst_PROGRAMS = bigcrypt + +pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + yppasswd_xdr.c md5_good.c md5_broken.c + +bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c +bigcrypt_CFLAGS = $(AM_CFLAGS) +bigcrypt_LDFLAGS = @LIBCRYPT@ + +unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c +unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ +unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -L$(top_builddir)/libpam -lpam \ + @LIBCRYPT@ @LIBSELINUX@ + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_unix.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_unix/Makefile.in b/Linux-PAM/modules/pam_unix/Makefile.in new file mode 100644 index 00000000..e3b34afb --- /dev/null +++ b/Linux-PAM/modules/pam_unix/Makefile.in @@ -0,0 +1,859 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" +@HAVE_LIBCRACK_TRUE@am__append_2 = -D"USE_CRACKLIB" +@HAVE_VERSIONING_TRUE@am__append_3 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = unix_chkpwd$(EXEEXT) +noinst_PROGRAMS = bigcrypt$(EXEEXT) +subdir = modules/pam_unix +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_unix_la_LIBADD = +am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \ + pam_unix_passwd.lo pam_unix_sess.lo support.lo yppasswd_xdr.lo \ + md5_good.lo md5_broken.lo +pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS) +pam_unix_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_unix_la_LDFLAGS) $(LDFLAGS) -o $@ +sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS) +am_bigcrypt_OBJECTS = bigcrypt-bigcrypt.$(OBJEXT) \ + bigcrypt-bigcrypt_main.$(OBJEXT) +bigcrypt_OBJECTS = $(am_bigcrypt_OBJECTS) +bigcrypt_LDADD = $(LDADD) +bigcrypt_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(bigcrypt_CFLAGS) $(CFLAGS) \ + $(bigcrypt_LDFLAGS) $(LDFLAGS) -o $@ +am_unix_chkpwd_OBJECTS = unix_chkpwd-unix_chkpwd.$(OBJEXT) \ + unix_chkpwd-md5_good.$(OBJEXT) \ + unix_chkpwd-md5_broken.$(OBJEXT) \ + unix_chkpwd-bigcrypt.$(OBJEXT) +unix_chkpwd_OBJECTS = $(am_unix_chkpwd_OBJECTS) +unix_chkpwd_LDADD = $(LDADD) +unix_chkpwd_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(unix_chkpwd_CFLAGS) \ + $(CFLAGS) $(unix_chkpwd_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ + $(unix_chkpwd_SOURCES) +DIST_SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ + $(unix_chkpwd_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ + tst-pam_unix $(XMLS) + +man_MANS = pam_unix.8 unix_chkpwd.8 +XMLS = README.xml pam_unix.8.xml +TESTS = tst-pam_unix +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include \ + -I$(top_srcdir)/libpamc/include \ + -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" $(am__append_1) \ + $(am__append_2) +pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module @LIBCRACK@ \ + @LIBNSL@ -L$(top_builddir)/libpam -lpam @LIBCRYPT@ \ + @LIBSELINUX@ $(am__append_3) +securelib_LTLIBRARIES = pam_unix.la +noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h +pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + yppasswd_xdr.c md5_good.c md5_broken.c + +bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c +bigcrypt_CFLAGS = $(AM_CFLAGS) +bigcrypt_LDFLAGS = @LIBCRYPT@ +unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c +unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ +unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -L$(top_builddir)/libpam -lpam \ + @LIBCRYPT@ @LIBSELINUX@ + +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_unix/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_unix/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_unix.la: $(pam_unix_la_OBJECTS) $(pam_unix_la_DEPENDENCIES) + $(pam_unix_la_LINK) -rpath $(securelibdir) $(pam_unix_la_OBJECTS) $(pam_unix_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ + rm -f "$(DESTDIR)$(sbindir)/$$f"; \ + done + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +bigcrypt$(EXEEXT): $(bigcrypt_OBJECTS) $(bigcrypt_DEPENDENCIES) + @rm -f bigcrypt$(EXEEXT) + $(bigcrypt_LINK) $(bigcrypt_OBJECTS) $(bigcrypt_LDADD) $(LIBS) +unix_chkpwd$(EXEEXT): $(unix_chkpwd_OBJECTS) $(unix_chkpwd_DEPENDENCIES) + @rm -f unix_chkpwd$(EXEEXT) + $(unix_chkpwd_LINK) $(unix_chkpwd_OBJECTS) $(unix_chkpwd_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt_main.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_broken.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_good.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_acct.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_sess.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/support.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-bigcrypt.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_broken.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_good.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/yppasswd_xdr.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +bigcrypt-bigcrypt.o: bigcrypt.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -MT bigcrypt-bigcrypt.o -MD -MP -MF $(DEPDIR)/bigcrypt-bigcrypt.Tpo -c -o bigcrypt-bigcrypt.o `test -f 'bigcrypt.c' || echo '$(srcdir)/'`bigcrypt.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/bigcrypt-bigcrypt.Tpo $(DEPDIR)/bigcrypt-bigcrypt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt.c' object='bigcrypt-bigcrypt.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -c -o bigcrypt-bigcrypt.o `test -f 'bigcrypt.c' || echo '$(srcdir)/'`bigcrypt.c + +bigcrypt-bigcrypt.obj: bigcrypt.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -MT bigcrypt-bigcrypt.obj -MD -MP -MF $(DEPDIR)/bigcrypt-bigcrypt.Tpo -c -o bigcrypt-bigcrypt.obj `if test -f 'bigcrypt.c'; then $(CYGPATH_W) 'bigcrypt.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/bigcrypt-bigcrypt.Tpo $(DEPDIR)/bigcrypt-bigcrypt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt.c' object='bigcrypt-bigcrypt.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -c -o bigcrypt-bigcrypt.obj `if test -f 'bigcrypt.c'; then $(CYGPATH_W) 'bigcrypt.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt.c'; fi` + +bigcrypt-bigcrypt_main.o: bigcrypt_main.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -MT bigcrypt-bigcrypt_main.o -MD -MP -MF $(DEPDIR)/bigcrypt-bigcrypt_main.Tpo -c -o bigcrypt-bigcrypt_main.o `test -f 'bigcrypt_main.c' || echo '$(srcdir)/'`bigcrypt_main.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/bigcrypt-bigcrypt_main.Tpo $(DEPDIR)/bigcrypt-bigcrypt_main.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt_main.c' object='bigcrypt-bigcrypt_main.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -c -o bigcrypt-bigcrypt_main.o `test -f 'bigcrypt_main.c' || echo '$(srcdir)/'`bigcrypt_main.c + +bigcrypt-bigcrypt_main.obj: bigcrypt_main.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -MT bigcrypt-bigcrypt_main.obj -MD -MP -MF $(DEPDIR)/bigcrypt-bigcrypt_main.Tpo -c -o bigcrypt-bigcrypt_main.obj `if test -f 'bigcrypt_main.c'; then $(CYGPATH_W) 'bigcrypt_main.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt_main.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/bigcrypt-bigcrypt_main.Tpo $(DEPDIR)/bigcrypt-bigcrypt_main.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt_main.c' object='bigcrypt-bigcrypt_main.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bigcrypt_CFLAGS) $(CFLAGS) -c -o bigcrypt-bigcrypt_main.obj `if test -f 'bigcrypt_main.c'; then $(CYGPATH_W) 'bigcrypt_main.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt_main.c'; fi` + +unix_chkpwd-unix_chkpwd.o: unix_chkpwd.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-unix_chkpwd.o -MD -MP -MF $(DEPDIR)/unix_chkpwd-unix_chkpwd.Tpo -c -o unix_chkpwd-unix_chkpwd.o `test -f 'unix_chkpwd.c' || echo '$(srcdir)/'`unix_chkpwd.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-unix_chkpwd.Tpo $(DEPDIR)/unix_chkpwd-unix_chkpwd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='unix_chkpwd.c' object='unix_chkpwd-unix_chkpwd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-unix_chkpwd.o `test -f 'unix_chkpwd.c' || echo '$(srcdir)/'`unix_chkpwd.c + +unix_chkpwd-unix_chkpwd.obj: unix_chkpwd.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-unix_chkpwd.obj -MD -MP -MF $(DEPDIR)/unix_chkpwd-unix_chkpwd.Tpo -c -o unix_chkpwd-unix_chkpwd.obj `if test -f 'unix_chkpwd.c'; then $(CYGPATH_W) 'unix_chkpwd.c'; else $(CYGPATH_W) '$(srcdir)/unix_chkpwd.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-unix_chkpwd.Tpo $(DEPDIR)/unix_chkpwd-unix_chkpwd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='unix_chkpwd.c' object='unix_chkpwd-unix_chkpwd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-unix_chkpwd.obj `if test -f 'unix_chkpwd.c'; then $(CYGPATH_W) 'unix_chkpwd.c'; else $(CYGPATH_W) '$(srcdir)/unix_chkpwd.c'; fi` + +unix_chkpwd-md5_good.o: md5_good.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-md5_good.o -MD -MP -MF $(DEPDIR)/unix_chkpwd-md5_good.Tpo -c -o unix_chkpwd-md5_good.o `test -f 'md5_good.c' || echo '$(srcdir)/'`md5_good.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-md5_good.Tpo $(DEPDIR)/unix_chkpwd-md5_good.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='md5_good.c' object='unix_chkpwd-md5_good.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-md5_good.o `test -f 'md5_good.c' || echo '$(srcdir)/'`md5_good.c + +unix_chkpwd-md5_good.obj: md5_good.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-md5_good.obj -MD -MP -MF $(DEPDIR)/unix_chkpwd-md5_good.Tpo -c -o unix_chkpwd-md5_good.obj `if test -f 'md5_good.c'; then $(CYGPATH_W) 'md5_good.c'; else $(CYGPATH_W) '$(srcdir)/md5_good.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-md5_good.Tpo $(DEPDIR)/unix_chkpwd-md5_good.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='md5_good.c' object='unix_chkpwd-md5_good.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-md5_good.obj `if test -f 'md5_good.c'; then $(CYGPATH_W) 'md5_good.c'; else $(CYGPATH_W) '$(srcdir)/md5_good.c'; fi` + +unix_chkpwd-md5_broken.o: md5_broken.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-md5_broken.o -MD -MP -MF $(DEPDIR)/unix_chkpwd-md5_broken.Tpo -c -o unix_chkpwd-md5_broken.o `test -f 'md5_broken.c' || echo '$(srcdir)/'`md5_broken.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-md5_broken.Tpo $(DEPDIR)/unix_chkpwd-md5_broken.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='md5_broken.c' object='unix_chkpwd-md5_broken.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-md5_broken.o `test -f 'md5_broken.c' || echo '$(srcdir)/'`md5_broken.c + +unix_chkpwd-md5_broken.obj: md5_broken.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-md5_broken.obj -MD -MP -MF $(DEPDIR)/unix_chkpwd-md5_broken.Tpo -c -o unix_chkpwd-md5_broken.obj `if test -f 'md5_broken.c'; then $(CYGPATH_W) 'md5_broken.c'; else $(CYGPATH_W) '$(srcdir)/md5_broken.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-md5_broken.Tpo $(DEPDIR)/unix_chkpwd-md5_broken.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='md5_broken.c' object='unix_chkpwd-md5_broken.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-md5_broken.obj `if test -f 'md5_broken.c'; then $(CYGPATH_W) 'md5_broken.c'; else $(CYGPATH_W) '$(srcdir)/md5_broken.c'; fi` + +unix_chkpwd-bigcrypt.o: bigcrypt.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-bigcrypt.o -MD -MP -MF $(DEPDIR)/unix_chkpwd-bigcrypt.Tpo -c -o unix_chkpwd-bigcrypt.o `test -f 'bigcrypt.c' || echo '$(srcdir)/'`bigcrypt.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-bigcrypt.Tpo $(DEPDIR)/unix_chkpwd-bigcrypt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt.c' object='unix_chkpwd-bigcrypt.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-bigcrypt.o `test -f 'bigcrypt.c' || echo '$(srcdir)/'`bigcrypt.c + +unix_chkpwd-bigcrypt.obj: bigcrypt.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -MT unix_chkpwd-bigcrypt.obj -MD -MP -MF $(DEPDIR)/unix_chkpwd-bigcrypt.Tpo -c -o unix_chkpwd-bigcrypt.obj `if test -f 'bigcrypt.c'; then $(CYGPATH_W) 'bigcrypt.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/unix_chkpwd-bigcrypt.Tpo $(DEPDIR)/unix_chkpwd-bigcrypt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bigcrypt.c' object='unix_chkpwd-bigcrypt.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(unix_chkpwd_CFLAGS) $(CFLAGS) -c -o unix_chkpwd-bigcrypt.obj `if test -f 'bigcrypt.c'; then $(CYGPATH_W) 'bigcrypt.c'; else $(CYGPATH_W) '$(srcdir)/bigcrypt.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinPROGRAMS \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_unix.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_unix/README b/Linux-PAM/modules/pam_unix/README index afeee3da..3421eb31 100644 --- a/Linux-PAM/modules/pam_unix/README +++ b/Linux-PAM/modules/pam_unix/README @@ -1,37 +1,142 @@ -pam_unix comes as one module pam_unix.so. - -The following links are left for compatibility with old versions: -pam_unix_auth: authentication module providing - pam_authenticate() and pam_setcred() hooks -pam_unix_sess: session module, providing session logging -pam_unix_acct: account management, providing shadow account - managment features, password aging etc.. -pam_unix_passwd: password updating facilities providing - cracklib password strength checking facilities. - -The following options are recognized: - debug - log more debugging info - audit - a little more extreme than debug - use_first_pass - don't prompt the user for passwords - take them from PAM_ items instead - try_first_pass - don't prompt the user for the passwords - unless PAM_(OLD)AUTHTOK is unset - use_authtok - like try_first_pass, but * fail * if the new - PAM_AUTHTOK has not been previously set. - (intended for stacking password modules only) - not_set_pass - don't set the PAM_ items with the passwords - used by this module. - shadow - try to maintian a shadow based system. - md5 - when a user changes their password next, - encrypt it with the md5 algorithm. - bigcrypt - when a user changes their password next, - excrypt it with the DEC C2 - algorithm(0). - nodelay - used to prevent failed authentication - resulting in a delay of about 1 second. - nis - use NIS RPC for setting new password - remember=X - remember X old passwords, they are kept in - /etc/security/opasswd in MD5 crypted form - broken_shadow - ignore errors reading shadow information for - users in the account management module - - invalid arguments are logged to syslog. +pam_unix — Module for traditional password authentication + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +This is the standard Unix authentication module. It uses standard calls from +the system's libraries to retrieve and set account information as well as +authentication. Usually this is obtained from the /etc/passwd and the /etc/ +shadow file as well if shadow is enabled. + +The account component performs the task of establishing the status of the +user's account and password based on the following shadow elements: expire, +last_change, max_change, min_change, warn_change. In the case of the latter, it +may offer advice to the user on changing their password or, through the +PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have +established a new password. The entries listed above are documented in the +shadow(5) manual page. Should the user's record not contain one or more of +these entries, the corresponding shadow check is not performed. + +The authentication component performs the task of checking the users +credentials (password). The default action of this module is to not permit the +user access to a service if their official password is blank. + +A helper binary, unix_chkpwd(8), is provided to check the user's password when +it is stored in a read protected database. This binary is very simple and will +only check the password of the user invoking it. It is called transparently on +behalf of the user by the authenticating component of this module. In this way +it is possible for applications like xlock(1) to work without being +setuid-root. The module, by default, will temporarily turn off SIGCHLD handling +for the duration of execution of the helper binary. This is generally the right +thing to do, as many applications are not prepared to handle this signal from a +child they didn't know was fork()d. The noreap module argument can be used to +suppress this temporary shielding and may be needed for use with certain +applications. + +The password component of this module performs the task of updating the user's +password. + +The session component of this module logs when a user logins or leave the +system. + +Remaining arguments, supported by others functions of this module, are silently +ignored. Other arguments are logged as errors through syslog(3). + +OPTIONS + +debug + + Turns on debugging via syslog(3). + +audit + + A little more extreme than debug. + +nullok + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides + this default. + +try_first_pass + + Before prompting the user for their password, the module first tries the + previous stacked module's password in case that satisfies this module as + well. + +use_first_pass + + The argument use_first_pass forces the module to use a previous stacked + modules password and will never prompt the user - if no password is + available or the password is not appropriate, the user will be denied + access. + +nodelay + + This argument can be used to discourage the authentication component from + requesting a delay should the authentication as a whole fail. The default + action is for the module to request a delay-on-failure of the order of two + second. + +use_authtok + + When password changing enforce the module to set the new password to the + one provided by a previously stacked password module (this is used in the + example of the stacking of the pam_cracklib module documented above). + +not_set_pass + + This argument is used to inform the module that it is not to pay attention + to/make available the old or new passwords from/to other (stacked) password + modules. + +nis + + NIS RPC is used for setting new passwords. + +remember=n + + The last n passwords for each user are saved in /etc/security/opasswd in + order to force password change history and keep the user from alternating + between the same password too frequently. + +shadow + + Try to maintain a shadow based system. + +md5 + + When a user changes their password next, encrypt it with the MD5 algorithm. + +bigcrypt + + When a user changes their password next, encrypt it with the DEC C2 + algorithm. + +broken_shadow + + Ignore errors reading shadow inforation for users in the account management + module. + +Invalid arguments are logged with syslog(3). + +EXAMPLES + +An example usage for /etc/pam.d/login would be: + +# Authenticate the user +auth required pam_unix.so +# Ensure users account and password are still active +account required pam_unix.so +# Change the users password, but at first check the strength +# with pam_cracklib(8) +password required pam_cracklib.so retry=3 minlen=6 difok=3 +password required pam_unix.so use_authtok nullok md5 +session required pam_unix.so + + +AUTHOR + +pam_unix was written by various people. + diff --git a/Linux-PAM/modules/pam_unix/README.xml b/Linux-PAM/modules/pam_unix/README.xml new file mode 100644 index 00000000..7fd340b3 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_unix.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_unix.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_unix-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_unix/bigcrypt.c b/Linux-PAM/modules/pam_unix/bigcrypt.c index 6b73f3d2..d825bc71 100644 --- a/Linux-PAM/modules/pam_unix/bigcrypt.c +++ b/Linux-PAM/modules/pam_unix/bigcrypt.c @@ -24,12 +24,16 @@ * Andy Phillips <atp@mssl.ucl.ac.uk> */ +#include "config.h" + #include <string.h> #include <stdlib.h> #include <security/_pam_macros.h> +#ifdef HAVE_CRYPT_H +#include <crypt.h> +#endif -char *crypt(const char *key, const char *salt); -char *bigcrypt(const char *key, const char *salt); +#include "bigcrypt.h" /* * Max cleartext password length in segments of 8 characters this diff --git a/Linux-PAM/modules/pam_unix/bigcrypt.h b/Linux-PAM/modules/pam_unix/bigcrypt.h new file mode 100644 index 00000000..a66a96e6 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/bigcrypt.h @@ -0,0 +1 @@ +extern char *bigcrypt(const char *key, const char *salt); diff --git a/Linux-PAM/modules/pam_unix/bigcrypt_main.c b/Linux-PAM/modules/pam_unix/bigcrypt_main.c index 70819072..fab212d9 100644 --- a/Linux-PAM/modules/pam_unix/bigcrypt_main.c +++ b/Linux-PAM/modules/pam_unix/bigcrypt_main.c @@ -1,7 +1,7 @@ #include <stdio.h> #include <string.h> -extern const char *bigcrypt(const char *password, const char *salt); +#include "bigcrypt.h" int main(int argc, char **argv) diff --git a/Linux-PAM/modules/pam_unix/lckpwdf.-c b/Linux-PAM/modules/pam_unix/lckpwdf.-c index b5ff4585..7145617e 100644 --- a/Linux-PAM/modules/pam_unix/lckpwdf.-c +++ b/Linux-PAM/modules/pam_unix/lckpwdf.-c @@ -26,6 +26,9 @@ #include <fcntl.h> #include <signal.h> +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#endif #define LOCKFILE "/etc/.pwd.lock" #define TIMEOUT 15 @@ -64,6 +67,28 @@ static int lckpwdf(void) if (lockfd != -1) return -1; +#ifdef WITH_SELINUX + if(is_selinux_enabled()>0) + { + lockfd = open(LOCKFILE, O_WRONLY); + if(lockfd == -1 && errno == ENOENT) + { + security_context_t create_context; + int rc; + + if(getfilecon("/etc/passwd", &create_context)) + return -1; + rc = setfscreatecon(create_context); + freecon(create_context); + if(rc) + return -1; + lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); + if(setfscreatecon(NULL)) + return -1; + } + } + else +#endif lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); if (lockfd == -1) return -1; diff --git a/Linux-PAM/modules/pam_unix/md5_broken.c b/Linux-PAM/modules/pam_unix/md5_broken.c new file mode 100644 index 00000000..193daebb --- /dev/null +++ b/Linux-PAM/modules/pam_unix/md5_broken.c @@ -0,0 +1,4 @@ +#define MD5Name(x) Broken##x + +#include "md5.c" +#include "md5_crypt.c" diff --git a/Linux-PAM/modules/pam_unix/md5_good.c b/Linux-PAM/modules/pam_unix/md5_good.c new file mode 100644 index 00000000..131e4516 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/md5_good.c @@ -0,0 +1,5 @@ +#define HIGHFIRST +#define MD5Name(x) Good##x + +#include "md5.c" +#include "md5_crypt.c" diff --git a/Linux-PAM/modules/pam_unix/pam_unix.8 b/Linux-PAM/modules/pam_unix/pam_unix.8 new file mode 100644 index 00000000..e57de221 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/pam_unix.8 @@ -0,0 +1,143 @@ +.\" Title: pam_unix +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 09/20/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_UNIX" "8" "09/20/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_unix \- Module for traditional password authentication +.SH "SYNOPSIS" +.HP 12 +\fBpam_unix.so\fR [...] +.SH "DESCRIPTION" +.PP +This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled. +.PP +The account component performs the task of establishing the status of the user's account and password based on the following +\fIshadow\fR +elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the +\fBPAM_AUTHTOKEN_REQD\fR +return, delay giving service to the user until they have established a new password. The entries listed above are documented in the +\fBshadow\fR(5) +manual page. Should the user's record not contain one or more of these entries, the corresponding +\fIshadow\fR +check is not performed. +.PP +The authentication component performs the task of checking the users credentials (password). The default action of this module is to not permit the user access to a service if their official password is blank. +.PP +A helper binary, +\fBunix_chkpwd\fR(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like +\fBxlock\fR(1) +to work without being setuid\-root. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn't know was +\fBfork()\fRd. The +\fBnoreap\fR +module argument can be used to suppress this temporary shielding and may be needed for use with certain applications. +.PP +The password component of this module performs the task of updating the user's password. +.PP +The session component of this module logs when a user logins or leave the system. +.PP +Remaining arguments, supported by others functions of this module, are silently ignored. Other arguments are logged as errors through +\fBsyslog\fR(3). +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Turns on debugging via +\fBsyslog\fR(3). +.TP 3n +\fBaudit\fR +A little more extreme than debug. +.TP 3n +\fBnullok\fR +The default action of this module is to not permit the user access to a service if their official password is blank. The +\fBnullok\fR +argument overrides this default. +.TP 3n +\fBtry_first_pass\fR +Before prompting the user for their password, the module first tries the previous stacked module's password in case that satisfies this module as well. +.TP 3n +\fBuse_first_pass\fR +The argument +\fBuse_first_pass\fR +forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access. +.TP 3n +\fBnodelay\fR +This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay\-on\-failure of the order of two second. +.TP 3n +\fBuse_authtok\fR +When password changing enforce the module to set the new password to the one provided by a previously stacked +\fBpassword\fR +module (this is used in the example of the stacking of the +\fBpam_cracklib\fR +module documented above). +.TP 3n +\fBnot_set_pass\fR +This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules. +.TP 3n +\fBnis\fR +NIS RPC is used for setting new passwords. +.TP 3n +\fBremember=\fR\fB\fIn\fR\fR +The last +\fIn\fR +passwords for each user are saved in +\fI/etc/security/opasswd\fR +in order to force password change history and keep the user from alternating between the same password too frequently. +.TP 3n +\fBshadow\fR +Try to maintain a shadow based system. +.TP 3n +\fBmd5\fR +When a user changes their password next, encrypt it with the MD5 algorithm. +.TP 3n +\fBbigcrypt\fR +When a user changes their password next, encrypt it with the DEC C2 algorithm. +.TP 3n +\fBbroken_shadow\fR +Ignore errors reading shadow inforation for users in the account management module. +.PP +Invalid arguments are logged with +\fBsyslog\fR(3). +.SH "MODULE SERVICES PROVIDED" +.PP +All service are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_IGNORE +Ignore this module. +.SH "EXAMPLES" +.PP +An example usage for +\fI/etc/pam.d/login\fR +would be: +.sp +.RS 3n +.nf +# Authenticate the user +auth required pam_unix.so +# Ensure users account and password are still active +account required pam_unix.so +# Change the users password, but at first check the strength +# with pam_cracklib(8) +password required pam_cracklib.so retry=3 minlen=6 difok=3 +password required pam_unix.so use_authtok nullok md5 +session required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_unix was written by various people. diff --git a/Linux-PAM/modules/pam_unix/pam_unix.8.xml b/Linux-PAM/modules/pam_unix/pam_unix.8.xml new file mode 100644 index 00000000..41757977 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/pam_unix.8.xml @@ -0,0 +1,342 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_unix"> + + <refmeta> + <refentrytitle>pam_unix</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_unix-name"> + <refname>pam_unix</refname> + <refpurpose>Module for traditional password authentication</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_unix-cmdsynopsis"> + <command>pam_unix.so</command> + <arg choice="opt"> + ... + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_unix-description"> + + <title>DESCRIPTION</title> + + <para> + This is the standard Unix authentication module. It uses standard + calls from the system's libraries to retrieve and set account + information as well as authentication. Usually this is obtained + from the /etc/passwd and the /etc/shadow file as well if shadow is + enabled. + </para> + + <para> + The account component performs the task of establishing the status + of the user's account and password based on the following + <emphasis>shadow</emphasis> elements: expire, last_change, max_change, + min_change, warn_change. In the case of the latter, it may offer advice + to the user on changing their password or, through the + <emphasis remap='B'>PAM_AUTHTOKEN_REQD</emphasis> return, delay + giving service to the user until they have established a new password. + The entries listed above are documented in the <citerefentry> + <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> manual page. Should the user's record not contain + one or more of these entries, the corresponding + <emphasis>shadow</emphasis> check is not performed. + </para> + + <para> + The authentication component performs the task of checking the + users credentials (password). The default action of this module + is to not permit the user access to a service if their official + password is blank. + </para> + + <para> + A helper binary, <citerefentry> + <refentrytitle>unix_chkpwd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, is provided + to check the user's password when it is stored in a read + protected database. This binary is very simple and will only + check the password of the user invoking it. It is called + transparently on behalf of the user by the authenticating + component of this module. In this way it is possible + for applications like <citerefentry> + <refentrytitle>xlock</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> to work without + being setuid-root. The module, by default, will temporarily turn + off SIGCHLD handling for the duration of execution of the helper + binary. This is generally the right thing to do, as many applications + are not prepared to handle this signal from a child they didn't know + was <function>fork()</function>d. The <option>noreap</option> module + argument can be used to suppress this temporary shielding and may be + needed for use with certain applications. + </para> + + <para> + The password component of this module performs the task of updating + the user's password. + </para> + + <para> + The session component of this module logs when a user logins + or leave the system. + </para> + + <para> + Remaining arguments, supported by others functions of this + module, are silently ignored. Other arguments are logged as + errors through <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_unix-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>audit</option> + </term> + <listitem> + <para> + A little more extreme than debug. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>nullok</option> + </term> + <listitem> + <para> + The default action of this module is to not permit the + user access to a service if their official password is blank. + The <option>nullok</option> argument overrides this default. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>try_first_pass</option> + </term> + <listitem> + <para> + Before prompting the user for their password, the module first + tries the previous stacked module's password in case that + satisfies this module as well. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_first_pass</option> + </term> + <listitem> + <para> + The argument <option>use_first_pass</option> forces the module + to use a previous stacked modules password and will never prompt + the user - if no password is available or the password is not + appropriate, the user will be denied access. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nodelay</option> + </term> + <listitem> + <para> + This argument can be used to discourage the authentication + component from requesting a delay should the authentication + as a whole fail. The default action is for the module to + request a delay-on-failure of the order of two second. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_authtok</option> + </term> + <listitem> + <para> + When password changing enforce the module to set the new + password to the one provided by a previously stacked + <option>password</option> module (this is used in the + example of the stacking of the <command>pam_cracklib</command> + module documented above). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>not_set_pass</option> + </term> + <listitem> + <para> + This argument is used to inform the module that it is not to + pay attention to/make available the old or new passwords from/to + other (stacked) password modules. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nis</option> + </term> + <listitem> + <para> + NIS RPC is used for setting new passwords. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>remember=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + The last <replaceable>n</replaceable> passwords for each + user are saved in <filename>/etc/security/opasswd</filename> + in order to force password change history and keep the user + from alternating between the same password too frequently. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>shadow</option> + </term> + <listitem> + <para> + Try to maintain a shadow based system. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>md5</option> + </term> + <listitem> + <para> + When a user changes their password next, encrypt + it with the MD5 algorithm. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>bigcrypt</option> + </term> + <listitem> + <para> + When a user changes their password next, + encrypt it with the DEC C2 algorithm. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>broken_shadow</option> + </term> + <listitem> + <para> + Ignore errors reading shadow inforation for + users in the account management module. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + Invalid arguments are logged with <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id="pam_unix-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + All service are supported. + </para> + </refsect1> + + <refsect1 id='pam_unix-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + Ignore this module. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_unix-examples'> + <title>EXAMPLES</title> + <para> + An example usage for <filename>/etc/pam.d/login</filename> + would be: + <programlisting> +# Authenticate the user +auth required pam_unix.so +# Ensure users account and password are still active +account required pam_unix.so +# Change the users password, but at first check the strength +# with pam_cracklib(8) +password required pam_cracklib.so retry=3 minlen=6 difok=3 +password required pam_unix.so use_authtok nullok md5 +session required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_unix-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_unix-author'> + <title>AUTHOR</title> + <para> + pam_unix was written by various people. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_unix/pam_unix_acct.c b/Linux-PAM/modules/pam_unix/pam_unix_acct.c index 02e07ba6..cb2550df 100644 --- a/Linux-PAM/modules/pam_unix/pam_unix_acct.c +++ b/Linux-PAM/modules/pam_unix/pam_unix_acct.c @@ -14,13 +14,13 @@ * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE @@ -34,7 +34,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdlib.h> #include <stdio.h> @@ -45,6 +45,12 @@ #include <pwd.h> #include <shadow.h> #include <time.h> /* for time() */ +#include <errno.h> +#include <sys/wait.h> +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#define SELINUX_ENABLED is_selinux_enabled()>0 +#endif #include <security/_pam_macros.h> @@ -53,14 +59,130 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> -#include <security/_pam_modutil.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ +#include <security/pam_ext.h> +#include <security/pam_modutil.h> #include "support.h" - + +#ifdef WITH_SELINUX + +struct spwd spwd; + +struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user) +{ + int retval=0, child, fds[2]; + void (*sighandler)(int) = NULL; + D(("running verify_binary")); + + /* create a pipe for the messages */ + if (pipe(fds) != 0) { + D(("could not make pipe")); + pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m"); + return NULL; + } + D(("called.")); + + if (off(UNIX_NOREAP, ctrl)) { + /* + * This code arranges that the demise of the child does not cause + * the application to receive a signal it is not expecting - which + * may kill the application or worse. + * + * The "noreap" module argument is provided so that the admin can + * override this behavior. + */ + sighandler = signal(SIGCHLD, SIG_DFL); + } + + /* fork */ + child = fork(); + if (child == 0) { + size_t i=0; + struct rlimit rlim; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; + + close(0); close(1); + /* reopen stdin as pipe */ + close(fds[0]); + dup2(fds[1], STDOUT_FILENO); + + /* XXX - should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + for (i=2; i < rlim.rlim_max; i++) { + if ((unsigned int)fds[1] != i) { + close(i); + } + } + } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + + /* exec binary helper */ + args[0] = x_strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); + args[2] = x_strdup("verify"); + + execve(CHKPWD_HELPER, args, envp); + + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m"); + /* should not get here: exit with error */ + close (fds[1]); + D(("helper binary is not available")); + exit(PAM_AUTHINFO_UNAVAIL); + } else { + close(fds[1]); + if (child > 0) { + char buf[1024]; + int rc=0; + rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + if (rc<0) { + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); + retval = PAM_AUTH_ERR; + } else { + retval = WEXITSTATUS(retval); + if (retval != PAM_AUTHINFO_UNAVAIL) { + rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1); + if(rc > 0) { + buf[rc] = '\0'; + if (sscanf(buf,"%ld:%ld:%ld:%ld:%ld:%ld", + &spwd.sp_lstchg, /* last password change */ + &spwd.sp_min, /* days until change allowed. */ + &spwd.sp_max, /* days before change required */ + &spwd.sp_warn, /* days warning for expiration */ + &spwd.sp_inact, /* days before account inactive */ + &spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR; + } + else { + pam_syslog(pamh, LOG_ERR, " ERROR %d: %m", rc); retval = PAM_AUTH_ERR; + } + } + } + } else { + pam_syslog(pamh, LOG_ERR, "Fork failed: %m"); + D(("fork failed")); + retval = PAM_AUTH_ERR; + } + close(fds[0]); + } + if (sighandler != SIG_ERR) { + (void) signal(SIGCHLD, sighandler); /* restore old signal handler */ + } + D(("Returning %d",retval)); + if (retval != PAM_SUCCESS) { + return NULL; + } + return &spwd; +} + +#endif + + /* * PAM framework looks for this entry-point to pass control to the * account management module. @@ -70,31 +192,33 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv) { unsigned int ctrl; + const void *void_uname; const char *uname; int retval, daysleft; time_t curdays; struct spwd *spent; struct passwd *pwent; - char buf[80]; + char buf[256]; D(("called.")); ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); - retval = pam_get_item(pamh, PAM_USER, (const void **) &uname); + retval = pam_get_item(pamh, PAM_USER, &void_uname); + uname = void_uname; D(("user = `%s'", uname)); if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT, pamh - ,"could not identify user (from uid=%d)" - ,getuid()); + pam_syslog(pamh, LOG_ALERT, + "could not identify user (from uid=%lu)", + (unsigned long int)getuid()); return PAM_USER_UNKNOWN; } - pwent = _pammodutil_getpwnam(pamh, uname); + pwent = pam_modutil_getpwnam(pamh, uname); if (!pwent) { - _log_err(LOG_ALERT, pamh - ,"could not identify user (from getpwnam(%s))" - ,uname); + pam_syslog(pamh, LOG_ALERT, + "could not identify user (from getpwnam(%s))", + uname); return PAM_USER_UNKNOWN; } @@ -114,7 +238,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return PAM_CRED_INSUFFICIENT; } } - spent = _pammodutil_getspnam (pamh, uname); + spent = pam_modutil_getspnam (pamh, uname); if (save_uid == pwent->pw_uid) setreuid( save_uid, save_euid ); else { @@ -124,10 +248,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, } } else if (_unix_shadowed (pwent)) - spent = _pammodutil_getspnam (pamh, uname); + spent = pam_modutil_getspnam (pamh, uname); else return PAM_SUCCESS; +#ifdef WITH_SELINUX + if (!spent && SELINUX_ENABLED ) + spent = _unix_run_verify_binary(pamh, ctrl, uname); +#endif + if (!spent) if (on(UNIX_BROKEN_SHADOW,ctrl)) return PAM_SUCCESS; @@ -138,58 +267,75 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, curdays = time(NULL) / (60 * 60 * 24); D(("today is %d, last change %d", curdays, spent->sp_lstchg)); if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { - _log_err(LOG_NOTICE, pamh - ,"account %s has expired (account expired)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (account expired)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - "Your account has expired; please contact your system administrator"); + _("Your account has expired; please contact your system administrator")); D(("account expired")); return PAM_ACCT_EXPIRED; } if (spent->sp_lstchg == 0) { - _log_err(LOG_NOTICE, pamh - ,"expired password for user %s (root enforced)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "expired password for user %s (root enforced)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - "You are required to change your password immediately (root enforced)"); + _("You are required to change your password immediately (root enforced)")); D(("need a new password")); return PAM_NEW_AUTHTOK_REQD; } if (curdays < spent->sp_lstchg) { - _log_err(LOG_DEBUG, pamh - ,"account %s has password changed in future" - ,uname); + pam_syslog(pamh, LOG_DEBUG, + "account %s has password changed in future", + uname); return PAM_SUCCESS; } if ((curdays - spent->sp_lstchg > spent->sp_max) && (curdays - spent->sp_lstchg > spent->sp_inact) && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) && (spent->sp_max != -1) && (spent->sp_inact != -1)) { - _log_err(LOG_NOTICE, pamh - ,"account %s has expired (failed to change password)" - ,uname); + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (failed to change password)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - "Your account has expired; please contact your system administrator"); + _("Your account has expired; please contact your system administrator")); D(("account expired 2")); return PAM_ACCT_EXPIRED; } if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { - _log_err(LOG_DEBUG, pamh - ,"expired password for user %s (password aged)" - ,uname); + pam_syslog(pamh, LOG_DEBUG, + "expired password for user %s (password aged)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - "You are required to change your password immediately (password aged)"); + _("You are required to change your password immediately (password aged)")); D(("need a new password 2")); return PAM_NEW_AUTHTOK_REQD; } if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) && (spent->sp_max != -1) && (spent->sp_warn != -1)) { daysleft = (spent->sp_lstchg + spent->sp_max) - curdays; - _log_err(LOG_DEBUG, pamh - ,"password for user %s will expire in %d days" - ,uname, daysleft); - snprintf(buf, 80, "Warning: your password will expire in %d day%.2s", - daysleft, daysleft == 1 ? "" : "s"); + pam_syslog(pamh, LOG_DEBUG, + "password for user %s will expire in %d days", + uname, daysleft); +#ifdef HAVE_DNGETTEXT + snprintf (buf, sizeof (buf), + dngettext(PACKAGE, + "Warning: your password will expire in %d day", + "Warning: your password will expire in %d days", + daysleft), + daysleft); +#else + if (daysleft == 1) + snprintf(buf, sizeof (buf), + _("Warning: your password will expire in %d day"), + daysleft); + else + snprintf(buf, sizeof (buf), + /* TRANSLATORS: only used if dngettext is not support +ed */ + _("Warning: your password will expire in %d days"), + daysleft); +#endif _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); } diff --git a/Linux-PAM/modules/pam_unix/pam_unix_auth.c b/Linux-PAM/modules/pam_unix/pam_unix_auth.c index 39e0cde5..3004bee8 100644 --- a/Linux-PAM/modules/pam_unix/pam_unix_auth.c +++ b/Linux-PAM/modules/pam_unix/pam_unix_auth.c @@ -37,7 +37,7 @@ /* #define DEBUG */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -48,6 +48,7 @@ #include <ctype.h> #include <sys/types.h> #include <sys/stat.h> +#include <syslog.h> /* indicate the following groups are defined */ @@ -56,10 +57,7 @@ #define _PAM_EXTERN_FUNCTIONS #include <security/_pam_macros.h> #include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ +#include <security/pam_ext.h> #include "support.h" @@ -95,7 +93,8 @@ do { \ } while (0) -static void setcred_free (pam_handle_t * pamh, void *ptr, int err) +static void +setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED) { if (ptr) free (ptr); @@ -107,7 +106,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags { unsigned int ctrl; int retval, *ret_data = NULL; - const char *name, *p; + const char *name; + const void *p; D(("called.")); @@ -124,12 +124,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags if (retval == PAM_SUCCESS) { /* * Various libraries at various times have had bugs related to - * '+' or '-' as the first character of a user name. Don't take - * any chances here. Require that the username starts with an - * alphanumeric character. + * '+' or '-' as the first character of a user name. Don't + * allow this characters here. */ - if (name == NULL || !isalnum(*name)) { - _log_err(LOG_ERR, pamh, "bad username [%s]", name); + if (name == NULL || name[0] == '-' || name[0] == '+') { + pam_syslog(pamh, LOG_ERR, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN; } @@ -157,12 +156,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags } /* get this user's authentication token */ - retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL + retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL ,_UNIX_AUTHTOK, &p); if (retval != PAM_SUCCESS) { if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]" - ,name); + pam_syslog(pamh, LOG_CRIT, + "auth could not identify password for [%s]", name); } else { D(("conversation function is not ready yet")); /* @@ -193,11 +192,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags * warned you. -- AOY */ -PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags - ,int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { int retval; - int *pretval = NULL; + const void *pretval = NULL; D(("called.")); @@ -206,9 +206,9 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags D(("recovering return code from auth call")); /* We will only find something here if UNIX_LIKE_AUTH is set -- don't worry about an explicit check of argv. */ - pam_get_data(pamh, "unix_setcred_return", (const void **) &pretval); - if(pretval) { - retval = *pretval; + if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS + && pretval) { + retval = *(const int *)pretval; pam_set_data(pamh, "unix_setcred_return", NULL, NULL); D(("recovered data indicates that old retval was %d", retval)); } diff --git a/Linux-PAM/modules/pam_unix/pam_unix_passwd.c b/Linux-PAM/modules/pam_unix/pam_unix_passwd.c index 2ea57cc6..8921d1cc 100644 --- a/Linux-PAM/modules/pam_unix/pam_unix_passwd.c +++ b/Linux-PAM/modules/pam_unix/pam_unix_passwd.c @@ -35,7 +35,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -57,6 +57,16 @@ #include <rpcsvc/yp_prot.h> #include <rpcsvc/ypclnt.h> +#include <signal.h> +#include <errno.h> +#include <sys/wait.h> +#ifdef WITH_SELINUX +static int selinux_enabled=-1; +#include <selinux/selinux.h> +static security_context_t prev_context=NULL; +#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) +#endif + #ifdef USE_CRACKLIB #include <crack.h> #endif @@ -68,16 +78,13 @@ #define PAM_SM_PASSWORD #include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - -#include <security/_pam_modutil.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> #include "yppasswd.h" #include "md5.h" #include "support.h" +#include "bigcrypt.h" #if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) extern int getrpcport(const char *host, unsigned long prognum, @@ -89,12 +96,10 @@ extern int getrpcport(const char *host, unsigned long prognum, * password changing module. */ -#ifdef NEED_LCKPWDF +#if defined(USE_LCKPWDF) && !defined(HAVE_LCKPWDF) # include "./lckpwdf.-c" #endif -extern char *bigcrypt(const char *key, const char *salt); - /* How it works: Gets in username (has to be done) from the calling program @@ -117,7 +122,7 @@ extern char *bigcrypt(const char *key, const char *salt); #define PW_TMPFILE "/etc/npasswd" #define SH_TMPFILE "/etc/nshadow" #ifndef CRACKLIB_DICTS -#define CRACKLIB_DICTS "/usr/share/dict/cracklib_dict" +#define CRACKLIB_DICTS NULL #endif #define OPW_TMPFILE "/etc/security/nopasswd" #define OLD_PASSWORDS_FILE "/etc/security/opasswd" @@ -187,29 +192,131 @@ static char *getNISserver(pam_handle_t *pamh) int port, err; if ((err = yp_get_default_domain(&domainname)) != 0) { - _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n", + pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s", yperr_string(err)); return NULL; } if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { - _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n", + pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s", yperr_string(err)); return NULL; } port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP); if (port == 0) { - _log_err(LOG_WARNING, pamh, - "yppasswdd not running on NIS master host\n"); + pam_syslog(pamh, LOG_WARNING, + "yppasswdd not running on NIS master host"); return NULL; } if (port >= IPPORT_RESERVED) { - _log_err(LOG_WARNING, pamh, - "yppasswd daemon running on illegal port.\n"); + pam_syslog(pamh, LOG_WARNING, + "yppasswd daemon running on illegal port"); return NULL; } return master; } +#ifdef WITH_SELINUX + +static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, const char *fromwhat, const char *towhat) +{ + int retval, child, fds[2]; + void (*sighandler)(int) = NULL; + + D(("called.")); + /* create a pipe for the password */ + if (pipe(fds) != 0) { + D(("could not make pipe")); + return PAM_AUTH_ERR; + } + + if (off(UNIX_NOREAP, ctrl)) { + /* + * This code arranges that the demise of the child does not cause + * the application to receive a signal it is not expecting - which + * may kill the application or worse. + * + * The "noreap" module argument is provided so that the admin can + * override this behavior. + */ + sighandler = signal(SIGCHLD, SIG_DFL); + } + + /* fork */ + child = fork(); + if (child == 0) { + size_t i=0; + struct rlimit rlim; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; + + /* XXX - should really tidy up PAM here too */ + + close(0); close(1); + /* reopen stdin as pipe */ + close(fds[1]); + dup2(fds[0], STDIN_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + for (i=2; i < rlim.rlim_max; i++) { + if ((unsigned int)fds[0] != i) + close(i); + } + } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + + /* exec binary helper */ + args[0] = x_strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); + args[2] = x_strdup("shadow"); + + execve(CHKPWD_HELPER, args, envp); + + /* should not get here: exit with error */ + D(("helper binary is not available")); + exit(PAM_AUTHINFO_UNAVAIL); + } else if (child > 0) { + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; + if (fromwhat) + pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); + else + pam_modutil_write(fds[1], "", 1); + if (towhat) { + pam_modutil_write(fds[1], towhat, strlen(towhat)+1); + } + else + pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); + rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + if (rc<0) { + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); + retval = PAM_AUTH_ERR; + } else { + retval = WEXITSTATUS(retval); + } + } else { + D(("fork failed")); + close(fds[0]); + close(fds[1]); + retval = PAM_AUTH_ERR; + } + + if (sighandler != SIG_ERR) { + (void) signal(SIGCHLD, sighandler); /* restore old signal handler */ + } + + return retval; +} +#endif + static int check_old_password(const char *forwho, const char *newpass) { static char buf[16384]; @@ -270,37 +377,58 @@ static int save_old_password(pam_handle_t *pamh, } oldmask = umask(077); + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t passwd_context=NULL; + if (getfilecon("/etc/passwd",&passwd_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(passwd_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(passwd_context)) { + freecon(passwd_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(passwd_context); + } +#endif pwfile = fopen(OPW_TMPFILE, "w"); umask(oldmask); if (pwfile == NULL) { - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } opwfile = fopen(OLD_PASSWORDS_FILE, "r"); if (opwfile == NULL) { fclose(pwfile); - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } - if (fstat (fileno (opwfile), &st) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } - if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } - if (fchmod (fileno (pwfile), st.st_mode) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) { @@ -337,13 +465,13 @@ static int save_old_password(pam_handle_t *pamh, fclose(opwfile); if (!found) { - pwd = _pammodutil_getpwnam(pamh, forwho); + pwd = pam_modutil_getpwnam(pamh, forwho); if (pwd == NULL) { err = 1; } else { pass = crypt_md5_wrapper(oldpass); - snprintf(nbuf, sizeof(nbuf), "%s:%d:1:%s\n", - forwho, pwd->pw_uid, pass); + snprintf(nbuf, sizeof(nbuf), "%s:%lu:1:%s\n", + forwho, (unsigned long)pwd->pw_uid, pass); _pam_delete(pass); if (fputs(nbuf, pwfile) < 0) { err = 1; @@ -352,19 +480,31 @@ static int save_old_password(pam_handle_t *pamh, } if (fclose(pwfile)) { - D(("error writing entries to old passwords file: %s\n", - strerror(errno))); + D(("error writing entries to old passwords file: %m")); err = 1; } +done: if (!err) { - if (!rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) { - return PAM_SUCCESS; - } + if (rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) + err = 1; + } +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + if (!err) { + return PAM_SUCCESS; + } else { + unlink(OPW_TMPFILE); + return PAM_AUTHTOK_ERR; } - - unlink(OPW_TMPFILE); - return PAM_AUTHTOK_ERR; } static int _update_passwd(pam_handle_t *pamh, @@ -377,38 +517,59 @@ static int _update_passwd(pam_handle_t *pamh, int oldmask; oldmask = umask(077); +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t passwd_context=NULL; + if (getfilecon("/etc/passwd",&passwd_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(passwd_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(passwd_context)) { + freecon(passwd_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(passwd_context); + } +#endif pwfile = fopen(PW_TMPFILE, "w"); umask(oldmask); if (pwfile == NULL) { - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } opwfile = fopen("/etc/passwd", "r"); if (opwfile == NULL) { fclose(pwfile); - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } - if (fstat (fileno (opwfile), &st) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } - if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } - if (fchmod (fileno (pwfile), st.st_mode) == -1) - { - fclose (opwfile); - fclose (pwfile); - } + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } - tmpent = fgetpwent (opwfile); + tmpent = fgetpwent(opwfile); while (tmpent) { if (!strcmp(tmpent->pw_name, forwho)) { /* To shut gcc up */ @@ -422,7 +583,7 @@ static int _update_passwd(pam_handle_t *pamh, err = 0; } if (putpwent(tmpent, pwfile)) { - D(("error writing entry to password file: %s\n", strerror(errno))); + D(("error writing entry to password file: %m")); err = 1; break; } @@ -431,19 +592,33 @@ static int _update_passwd(pam_handle_t *pamh, fclose(opwfile); if (fclose(pwfile)) { - D(("error writing entries to password file: %s\n", strerror(errno))); + D(("error writing entries to password file: %m")); err = 1; } +done: if (!err) { - if (!rename(PW_TMPFILE, "/etc/passwd")) { - _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho); - return PAM_SUCCESS; - } + if (!rename(PW_TMPFILE, "/etc/passwd")) + pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); + else + err = 1; + } +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + if (!err) { + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); + return PAM_AUTHTOK_ERR; } - - unlink(PW_TMPFILE); - return PAM_AUTHTOK_ERR; } static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) @@ -459,37 +634,58 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) return PAM_USER_UNKNOWN; } oldmask = umask(077); + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t shadow_context=NULL; + if (getfilecon("/etc/shadow",&shadow_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(shadow_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(shadow_context)) { + freecon(shadow_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(shadow_context); + } +#endif pwfile = fopen(SH_TMPFILE, "w"); umask(oldmask); if (pwfile == NULL) { - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } opwfile = fopen("/etc/shadow", "r"); if (opwfile == NULL) { fclose(pwfile); - return PAM_AUTHTOK_ERR; + err = 1; + goto done; } - if (fstat (fileno (opwfile), &st) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } - if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } - if (fchmod (fileno (pwfile), st.st_mode) == -1) - { - fclose (opwfile); - fclose (pwfile); - return PAM_AUTHTOK_ERR; - } + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } stmpent = fgetspent(opwfile); while (stmpent) { @@ -502,7 +698,7 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) } if (putspent(stmpent, pwfile)) { - D(("error writing entry to shadow file: %s\n", strerror(errno))); + D(("error writing entry to shadow file: %m")); err = 1; break; } @@ -512,26 +708,45 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) fclose(opwfile); if (fclose(pwfile)) { - D(("error writing entries to shadow file: %s\n", strerror(errno))); + D(("error writing entries to shadow file: %m")); err = 1; } + done: if (!err) { - if (!rename(SH_TMPFILE, "/etc/shadow")) { - _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho); - return PAM_SUCCESS; - } + if (!rename(SH_TMPFILE, "/etc/shadow")) + pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); + else + err = 1; + } + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; } +#endif - unlink(SH_TMPFILE); - return PAM_AUTHTOK_ERR; + if (!err) { + return PAM_SUCCESS; + } else { + unlink(SH_TMPFILE); + return PAM_AUTHTOK_ERR; + } } -static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, +static int _do_setpass(pam_handle_t* pamh, const char *forwho, + const char *fromwhat, char *towhat, unsigned int ctrl, int remember) { struct passwd *pwd = NULL; int retval = 0; + int unlocked = 0; + char *master = NULL; D(("called")); @@ -542,35 +757,19 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, goto done; } - if (_unix_comesfromsource(pamh, forwho, 1, 0)) { - /* first, save old password */ - if (save_old_password(pamh, forwho, fromwhat, remember)) { - retval = PAM_AUTHTOK_ERR; - goto done; - } - if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) { - retval = _update_shadow(pamh, forwho, towhat); - if (retval == PAM_SUCCESS) - if (!_unix_shadowed(pwd)) - retval = _update_passwd(pamh, forwho, "x"); - } else { - retval = _update_passwd(pamh, forwho, towhat); - } - } else if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { + if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { + if ((master=getNISserver(pamh)) != NULL) { struct timeval timeout; struct yppasswd yppwd; CLIENT *clnt; - char *master; int status; - int err = 0; + enum clnt_stat err; /* Unlock passwd file to avoid deadlock */ #ifdef USE_LCKPWDF ulckpwdf(); #endif - /* Make RPC call to NIS server */ - if ((master = getNISserver(pamh)) == NULL) - return PAM_TRY_AGAIN; + unlocked = 1; /* Initialize password information */ yppwd.newpw.pw_passwd = pwd->pw_passwd; @@ -580,7 +779,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, yppwd.newpw.pw_gecos = pwd->pw_gecos; yppwd.newpw.pw_dir = pwd->pw_dir; yppwd.newpw.pw_shell = pwd->pw_shell; - yppwd.oldpass = fromwhat ? fromwhat : ""; + yppwd.oldpass = fromwhat ? strdup (fromwhat) : strdup (""); yppwd.newpw.pw_passwd = towhat; D(("Set password %s for %s", yppwd.newpw.pw_passwd, forwho)); @@ -600,29 +799,73 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, (xdrproc_t) xdr_int, (char *) &status, timeout); + free (yppwd.oldpass); + if (err) { - clnt_perrno(err); - retval = PAM_TRY_AGAIN; + _make_remark(pamh, ctrl, PAM_TEXT_INFO, + clnt_sperrno(err)); } else if (status) { D(("Error while changing NIS password.\n")); - retval = PAM_TRY_AGAIN; } D(("The password has%s been changed on %s.", (err || status) ? " not" : "", master)); - _log_err(LOG_NOTICE, pamh, "password%s changed for %s on %s", + pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s", (err || status) ? " not" : "", pwd->pw_name, master); auth_destroy(clnt->cl_auth); clnt_destroy(clnt); - if ((err || status) != 0) { + if (err || status) { + _make_remark(pamh, ctrl, PAM_TEXT_INFO, + _("NIS password could not be changed.")); retval = PAM_TRY_AGAIN; } #ifdef DEBUG sleep(5); #endif - return retval; + } else { + retval = PAM_TRY_AGAIN; + } } + if (_unix_comesfromsource(pamh, forwho, 1, 0)) { +#ifdef USE_LCKPWDF + if(unlocked) { + int i = 0; + /* These values for the number of attempts and the sleep time + are, of course, completely arbitrary. + My reading of the PAM docs is that, once pam_chauthtok() has been + called with PAM_UPDATE_AUTHTOK, we are obliged to take any + reasonable steps to make sure the token is updated; so retrying + for 1/10 sec. isn't overdoing it. */ + while((retval = lckpwdf()) != 0 && i < 100) { + usleep(1000); + i++; + } + if(retval != 0) { + return PAM_AUTHTOK_LOCK_BUSY; + } + } +#endif + /* first, save old password */ + if (save_old_password(pamh, forwho, fromwhat, remember)) { + retval = PAM_AUTHTOK_ERR; + goto done; + } + if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) { + retval = _update_shadow(pamh, forwho, towhat); +#ifdef WITH_SELINUX + if (retval != PAM_SUCCESS && SELINUX_ENABLED) + retval = _unix_run_shadow_binary(pamh, ctrl, forwho, fromwhat, towhat); +#endif + if (retval == PAM_SUCCESS) + if (!_unix_shadowed(pwd)) + retval = _update_passwd(pamh, forwho, "x"); + } else { + retval = _update_passwd(pamh, forwho, towhat); + } + } + + done: #ifdef USE_LCKPWDF ulckpwdf(); @@ -631,7 +874,7 @@ done: return retval; } -static int _unix_verify_shadow(const char *user, unsigned int ctrl) +static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl) { struct passwd *pwd = NULL; /* Password and shadow password */ struct spwd *spwdent = NULL; /* file entries for the user */ @@ -650,6 +893,10 @@ static int _unix_verify_shadow(const char *user, unsigned int ctrl) spwdent = getspnam(user); endspent(); +#ifdef WITH_SELINUX + if (spwdent == NULL && SELINUX_ENABLED ) + spwdent = _unix_run_verify_binary(pamh, ctrl, user); +#endif if (spwdent == NULL) return PAM_AUTHINFO_UNAVAIL; } else { @@ -674,10 +921,22 @@ static int _unix_verify_shadow(const char *user, unsigned int ctrl) if (off(UNIX__IAMROOT, ctrl)) { /* Get the current number of days since 1970 */ curdays = time(NULL) / (60 * 60 * 24); - if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min)) - && (spwdent->sp_min != -1)) + if (curdays < spwdent->sp_lstchg) { + pam_syslog(pamh, LOG_DEBUG, + "account %s has password changed in future", + user); + curdays = spwdent->sp_lstchg; + } + if ((curdays - spwdent->sp_lstchg < spwdent->sp_min) + && (spwdent->sp_min != -1)) + /* + * The last password change was too recent. + */ retval = PAM_AUTHTOK_ERR; - else if ((curdays > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact)) + else if ((curdays - spwdent->sp_lstchg > spwdent->sp_max) + && (curdays - spwdent->sp_lstchg > spwdent->sp_inact) + && (curdays - spwdent->sp_lstchg > + spwdent->sp_max + spwdent->sp_inact) && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1) && (spwdent->sp_lstchg != 0)) /* @@ -700,7 +959,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh ,const char *pass_old ,const char *pass_new) { - const char *user; + const void *user; const char *remark = NULL; int retval = PAM_SUCCESS; @@ -710,10 +969,10 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, pamh, "bad authentication token"); + pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); } _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? - "No password supplied" : "Password unchanged"); + _("No password supplied") : _("Password unchanged")); return PAM_AUTHTOK_ERR; } /* @@ -721,27 +980,27 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh * checking this would be the place - AGM */ - retval = pam_get_item(pamh, PAM_USER, (const void **) &user); + retval = pam_get_item(pamh, PAM_USER, &user); if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ERR, pamh, "Can not get username"); + pam_syslog(pamh, LOG_ERR, "Can not get username"); return PAM_AUTHTOK_ERR; } } if (off(UNIX__IAMROOT, ctrl)) { #ifdef USE_CRACKLIB - remark = FascistCheck(pass_new, CRACKLIB_DICTS); + remark = FascistCheck (pass_new, CRACKLIB_DICTS); D(("called cracklib [%s]", remark)); #else if (strlen(pass_new) < 6) - remark = "You must choose a longer password"; + remark = _("You must choose a longer password"); D(("length check [%s]", remark)); #endif if (on(UNIX_REMEMBER_PASSWD, ctrl)) { if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) - remark = "Password has been already used. Choose another."; + remark = _("Password has been already used. Choose another."); if (retval == PAM_ABORT) { - _log_err(LOG_ERR, pamh, "can't open %s file to check old passwords", + pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords", OLD_PASSWORDS_FILE); return retval; } @@ -764,7 +1023,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, /* <DO NOT free() THESE> */ const char *user; - char *pass_old, *pass_new; + const void *pass_old, *pass_new; /* </DO NOT free() THESE> */ D(("called.")); @@ -778,20 +1037,19 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (retval == PAM_SUCCESS) { /* * Various libraries at various times have had bugs related to - * '+' or '-' as the first character of a user name. Don't take - * any chances here. Require that the username starts with an - * alphanumeric character. + * '+' or '-' as the first character of a user name. Don't + * allow them. */ - if (user == NULL || !isalnum(*user)) { - _log_err(LOG_ERR, pamh, "bad username [%s]", user); + if (user == NULL || user[0] == '-' || user[0] == '+') { + pam_syslog(pamh, LOG_ERR, "bad username [%s]", user); return PAM_USER_UNKNOWN; } if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, "username [%s] obtained", + pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", user); } else { if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "password - could not identify user"); return retval; } @@ -805,23 +1063,23 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * getpwnam() doesn't tell you *where* the information it gives you * came from, nor should it. That's our job. */ - if (_unix_comesfromsource(pamh, user, 1, 1) == 0) { - _log_err(LOG_DEBUG, pamh, - "user \"%s\" does not exist in /etc/passwd or NIS", - user); + if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) { + pam_syslog(pamh, LOG_DEBUG, + "user \"%s\" does not exist in /etc/passwd%s", + user, on(UNIX_NIS, ctrl) ? " or NIS" : ""); return PAM_USER_UNKNOWN; } else { struct passwd *pwd; _unix_getpwnam(pamh, user, 1, 1, &pwd); if (pwd == NULL) { - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "user \"%s\" has corrupted passwd entry", user); return PAM_USER_UNKNOWN; } if (!_unix_shadowed(pwd) && (strchr(pwd->pw_passwd, '*') != NULL)) { - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "user \"%s\" does not have modifiable password", user); return PAM_USER_UNKNOWN; @@ -846,32 +1104,27 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (_unix_blankpasswd(pamh, ctrl, user)) { return PAM_SUCCESS; } else if (off(UNIX__IAMROOT, ctrl)) { - /* instruct user what is happening */ -#define greeting "Changing password for " - Announce = (char *) malloc(sizeof(greeting) + strlen(user)); - if (Announce == NULL) { - _log_err(LOG_CRIT, pamh, + if (asprintf(&Announce, _("Changing password for %s."), + user) < 0) { + pam_syslog(pamh, LOG_CRIT, "password - out of memory"); return PAM_BUF_ERR; } - (void) strcpy(Announce, greeting); - (void) strcpy(Announce + sizeof(greeting) - 1, user); -#undef greeting lctrl = ctrl; set(UNIX__OLD_PASSWD, lctrl); retval = _unix_read_password(pamh, lctrl ,Announce - ,"(current) UNIX password: " + ,_("(current) UNIX password: ") ,NULL ,_UNIX_OLD_AUTHTOK - ,(const char **) &pass_old); + ,&pass_old); free(Announce); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh - ,"password - (old) token not obtained"); + pam_syslog(pamh, LOG_NOTICE, + "password - (old) token not obtained"); return retval; } /* verify that this is the password for this user */ @@ -891,14 +1144,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); pass_old = NULL; if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); } - retval = _unix_verify_shadow(user, ctrl); + retval = _unix_verify_shadow(pamh,user, ctrl); if (retval == PAM_AUTHTOK_ERR) { if (off(UNIX__IAMROOT, ctrl)) _make_remark(pamh, ctrl, PAM_ERROR_MSG, - "You must wait longer to change your password"); + _("You must wait longer to change your password")); else retval = PAM_SUCCESS; } @@ -925,10 +1178,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (off(UNIX_NOT_SET_PASS, ctrl)) { retval = pam_get_item(pamh, PAM_OLDAUTHTOK - ,(const void **) &pass_old); + ,&pass_old); } else { retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK - ,(const void **) &pass_old); + ,&pass_old); if (retval == PAM_NO_MODULE_DATA) { retval = PAM_SUCCESS; pass_old = NULL; @@ -937,7 +1190,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, D(("pass_old [%s]", pass_old)); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user not authenticated"); + pam_syslog(pamh, LOG_NOTICE, "user not authenticated"); return retval; } @@ -958,15 +1211,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _unix_read_password(pamh, lctrl ,NULL - ,"Enter new UNIX password: " - ,"Retype new UNIX password: " + ,_("Enter new UNIX password: ") + ,_("Retype new UNIX password: ") ,_UNIX_NEW_AUTHTOK - ,(const char **) &pass_new); + ,&pass_new); if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ALERT, pamh - ,"password - new password not obtained"); + pam_syslog(pamh, LOG_ALERT, + "password - new password not obtained"); } pass_old = NULL; /* tidy up */ return retval; @@ -979,14 +1232,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * password is acceptable. */ - if (pass_new[0] == '\0') { /* "\0" password = NULL */ + if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */ pass_new = NULL; } retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); } if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "new password not acceptable"); pass_new = pass_old = NULL; /* tidy up */ return retval; @@ -1011,7 +1264,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (pass_old) { retval = _unix_verify_password(pamh, user, pass_old, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user password changed by another process"); + pam_syslog(pamh, LOG_NOTICE, "user password changed by another process"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -1019,9 +1272,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, } } - retval = _unix_verify_shadow(user, ctrl); + retval = _unix_verify_shadow(pamh, user, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user not authenticated 2"); + pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -1030,7 +1283,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "new password not acceptable 2"); pass_new = pass_old = NULL; /* tidy up */ #ifdef USE_LCKPWDF @@ -1074,7 +1327,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, char *temp = malloc(9); if (temp == NULL) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "out of memory for password"); pass_new = pass_old = NULL; /* tidy up */ #ifdef USE_LCKPWDF @@ -1106,7 +1359,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, _pam_delete(tpass); pass_old = pass_new = NULL; } else { /* something has broken with the module */ - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "password received unknown request"); retval = PAM_ABORT; } diff --git a/Linux-PAM/modules/pam_unix/pam_unix_sess.c b/Linux-PAM/modules/pam_unix/pam_unix_sess.c index a29a7085..b7af4503 100644 --- a/Linux-PAM/modules/pam_unix/pam_unix_sess.c +++ b/Linux-PAM/modules/pam_unix/pam_unix_sess.c @@ -1,5 +1,5 @@ /* - * $Id: pam_unix_sess.c,v 1.5 2005/03/23 14:35:21 t8m Exp $ + * $Id: pam_unix_sess.c,v 1.9 2006/06/17 16:44:58 kukuk Exp $ * * Copyright Alexander O. Yuriev, 1996. All rights reserved. * Copyright Jan Rêkorajski, 1999. All rights reserved. @@ -36,7 +36,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -53,11 +53,8 @@ #include <security/_pam_macros.h> #include <security/pam_modules.h> -#include <security/_pam_modutil.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ +#include <security/pam_ext.h> +#include <security/pam_modutil.h> #include "support.h" @@ -80,23 +77,23 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "open_session - error recovering service"); return PAM_SESSION_ERR; } - login_name = _pammodutil_getlogin(pamh); + login_name = pam_modutil_getlogin(pamh); if (login_name == NULL) { login_name = ""; } - _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)", - user_name, login_name, getuid()); + pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)", + user_name, login_name, (unsigned long)getuid()); return PAM_SUCCESS; } @@ -114,19 +111,19 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "close_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "close_session - error recovering service"); return PAM_SESSION_ERR; } - _log_err(LOG_INFO, pamh, "session closed for user %s" - ,user_name); + pam_syslog(pamh, LOG_INFO, "session closed for user %s", + user_name); return PAM_SUCCESS; } diff --git a/Linux-PAM/modules/pam_unix/support.c b/Linux-PAM/modules/pam_unix/support.c index 1584f2f1..954f2c73 100644 --- a/Linux-PAM/modules/pam_unix/support.c +++ b/Linux-PAM/modules/pam_unix/support.c @@ -1,10 +1,8 @@ -/* - * $Id: support.c,v 1.25 2005/01/10 09:45:37 kukuk Exp $ - * +/* * Copyright information at end of file. */ -#define _BSD_SOURCE +#include "config.h" #include <stdlib.h> #include <unistd.h> @@ -19,94 +17,34 @@ #include <errno.h> #include <signal.h> #include <ctype.h> +#include <syslog.h> +#include <sys/resource.h> #include <rpcsvc/ypclnt.h> #include <security/_pam_macros.h> #include <security/pam_modules.h> -#include <security/_pam_modutil.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> #include "md5.h" #include "support.h" - -extern char *crypt(const char *key, const char *salt); -extern char *bigcrypt(const char *key, const char *salt); - -/* syslogging function for errors and other information */ - -void _log_err(int err, pam_handle_t *pamh, const char *format,...) -{ - char *service = NULL; - char logname[256]; - va_list args; - - pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (service) { - strncpy(logname, service, sizeof(logname)); - logname[sizeof(logname) - 1 - strlen("(pam_unix)")] = '\0'; - strncat(logname, "(pam_unix)", strlen("(pam_unix)")); - } else { - strncpy(logname, "pam_unix", sizeof(logname) - 1); - } - - va_start(args, format); - openlog(logname, LOG_CONS | LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include "bigcrypt.h" +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#define SELINUX_ENABLED is_selinux_enabled()>0 +#else +#define SELINUX_ENABLED 0 +#endif /* this is a front-end for module-application conversations */ -static int converse(pam_handle_t * pamh, int ctrl, int nargs - ,struct pam_message **message - ,struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - if (retval == PAM_SUCCESS) { - - retval = conv->conv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, pamh, "conversation failure [%s]" - ,pam_strerror(pamh, retval)); - } - } else if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_ERR, pamh - ,"couldn't obtain coversation function [%s]" - ,pam_strerror(pamh, retval)); - } - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -int _make_remark(pam_handle_t * pamh, unsigned int ctrl - ,int type, const char *text) +int _make_remark(pam_handle_t * pamh, unsigned int ctrl, + int type, const char *text) { int retval = PAM_SUCCESS; if (off(UNIX__QUIET, ctrl)) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - - if (resp) { - _pam_drop_reply(resp, 1); - } + retval = pam_prompt(pamh, type, NULL, "%s", text); } return retval; } @@ -157,7 +95,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, } if (j >= UNIX_CTRLS_) { - _log_err(LOG_ERR, pamh, + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", *argv); } else { ctrl &= unix_args[j].mask; /* for turning things off */ @@ -193,7 +131,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, return ctrl; } -static void _cleanup(pam_handle_t * pamh, void *x, int error_status) +static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED) { _pam_delete(x); } @@ -225,10 +163,10 @@ struct _pam_failed_auth { static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) { int quiet; - const char *service = NULL; - const char *ruser = NULL; - const char *rhost = NULL; - const char *tty = NULL; + const void *service = NULL; + const void *ruser = NULL; + const void *rhost = NULL; + const void *tty = NULL; struct _pam_failed_auth *failure; D(("called")); @@ -244,32 +182,32 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) /* log the number of authentication failures */ if (failure->count > 1) { (void) pam_get_item(pamh, PAM_SERVICE, - (const void **)&service); + &service); (void) pam_get_item(pamh, PAM_RUSER, - (const void **)&ruser); + &ruser); (void) pam_get_item(pamh, PAM_RHOST, - (const void **)&rhost); + &rhost); (void) pam_get_item(pamh, PAM_TTY, - (const void **)&tty); - _log_err(LOG_NOTICE, pamh, + &tty); + pam_syslog(pamh, LOG_NOTICE, "%d more authentication failure%s; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " "%s%s", failure->count - 1, failure->count == 2 ? "" : "s", failure->name, failure->uid, failure->euid, - tty ? tty : "", ruser ? ruser : "", - rhost ? rhost : "", + tty ? (const char *)tty : "", ruser ? (const char *)ruser : "", + rhost ? (const char *)rhost : "", (failure->user && failure->user[0] != '\0') ? " user=" : "", failure->user ); if (failure->count > UNIX_MAX_RETRIES) { - _log_err(LOG_ALERT, pamh - ,"service(%s) ignoring max retries; %d > %d" - ,service == NULL ? "**unknown**" : service - ,failure->count - ,UNIX_MAX_RETRIES); + pam_syslog(pamh, LOG_ALERT, + "service(%s) ignoring max retries; %d > %d", + service == NULL ? "**unknown**" : (const char *)service, + failure->count, + UNIX_MAX_RETRIES); } } } @@ -282,7 +220,7 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) /* * _unix_getpwnam() searches only /etc/passwd and NIS to find user information */ -static void _unix_cleanup(pam_handle_t *pamh, void *data, int error_status) +static void _unix_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) { free(data); } @@ -327,7 +265,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, i = yp_match(domain, "passwd.byname", name, strlen(name), &userinfo, &len); yp_unbind(domain); - if ((i == YPERR_SUCCESS) && (len < sizeof(buf))) { + if ((i == YPERR_SUCCESS) && ((size_t)len < sizeof(buf))) { strncpy(buf, userinfo, sizeof(buf) - 1); buf[sizeof(buf) - 1] = '\0'; matched = 1; @@ -391,7 +329,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, memset(*ret, '\0', buflen); (*ret)->pw_uid = strtol(suid, &p, 10); - if ((strlen(sgid) == 0) || (*p != '\0')) { + if ((strlen(suid) == 0) || (*p != '\0')) { free(*ret); *ret = NULL; return matched; @@ -467,13 +405,13 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) /* UNIX passwords area */ /* Get password file entry... */ - pwd = _pammodutil_getpwnam (pamh, name); + pwd = pam_modutil_getpwnam (pamh, name); if (pwd != NULL) { if (strcmp( pwd->pw_passwd, "*NP*" ) == 0) - { /* NIS+ */ + { /* NIS+ */ uid_t save_euid, save_uid; - + save_euid = geteuid(); save_uid = getuid(); if (save_uid == pwd->pw_uid) @@ -488,8 +426,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) return 0; } } - - spwdent = _pammodutil_getspnam (pamh, name); + + spwdent = pam_modutil_getspnam (pamh, name); if (save_uid == pwd->pw_uid) setreuid( save_uid, save_euid ); else { @@ -502,7 +440,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) * ...and shadow password file entry for this user, * if shadowing is enabled */ - spwdent = _pammodutil_getspnam(pamh, name); + spwdent = pam_modutil_getspnam(pamh, name); } if (spwdent) salt = x_strdup(spwdent->sp_pwdp); @@ -562,18 +500,39 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, /* fork */ child = fork(); if (child == 0) { + int i=0; + struct rlimit rlim; static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; /* XXX - should really tidy up PAM here too */ + close(0); close(1); /* reopen stdin as pipe */ close(fds[1]); dup2(fds[0], STDIN_FILENO); + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + for (i=2; i < (int)rlim.rlim_max; i++) { + if (fds[0] != i) + close(i); + } + } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ - args[0] = x_strdup(CHKPWD_HELPER); + args[0] = strdup(CHKPWD_HELPER); args[1] = x_strdup(user); + if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ + args[2]=strdup("nullok"); + } else { + args[2]=strdup("nonull"); + } execve(CHKPWD_HELPER, args, envp); @@ -583,11 +542,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, } else if (child > 0) { /* wait for child */ /* if the stored password is NULL */ - if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ - write(fds[1], "nullok\0\0", 8); - } else { - write(fds[1], "nonull\0\0", 8); - } + int rc=0; if (passwd != NULL) { /* send the password to the child */ write(fds[1], passwd, strlen(passwd)+1); passwd = NULL; @@ -596,14 +551,21 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, } close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); - (void) waitpid(child, &retval, 0); /* wait for helper to complete */ - retval = (retval == 0) ? PAM_SUCCESS:PAM_AUTH_ERR; + rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + if (rc<0) { + pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); + retval = PAM_AUTH_ERR; + } else { + retval = WEXITSTATUS(retval); + } } else { D(("fork failed")); + close(fds[0]); + close(fds[1]); retval = PAM_AUTH_ERR; } - if (sighandler != NULL) { + if (sighandler != SIG_ERR) { (void) signal(SIGCHLD, sighandler); /* restore old signal handler */ } @@ -621,6 +583,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name char *data_name; int retval; + D(("called")); #ifdef HAVE_PAM_FAIL_DELAY @@ -635,13 +598,13 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name D(("locating user's record")); /* UNIX passwords area */ - pwd = _pammodutil_getpwnam (pamh, name); /* Get password file entry... */ + pwd = pam_modutil_getpwnam (pamh, name); /* Get password file entry... */ if (pwd != NULL) { if (strcmp( pwd->pw_passwd, "*NP*" ) == 0) - { /* NIS+ */ + { /* NIS+ */ uid_t save_euid, save_uid; - + save_euid = geteuid(); save_uid = getuid(); if (save_uid == pwd->pw_uid) @@ -655,8 +618,8 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name return PAM_CRED_INSUFFICIENT; } } - - spwdent = _pammodutil_getspnam (pamh, name); + + spwdent = pam_modutil_getspnam (pamh, name); if (save_uid == pwd->pw_uid) setreuid( save_uid, save_euid ); else { @@ -669,7 +632,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name * ...and shadow password file entry for this user, * if shadowing is enabled */ - spwdent = _pammodutil_getspnam (pamh, name); + spwdent = pam_modutil_getspnam (pamh, name); } if (spwdent) salt = x_strdup(spwdent->sp_pwdp); @@ -679,7 +642,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name)); if (data_name == NULL) { - _log_err(LOG_CRIT, pamh, "no memory for data-name"); + pam_syslog(pamh, LOG_CRIT, "no memory for data-name"); } else { strcpy(data_name, FAIL_PREFIX); strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); @@ -687,15 +650,11 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name retval = PAM_SUCCESS; if (pwd == NULL || salt == NULL || !strcmp(salt, "x") || ((salt[0] == '#') && (salt[1] == '#') && !strcmp(salt + 2, name))) { - if (geteuid()) { + + if (pwd != NULL && (geteuid() || SELINUX_ENABLED)) { /* we are not root perhaps this is the reason? Run helper */ D(("running helper binary")); retval = _unix_run_helper_binary(pamh, p, ctrl, name); - if (pwd == NULL && !on(UNIX_AUDIT,ctrl) - && retval != PAM_SUCCESS) - { - name = NULL; - } } else { D(("user's record unavailable")); p = NULL; @@ -706,12 +665,12 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "check pass; user (%s) unknown", name); } else { name = NULL; if (on(UNIX_DEBUG, ctrl) || pwd == NULL) { - _log_err(LOG_ALERT, pamh, + pam_syslog(pamh, LOG_ALERT, "check pass; user unknown"); } else { /* don't log failure as another pam module can succeed */ @@ -730,7 +689,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name D(("user has empty password - access denied")); retval = PAM_AUTH_ERR; } - } else if (!p || (*salt == '*') || (salt_len < 13)) { + } else if (!p || (*salt == '*')) { retval = PAM_AUTH_ERR; } else { if (!strncmp(salt, "$1$", 3)) { @@ -739,24 +698,24 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name _pam_delete(pp); pp = Brokencrypt_md5(p, salt); } - } else { + } else if (*salt != '$' && salt_len >= 13) { pp = bigcrypt(p, salt); + if (strlen(pp) > salt_len) { + pp[salt_len] = '\0'; + } + } else { + /* + * Ok, we don't know the crypt algorithm, but maybe + * libcrypt nows about it? We should try it. + */ + pp = x_strdup (crypt(p, salt)); } p = NULL; /* no longer needed here */ /* the moment of truth -- do we agree with the password? */ D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - /* - * Note, we are comparing the bigcrypt of the password with - * the contents of the password field. If the latter was - * encrypted with regular crypt (and not bigcrypt) it will - * have been truncated for storage relative to the output - * of bigcrypt here. As such we need to compare only the - * stored string with the subset of bigcrypt's result. - * Bug 521314: The strncmp comparison is for legacy support. - */ - if (strncmp(pp, salt, salt_len) == 0) { + if (strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } else { retval = PAM_AUTH_ERR; @@ -780,8 +739,10 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name if (new != NULL) { const char *login_name; + const void *void_old; + - login_name = _pammodutil_getlogin(pamh); + login_name = pam_modutil_getlogin(pamh); if (login_name == NULL) { login_name = ""; } @@ -792,7 +753,11 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name new->name = x_strdup(login_name); /* any previous failures for this user ? */ - pam_get_data(pamh, data_name, (const void **) &old); + if (pam_get_data(pamh, data_name, &void_old) + == PAM_SUCCESS) + old = void_old; + else + old = NULL; if (old != NULL) { new->count = old->count + 1; @@ -800,29 +765,29 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name retval = PAM_MAXTRIES; } } else { - const char *service=NULL; - const char *ruser=NULL; - const char *rhost=NULL; - const char *tty=NULL; + const void *service=NULL; + const void *ruser=NULL; + const void *rhost=NULL; + const void *tty=NULL; (void) pam_get_item(pamh, PAM_SERVICE, - (const void **)&service); + &service); (void) pam_get_item(pamh, PAM_RUSER, - (const void **)&ruser); + &ruser); (void) pam_get_item(pamh, PAM_RHOST, - (const void **)&rhost); + &rhost); (void) pam_get_item(pamh, PAM_TTY, - (const void **)&tty); + &tty); - _log_err(LOG_NOTICE, pamh, + pam_syslog(pamh, LOG_NOTICE, "authentication failure; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " "%s%s", new->name, new->uid, new->euid, - tty ? tty : "", - ruser ? ruser : "", - rhost ? rhost : "", + tty ? (const char *)tty : "", + ruser ? (const char *)ruser : "", + rhost ? (const char *)rhost : "", (new->user && new->user[0] != '\0') ? " user=" : "", new->user @@ -833,7 +798,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name pam_set_data(pamh, data_name, new, _cleanup_failures); } else { - _log_err(LOG_CRIT, pamh, + pam_syslog(pamh, LOG_CRIT, "no memory for failure recorder"); } } @@ -862,10 +827,10 @@ int _unix_read_password(pam_handle_t * pamh ,const char *prompt1 ,const char *prompt2 ,const char *data_name - ,const char **pass) + ,const void **pass) { int authtok_flag; - int retval; + int retval = PAM_SUCCESS; char *token; D(("called")); @@ -887,17 +852,17 @@ int _unix_read_password(pam_handle_t * pamh */ if (on(UNIX_TRY_FIRST_PASS, ctrl) || on(UNIX_USE_FIRST_PASS, ctrl)) { - retval = pam_get_item(pamh, authtok_flag, (const void **) pass); + retval = pam_get_item(pamh, authtok_flag, pass); if (retval != PAM_SUCCESS) { /* very strange. */ - _log_err(LOG_ALERT, pamh - ,"pam_get_item returned error to unix-read-password" + pam_syslog(pamh, LOG_ALERT, + "pam_get_item returned error to unix-read-password" ); return retval; } else if (*pass != NULL) { /* we have a password! */ return PAM_SUCCESS; } else if (on(UNIX_USE_FIRST_PASS, ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ + return PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */ } else if (on(UNIX_USE_AUTHTOK, ctrl) && off(UNIX__OLD_PASSWD, ctrl)) { return PAM_AUTHTOK_ERR; @@ -909,77 +874,62 @@ int _unix_read_password(pam_handle_t * pamh */ { - struct pam_message msg[3], *pmsg[3]; - struct pam_response *resp; - int i, replies; - - /* prepare to converse */ + int replies=1; + char *resp[2] = { NULL, NULL }; if (comment != NULL && off(UNIX__QUIET, ctrl)) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; - i = 1; - } else { - i = 0; + retval = pam_info(pamh, "%s", comment); } - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; - replies = 1; + if (retval == PAM_SUCCESS) { + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, + &resp[0], "%s", prompt1); - if (prompt2 != NULL) { - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; - ++replies; + if (retval == PAM_SUCCESS && prompt2 != NULL) { + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, + &resp[1], "%s", prompt2); + ++replies; + } } - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, ctrl, i, pmsg, &resp); - - if (resp != NULL) { + if (resp[0] != NULL && resp[replies-1] != NULL) { /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ - token = x_strdup(resp[i - replies].resp); + token = resp[0]; if (token != NULL) { if (replies == 2) { - /* verify that password entered correctly */ - if (!resp[i - 1].resp - || strcmp(token, resp[i - 1].resp)) { - _pam_delete(token); /* mistyped */ - retval = PAM_AUTHTOK_RECOVER_ERR; - _make_remark(pamh, ctrl - ,PAM_ERROR_MSG, MISTYPED_PASS); + if (strcmp(token, resp[replies - 1])) { + /* mistyped */ + retval = PAM_AUTHTOK_RECOVERY_ERR; + _make_remark(pamh, ctrl, + PAM_ERROR_MSG, MISTYPED_PASS); } } } else { - _log_err(LOG_NOTICE, pamh - ,"could not recover authentication token"); + pam_syslog(pamh, LOG_NOTICE, + "could not recover authentication token"); } } - /* - * tidy up the conversation (resp_retcode) is ignored - * -- what is it for anyway? AGM - */ - - _pam_drop_reply(resp, i); } else { retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR : retval; + ? PAM_AUTHTOK_RECOVERY_ERR : retval; } + + resp[0] = NULL; + if (replies > 1) + _pam_delete(resp[1]); } if (retval != PAM_SUCCESS) { + _pam_delete(token); + if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, + pam_syslog(pamh, LOG_DEBUG, "unable to obtain a password"); return retval; } @@ -992,12 +942,11 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_set_item(pamh, authtok_flag, token); _pam_delete(token); /* clean it up */ if (retval != PAM_SUCCESS - || (retval = pam_get_item(pamh, authtok_flag - ,(const void **) pass)) + || (retval = pam_get_item(pamh, authtok_flag, pass)) != PAM_SUCCESS) { *pass = NULL; - _log_err(LOG_CRIT, pamh, "error manipulating password"); + pam_syslog(pamh, LOG_CRIT, "error manipulating password"); return retval; } @@ -1009,9 +958,9 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, pamh - ,"error manipulating password data [%s]" - ,pam_strerror(pamh, retval)); + pam_syslog(pamh, LOG_CRIT, + "error manipulating password data [%s]", + pam_strerror(pamh, retval)); _pam_delete(token); return retval; } @@ -1055,13 +1004,13 @@ int _unix_shadowed(const struct passwd *pwd) * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE diff --git a/Linux-PAM/modules/pam_unix/support.h b/Linux-PAM/modules/pam_unix/support.h index 39abadd5..1eb662fc 100644 --- a/Linux-PAM/modules/pam_unix/support.h +++ b/Linux-PAM/modules/pam_unix/support.h @@ -1,5 +1,5 @@ /* - * $Id: support.h,v 1.8 2004/10/06 13:42:36 kukuk Exp $ + * $Id: support.h,v 1.12 2005/09/26 14:27:09 t8m Exp $ */ #ifndef _PAM_UNIX_SUPPORT_H @@ -110,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0}, /* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000}, /* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000}, -/* UNIX_NIS */ {"nis", _ALL_ON_^(010000), 0200000}, +/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000}, /* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(020000), 0400000}, /* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000}, /* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, @@ -129,7 +129,6 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = _pam_drop(xx); \ } -extern void _log_err(int err, pam_handle_t *pamh, const char *format,...); extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ,int type, const char *text); extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, @@ -149,7 +148,8 @@ extern int _unix_read_password(pam_handle_t * pamh ,const char *prompt1 ,const char *prompt2 ,const char *data_name - ,const char **pass); + ,const void **pass); extern int _unix_shadowed(const struct passwd *pwd); +extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/Linux-PAM/modules/pam_unix/tst-pam_unix b/Linux-PAM/modules/pam_unix/tst-pam_unix new file mode 100755 index 00000000..22922800 --- /dev/null +++ b/Linux-PAM/modules/pam_unix/tst-pam_unix @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_unix.so diff --git a/Linux-PAM/modules/pam_unix/unix_chkpwd.8 b/Linux-PAM/modules/pam_unix/unix_chkpwd.8 new file mode 100644 index 00000000..02ccfe4a --- /dev/null +++ b/Linux-PAM/modules/pam_unix/unix_chkpwd.8 @@ -0,0 +1,80 @@ +.\" Copyright (C) 2003 International Business Machines Corporation +.\" This file is distributed according to the GNU General Public License. +.\" See the file COPYING in the top level source directory for details. +.\" +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual" +.SH NAME +unix_chkpwd \- helper binary that verifies the password of the current user +.SH "SYNOPSIS" +.ad l +.hy 0 + +/sbin/unix_chkpwd [\fIusername\fR] +.sp +.ad +.hy +.SH "DESCRIPTION" +.PP +\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies +the password of the current user. It is not intended to be run directly from +the command line and logs a security violation if done so. + +It is typically installed setuid root or setgid shadow. + +.SH "OPTIONS" +.PP +unix_pwdchk optionally takes the following argument: +.TP +\fIusername\fR +The username of the user whose password you want to check: this must match the current user id. + +.SH "INPUTS" +.PP +unix_pwdchk expects the following inputs via stdin: +.TP +\fIoption\fR +Either nullok or nonull, depending on whether the user can have an empty password. +.TP +\fIpassword\fR +The password to verify. + +.SH "RETURN CODES" +.PP +\fBunix_chkpwd\fR has the following return codes: +.TP +1 +unix_chkpwd was inappropriately called from the command line or the password is incorrect. + +.TP +0 +The password is correct. + +.SH "HISTORY" +Written by Andrew Morgan + +.SH "SEE ALSO" + +.PP +\fBpam\fR(8) + +.SH AUTHOR +Emily Ratliff. + diff --git a/Linux-PAM/modules/pam_unix/unix_chkpwd.c b/Linux-PAM/modules/pam_unix/unix_chkpwd.c index be32348f..87d29256 100644 --- a/Linux-PAM/modules/pam_unix/unix_chkpwd.c +++ b/Linux-PAM/modules/pam_unix/unix_chkpwd.c @@ -1,6 +1,4 @@ /* - * $Id: unix_chkpwd.c,v 1.11 2004/11/16 14:27:42 toady Exp $ - * * This program is designed to run setuid(root) or with sufficient * privilege to read all of the unix password databases. It is designed * to provide a mechanism for the current user (defined by this @@ -13,13 +11,7 @@ * */ -#include <security/_pam_aconf.h> - -#ifdef MEMORY_DEBUG -# undef exit -# undef strdup -# undef free -#endif /* MEMORY_DEBUG */ +#include "config.h" #include <stdarg.h> #include <stdio.h> @@ -28,21 +20,27 @@ #include <syslog.h> #include <unistd.h> #include <sys/types.h> +#include <sys/stat.h> #include <pwd.h> #include <shadow.h> #include <signal.h> +#include <time.h> +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) +static security_context_t prev_context=NULL; +static int selinux_enabled=-1; +#else +#define SELINUX_ENABLED 0 +#endif #define MAXPASS 200 /* the maximum length of a password */ +#include <security/_pam_types.h> #include <security/_pam_macros.h> #include "md5.h" - -extern char *crypt(const char *key, const char *salt); -extern char *bigcrypt(const char *key, const char *salt); - -#define UNIX_PASSED 0 -#define UNIX_FAILED 1 +#include "bigcrypt.h" /* syslogging function for errors and other information */ @@ -51,7 +49,7 @@ static void _log_err(int err, const char *format,...) va_list args; va_start(args, format); - openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTH); + openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTHPRIV); vsyslog(err, format, args); va_end(args); closelog(); @@ -112,13 +110,40 @@ static void setup_signals(void) (void) sigaction(SIGQUIT, &action, NULL); } +static int _verify_account(const char * const uname) +{ + struct spwd *spent; + struct passwd *pwent; + + pwent = getpwnam(uname); + if (!pwent) { + _log_err(LOG_ALERT, "could not identify user (from getpwnam(%s))", uname); + return PAM_USER_UNKNOWN; + } + + spent = getspnam( uname ); + if (!spent) { + _log_err(LOG_ALERT, "could not get username from shadow (%s))", uname); + return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */ + } + printf("%ld:%ld:%ld:%ld:%ld:%ld", + spent->sp_lstchg, /* last password change */ + spent->sp_min, /* days until change allowed. */ + spent->sp_max, /* days before change required */ + spent->sp_warn, /* days warning for expiration */ + spent->sp_inact, /* days before account inactive */ + spent->sp_expire); /* date when account expires */ + + return PAM_SUCCESS; +} + static int _unix_verify_password(const char *name, const char *p, int nullok) { struct passwd *pwd = NULL; struct spwd *spwdent = NULL; char *salt = NULL; char *pp = NULL; - int retval = UNIX_FAILED; + int retval = PAM_AUTH_ERR; int salt_len; /* UNIX passwords area */ @@ -156,28 +181,39 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) if (pwd == NULL || salt == NULL) { _log_err(LOG_ALERT, "check pass; user unknown"); p = NULL; - return retval; + return PAM_USER_UNKNOWN; } salt_len = strlen(salt); - if (salt_len == 0) - return (nullok == 0) ? UNIX_FAILED : UNIX_PASSED; - else if (p == NULL || strlen(p) == 0) - return UNIX_FAILED; + if (salt_len == 0) { + return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS; + } + if (p == NULL || strlen(p) == 0) { + return PAM_AUTHTOK_ERR; + } /* the moment of truth -- do we agree with the password? */ - retval = UNIX_FAILED; + retval = PAM_AUTH_ERR; if (!strncmp(salt, "$1$", 3)) { pp = Goodcrypt_md5(p, salt); if (strcmp(pp, salt) == 0) { - retval = UNIX_PASSED; + retval = PAM_SUCCESS; } else { pp = Brokencrypt_md5(p, salt); if (strcmp(pp, salt) == 0) - retval = UNIX_PASSED; + retval = PAM_SUCCESS; + } + } else if (*salt == '$') { + /* + * Ok, we don't know the crypt algorithm, but maybe + * libcrypt nows about it? We should try it. + */ + pp = x_strdup (crypt(p, salt)); + if (strcmp(pp, salt) == 0) { + retval = PAM_SUCCESS; } } else if ((*salt == '*') || (salt_len < 13)) { - retval = UNIX_FAILED; + retval = PAM_AUTH_ERR; } else { pp = bigcrypt(p, salt); /* @@ -190,7 +226,7 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) * Bug 521314: the strncmp comparison is for legacy support. */ if (strncmp(pp, salt, salt_len) == 0) { - retval = UNIX_PASSED; + retval = PAM_SUCCESS; } } p = NULL; /* no longer needed here */ @@ -220,17 +256,178 @@ static char *getuidname(uid_t uid) strncpy(username, pw->pw_name, sizeof(username)); username[sizeof(username) - 1] = '\0'; - + return username; } +#define SH_TMPFILE "/etc/nshadow" +static int _update_shadow(const char *forwho) +{ + struct spwd *spwdent = NULL, *stmpent = NULL; + FILE *pwfile, *opwfile; + int err = 1; + int oldmask; + struct stat st; + char pass[MAXPASS + 1]; + char towhat[MAXPASS + 1]; + int npass=0; + + /* read the password from stdin (a pipe from the pam_unix module) */ + + npass = read(STDIN_FILENO, pass, MAXPASS); + + if (npass < 0) { /* is it a valid password? */ + + _log_err(LOG_DEBUG, "no password supplied"); + return PAM_AUTHTOK_ERR; + + } else if (npass >= MAXPASS) { + + _log_err(LOG_DEBUG, "password too long"); + return PAM_AUTHTOK_ERR; + + } else { + /* does pass agree with the official one? */ + int retval=0; + pass[npass] = '\0'; /* NUL terminate */ + retval = _unix_verify_password(forwho, pass, 0); + if (retval != PAM_SUCCESS) { + return retval; + } + } + + /* read the password from stdin (a pipe from the pam_unix module) */ + + npass = read(STDIN_FILENO, towhat, MAXPASS); + + if (npass < 0) { /* is it a valid password? */ + + _log_err(LOG_DEBUG, "no new password supplied"); + return PAM_AUTHTOK_ERR; + + } else if (npass >= MAXPASS) { + + _log_err(LOG_DEBUG, "new password too long"); + return PAM_AUTHTOK_ERR; + + } + + towhat[npass] = '\0'; /* NUL terminate */ + spwdent = getspnam(forwho); + if (spwdent == NULL) { + return PAM_USER_UNKNOWN; + } + oldmask = umask(077); + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t shadow_context=NULL; + if (getfilecon("/etc/shadow",&shadow_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(shadow_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(shadow_context)) { + freecon(shadow_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(shadow_context); + } +#endif + pwfile = fopen(SH_TMPFILE, "w"); + umask(oldmask); + if (pwfile == NULL) { + err = 1; + goto done; + } + + opwfile = fopen("/etc/shadow", "r"); + if (opwfile == NULL) { + fclose(pwfile); + err = 1; + goto done; + } + + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + stmpent = fgetspent(opwfile); + while (stmpent) { + + if (!strcmp(stmpent->sp_namp, forwho)) { + stmpent->sp_pwdp = towhat; + stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); + err = 0; + D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); + } + + if (putspent(stmpent, pwfile)) { + D(("error writing entry to shadow file: %m")); + err = 1; + break; + } + + stmpent = fgetspent(opwfile); + } + fclose(opwfile); + + if (fclose(pwfile)) { + D(("error writing entries to shadow file: %m")); + err = 1; + } + + done: + if (!err) { + if (rename(SH_TMPFILE, "/etc/shadow")) + err = 1; + } + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + + if (!err) { + return PAM_SUCCESS; + } else { + unlink(SH_TMPFILE); + return PAM_AUTHTOK_ERR; + } +} + int main(int argc, char *argv[]) { char pass[MAXPASS + 1]; - char option[8]; + char *option; int npass, nullok; int force_failure = 0; - int retval = UNIX_FAILED; + int retval = PAM_AUTH_ERR; char *user; /* @@ -247,8 +444,7 @@ int main(int argc, char *argv[]) * account). */ - if (isatty(STDIN_FILENO)) { - + if (isatty(STDIN_FILENO) || argc != 3 ) { _log_err(LOG_NOTICE ,"inappropriate use of Unix helper binary [UID=%d]" ,getuid()); @@ -256,36 +452,45 @@ int main(int argc, char *argv[]) ,"This binary is not designed for running in this way\n" "-- the system administrator has been informed\n"); sleep(10); /* this should discourage/annoy the user */ - return UNIX_FAILED; + return PAM_SYSTEM_ERR; } /* - * determine the current user's name is + * Determine what the current user's name is. + * On a SELinux enabled system with a strict policy leaving the + * existing check prevents shadow password authentication from working. + * We must thus skip the check if the real uid is 0. */ - user = getuidname(getuid()); - if (argc == 2) { - /* if the caller specifies the username, verify that user - matches it */ - if (strcmp(user, argv[1])) { - force_failure = 1; - } + if (SELINUX_ENABLED && getuid() == 0) { + user=argv[1]; + } + else { + user = getuidname(getuid()); + /* if the caller specifies the username, verify that user + matches it */ + if (strcmp(user, argv[1])) { + return PAM_AUTH_ERR; + } } - /* read the nullok/nonull option */ + option=argv[2]; - npass = read(STDIN_FILENO, option, 8); + if (strncmp(argv[2], "verify", 8) == 0) { + /* Get the account information from the shadow file */ + return _verify_account(argv[1]); + } - if (npass < 0) { - _log_err(LOG_DEBUG, "no option supplied"); - return UNIX_FAILED; - } else { - option[7] = '\0'; - if (strncmp(option, "nullok", 8) == 0) - nullok = 1; - else - nullok = 0; + if (strncmp(option, "shadow", 8) == 0) { + /* Attempting to change the password */ + return _update_shadow(argv[1]); } + /* read the nullok/nonull option */ + if (strncmp(option, "nullok", 8) == 0) + nullok = 1; + else + nullok = 0; + /* read the password from stdin (a pipe from the pam_unix module) */ npass = read(STDIN_FILENO, pass, MAXPASS); @@ -317,10 +522,11 @@ int main(int argc, char *argv[]) /* return pass or fail */ - if ((retval != UNIX_PASSED) || force_failure) { - return UNIX_FAILED; + if ((retval != PAM_SUCCESS) || force_failure) { + _log_err(LOG_NOTICE, "password check failed for user (%s)", user); + return PAM_AUTH_ERR; } else { - return UNIX_PASSED; + return PAM_SUCCESS; } } @@ -339,13 +545,13 @@ int main(int argc, char *argv[]) * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE diff --git a/Linux-PAM/modules/pam_unix/yppasswd_xdr.c b/Linux-PAM/modules/pam_unix/yppasswd_xdr.c index b1a60b4c..bf3f2fc6 100644 --- a/Linux-PAM/modules/pam_unix/yppasswd_xdr.c +++ b/Linux-PAM/modules/pam_unix/yppasswd_xdr.c @@ -10,7 +10,7 @@ * editied manually. */ -#include <security/_pam_aconf.h> +#include "config.h" #include <rpc/rpc.h> #include <rpcsvc/yp_prot.h> diff --git a/Linux-PAM/modules/pam_userdb/Makefile b/Linux-PAM/modules/pam_userdb/Makefile deleted file mode 100644 index 4da7310d..00000000 --- a/Linux-PAM/modules/pam_userdb/Makefile +++ /dev/null @@ -1,41 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). - -# $Id: Makefile,v 1.6 2004/09/14 14:22:40 kukuk Exp $ -# Created by Cristian Gafton <gafton@redhat.com> - -include ../../Make.Rules - -TITLE=pam_userdb - -ifeq ($(HAVE_NDBM_H),yes) - WHICH_DB=ndbm - ifeq ($(HAVE_LIBNDBM),yes) - MODULE_SIMPLE_EXTRALIBS = -lndbm - endif -else -ifeq ($(HAVE_LIBDB),yes) - WHICH_DB=db - MODULE_SIMPLE_EXTRALIBS = -ldb -else - WHICH_DB=none -endif -endif - -ifeq ($(HAVE_LIBCRYPT),yes) - MODULE_SIMPLE_EXTRALIBS += -lcrypt -endif - -ifeq ($(WHICH_DB),none) - -include ../dont_makefile - -else - -MODULE_SIMPLE_EXTRAFILES = conv - -include ../Simple.Rules - -endif diff --git a/Linux-PAM/modules/pam_userdb/Makefile.am b/Linux-PAM/modules/pam_userdb/Makefile.am new file mode 100644 index 00000000..a442ef83 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/Makefile.am @@ -0,0 +1,34 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) create.pl tst-pam_userdb + +man_MANS = pam_userdb.8 +XMLS = README.xml pam_userdb.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBDB@ @LIBCRYPT@ +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_LIBDB + securelib_LTLIBRARIES = pam_userdb.la + TESTS = tst-pam_userdb +endif + +noinst_HEADERS = pam_userdb.h + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_userdb.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_userdb/Makefile.in b/Linux-PAM/modules/pam_userdb/Makefile.in new file mode 100644 index 00000000..1c439359 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/Makefile.in @@ -0,0 +1,671 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_userdb +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_userdb_la_LIBADD = +pam_userdb_la_SOURCES = pam_userdb.c +pam_userdb_la_OBJECTS = pam_userdb.lo +@HAVE_LIBDB_TRUE@am_pam_userdb_la_rpath = -rpath $(securelibdir) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_userdb.c +DIST_SOURCES = pam_userdb.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) create.pl tst-pam_userdb +man_MANS = pam_userdb.8 +XMLS = README.xml pam_userdb.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam @LIBDB@ @LIBCRYPT@ \ + $(am__append_1) +@HAVE_LIBDB_TRUE@securelib_LTLIBRARIES = pam_userdb.la +@HAVE_LIBDB_TRUE@TESTS = tst-pam_userdb +noinst_HEADERS = pam_userdb.h +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_userdb/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_userdb/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_userdb.la: $(pam_userdb_la_OBJECTS) $(pam_userdb_la_DEPENDENCIES) + $(LINK) $(am_pam_userdb_la_rpath) $(pam_userdb_la_OBJECTS) $(pam_userdb_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_userdb.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_userdb.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_userdb/README b/Linux-PAM/modules/pam_userdb/README index 1cab7b74..8e1a5ffd 100644 --- a/Linux-PAM/modules/pam_userdb/README +++ b/Linux-PAM/modules/pam_userdb/README @@ -1,61 +1,74 @@ -pam_userdb: - Look up users in a .db database and verify their password against - what is contained in that database. The database will have been - created using db_load. - -RECOGNIZED ARGUMENTS: - debug write a message to syslog indicating success or - failure. - - db=[path] use the [path] database for performing lookup. There - is no default; the module will return PAM_IGNORE if - no database is provided. Some versions of DB will - automatically append ".db" to whatever pathname you - supply here. - - crypt=[mode] indicates whether encrypted or plaintext passwords - are stored in the database. If [mode] is "crypt", - passwords should be stored in the database in - crypt(3) form. If [mode] is "none" or any other - value, passwords should be stored in the database in - plaintext. - - icase make the password verification to be case insensitive - (ie when working with registration numbers and such) - only works with plaintext password storage. - - dump dump all the entries in the database to the log (eek, - don't do this by default!) - - use_authtok use the authentication token previously obtained by - another module that did the conversation with the - application. If this token can not be obtained then - the module will try to converse again. This option can - be used for stacking different modules that need to - deal with the authentication tokens. - - unknown_ok do not return error when checking for a user that is - not in the database. This can be used to stack more - than one pam_userdb module that will check a - username/password pair in more than a database. - - key_only the username and password are concatenated together - in the database hash as 'username-password' with a - random value. if the concatenation of the username and - password with a dash in the middle returns any result, - the user is valid. this is useful in cases where - the username may not be unique but the username and - password pair are. - -MODULE SERVICES PROVIDED: - auth _authentication and _setcred (blank) - -EXAMPLE USE: - auth sufficient pam_userdb.so icase db=/tmp/dbtest.db - -AUTHOR: - Cristian Gafton <gafton@redhat.com> - - - -$Id: README,v 1.3 2004/09/28 13:48:47 kukuk Exp $ +pam_userdb — PAM module to authenticate against a db database + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_userdb module is used to verify a username/password pair against values +stored in a Berkeley DB database. The database is indexed by the username, and +the data fields corresponding to the username keys are the passwords. + +OPTIONS + +crypt=[crypt|none] + + Indicates whether encrypted or plaintext passwords are stored in the + database. If it is crypt, passwords should be stored in the database in + crypt(3) form. If none is selected, passwords should be stored in the + database as plaintext. + +db=/path/database + + Use the /path/database database for performing lookup. There is no default; + the module will return PAM_IGNORE if no database is provided. + +debug + + Print debug information. + +dump + + Dump all the entries in the database to the log. Don't do this by default! + +icase + + Make the password verification to be case insensitive (ie when working with + registration numbers and such). Only works with plaintext password storage. + +try_first_pass + + Use the authentication token previously obtained by another module that did + the conversation with the application. If this token can not be obtained + then the module will try to converse. This option can be used for stacking + different modules that need to deal with the authentication tokens. + +use_first_pass + + Use the authentication token previously obtained by another module that did + the conversation with the application. If this token can not be obtained + then the module will fail. This option can be used for stacking different + modules that need to deal with the authentication tokens. + +unknown_ok + + Do not return error when checking for a user that is not in the database. + This can be used to stack more than one pam_userdb module that will check a + username/password pair in more than a database. + +key_only + + The username and password are concatenated together in the database hash as + 'username-password' with a random value. if the concatenation of the + username and password with a dash in the middle returns any result, the + user is valid. this is useful in cases where the username may not be unique + but the username and password pair are. + +EXAMPLES + +auth sufficient pam_userdb.so icase db=/etc/dbtest.db + + +AUTHOR + +pam_userdb was written by Cristian Gafton >gafton@redhat.com<. + diff --git a/Linux-PAM/modules/pam_userdb/README.xml b/Linux-PAM/modules/pam_userdb/README.xml new file mode 100644 index 00000000..b22c09e7 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_userdb/conv.c b/Linux-PAM/modules/pam_userdb/conv.c deleted file mode 100644 index de5d12f2..00000000 --- a/Linux-PAM/modules/pam_userdb/conv.c +++ /dev/null @@ -1,123 +0,0 @@ -/* - * Conversation related functions - */ - -/* $Id */ -/* Copyright at the end of the file */ - -#include <stdlib.h> -#include <string.h> - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -#include "pam_userdb.h" - -/* - * dummy conversation function sending exactly one prompt - * and expecting exactly one response from the other party - */ -static int converse(pam_handle_t *pamh, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - const struct pam_conv *conv; - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv ) ; - if (retval == PAM_SUCCESS) - retval = conv->conv(1, (const struct pam_message **)message, - response, conv->appdata_ptr); - - return retval; /* propagate error status */ -} - - -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - _pam_drop(xx); - return NULL; -} - -/* - * This is a conversation function to obtain the user's password - */ -int conversation(pam_handle_t *pamh) -{ - struct pam_message msg[2],*pmsg[2]; - struct pam_response *resp; - int retval; - char * token = NULL; - - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = "Password: "; - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, pmsg, &resp); - - if (resp != NULL) { - const char * item; - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token = x_strdup(resp[0].resp); - if (token == NULL) { - return PAM_AUTHTOK_RECOVER_ERR; - } - } - - /* set the auth token */ - retval = pam_set_item(pamh, PAM_AUTHTOK, token); - token = _pam_delete(token); /* clean it up */ - if ( (retval != PAM_SUCCESS) || - (retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)) - != PAM_SUCCESS ) { - return retval; - } - - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - return retval; -} - -/* - * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1999 - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/Linux-PAM/modules/pam_userdb/pam_userdb.8 b/Linux-PAM/modules/pam_userdb/pam_userdb.8 new file mode 100644 index 00000000..b1ad6677 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/pam_userdb.8 @@ -0,0 +1,104 @@ +.\" Title: pam_userdb +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/07/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_USERDB" "8" "06/07/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_userdb \- PAM module to authenticate against a db database +.SH "SYNOPSIS" +.HP 14 +\fBpam_userdb.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] +.SH "DESCRIPTION" +.PP +The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords. +.SH "OPTIONS" +.TP 3n +\fBcrypt=[crypt|none]\fR +Indicates whether encrypted or plaintext passwords are stored in the database. If it is +\fBcrypt\fR, passwords should be stored in the database in +\fBcrypt\fR(3) +form. If +\fBnone\fR +is selected, passwords should be stored in the database as plaintext. +.TP 3n +\fBdb=\fR\fB\fI/path/database\fR\fR +Use the +\fI/path/database\fR +database for performing lookup. There is no default; the module will return +\fBPAM_IGNORE\fR +if no database is provided. +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBdump\fR +Dump all the entries in the database to the log. Don't do this by default! +.TP 3n +\fBicase\fR +Make the password verification to be case insensitive (ie when working with registration numbers and such). Only works with plaintext password storage. +.TP 3n +\fBtry_first_pass\fR +Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will try to converse. This option can be used for stacking different modules that need to deal with the authentication tokens. +.TP 3n +\fBuse_first_pass\fR +Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will fail. This option can be used for stacking different modules that need to deal with the authentication tokens. +.TP 3n +\fBunknown_ok\fR +Do not return error when checking for a user that is not in the database. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database. +.TP 3n +\fBkey_only\fR +The username and password are concatenated together in the database hash as 'username\-password' with a random value. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid. this is useful in cases where the username may not be unique but the username and password pair are. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR +and +\fBaccount\fR +are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +Authentication failure. +.TP 3n +PAM_AUTHTOK_RECOVERY_ERR +Authentication information cannot be recovered. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_CONV_ERR +Conversation failure. +.TP 3n +PAM_SERVICE_ERR +Error in service module. +.TP 3n +PAM_SUCCESS +Success. +.TP 3n +PAM_USER_UNKNOWN +User not known to the underlying authentication module. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +auth sufficient pam_userdb.so icase db=/etc/dbtest.db + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBcrypt\fR(3), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_userdb was written by Cristian Gafton >gafton@redhat.com<. diff --git a/Linux-PAM/modules/pam_userdb/pam_userdb.8.xml b/Linux-PAM/modules/pam_userdb/pam_userdb.8.xml new file mode 100644 index 00000000..70b416b3 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/pam_userdb.8.xml @@ -0,0 +1,292 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_userdb"> + + <refmeta> + <refentrytitle>pam_userdb</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_userdb-name"> + <refname>pam_userdb</refname> + <refpurpose>PAM module to authenticate against a db database</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_userdb-cmdsynopsis"> + <command>pam_userdb.so</command> + <arg choice="plain"> + db=<replaceable>/path/database</replaceable> + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + crypt=[crypt|none] + </arg> + <arg choice="opt"> + icase + </arg> + <arg choice="opt"> + dump + </arg> + <arg choice="opt"> + try_first_pass + </arg> + <arg choice="opt"> + use_first_pass + </arg> + <arg choice="opt"> + unknown_ok + </arg> + <arg choice="opt"> + key_only + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_userdb-description"> + + <title>DESCRIPTION</title> + + <para> + The pam_userdb module is used to verify a username/password pair + against values stored in a Berkeley DB database. The database is + indexed by the username, and the data fields corresponding to the + username keys are the passwords. + </para> + </refsect1> + + <refsect1 id="pam_userdb-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>crypt=[crypt|none]</option> + </term> + <listitem> + <para> + Indicates whether encrypted or plaintext passwords are stored + in the database. If it is <option>crypt</option>, passwords + should be stored in the database in + <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> form. If <option>none</option> is selected, + passwords should be stored in the database as plaintext. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>db=<replaceable>/path/database</replaceable></option> + </term> + <listitem> + <para> + Use the <filename>/path/database</filename> database for + performing lookup. There is no default; the module will + return <emphasis remap='B'>PAM_IGNORE</emphasis> if no + database is provided. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>dump</option> + </term> + <listitem> + <para> + Dump all the entries in the database to the log. + Don't do this by default! + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>icase</option> + </term> + <listitem> + <para> + Make the password verification to be case insensitive + (ie when working with registration numbers and such). + Only works with plaintext password storage. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>try_first_pass</option> + </term> + <listitem> + <para> + Use the authentication token previously obtained by + another module that did the conversation with the + application. If this token can not be obtained then + the module will try to converse. This option can + be used for stacking different modules that need to + deal with the authentication tokens. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_first_pass</option> + </term> + <listitem> + <para> + Use the authentication token previously obtained by + another module that did the conversation with the + application. If this token can not be obtained then + the module will fail. This option can be used for + stacking different modules that need to deal with + the authentication tokens. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unknown_ok</option> + </term> + <listitem> + <para> + Do not return error when checking for a user that is + not in the database. This can be used to stack more + than one pam_userdb module that will check a + username/password pair in more than a database. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>key_only</option> + </term> + <listitem> + <para> + The username and password are concatenated together + in the database hash as 'username-password' with a + random value. if the concatenation of the username and + password with a dash in the middle returns any result, + the user is valid. this is useful in cases where + the username may not be unique but the username and + password pair are. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_userdb-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option> and <option>account</option> + are supported. + </para> + </refsect1> + + <refsect1 id='pam_userdb-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para>Authentication failure.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + Authentication information cannot be recovered. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Error in service module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known to the underlying authentication module. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_userdb-examples'> + <title>EXAMPLES</title> + <programlisting> +auth sufficient pam_userdb.so icase db=/etc/dbtest.db + </programlisting> + </refsect1> + + <refsect1 id='pam_userdb-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_userdb-author'> + <title>AUTHOR</title> + <para> + pam_userdb was written by Cristian Gafton >gafton@redhat.com<. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_userdb/pam_userdb.c b/Linux-PAM/modules/pam_userdb/pam_userdb.c index 86c7238b..a796b15e 100644 --- a/Linux-PAM/modules/pam_userdb/pam_userdb.c +++ b/Linux-PAM/modules/pam_userdb/pam_userdb.c @@ -1,12 +1,11 @@ /* pam_userdb module */ /* - * $Id: pam_userdb.c,v 1.7 2004/09/28 13:48:47 kukuk Exp $ * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 * See the end of the file for Copyright Information */ -#include <security/_pam_aconf.h> +#include "config.h" #include <stdio.h> #include <stdlib.h> @@ -18,6 +17,9 @@ #include <sys/stat.h> #include <fcntl.h> #include <errno.h> +#ifdef HAVE_CRYPT_H +#include <crypt.h> +#endif #include "pam_userdb.h" @@ -43,23 +45,46 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> +#include <security/pam_ext.h> +#include <security/_pam_macros.h> -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) +/* + * Conversation function to obtain the user's password + */ +static int +obtain_authtok(pam_handle_t *pamh) { - va_list args; + char *resp; + const void *item; + int retval; + + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, _("Password: ")); + + if (retval != PAM_SUCCESS) + return retval; + + if (resp == NULL) + return PAM_CONV_ERR; + + /* set the auth token */ + retval = pam_set_item(pamh, PAM_AUTHTOK, resp); + + /* clean it up */ + _pam_overwrite(resp); + _pam_drop(resp); + + if ( (retval != PAM_SUCCESS) || + (retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) + != PAM_SUCCESS ) { + return retval; + } - va_start(args, format); - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); + return retval; } static int -_pam_parse (int argc, const char **argv, - char **database, char **cryptmode) +_pam_parse (pam_handle_t *pamh, int argc, const char **argv, + const char **database, const char **cryptmode) { int ctrl; @@ -81,25 +106,29 @@ _pam_parse (int argc, const char **argv, ctrl |= PAM_UNKNOWN_OK_ARG; else if (!strcasecmp(*argv, "key_only")) ctrl |= PAM_KEY_ONLY_ARG; + else if (!strcasecmp(*argv, "use_first_pass")) + ctrl |= PAM_USE_FPASS_ARG; + else if (!strcasecmp(*argv, "try_first_pass")) + ctrl |= PAM_TRY_FPASS_ARG; else if (!strncasecmp(*argv,"db=", 3)) { - *database = strdup((*argv) + 3); - if ((*database == NULL) || (strlen (*database) == 0)) - _pam_log(LOG_ERR, - "pam_parse: could not parse argument \"%s\"", - *argv); + *database = (*argv) + 3; + if (**database == '\0') { + *database = NULL; + pam_syslog(pamh, LOG_ERR, + "db= specification missing argument - ignored"); + } } else if (!strncasecmp(*argv,"crypt=", 6)) { - *cryptmode = strdup((*argv) + 6); - if ((*cryptmode == NULL) || (strlen (*cryptmode) == 0)) - _pam_log(LOG_ERR, - "pam_parse: could not parse argument \"%s\"", - *argv); + *cryptmode = (*argv) + 6; + if (**cryptmode == '\0') + pam_syslog(pamh, LOG_ERR, + "crypt= specification missing argument - ignored"); } else { - _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -117,7 +146,7 @@ _pam_parse (int argc, const char **argv, * -2 = System error */ static int -user_lookup (const char *database, const char *cryptmode, +user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, const char *user, const char *pass, int ctrl) { DBM *dbm; @@ -126,19 +155,20 @@ user_lookup (const char *database, const char *cryptmode, /* Open the DB file. */ dbm = dbm_open(database, O_RDONLY, 0644); if (dbm == NULL) { - _pam_log(LOG_ERR, "user_lookup: could not open database `%s'", - database); + pam_syslog(pamh, LOG_ERR, + "user_lookup: could not open database `%s': %m", database); return -2; } /* dump out the database contents for debugging */ if (ctrl & PAM_DUMP_ARG) { - _pam_log(LOG_INFO, "Database dump:"); + pam_syslog(pamh, LOG_INFO, "Database dump:"); for (key = dbm_firstkey(dbm); key.dptr != NULL; key = dbm_nextkey(dbm)) { data = dbm_fetch(dbm, key); - _pam_log(LOG_INFO, "key[len=%d] = `%s', data[len=%d] = `%s'", - key.dsize, key.dptr, data.dsize, data.dptr); + pam_syslog(pamh, LOG_INFO, + "key[len=%d] = `%s', data[len=%d] = `%s'", + key.dsize, key.dptr, data.dsize, data.dptr); } } @@ -146,9 +176,10 @@ user_lookup (const char *database, const char *cryptmode, memset(&key, 0, sizeof(key)); memset(&data, 0, sizeof(data)); if (ctrl & PAM_KEY_ONLY_ARG) { - key.dptr = malloc(strlen(user) + 1 + strlen(pass) + 1); - sprintf(key.dptr, "%s-%s", user, pass); - key.dsize = strlen(key.dptr); + if (asprintf(&key.dptr, "%s-%s", user, pass) < 0) + key.dptr = NULL; + else + key.dsize = strlen(key.dptr); } else { key.dptr = x_strdup(user); key.dsize = strlen(user); @@ -161,8 +192,9 @@ user_lookup (const char *database, const char *cryptmode, } if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "password in database is [%p]`%s', len is %d", - data.dptr, (char *) data.dptr, data.dsize); + pam_syslog(pamh, LOG_INFO, + "password in database is [%p]`%.*s', len is %d", + data.dptr, data.dsize, (char *) data.dptr, data.dsize); } if (data.dptr != NULL) { @@ -174,7 +206,7 @@ user_lookup (const char *database, const char *cryptmode, return 0; /* found it, data contents don't matter */ } - if (strncasecmp(cryptmode, "crypt", 5) == 0) { + if (cryptmode && strncasecmp(cryptmode, "crypt", 5) == 0) { /* crypt(3) password storage */ @@ -196,7 +228,7 @@ user_lookup (const char *database, const char *cryptmode, } else { compare = -2; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "crypt() returned NULL"); + pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); } }; @@ -208,18 +240,19 @@ user_lookup (const char *database, const char *cryptmode, * default to plaintext password storage */ - if (strlen(pass) != data.dsize) { - compare = 1; /* wrong password len -> wrong password */ - } else if (ctrl & PAM_ICASE_ARG) { + if (strlen(pass) != (size_t)data.dsize) { + compare = 1; /* wrong password len -> wrong password */ + } else if (ctrl & PAM_ICASE_ARG) { compare = strncasecmp(data.dptr, pass, data.dsize); - } else { + } else { compare = strncmp(data.dptr, pass, data.dsize); - } + } - if (strncasecmp(cryptmode, "none", 4) && ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "invalid value for crypt parameter: %s", - cryptmode); - _pam_log(LOG_INFO, "defaulting to plaintext password mode"); + if (cryptmode && strncasecmp(cryptmode, "none", 4) + && (ctrl & PAM_DEBUG_ARG)) { + pam_syslog(pamh, LOG_INFO, "invalid value for crypt parameter: %s", + cryptmode); + pam_syslog(pamh, LOG_INFO, "defaulting to plaintext password mode"); } } @@ -233,8 +266,7 @@ user_lookup (const char *database, const char *cryptmode, int saw_user = 0; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "error returned by dbm_fetch: %s", - strerror(errno)); + pam_syslog(pamh, LOG_INFO, "error returned by dbm_fetch: %m"); } /* probably we should check dbm_error() here */ @@ -257,7 +289,7 @@ user_lookup (const char *database, const char *cryptmode, /* if we have the divider where we expect it to be... */ if (key.dptr[strlen(user)] == '-') { saw_user = 1; - if (key.dsize == strlen(user) + 1 + strlen(pass)) { + if ((size_t)key.dsize == strlen(user) + 1 + strlen(pass)) { if (ctrl & PAM_ICASE_ARG) { /* compare the password portion (case insensitive)*/ compare = strncasecmp(key.dptr + strlen(user) + 1, @@ -290,91 +322,86 @@ user_lookup (const char *database, const char *cryptmode, /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { const char *username; - const char *password; - char *database = NULL; - char *cryptmode = NULL; + const void *password; + const char *database = NULL; + const char *cryptmode = NULL; int retval = PAM_AUTH_ERR, ctrl; /* parse arguments */ - ctrl = _pam_parse(argc, argv, &database, &cryptmode); - if ((database == NULL) || (strlen(database) == 0)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the database name"); + ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode); + if (database == NULL) { + pam_syslog(pamh, LOG_ERR, "can not get the database name"); return PAM_SERVICE_ERR; } /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the username"); + pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_SERVICE_ERR; } - /* Converse just to be sure we have a password */ - retval = conversation(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); - return PAM_CONV_ERR; - } - - /* Check if we got a password. The docs say that if we didn't have one, - * and use_authtok was specified as an argument, that we converse with the - * user anyway, so check for one and handle a failure for that case. If - * use_authtok wasn't specified, then we've already asked once and needn't - * do so again. */ - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password); - if ((retval != PAM_SUCCESS) && ((ctrl & PAM_USE_AUTHTOK_ARG) != 0)) { - retval = conversation(pamh); + if ((ctrl & PAM_USE_FPASS_ARG) == 0 && (ctrl & PAM_TRY_FPASS_ARG) == 0) { + /* Converse to obtain a password */ + retval = obtain_authtok(pamh); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); - return PAM_CONV_ERR; + pam_syslog(pamh, LOG_ERR, "can not obtain password from user"); + return retval; } } - /* Get the password */ - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "Could not retrieve user's password"); - return -2; + /* Check if we got a password */ + retval = pam_get_item(pamh, PAM_AUTHTOK, &password); + if (retval != PAM_SUCCESS || password == NULL) { + if ((ctrl & PAM_TRY_FPASS_ARG) != 0) { + /* Converse to obtain a password */ + retval = obtain_authtok(pamh); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "can not obtain password from user"); + return retval; + } + retval = pam_get_item(pamh, PAM_AUTHTOK, &password); + } + if (retval != PAM_SUCCESS || password == NULL) { + pam_syslog(pamh, LOG_ERR, "can not recover user password"); + return PAM_AUTHTOK_RECOVERY_ERR; + } } if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_INFO, "Verify user `%s' with password `%s'", - username, password); + pam_syslog(pamh, LOG_INFO, "Verify user `%s' with a password", + username); /* Now use the username to look up password in the database file */ - retval = user_lookup(database, cryptmode, username, password, ctrl); + retval = user_lookup(pamh, database, cryptmode, username, password, ctrl); switch (retval) { case -2: /* some sort of system error. The log was already printed */ return PAM_SERVICE_ERR; case -1: /* incorrect password */ - _pam_log(LOG_WARNING, - "user `%s' denied access (incorrect password)", - username); + pam_syslog(pamh, LOG_WARNING, + "user `%s' denied access (incorrect password)", + username); return PAM_AUTH_ERR; case 1: /* the user does not exist in the database */ if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "user `%s' not found in the database", - username); + pam_syslog(pamh, LOG_NOTICE, + "user `%s' not found in the database", username); return PAM_USER_UNKNOWN; case 0: /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted acces", username); + pam_syslog(pamh, LOG_NOTICE, "user '%s' granted access", username); return PAM_SUCCESS; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "internal module error (retval = %d, user = `%s'", retval, username); return PAM_SERVICE_ERR; @@ -384,34 +411,34 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, return PAM_IGNORE; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { const char *username; - char *database = NULL; - char *cryptmode = NULL; + const char *database = NULL; + const char *cryptmode = NULL; int retval = PAM_AUTH_ERR, ctrl; /* parse arguments */ - ctrl = _pam_parse(argc, argv, &database, &cryptmode); + ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the username"); + pam_syslog(pamh, LOG_ERR,"can not get the username"); return PAM_SERVICE_ERR; } /* Now use the username to look up password in the database file */ - retval = user_lookup(database, cryptmode, username, "", ctrl); + retval = user_lookup(pamh, database, cryptmode, username, "", ctrl); switch (retval) { case -2: /* some sort of system error. The log was already printed */ @@ -427,10 +454,10 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_USER_UNKNOWN; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, - "internal module error (retval = %d, user = `%s'", - retval, username); - return PAM_SERVICE_ERR; + pam_syslog(pamh, LOG_ERR, + "internal module error (retval = %d, user = `%s'", + retval, username); + return PAM_SERVICE_ERR; } return PAM_SUCCESS; diff --git a/Linux-PAM/modules/pam_userdb/pam_userdb.h b/Linux-PAM/modules/pam_userdb/pam_userdb.h index af03676b..5a3396a2 100644 --- a/Linux-PAM/modules/pam_userdb/pam_userdb.h +++ b/Linux-PAM/modules/pam_userdb/pam_userdb.h @@ -1,7 +1,7 @@ #ifndef _PAM_USERSDB_H #define _PAM_USERSDB_H -/* $Id: pam_userdb.h,v 1.2 2004/09/28 13:48:47 kukuk Exp $ */ +/* $Id: pam_userdb.h,v 1.4 2005/09/18 13:04:57 kukuk Exp $ */ /* Header files */ #include <security/pam_appl.h> @@ -10,9 +10,10 @@ #define PAM_DEBUG_ARG 0x0001 #define PAM_ICASE_ARG 0x0002 #define PAM_DUMP_ARG 0x0004 -#define PAM_USE_AUTHTOK_ARG 0x0008 #define PAM_UNKNOWN_OK_ARG 0x0010 #define PAM_KEY_ONLY_ARG 0x0020 +#define PAM_USE_FPASS_ARG 0x0040 +#define PAM_TRY_FPASS_ARG 0x0080 /* Useful macros */ #define x_strdup(s) ( (s) ? strdup(s):NULL ) @@ -22,9 +23,6 @@ #define MODULE_NAME "pam_userdb" #endif /* MODULE_NAME */ -/* function prototypes */ -int conversation(pam_handle_t *); - #endif /* _PAM_USERSDB_H */ /* diff --git a/Linux-PAM/modules/pam_userdb/tst-pam_userdb b/Linux-PAM/modules/pam_userdb/tst-pam_userdb new file mode 100755 index 00000000..5d5eb195 --- /dev/null +++ b/Linux-PAM/modules/pam_userdb/tst-pam_userdb @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_userdb.so diff --git a/Linux-PAM/modules/pam_warn/Makefile b/Linux-PAM/modules/pam_warn/Makefile deleted file mode 100644 index b1420538..00000000 --- a/Linux-PAM/modules/pam_warn/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:06 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_warn - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_warn/Makefile.am b/Linux-PAM/modules/pam_warn/Makefile.am new file mode 100644 index 00000000..6ecc1362 --- /dev/null +++ b/Linux-PAM/modules/pam_warn/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn + +man_MANS = pam_warn.8 +XMLS = README.xml pam_warn.8.xml + +TESTS = tst-pam_warn + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_warn.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_warn.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_warn/Makefile.in b/Linux-PAM/modules/pam_warn/Makefile.in new file mode 100644 index 00000000..aa0c0adf --- /dev/null +++ b/Linux-PAM/modules/pam_warn/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_warn +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_warn_la_LIBADD = +pam_warn_la_SOURCES = pam_warn.c +pam_warn_la_OBJECTS = pam_warn.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_warn.c +DIST_SOURCES = pam_warn.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn +man_MANS = pam_warn.8 +XMLS = README.xml pam_warn.8.xml +TESTS = tst-pam_warn +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_warn.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_warn/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_warn/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_warn.la: $(pam_warn_la_OBJECTS) $(pam_warn_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_warn_la_OBJECTS) $(pam_warn_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_warn.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_warn.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_warn/README b/Linux-PAM/modules/pam_warn/README index 3c4bde8a..d9619b53 100644 --- a/Linux-PAM/modules/pam_warn/README +++ b/Linux-PAM/modules/pam_warn/README @@ -1,26 +1,36 @@ -# $Id: README,v 1.1.1.1 2000/06/20 22:12:10 agmorgan Exp $ -# +pam_warn — PAM module which logs all PAM items if called + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION -This module is an authentication module that does not authenticate. -Instead it always returns PAM_IGNORE, indicating that it does not want -to affect the authentication process. +pam_warn is a PAM module that logs the service, terminal, user, remote user and +remote host to syslog(3). The items are not probed for, but instead obtained +from the standard PAM items. The module always returns PAM_IGNORE, indicating +that it does not want to affect the authentication process. -Its purpose is to log a message to the syslog indicating the -pam_item's available at the time it was invoked. It is a diagnostic -tool. +OPTIONS -Recognized arguments: +This module does not recognice any options. - <none> +EXAMPLES + +#%PAM-1.0 +# +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so -module services provided: - auth _authenticate and _setcred (blank) - acct _acct_mgmt [mapped to _authenticate] - session _open_session and - _close_session [mapped to _authenticate ] - password _chauthtok [mapped to _authenticate] +AUTHOR +pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. -Andrew Morgan -1996/11/14 diff --git a/Linux-PAM/modules/pam_warn/README.xml b/Linux-PAM/modules/pam_warn/README.xml new file mode 100644 index 00000000..4367c28f --- /dev/null +++ b/Linux-PAM/modules/pam_warn/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_warn.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_warn.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_warn-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_warn/pam_warn.8 b/Linux-PAM/modules/pam_warn/pam_warn.8 new file mode 100644 index 00000000..4e2c67c5 --- /dev/null +++ b/Linux-PAM/modules/pam_warn/pam_warn.8 @@ -0,0 +1,67 @@ +.\" Title: pam_warn +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_WARN" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_warn \- PAM module which logs all PAM items if called +.SH "SYNOPSIS" +.HP 12 +\fBpam_warn.so\fR +.SH "DESCRIPTION" +.PP +pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to +\fBsyslog\fR(3). The items are not probed for, but instead obtained from the standard PAM items. The module always returns +\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process. +.SH "OPTIONS" +.PP +This module does not recognice any options. +.SH "MODULE SERVICES PROVIDED" +.PP +The services +\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR +are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_IGNORE +This module always returns PAM_IGNORE. +.SH "EXAMPLES" +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so + +.fi +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. diff --git a/Linux-PAM/modules/pam_warn/pam_warn.8.xml b/Linux-PAM/modules/pam_warn/pam_warn.8.xml new file mode 100644 index 00000000..1aa70f59 --- /dev/null +++ b/Linux-PAM/modules/pam_warn/pam_warn.8.xml @@ -0,0 +1,104 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_warn"> + + <refmeta> + <refentrytitle>pam_warn</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + <refnamediv id="pam_warn-name"> + <refname>pam_warn</refname> + <refpurpose>PAM module which logs all PAM items if called</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis id="pam_warn-cmdsynopsis"> + <command>pam_warn.so</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_warn-description"> + <title>DESCRIPTION</title> + <para> + pam_warn is a PAM module that logs the service, terminal, user, + remote user and remote host to + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. The items are not probed for, but instead obtained + from the standard PAM items. The module always returns + <emphasis remap='B'>PAM_IGNORE</emphasis>, indicating that it + does not want to affect the authentication process. + </para> + </refsect1> + + <refsect1 id="pam_warn-options"> + <title>OPTIONS</title> + <para>This module does not recognice any options.</para> + </refsect1> + + <refsect1 id="pam_warn-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The services <option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option> are supported. + </para> + </refsect1> + + <refsect1 id='pam_warn-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + This module always returns PAM_IGNORE. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_warn-examples'> + <title>EXAMPLES</title> + <programlisting> +#%PAM-1.0 +# +# If we don't have config entries for a service, the +# OTHER entries are used. To be secure, warn and deny +# access to everything. +other auth required pam_warn.so +other auth required pam_deny.so +other account required pam_warn.so +other account required pam_deny.so +other password required pam_warn.so +other password required pam_deny.so +other session required pam_warn.so +other session required pam_deny.so + </programlisting> + </refsect1> + + <refsect1 id='pam_warn-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_warn-author'> + <title>AUTHOR</title> + <para> + pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_warn/pam_warn.c b/Linux-PAM/modules/pam_warn/pam_warn.c index 90170c01..8c3b9d69 100644 --- a/Linux-PAM/modules/pam_warn/pam_warn.c +++ b/Linux-PAM/modules/pam_warn/pam_warn.c @@ -1,12 +1,12 @@ /* pam_warn module */ /* - * $Id: pam_warn.c,v 1.2 2002/05/29 04:44:43 agmorgan Exp $ + * $Id: pam_warn.c,v 1.6 2005/09/17 08:59:04 t8m Exp $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ -#define _BSD_SOURCE +#include "config.h" #include <stdio.h> #include <unistd.h> @@ -24,28 +24,18 @@ #define PAM_SM_PASSWORD #include <security/pam_modules.h> +#include <security/pam_ext.h> /* some syslogging */ #define OBTAIN(item, value, default_value) do { \ - (void) pam_get_item(pamh, item, (const void **) &value); \ + (void) pam_get_item(pamh, item, &value); \ value = value ? value : default_value ; \ } while (0) -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-warn", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - static void log_items(pam_handle_t *pamh, const char *function) { - const char *service=NULL, *user=NULL, *terminal=NULL, + const void *service=NULL, *user=NULL, *terminal=NULL, *rhost=NULL, *ruser=NULL; OBTAIN(PAM_SERVICE, service, "<unknown>"); @@ -54,23 +44,27 @@ static void log_items(pam_handle_t *pamh, const char *function) OBTAIN(PAM_RUSER, ruser, "<unknown>"); OBTAIN(PAM_RHOST, rhost, "<unknown>"); - _pam_log(LOG_NOTICE, "function=[%s] service=[%s] terminal=[%s] user=[%s]" - " ruser=[%s] rhost=[%s]\n", - function, service, terminal, user, ruser, rhost); + pam_syslog(pamh, LOG_NOTICE, + "function=[%s] service=[%s] terminal=[%s] user=[%s]" + " ruser=[%s] rhost=[%s]\n", function, + (const char *) service, (const char *) terminal, + (const char *) user, (const char *) ruser, + (const char *) rhost); } /* --- authentication management functions (only) --- */ PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; } PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; @@ -79,30 +73,32 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) /* password updating functions */ PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv) +int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; } PAM_EXTERN int -pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, int argc, const char **argv) +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; } PAM_EXTERN int -pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; } PAM_EXTERN int -pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { log_items(pamh, __FUNCTION__); return PAM_IGNORE; diff --git a/Linux-PAM/modules/pam_warn/tst-pam_warn b/Linux-PAM/modules/pam_warn/tst-pam_warn new file mode 100755 index 00000000..0b48365a --- /dev/null +++ b/Linux-PAM/modules/pam_warn/tst-pam_warn @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_warn.so diff --git a/Linux-PAM/modules/pam_wheel/Makefile b/Linux-PAM/modules/pam_wheel/Makefile deleted file mode 100644 index 67947f81..00000000 --- a/Linux-PAM/modules/pam_wheel/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# $Id: Makefile,v 1.2 2000/11/19 23:54:06 agmorgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27 -# - -include ../../Make.Rules - -TITLE=pam_wheel - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_wheel/Makefile.am b/Linux-PAM/modules/pam_wheel/Makefile.am new file mode 100644 index 00000000..82a98305 --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel + +man_MANS = pam_wheel.8 +XMLS = README.xml pam_wheel.8.xml + +TESTS = tst-pam_wheel + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_wheel.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_wheel.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_wheel/Makefile.in b/Linux-PAM/modules/pam_wheel/Makefile.in new file mode 100644 index 00000000..2dd057d3 --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_wheel +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_wheel_la_LIBADD = +pam_wheel_la_SOURCES = pam_wheel.c +pam_wheel_la_OBJECTS = pam_wheel.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_wheel.c +DIST_SOURCES = pam_wheel.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel +man_MANS = pam_wheel.8 +XMLS = README.xml pam_wheel.8.xml +TESTS = tst-pam_wheel +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_wheel.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_wheel/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_wheel/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_wheel.la: $(pam_wheel_la_OBJECTS) $(pam_wheel_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_wheel_la_OBJECTS) $(pam_wheel_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_wheel.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_wheel.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_wheel/README b/Linux-PAM/modules/pam_wheel/README index 2cd156c0..6a2b21c5 100644 --- a/Linux-PAM/modules/pam_wheel/README +++ b/Linux-PAM/modules/pam_wheel/README @@ -1,39 +1,61 @@ +pam_wheel — Only permit root access to members of group wheel -pam_wheel: - only permit root authentication to members of wheel group - -RECOGNIZED ARGUMENTS: - debug Write a message to syslog indicating success or - failure. - - use_uid The check for wheel membership will be done against - the current uid instead of the original one - (useful when jumping with su from one account to - another for example). - - trust The pam_wheel module will return PAM_SUCCESS instead - of PAM_IGNORE if the user is a member of the wheel - group (thus with a little play stacking the modules - the wheel members may be able to su to root without - being prompted for a passwd). - - deny Reverse the sense of the auth operation: if the user - is trying to get UID 0 access and is a member of the - wheel group, deny access (well, kind of nonsense, but - for use in conjunction with 'group' argument... :-) - Conversely, if the user is not in the group, return - PAM_IGNORE (unless 'trust' was also specified, in - which case we return PAM_SUCCESS). - - group=xxxx Instead of checking the wheel or GID 0 groups, use - the xxxx group to perform the authentification. - - root_only The check for wheel membership is done only - if the uid of requested account is 0. - -MODULE SERVICES PROVIDED: - auth _authentication, _setcred (blank) and _acct_mgmt - -AUTHOR: - Cristian Gafton <gafton@redhat.com> +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_wheel PAM module is used to enforce the so-called wheel group. By +default it permits root access to the system if the applicant user is a member +of the wheel group. If no group with this name exist, the module is using the +group with the group-ID 0. + +OPTIONS + +debug + + Print debug information. + +deny + + Reverse the sense of the auth operation: if the user is trying to get UID 0 + access and is a member of the wheel group (or the group of the group + option), deny access. Conversely, if the user is not in the group, return + PAM_IGNORE (unless trust was also specified, in which case we return + PAM_SUCCESS). + +group=name + + Instead of checking the wheel or GID 0 groups, use the name group to + perform the authentication. + +root_only + + The check for wheel membership is done only. + +trust + + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the + user is a member of the wheel group (thus with a little play stacking the + modules the wheel members may be able to su to root without being prompted + for a passwd). + +use_uid + + The check for wheel membership will be done against the current uid instead + of the original one (useful when jumping with su from one account to + another for example). + +EXAMPLES + +The root account gains access by default (rootok), only wheel members can +become root (wheel) but Unix authenticate non-root applicants. + +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + + +AUTHOR + +pam_wheel was written by Cristian Gafton <gafton@redhat.com>. diff --git a/Linux-PAM/modules/pam_wheel/README.xml b/Linux-PAM/modules/pam_wheel/README.xml new file mode 100644 index 00000000..9e33d7ff --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_wheel.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_wheel/pam_wheel.8 b/Linux-PAM/modules/pam_wheel/pam_wheel.8 new file mode 100644 index 00000000..ae29c37e --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/pam_wheel.8 @@ -0,0 +1,101 @@ +.\" Title: pam_wheel +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_wheel \- Only permit root access to members of group wheel +.SH "SYNOPSIS" +.HP 13 +\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +.SH "DESCRIPTION" +.PP +The pam_wheel PAM module is used to enforce the so\-called +\fIwheel\fR +group. By default it permits root access to the system if the applicant user is a member of the +\fIwheel\fR +group. If no group with this name exist, the module is using the group with the group\-ID +\fB0\fR. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBdeny\fR +Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the +\fBgroup\fR +option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless +\fBtrust\fR +was also specified, in which case we return PAM_SUCCESS). +.TP 3n +\fBgroup=\fR\fB\fIname\fR\fR +Instead of checking the wheel or GID 0 groups, use the +\fB\fIname\fR\fR +group to perform the authentication. +.TP 3n +\fBroot_only\fR +The check for wheel membership is done only. +.TP 3n +\fBtrust\fR +The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). +.TP 3n +\fBuse_uid\fR +The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +Authentication failure. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +The return value should be ignored by PAM dispatch. +.TP 3n +PAM_PERM_DENY +Permission denied. +.TP 3n +PAM_SERVICE_ERR +Cannot determine the user name. +.TP 3n +PAM_SUCCESS +Success. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants. +.sp +.RS 3n +.nf +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_wheel was written by Cristian Gafton <gafton@redhat.com>. diff --git a/Linux-PAM/modules/pam_wheel/pam_wheel.8.xml b/Linux-PAM/modules/pam_wheel/pam_wheel.8.xml new file mode 100644 index 00000000..bf8b7349 --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/pam_wheel.8.xml @@ -0,0 +1,242 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_wheel"> + + <refmeta> + <refentrytitle>pam_wheel</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_wheel-name"> + <refname>pam_wheel</refname> + <refpurpose>Only permit root access to members of group wheel</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_wheel-cmdsynopsis"> + <command>pam_wheel.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + deny + </arg> + <arg choice="opt"> + group=<replaceable>name</replaceable> + </arg> + <arg choice="opt"> + root_only + </arg> + <arg choice="opt"> + trust + </arg> + <arg choice="opt"> + use_uid + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_wheel-description"> + <title>DESCRIPTION</title> + <para> + The pam_wheel PAM module is used to enforce the so-called + <emphasis>wheel</emphasis> group. By default it permits root + access to the system if the applicant user is a member of the + <emphasis>wheel</emphasis> group. If no group with this name exist, + the module is using the group with the group-ID + <emphasis remap='B'>0</emphasis>. + </para> + </refsect1> + + <refsect1 id="pam_wheel-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>deny</option> + </term> + <listitem> + <para> + Reverse the sense of the auth operation: if the user + is trying to get UID 0 access and is a member of the + wheel group (or the group of the <option>group</option> option), + deny access. Conversely, if the user is not in the group, return + PAM_IGNORE (unless <option>trust</option> was also specified, + in which case we return PAM_SUCCESS). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>group=<replaceable>name</replaceable></option> + </term> + <listitem> + <para> + Instead of checking the wheel or GID 0 groups, use + the <option><replaceable>name</replaceable></option> group + to perform the authentication. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>root_only</option> + </term> + <listitem> + <para> + The check for wheel membership is done only. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>trust</option> + </term> + <listitem> + <para> + The pam_wheel module will return PAM_SUCCESS instead + of PAM_IGNORE if the user is a member of the wheel group + (thus with a little play stacking the modules the wheel + members may be able to su to root without being prompted + for a passwd). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_uid</option> + </term> + <listitem> + <para> + The check for wheel membership will be done against + the current uid instead of the original one (useful when + jumping with su from one account to another for example). + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_wheel-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + The <emphasis remap='B'>auth</emphasis> and + <emphasis remap='B'>account</emphasis> services are supported. + </para> + </refsect1> + + <refsect1 id='pam_wheel-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The return value should be ignored by PAM dispatch. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENY</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Cannot determine the user name. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_wheel-examples'> + <title>EXAMPLES</title> + <para> + The root account gains access by default (rootok), only wheel + members can become root (wheel) but Unix authenticate non-root + applicants. + <programlisting> +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_wheel-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_wheel-author'> + <title>AUTHOR</title> + <para> + pam_wheel was written by Cristian Gafton <gafton@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_wheel/pam_wheel.c b/Linux-PAM/modules/pam_wheel/pam_wheel.c index 92cd44b9..ca0e171d 100644 --- a/Linux-PAM/modules/pam_wheel/pam_wheel.c +++ b/Linux-PAM/modules/pam_wheel/pam_wheel.c @@ -21,7 +21,7 @@ * a wheel member. */ -#define _BSD_SOURCE +#include "config.h" #include <stdio.h> #include <unistd.h> @@ -43,23 +43,10 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> -#include <security/_pam_modutil.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-Wheel", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} +#include <security/pam_modutil.h> +#include <security/pam_ext.h> /* checks if a user is on a list of members of the GID 0 group */ - static int is_on_list(char * const *list, const char *member) { while (list && *list) { @@ -78,8 +65,9 @@ static int is_on_list(char * const *list, const char *member) #define PAM_DENY_ARG 0x0010 #define PAM_ROOT_ONLY_ARG 0x0020 -static int _pam_parse(int argc, const char **argv, char *use_group, - size_t group_length) +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv, + char *use_group, size_t group_length) { int ctrl=0; @@ -103,15 +91,15 @@ static int _pam_parse(int argc, const char **argv, char *use_group, else if (!strncmp(*argv,"group=",6)) strncpy(use_group,*argv+6,group_length-1); else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } return ctrl; } -static int perform_check(pam_handle_t *pamh, int flags, int ctrl, - const char *use_group) +static int +perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) { const char *username = NULL; const char *fromsu; @@ -122,15 +110,15 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG,"can not get the username"); + pam_syslog(pamh, LOG_DEBUG, "can not get the username"); } return PAM_SERVICE_ERR; } - pwd = _pammodutil_getpwnam (pamh, username); + pwd = pam_modutil_getpwnam (pamh, username); if (!pwd) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_NOTICE,"unknown user %s",username); + pam_syslog(pamh, LOG_NOTICE, "unknown user %s", username); } return PAM_USER_UNKNOWN; } @@ -140,24 +128,24 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, return PAM_IGNORE; } } - + if (ctrl & PAM_USE_UID_ARG) { - tpwd = _pammodutil_getpwuid (pamh, getuid()); + tpwd = pam_modutil_getpwuid (pamh, getuid()); if (!tpwd) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_NOTICE, "who is running me ?!"); + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); } return PAM_SERVICE_ERR; } fromsu = tpwd->pw_name; } else { - fromsu = _pammodutil_getlogin(pamh); + fromsu = pam_modutil_getlogin(pamh); if (fromsu) { - tpwd = _pammodutil_getpwnam (pamh, fromsu); + tpwd = pam_modutil_getpwnam (pamh, fromsu); } if (!fromsu || !tpwd) { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_NOTICE, "who is running me ?!"); + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); } return PAM_SERVICE_ERR; } @@ -166,21 +154,22 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, /* * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu */ - + if (!use_group[0]) { - if ((grp = _pammodutil_getgrnam (pamh, "wheel")) == NULL) { - grp = _pammodutil_getgrgid (pamh, 0); + if ((grp = pam_modutil_getgrnam (pamh, "wheel")) == NULL) { + grp = pam_modutil_getgrgid (pamh, 0); } } else { - grp = _pammodutil_getgrnam (pamh, use_group); + grp = pam_modutil_getgrnam (pamh, use_group); } if (!grp || (!grp->gr_mem && (tpwd->pw_gid != grp->gr_gid))) { if (ctrl & PAM_DEBUG_ARG) { if (!use_group[0]) { - _pam_log(LOG_NOTICE,"no members in a GID 0 group"); + pam_syslog(pamh, LOG_NOTICE, "no members in a GID 0 group"); } else { - _pam_log(LOG_NOTICE,"no members in '%s' group", use_group); + pam_syslog(pamh, LOG_NOTICE, + "no members in '%s' group", use_group); } } if (ctrl & PAM_DENY_ARG) { @@ -193,7 +182,7 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, return PAM_AUTH_ERR; } } - + /* * test if the user is a member of the group, or if the * user has the "wheel" (sic) group as its primary group. @@ -228,12 +217,13 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, if (ctrl & PAM_DEBUG_ARG) { if (retval == PAM_IGNORE) { - _pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'", - fromsu, username); + pam_syslog(pamh, LOG_NOTICE, + "Ignoring access request '%s' for '%s'", + fromsu, username); } else { - _pam_log(LOG_NOTICE, "Access %s to '%s' for '%s'", - (retval != PAM_SUCCESS) ? "denied":"granted", - fromsu, username); + pam_syslog(pamh, LOG_NOTICE, "Access %s to '%s' for '%s'", + (retval != PAM_SUCCESS) ? "denied":"granted", + fromsu, username); } } @@ -242,35 +232,35 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, /* --- authentication management functions --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { char use_group[BUFSIZ]; int ctrl; - ctrl = _pam_parse(argc, argv, use_group, sizeof(use_group)); + ctrl = _pam_parse(pamh, argc, argv, use_group, sizeof(use_group)); - return perform_check(pamh, flags, ctrl, use_group); + return perform_check(pamh, ctrl, use_group); } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { char use_group[BUFSIZ]; int ctrl; - ctrl = _pam_parse(argc, argv, use_group, sizeof(use_group)); + ctrl = _pam_parse(pamh, argc, argv, use_group, sizeof(use_group)); - return perform_check(pamh, flags, ctrl, use_group); + return perform_check(pamh, ctrl, use_group); } #ifdef PAM_STATIC diff --git a/Linux-PAM/modules/pam_wheel/tst-pam_wheel b/Linux-PAM/modules/pam_wheel/tst-pam_wheel new file mode 100755 index 00000000..4bf5d6a6 --- /dev/null +++ b/Linux-PAM/modules/pam_wheel/tst-pam_wheel @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_wheel.so diff --git a/Linux-PAM/modules/pam_xauth/Makefile b/Linux-PAM/modules/pam_xauth/Makefile deleted file mode 100644 index 385466a2..00000000 --- a/Linux-PAM/modules/pam_xauth/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -include ../../Make.Rules - -TITLE=pam_xauth -MAN8=pam_xauth.8 - -include ../Simple.Rules diff --git a/Linux-PAM/modules/pam_xauth/Makefile.am b/Linux-PAM/modules/pam_xauth/Makefile.am new file mode 100644 index 00000000..8f1d56b0 --- /dev/null +++ b/Linux-PAM/modules/pam_xauth/Makefile.am @@ -0,0 +1,31 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + +CLEANFILES = *~ + +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth + +man_MANS = pam_xauth.8 +XMLS = README.xml pam_xauth.8.xml + +TESTS = tst-pam_xauth + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_xauth.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_xauth.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/Linux-PAM/modules/pam_xauth/Makefile.in b/Linux-PAM/modules/pam_xauth/Makefile.in new file mode 100644 index 00000000..944d6778 --- /dev/null +++ b/Linux-PAM/modules/pam_xauth/Makefile.in @@ -0,0 +1,665 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +subdir = modules/pam_xauth +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_xauth_la_LIBADD = +pam_xauth_la_SOURCES = pam_xauth.c +pam_xauth_la_OBJECTS = pam_xauth.lo +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = pam_xauth.c +DIST_SOURCES = pam_xauth.c +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +FO2PDF = @FO2PDF@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WITH_DEBUG = @WITH_DEBUG@ +WITH_PAMLOCKING = @WITH_PAMLOCKING@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth +man_MANS = pam_xauth.8 +XMLS = README.xml pam_xauth.8.xml +TESTS = tst-pam_xauth +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) +securelib_LTLIBRARIES = pam_xauth.la +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_xauth/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_xauth/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_xauth.la: $(pam_xauth_la_OBJECTS) $(pam_xauth_la_DEPENDENCIES) + $(LINK) -rpath $(securelibdir) $(pam_xauth_la_OBJECTS) $(pam_xauth_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_xauth.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_xauth.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/Linux-PAM/modules/pam_xauth/README b/Linux-PAM/modules/pam_xauth/README index dd65292f..1e134d70 100644 --- a/Linux-PAM/modules/pam_xauth/README +++ b/Linux-PAM/modules/pam_xauth/README @@ -1,41 +1,90 @@ -pam_xauth: - Forward xauth cookies from user to user, normally used by su, sudo, or - userhelper. - - Primitive access control is provided by ~/.xauth/export in the invoking - user's home directory and ~/.xauth/import in the target user's home - directory. - - If a user has a ~/.xauth/import file, the user will only receive cookies - from users listed in the file. If there is no ~/.xauth/import file, - the user will accept cookies from any other user. - - If a user has a .xauth/export file, the user will only forward cookies - to users listed in the file. If there is no ~/.xauth/export file, and - the invoking user is not "root", the user will forward cookies to - any other user. If there is no ~/.xauth/export file, and the invoking - user is "root", the user will NOT forward cookies to other users. - - Both the import and export files support wildcards (such as "*"). Both - the import and export files can be empty, signifying that no users are - allowed. - -RECOGNIZED ARGUMENTS: - debug write debugging messages to syslog - xauthpath= the path to the xauth program, by default - /usr/X11R6/bin/xauth - systemuser= highest user id assigned to system users, defaults - to 499 (pam_xauth will refuse to forward creds to - target users with id equal to or below this number, - except for root and possibly another specified user) - targetuser= a target user id which is excepted from the systemuser - checks - - -MODULE SERVICES PROVIDED: - session open session copies xauth cookie to new user - close session deletes copied xauth cookie - -AUTHOR: - Nalin Dahyabhai <nalin@redhat.com>, based on original version by - Michael K. Johnson <johnsonm@redhat.com> +pam_xauth — PAM module to forward xauth keys between users + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +The pam_xauth PAM module is designed to forward xauth keys (sometimes referred +to as "cookies") between users. + +Without pam_xauth, when xauth is enabled and a user uses the su(1) command to +assume another user's priviledges, that user is no longer able to access the +original user's X display because the new user does not have the key needed to +access the display. pam_xauth solves the problem by forwarding the key from the +user running su (the source user) to the user whose identity the source user is +assuming (the target user) when the session is created, and destroying the key +when the session is torn down. + +This means, for example, that when you run su(1) from an xterm sesssion, you +will be able to run X programs without explicitly dealing with the xauth(1) +xauth command or ~/.Xauthority files. + +pam_xauth will only forward keys if xauth can list a key connected to the +$DISPLAY environment variable. + +Primitive access control is provided by ~/.xauth/export in the invoking user's +home directory and ~/.xauth/import in the target user's home directory. + +If a user has a ~/.xauth/import file, the user will only receive cookies from +users listed in the file. If there is no ~/.xauth/import file, the user will +accept cookies from any other user. + +If a user has a .xauth/export file, the user will only forward cookies to users +listed in the file. If there is no ~/.xauth/export file, and the invoking user +is not root, the user will forward cookies to any other user. If there is no ~ +/.xauth/export file, and the invoking user is root, the user will not forward +cookies to other users. + +Both the import and export files support wildcards (such as *). Both the import +and export files can be empty, signifying that no users are allowed. + +OPTIONS + +debug + + Print debug information. + +xauthpath=/path/to/xauth + + Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth, + /usr/bin/xauth, or /usr/bin/X11/xauth by default). + +systemuser=UID + + Specify the highest UID which will be assumed to belong to a "system" user. + pam_xauth will refuse to forward credentials to users with UID less than or + equal to this number, except for root and the "targetuser", if specified. + +targetuser=UID + + Specify a single target UID which is exempt from the systemuser check. + +EXAMPLES + +Add the following line to /etc/pam.d/su to forward xauth keys between users +when calling su: + +session optional pam_xauth.so + + +IMPLEMENTATION DETAILS + +pam_xauth will work only if it is used from a setuid application in which the +getuid() call returns the id of the user running the application, and for which +PAM can supply the name of the account that the user is attempting to assume. +The typical application of this type is su(1). The application must call both +pam_open_session() and pam_close_session() with the ruid set to the uid of the +calling user and the euid set to root, and must have provided as the PAM_USER +item the name of the target user. + +pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then +calls xauth as the target user to merge the key into the a temporary database +and later remove the database. + +pam_xauth cannot be told to not remove the keys when the session is closed. + +AUTHOR + +pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original +version by Michael K. Johnson <johnsonm@redhat.com>. + diff --git a/Linux-PAM/modules/pam_xauth/README.xml b/Linux-PAM/modules/pam_xauth/README.xml new file mode 100644 index 00000000..adefbd98 --- /dev/null +++ b/Linux-PAM/modules/pam_xauth/README.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_xauth.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_xauth-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-implementation"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/> + </section> + +</article> diff --git a/Linux-PAM/modules/pam_xauth/pam_xauth.8 b/Linux-PAM/modules/pam_xauth/pam_xauth.8 index 9acb7249..85f5dbf3 100644 --- a/Linux-PAM/modules/pam_xauth/pam_xauth.8 +++ b/Linux-PAM/modules/pam_xauth/pam_xauth.8 @@ -1,82 +1,141 @@ -.\" Copyright 2001,2003 Red Hat, Inc. -.\" Written by Nalin Dahyabhai <nalin@redhat.com>, based on the original -.\" version by Michael K. Johnson -.TH pam_xauth 8 2003/7/24 "Red Hat Linux" "System Administrator's Manual" -.SH NAME -pam_xauth \- forward xauth keys between users -.SH SYNOPSIS -.B session optional /lib/security/pam_xauth.so \fIarguments\fP -.SH DESCRIPTION -pam_xauth.so is designed to forward xauth keys (sometimes referred -to as "cookies") between users. - -Without pam_xauth, when xauth is enabled and a user uses the \fBsu\fP command -to assume another user's priviledges, that user is no longer able to access -the original user's X display because the new user does not have the key -needed to access the display. pam_xauth solves the problem by forwarding the -key from the user running su (the source user) to the user whose -identity the source user is assuming (the target user) when the session -is created, and destroying the key when the session is torn down. - -This means, for example, that when you run \fBsu\fP from an xterm sesssion, -you will be able to run X programs without explicitly dealing with the +.\" Title: pam_xauth +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_XAUTH" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_xauth \- PAM module to forward xauth keys between users +.SH "SYNOPSIS" +.HP 13 +\fBpam_xauth.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] +.SH "DESCRIPTION" +.PP +The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users. +.PP +Without pam_xauth, when xauth is enabled and a user uses the +\fBsu\fR(1) +command to assume another user's priviledges, that user is no longer able to access the original user's X display because the new user does not have the key needed to access the display. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down. +.PP +This means, for example, that when you run +\fBsu\fR(1) +from an xterm sesssion, you will be able to run X programs without explicitly dealing with the +\fBxauth\fR(1) xauth command or ~/.Xauthority files. - -pam_xauth will only forward keys if xauth can list a key connected -to the $DISPLAY environment variable. - -Primitive access control is provided by \fB~/.xauth/export\fP in the invoking -user's home directory and \fB~/.xauth/import\fP in the target user's home -directory. - -If a user has a \fB~/.xauth/import\fP file, the user will only receive cookies -from users listed in the file. If there is no \fB~/.xauth/import\fP file, -the user will accept cookies from any other user. - -If a user has a \fB.xauth/export\fP file, the user will only forward cookies -to users listed in the file. If there is no \fB~/.xauth/export\fP file, and -the invoking user is not \fBroot\fP, the user will forward cookies to -any other user. If there is no \fB~/.xauth/export\fP file, and the invoking -user is \fBroot\fP, the user will \fInot\fP forward cookies to other users. - -Both the import and export files support wildcards (such as \fI*\fP). Both -the import and export files can be empty, signifying that no users are allowed. - -.SH ARGUMENTS -.IP debug -Turns on debugging messages sent to syslog. -.IP xauthpath=\fI/usr/X11R6/bin/xauth\fP -Specify the path the xauth program (the default is /usr/X11R6/bin/xauth). -.IP systemuser=\fInumber\fP -Specify the highest UID which will be assumed to belong to a "system" user. -pam_xauth will refuse to forward credentials to users with UID less than or -equal to this number, except for root and the "targetuser", if specified. -.IP targetuser=\fInumber\fP +.PP +pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable. +.PP +Primitive access control is provided by +\fI~/.xauth/export\fR +in the invoking user's home directory and +\fI~/.xauth/import\fR +in the target user's home directory. +.PP +If a user has a +\fI~/.xauth/import\fR +file, the user will only receive cookies from users listed in the file. If there is no +\fI~/.xauth/import\fR +file, the user will accept cookies from any other user. +.PP +If a user has a +\fI.xauth/export\fR +file, the user will only forward cookies to users listed in the file. If there is no +\fI~/.xauth/export\fR +file, and the invoking user is not +\fBroot\fR, the user will forward cookies to any other user. If there is no +\fI~/.xauth/export\fR +file, and the invoking user is +\fBroot\fR, the user will +\fInot\fR +forward cookies to other users. +.PP +Both the import and export files support wildcards (such as +\fI*\fR). Both the import and export files can be empty, signifying that no users are allowed. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR +Specify the path the xauth program (it is expected in +\fI/usr/X11R6/bin/xauth\fR, +\fI/usr/bin/xauth\fR, or +\fI/usr/bin/X11/xauth\fR +by default). +.TP 3n +\fBsystemuser=\fR\fB\fIUID\fR\fR +Specify the highest UID which will be assumed to belong to a "system" user. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified. +.TP 3n +\fBtargetuser=\fR\fB\fIUID\fR\fR Specify a single target UID which is exempt from the systemuser check. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBsession\fR +service is supported. +.SH "RETURN VALUES" +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_PERM_DENIED +Permission denied by import/export file. +.TP 3n +PAM_SESSION_ERR +Cannot determine user name, UID or access users home directory. +.TP 3n +PAM_SUCCESS +Success. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +Add the following line to +\fI/etc/pam.d/su\fR +to forward xauth keys between users when calling su: +.sp +.RS 3n +.nf +session optional pam_xauth.so + +.fi +.RE +.sp .SH "IMPLEMENTATION DETAILS" -pam_xauth will work \fIonly\fP if it is used from a setuid application -in which the getuid() call returns the id of the user running the -application, and for which PAM can supply the name of the account that -the user is attempting to assume. The typical application of this -type is \fBsu\fP. The application must call both pam_open_session() and -pam_close_session() with the ruid set to the uid of the calling user -and the euid set to root, and must have provided as the PAM_USER item -the name of the target user. - -pam_xauth calls \fBxauth\fP as the source user to extract the key for -$DISPLAY, then calls xauth as the target user to merge the key -into the a temporary database and later remove the database. - -pam_xauth cannot be told not to remove the keys when the session -is closed. +.PP +pam_xauth will work +\fIonly\fR +if it is used from a setuid application in which the +\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume. The typical application of this type is +\fBsu\fR(1). The application must call both +\fBpam_open_session\fR() and +\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user. +.PP +pam_xauth calls +\fBxauth\fR(1) +the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database. +.PP +pam_xauth cannot be told to not remove the keys when the session is closed. +.SH "FILES" +.TP 3n +\fI~/.xauth/import\fR +XXX +.TP 3n +\fI~/.xauth/export\fR +XXX .SH "SEE ALSO" -\fI/usr/share/doc/pam*/html/index.html\fP -.SH FILES -\fI~/.xauth/import\fP -\fI~/.xauth/export\fP -.SH BUGS -Let's hope not, but if you find any, please report them via the "Bug Track" -link at http://bugzilla.redhat.com/bugzilla/ -.SH AUTHOR -Nalin Dahyabhai <nalin@redhat.com>, based on original version by -Michael K. Johnson <johnsonm@redhat.com> +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original version by Michael K. Johnson <johnsonm@redhat.com>. diff --git a/Linux-PAM/modules/pam_xauth/pam_xauth.8.xml b/Linux-PAM/modules/pam_xauth/pam_xauth.8.xml new file mode 100644 index 00000000..94453d00 --- /dev/null +++ b/Linux-PAM/modules/pam_xauth/pam_xauth.8.xml @@ -0,0 +1,293 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_xauth"> + + <refmeta> + <refentrytitle>pam_xauth</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_xauth-name"> + <refname>pam_xauth</refname> + <refpurpose>PAM module to forward xauth keys between users</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_xauth-cmdsynopsis"> + <command>pam_xauth.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + xauthpath=<replaceable>/path/to/xauth</replaceable> + </arg> + <arg choice="opt"> + systemuser=<replaceable>UID</replaceable> + </arg> + <arg choice="opt"> + targetuser=<replaceable>UID</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_xauth-description"> + <title>DESCRIPTION</title> + <para> + The pam_xauth PAM module is designed to forward xauth keys + (sometimes referred to as "cookies") between users. + </para> + <para> + Without pam_xauth, when xauth is enabled and a user uses the + <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> command to assume another user's priviledges, + that user is no longer able to access the original user's X display + because the new user does not have the key needed to access the + display. pam_xauth solves the problem by forwarding the key from + the user running su (the source user) to the user whose identity the + source user is assuming (the target user) when the session is created, + and destroying the key when the session is torn down. + </para> + <para> + This means, for example, that when you run + <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> from an xterm sesssion, you will be able to run + X programs without explicitly dealing with the + <citerefentry> + <refentrytitle>xauth</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> xauth command or ~/.Xauthority files. + </para> + <para> + pam_xauth will only forward keys if xauth can list a key connected + to the $DISPLAY environment variable. + </para> + <para> + Primitive access control is provided by + <filename>~/.xauth/export</filename> in the invoking user's home + directory and <filename>~/.xauth/import</filename> in the target + user's home directory. + </para> + <para> + If a user has a <filename>~/.xauth/import</filename> file, the user + will only receive cookies from users listed in the file. If there is + no <filename>~/.xauth/import</filename> file, the user will accept + cookies from any other user. + </para> + <para> + If a user has a <filename>.xauth/export</filename> file, the user will + only forward cookies to users listed in the file. If there is no + <filename>~/.xauth/export</filename> file, and the invoking user is + not <emphasis remap='B'>root</emphasis>, the user will forward cookies + to any other user. If there is no <filename>~/.xauth/export</filename> + file, and the invoking user is <emphasis remap='B'>root</emphasis>, + the user will <emphasis remap='I'>not</emphasis> forward cookies to + other users. + </para> + <para> + Both the import and export files support wildcards (such as + <emphasis remap='I'>*</emphasis>). Both the import and export files + can be empty, signifying that no users are allowed. + </para> + </refsect1> + + <refsect1 id="pam_xauth-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>xauthpath=<replaceable>/path/to/xauth</replaceable></option> + </term> + <listitem> + <para> + Specify the path the xauth program (it is expected in + <filename>/usr/X11R6/bin/xauth</filename>, + <filename>/usr/bin/xauth</filename>, or + <filename>/usr/bin/X11/xauth</filename> by default). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>systemuser=<replaceable>UID</replaceable></option> + </term> + <listitem> + <para> + Specify the highest UID which will be assumed to belong to a + "system" user. pam_xauth will refuse to forward credentials to + users with UID less than or equal to this number, except for + root and the "targetuser", if specified. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>targetuser=<replaceable>UID</replaceable></option> + </term> + <listitem> + <para> + Specify a single target UID which is exempt from the + systemuser check. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_xauth-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <emphasis remap='B'>session</emphasis> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_xauth-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied by import/export file. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Cannot determine user name, UID or access users home directory. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_xauth-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/su</filename> to + forward xauth keys between users when calling su: + <programlisting> +session optional pam_xauth.so + </programlisting> + </para> + </refsect1> + + <refsect1 id="pam_xauth-implementation"> + <title>IMPLEMENTATION DETAILS</title> + <para> + pam_xauth will work <emphasis remap='I'>only</emphasis> if it is + used from a setuid application in which the + <function>getuid</function>() call returns the id of the user + running the application, and for which PAM can supply the name + of the account that the user is attempting to assume. The typical + application of this type is + <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>. + The application must call both <function>pam_open_session</function>() + and <function>pam_close_session</function>() with the ruid set to the + uid of the calling user and the euid set to root, and must have + provided as the PAM_USER item the name of the target user. + </para> + <para> + pam_xauth calls + <citerefentry> + <refentrytitle>xauth</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> the source user to extract the key for $DISPLAY, + then calls xauth as the target user to merge the key into the a + temporary database and later remove the database. + </para> + <para> + pam_xauth cannot be told to not remove the keys when the session + is closed. + </para> + </refsect1> + + <refsect1 id="pam_lastlog-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>~/.xauth/import</filename></term> + <listitem> + <para>XXX</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>~/.xauth/export</filename></term> + <listitem> + <para>XXX</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id='pam_xauth-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_xauth-author'> + <title>AUTHOR</title> + <para> + pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, + based on original version by + Michael K. Johnson <johnsonm@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/Linux-PAM/modules/pam_xauth/pam_xauth.c b/Linux-PAM/modules/pam_xauth/pam_xauth.c index 2bf72eb6..3772bd06 100644 --- a/Linux-PAM/modules/pam_xauth/pam_xauth.c +++ b/Linux-PAM/modules/pam_xauth/pam_xauth.c @@ -33,9 +33,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* "$Id: pam_xauth.c,v 1.4 2005/03/14 09:42:28 kukuk Exp $" */ - -#include "../../_pam_aconf.h" +#include "config.h" #include <sys/types.h> #include <sys/fsuid.h> #include <sys/wait.h> @@ -52,17 +50,29 @@ #include <syslog.h> #include <unistd.h> +#define PAM_SM_SESSION + #include <security/pam_modules.h> #include <security/_pam_macros.h> -#include <security/_pam_modutil.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> #define DATANAME "pam_xauth_cookie_file" -#define XAUTHBIN "/usr/X11R6/bin/xauth" #define XAUTHENV "XAUTHORITY" #define HOMEENV "HOME" #define XAUTHDEF ".Xauthority" #define XAUTHTMP ".xauthXXXXXX" +/* Possible paths to xauth executable */ +static const char * const xauthpaths[] = { +#ifdef PAM_PATH_XAUTH + PAM_PATH_XAUTH, +#endif + "/usr/X11R6/bin/xauth", + "/usr/bin/xauth", + "/usr/bin/X11/xauth" +}; + /* Run a given command (with a NULL-terminated argument list), feeding it the * given input on stdin, and storing any output it generates. */ static int @@ -100,6 +110,7 @@ run_coprocess(const char *input, char **output, if (child == 0) { /* We're the child. */ + size_t j; char *args[10]; const char *tmp; /* Drop privileges. */ @@ -121,15 +132,15 @@ run_coprocess(const char *input, char **output, /* Convert the varargs list into a regular array of strings. */ va_start(ap, command); args[0] = strdup(command); - for (i = 1; i < ((sizeof(args) / sizeof(args[0])) - 1); i++) { + for (j = 1; j < ((sizeof(args) / sizeof(args[0])) - 1); j++) { tmp = va_arg(ap, const char*); if (tmp == NULL) { break; } - args[i] = strdup(tmp); + args[j] = strdup(tmp); } /* Run the command. */ - execvp(command, args); + execv(command, args); /* Never reached. */ exit(1); } @@ -139,12 +150,12 @@ run_coprocess(const char *input, char **output, close(opipe[1]); /* Send input to the process (if we have any), then send an EOF. */ if (input) { - (void)_pammodutil_write(ipipe[1], input, strlen(input)); + (void)pam_modutil_write(ipipe[1], input, strlen(input)); } close(ipipe[1]); /* Read data output until we run out of stuff to read. */ - i = _pammodutil_read(opipe[0], buf, sizeof(buf)); + i = pam_modutil_read(opipe[0], buf, sizeof(buf)); while ((i != 0) && (i != -1)) { char *tmp; /* Resize the buffer to hold the data. */ @@ -166,7 +177,7 @@ run_coprocess(const char *input, char **output, buffer[buffer_size + i] = '\0'; buffer_size += i; /* Try to read again. */ - i = _pammodutil_read(opipe[0], buf, sizeof(buf)); + i = pam_modutil_read(opipe[0], buf, sizeof(buf)); } /* No more data. Clean up and return data. */ close(opipe[0]); @@ -177,9 +188,9 @@ run_coprocess(const char *input, char **output, /* Free a data item. */ static void -cleanup(pam_handle_t *pamh, void *data, int err) +cleanup (pam_handle_t *pamh UNUSED, void *data, int err UNUSED) { - free(data); + free (data); } /* Check if we want to allow export to the other user, or import from the @@ -195,17 +206,18 @@ check_acl(pam_handle_t *pamh, int i; uid_t euid; /* Check this user's <sense> file. */ - pwd = _pammodutil_getpwnam(pamh, this_user); + pwd = pam_modutil_getpwnam(pamh, this_user); if (pwd == NULL) { - syslog(LOG_ERR, "pam_xauth: error determining " - "home directory for '%s'", this_user); + pam_syslog(pamh, LOG_ERR, + "error determining home directory for '%s'", + this_user); return PAM_SESSION_ERR; } /* Figure out what that file is really named. */ i = snprintf(path, sizeof(path), "%s/.xauth/%s", pwd->pw_dir, sense); - if ((i >= sizeof(path)) || (i < 0)) { - syslog(LOG_ERR, "pam_xauth: name of user's home directory " - "is too long"); + if ((i >= (int)sizeof(path)) || (i < 0)) { + pam_syslog(pamh, LOG_ERR, + "name of user's home directory is too long"); return PAM_SESSION_ERR; } euid = geteuid(); @@ -226,9 +238,9 @@ check_acl(pam_handle_t *pamh, } if (fnmatch(buf, other_user, 0) == 0) { if (debug) { - syslog(LOG_DEBUG, "pam_xauth: %s %s " - "allowed by %s", - other_user, sense, path); + pam_syslog(pamh, LOG_DEBUG, + "%s %s allowed by %s", + other_user, sense, path); } fclose(fp); return PAM_SUCCESS; @@ -236,8 +248,8 @@ check_acl(pam_handle_t *pamh, } /* If there's no match in the file, we fail. */ if (debug) { - syslog(LOG_DEBUG, "pam_xauth: %s not listed in %s", - other_user, path); + pam_syslog(pamh, LOG_DEBUG, "%s not listed in %s", + other_user, path); } fclose(fp); return PAM_PERM_DENIED; @@ -247,20 +259,22 @@ check_acl(pam_handle_t *pamh, case ENOENT: if (noent_code == PAM_SUCCESS) { if (debug) { - syslog(LOG_DEBUG, "%s does not exist, " - "ignoring", path); + pam_syslog(pamh, LOG_DEBUG, + "%s does not exist, ignoring", + path); } } else { if (debug) { - syslog(LOG_DEBUG, "%s does not exist, " - "failing", path); + pam_syslog(pamh, LOG_DEBUG, + "%s does not exist, failing", + path); } } return noent_code; default: if (debug) { - syslog(LOG_ERR, "%s opening %s", - strerror(errno), path); + pam_syslog(pamh, LOG_ERR, + "error opening %s: %m", path); } return PAM_PERM_DENIED; } @@ -268,14 +282,15 @@ check_acl(pam_handle_t *pamh, } int -pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { - char xauthpath[] = XAUTHBIN; char *cookiefile = NULL, *xauthority = NULL, *cookie = NULL, *display = NULL, *tmp = NULL; - const char *user, *xauth = xauthpath; + const char *user, *xauth = NULL; struct passwd *tpwd, *rpwd; int fd, i, debug = 0; + int retval = PAM_SUCCESS; uid_t systemuser = 499, targetuser = 0, euid; /* Parse arguments. We don't understand many, so no sense in breaking @@ -294,8 +309,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) if ((strlen(argv[i] + 11) > 0) && (*tmp == '\0')) { targetuser = l; } else { - syslog(LOG_WARNING, "pam_xauth: invalid value " - "for targetuser (`%s')", argv[i] + 11); + pam_syslog(pamh, LOG_WARNING, + "invalid value for targetuser (`%s')", + argv[i] + 11); } continue; } @@ -304,53 +320,71 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) if ((strlen(argv[i] + 11) > 0) && (*tmp == '\0')) { systemuser = l; } else { - syslog(LOG_WARNING, "pam_xauth: invalid value " - "for systemuser (`%s')", argv[i] + 11); + pam_syslog(pamh, LOG_WARNING, + "invalid value for systemuser (`%s')", + argv[i] + 11); } continue; } - syslog(LOG_WARNING, "pam_xauth: unrecognized option `%s'", - argv[i]); + pam_syslog(pamh, LOG_WARNING, "unrecognized option `%s'", + argv[i]); + } + + if (xauth == NULL) { + size_t j; + for (j = 0; j < sizeof(xauthpaths)/sizeof(xauthpaths[0]); j++) { + if (access(xauthpaths[j], X_OK) == 0) { + xauth = xauthpaths[j]; + break; + } + } + if (xauth == NULL) { + /* xauth executable not found - nothing to do */ + return PAM_SUCCESS; + } } /* If DISPLAY isn't set, we don't really care, now do we? */ if ((display = getenv("DISPLAY")) == NULL) { if (debug) { - syslog(LOG_DEBUG, "pam_xauth: user has no DISPLAY," - " doing nothing"); + pam_syslog(pamh, LOG_DEBUG, + "user has no DISPLAY, doing nothing"); } return PAM_SUCCESS; } /* Read the target user's name. */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_xauth: error determining target " - "user's name"); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_ERR, + "error determining target user's name"); + retval = PAM_SESSION_ERR; + goto cleanup; } - rpwd = _pammodutil_getpwuid(pamh, getuid()); + rpwd = pam_modutil_getpwuid(pamh, getuid()); if (rpwd == NULL) { - syslog(LOG_ERR, "pam_xauth: error determining invoking " - "user's name"); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_ERR, + "error determining invoking user's name"); + retval = PAM_SESSION_ERR; + goto cleanup; } /* Get the target user's UID and primary GID, which we'll need to set * on the xauthority file we create later on. */ - tpwd = _pammodutil_getpwnam(pamh, user); + tpwd = pam_modutil_getpwnam(pamh, user); if (tpwd == NULL) { - syslog(LOG_ERR, "pam_xauth: error determining target " - "user's UID"); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_ERR, + "error determining target user's UID"); + retval = PAM_SESSION_ERR; + goto cleanup; } if (debug) { - syslog(LOG_DEBUG, "pam_xauth: requesting user %lu/%lu, " - "target user %lu/%lu", - (unsigned long) rpwd->pw_uid, - (unsigned long) rpwd->pw_gid, - (unsigned long) tpwd->pw_uid, - (unsigned long) tpwd->pw_gid); + pam_syslog(pamh, LOG_DEBUG, + "requesting user %lu/%lu, target user %lu/%lu", + (unsigned long) rpwd->pw_uid, + (unsigned long) rpwd->pw_gid, + (unsigned long) tpwd->pw_uid, + (unsigned long) tpwd->pw_gid); } /* If the UID is a system account (and not the superuser), forget @@ -359,10 +393,12 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) (tpwd->pw_uid != targetuser) && (tpwd->pw_uid <= systemuser)) { if (debug) { - syslog(LOG_DEBUG, "pam_xauth: not forwarding cookies " - "to user ID %ld", (long) tpwd->pw_uid); + pam_syslog(pamh, LOG_DEBUG, + "not forwarding cookies to user ID %lu", + (unsigned long) tpwd->pw_uid); } - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } /* Check that both users are amenable to this. By default, this @@ -372,15 +408,17 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) * if .xauth/export does not exist * import(user=*): if <ruser> is listed in .xauth/import, or * if .xauth/import does not exist */ - i = (getuid() != 0) ? PAM_SUCCESS : PAM_PERM_DENIED; + i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED; i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug); if (i != PAM_SUCCESS) { - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } i = PAM_SUCCESS; i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug); if (i != PAM_SUCCESS) { - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } /* Figure out where the source user's .Xauthority file is. */ @@ -390,30 +428,26 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) cookiefile = malloc(strlen(rpwd->pw_dir) + 1 + strlen(XAUTHDEF) + 1); if (cookiefile == NULL) { - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } strcpy(cookiefile, rpwd->pw_dir); strcat(cookiefile, "/"); strcat(cookiefile, XAUTHDEF); } if (debug) { - syslog(LOG_DEBUG, "pam_xauth: reading keys from `%s'", - cookiefile); + pam_syslog(pamh, LOG_DEBUG, "reading keys from `%s'", + cookiefile); } /* Read the user's .Xauthority file. Because the current UID is * the original user's UID, this will only fail if something has * gone wrong, or we have no cookies. */ if (debug) { - syslog(LOG_DEBUG, "pam_xauth: running \"%s %s %s %s %s\" as " - "%lu/%lu", - xauth, - "-f", - cookiefile, - "nlist", - display, - (unsigned long) getuid(), - (unsigned long) getgid()); + pam_syslog(pamh, LOG_DEBUG, + "running \"%s %s %s %s %s\" as %lu/%lu", + xauth, "-f", cookiefile, "nlist", display, + (unsigned long) getuid(), (unsigned long) getgid()); } if (run_coprocess(NULL, &cookie, getuid(), getgid(), @@ -450,14 +484,15 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) } } if (debug) { - syslog(LOG_DEBUG, "pam_xauth: " - "no key for `%s', trying" - " `%s'", display, t); + pam_syslog(pamh, LOG_DEBUG, + "no key for `%s', " + "trying `%s'", + display, t); } /* Read the cookie for this display. */ if (debug) { - syslog(LOG_DEBUG, - "pam_xauth: running " + pam_syslog(pamh, LOG_DEBUG, + "running " "\"%s %s %s %s %s\" as " "%lu/%lu", xauth, @@ -481,29 +516,23 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) /* Check that we got a cookie, this time for real. */ if ((cookie == NULL) || (strlen(cookie) == 0)) { if (debug) { - syslog(LOG_DEBUG, "pam_xauth: no key"); + pam_syslog(pamh, LOG_DEBUG, "no key"); } - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } /* Generate the environment variable * "XAUTHORITY=<homedir>/filename". */ - xauthority = malloc(strlen(XAUTHENV) + 1 + - strlen(tpwd->pw_dir) + 1 + - strlen(XAUTHTMP) + 1); - if (xauthority == NULL) { + if (asprintf(&xauthority, "%s=%s/%s", + XAUTHENV, tpwd->pw_dir, XAUTHTMP) < 0) { + xauthority = NULL; if (debug) { - syslog(LOG_DEBUG, "pam_xauth: no free memory"); + pam_syslog(pamh, LOG_DEBUG, "out of memory"); } - free(cookiefile); - free(cookie); - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } - strcpy(xauthority, XAUTHENV); - strcat(xauthority, "="); - strcat(xauthority, tpwd->pw_dir); - strcat(xauthority, "/"); - strcat(xauthority, XAUTHTMP); /* Generate a new file to hold the data. */ euid = geteuid(); @@ -511,18 +540,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) fd = mkstemp(xauthority + strlen(XAUTHENV) + 1); setfsuid(euid); if (fd == -1) { - syslog(LOG_ERR, "pam_xauth: error creating " - "temporary file `%s': %s", - xauthority + strlen(XAUTHENV) + 1, - strerror(errno)); - free(cookiefile); - free(cookie); - free(xauthority); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_ERR, + "error creating temporary file `%s': %m", + xauthority + strlen(XAUTHENV) + 1); + retval = PAM_SESSION_ERR; + goto cleanup; } /* Set permissions on the new file and dispose of the * descriptor. */ - fchown(fd, tpwd->pw_uid, tpwd->pw_gid); + if (fchown(fd, tpwd->pw_uid, tpwd->pw_gid) < 0) + pam_syslog (pamh, LOG_ERR, "fchown: %m"); close(fd); /* Get a copy of the filename to save as a data item for @@ -532,74 +559,73 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) /* Save the filename. */ if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_xauth: error saving name of " - "temporary file `%s'", cookiefile); + pam_syslog(pamh, LOG_ERR, + "error saving name of temporary file `%s'", + cookiefile); unlink(cookiefile); - free(xauthority); - free(cookiefile); - free(cookie); - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto cleanup; } - /* Unset any old XAUTHORITY variable in the environment. */ - if (getenv (XAUTHENV)) - unsetenv (XAUTHENV); - /* Set the new variable in the environment. */ if (pam_putenv (pamh, xauthority) != PAM_SUCCESS) - syslog (LOG_DEBUG, "pam_xauth: can't set environment variable '%s'", - xauthority); + pam_syslog(pamh, LOG_ERR, + "can't set environment variable '%s'", + xauthority); putenv (xauthority); /* The environment owns this string now. */ /* set $DISPLAY in pam handle to make su - work */ { - char *d = (char *) malloc (strlen ("DISPLAY=") + - strlen (display) + 1); - if (d == NULL) + char *d; + + if (asprintf(&d, "DISPLAY=%s", display) < 0) { - syslog (LOG_DEBUG, "pam_xauth: memory exhausted\n"); - return PAM_SESSION_ERR; + pam_syslog(pamh, LOG_DEBUG, "out of memory"); + cookiefile = NULL; + retval = PAM_SESSION_ERR; + goto cleanup; } - strcpy (d, "DISPLAY="); - strcat (d, display); if (pam_putenv (pamh, d) != PAM_SUCCESS) - syslog (LOG_DEBUG, - "pam_xauth: can't set environment variable '%s'", - d); + pam_syslog (pamh, LOG_DEBUG, + "can't set environment variable '%s'", d); free (d); } /* Merge the cookie we read before into the new file. */ if (debug) { - syslog(LOG_DEBUG, "pam_xauth: writing key `%s' to " - "temporary file `%s'", cookie, cookiefile); + pam_syslog(pamh, LOG_DEBUG, + "writing key `%s' to temporary file `%s'", + cookie, cookiefile); } if (debug) { - syslog(LOG_DEBUG, - "pam_xauth: running \"%s %s %s %s %s\" as " - "%lu/%lu", - xauth, - "-f", - cookiefile, - "nmerge", - "-", - (unsigned long) tpwd->pw_uid, - (unsigned long) tpwd->pw_gid); + pam_syslog(pamh, LOG_DEBUG, + "running \"%s %s %s %s %s\" as %lu/%lu", + xauth, "-f", cookiefile, "nmerge", "-", + (unsigned long) tpwd->pw_uid, + (unsigned long) tpwd->pw_gid); } run_coprocess(cookie, &tmp, tpwd->pw_uid, tpwd->pw_gid, xauth, "-f", cookiefile, "nmerge", "-", NULL); /* We don't need to keep a copy of these around any more. */ - free(cookie); - cookie = NULL; + cookiefile = NULL; + free(tmp); } - return PAM_SUCCESS; +cleanup: + /* Unset any old XAUTHORITY variable in the environment. */ + if (retval != PAM_SUCCESS && getenv (XAUTHENV)) + unsetenv (XAUTHENV); + free(cookiefile); + free(cookie); + free(xauthority); + return retval; } int -pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { void *cookiefile; int i, debug = 0; @@ -620,7 +646,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) if (strncmp(argv[i], "targetuser=", 11) == 0) { continue; } - syslog(LOG_WARNING, "pam_xauth: unrecognized option `%s'", + pam_syslog(pamh, LOG_WARNING, "unrecognized option `%s'", argv[i]); } @@ -630,7 +656,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) /* We'll only try to remove the file once. */ if (strlen((char*)cookiefile) > 0) { if (debug) { - syslog(LOG_DEBUG, "pam_xauth: removing `%s'", + pam_syslog(pamh, LOG_DEBUG, "removing `%s'", (char*)cookiefile); } unlink((char*)cookiefile); @@ -639,3 +665,16 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) } return PAM_SUCCESS; } + +/* static module data */ +#ifdef PAM_STATIC +struct pam_module _pam_xauth_modstruct = { + "pam_xauth", + NULL, + NULL, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif diff --git a/Linux-PAM/modules/pam_xauth/tst-pam_xauth b/Linux-PAM/modules/pam_xauth/tst-pam_xauth new file mode 100755 index 00000000..32948963 --- /dev/null +++ b/Linux-PAM/modules/pam_xauth/tst-pam_xauth @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_xauth.so diff --git a/Linux-PAM/modules/pammodutil/Makefile b/Linux-PAM/modules/pammodutil/Makefile deleted file mode 100644 index bad1bf62..00000000 --- a/Linux-PAM/modules/pammodutil/Makefile +++ /dev/null @@ -1,55 +0,0 @@ -# -# $Id: Makefile,v 1.4 2004/09/24 13:13:22 kukuk Exp $ -# -# - -include ../../Make.Rules - -LIBNAME=libpammodutil - -# --------------------------------------------- - -dummy: all - -# --------------------------------------------- - -CFLAGS += $(PIC) $(STATIC) $(MOREFLAGS) \ - -DLIBPAM_VERSION_MAJOR=$(MAJOR_REL) \ - -DLIBPAM_VERSION_MINOR=$(MINOR_REL) - -# all the object files we care about -LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o \ - modutil_getspnam.o modutil_getgrnam.o modutil_getgrgid.o \ - modutil_ingroup.o modutil_getlogin.o modutil_ioloop.o - -# static library name -LIBSTATIC = $(LIBNAME).a - -SLIBOBJECTS = $(addprefix static/,$(LIBOBJECTS) $(STATICOBJ)) - -# --------------------------------------------- -## rules - -all: dirs $(LIBSTATIC) ../../Make.Rules - -dirs: - $(MKDIR) static - -static/%.o : %.c - $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -$(LIBSTATIC): $(SLIBOBJECTS) - ar cr $@ $(SLIBOBJECTS) - $(RANLIB) $@ - -install: - @echo "at this time, we're not installing $(LIBSTATIC)" - -remove: - @echo "at this time, there is nothing to remove" - -clean: - rm -f a.out core *~ static/*.o - rm -f *.a *.o - if [ -d dynamic ]; then rmdir dynamic ; fi - if [ -d static ]; then rmdir static ; fi diff --git a/Linux-PAM/modules/pammodutil/README b/Linux-PAM/modules/pammodutil/README deleted file mode 100644 index ea44f310..00000000 --- a/Linux-PAM/modules/pammodutil/README +++ /dev/null @@ -1,15 +0,0 @@ -$Id: README,v 1.1 2001/12/09 22:15:12 agmorgan Exp $ - -This is a libarary of routines for use by modules. The routines seem -to have a common use for modules, but are not part of libpam and never -will be. They are also a convenient layer of abstraction for providing -thread-safe functions that may require use of pam_handle_t 'data' -items to make their thread-safeness tied to the use of a single -pam_handle_t per thread. - -Functions provided so far are all listed in - - include/security/_pam_modutil.h - -. - diff --git a/Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h b/Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h deleted file mode 100644 index ec0c8964..00000000 --- a/Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h +++ /dev/null @@ -1,66 +0,0 @@ -#ifndef _PAM_MODUTIL_H -#define _PAM_MODUTIL_H - -/* - * $Id: _pam_modutil.h,v 1.4 2004/09/24 13:13:22 kukuk Exp $ - * - * This file is a list of handy libc wrappers that attempt to provide some - * thread-safe and other convenient functionality to modules in a form that - * is common, but not dynamically linked with yet another dynamic pam - * library extension. - * - * A number of these functions reserve space in a pam_[sg]et_data item. - * In all cases, the name of the item is prefixed with "_pammodutil_*". - * - * On systems that simply can't support thread safe programming, these - * functions don't support it either - sorry. - * - * Copyright (c) 2001-2002 Andrew Morgan <morgan@kernel.org> - */ - -#include <pwd.h> -#include <grp.h> -#include <shadow.h> -#include <sys/types.h> - -extern struct passwd *_pammodutil_getpwnam(pam_handle_t *pamh, - const char *user); - -extern struct passwd *_pammodutil_getpwuid(pam_handle_t *pamh, - uid_t uid); - -extern struct group *_pammodutil_getgrnam(pam_handle_t *pamh, - const char *group); - -extern struct group *_pammodutil_getgrgid(pam_handle_t *pamh, - gid_t gid); - -extern struct spwd *_pammodutil_getspnam(pam_handle_t *pamh, - const char *user); - -extern int _pammodutil_user_in_group_nam_nam(pam_handle_t *pamh, - const char *user, - const char *group); - -extern int _pammodutil_user_in_group_nam_gid(pam_handle_t *pamh, - const char *user, - gid_t group); - -extern int _pammodutil_user_in_group_uid_nam(pam_handle_t *pamh, - uid_t user, - const char *group); - -extern int _pammodutil_user_in_group_uid_gid(pam_handle_t *pamh, - uid_t user, - gid_t group); - -extern void _pammodutil_cleanup(pam_handle_t *pamh, void *data, - int error_status); - -extern const char *_pammodutil_getlogin(pam_handle_t *pamh); - -extern int _pammodutil_read(int fd, char *buffer, int count); - -extern int _pammodutil_write(int fd, const char *buffer, int count); - -#endif /* _PAM_MODUTIL_H */ diff --git a/Linux-PAM/modules/pammodutil/modutil_cleanup.c b/Linux-PAM/modules/pammodutil/modutil_cleanup.c deleted file mode 100644 index 5477481f..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_cleanup.c +++ /dev/null @@ -1,16 +0,0 @@ -/* - * $Id: modutil_cleanup.c,v 1.1 2001/12/09 22:15:12 agmorgan Exp $ - * - * This function provides a common pam_set_data() friendly version of free(). - */ - -#include "pammodutil.h" - -void _pammodutil_cleanup(pam_handle_t *pamh, void *data, int error_status) -{ - if (data) { - /* junk it */ - (void) free(data); - } -} - diff --git a/Linux-PAM/modules/pammodutil/modutil_getgrgid.c b/Linux-PAM/modules/pammodutil/modutil_getgrgid.c deleted file mode 100644 index f97a9239..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getgrgid.c +++ /dev/null @@ -1,150 +0,0 @@ -/* - * $Id: modutil_getgrgid.c,v 1.3 2005/03/30 14:59:41 kukuk Exp $ - * - * This function provides a thread safer version of getgrgid() for use - * with PAM modules that care about this sort of thing. - * - * XXX - or at least it should provide a thread-safe alternative. - */ - -#include "pammodutil.h" - -#include <errno.h> -#include <limits.h> -#include <grp.h> -#include <pthread.h> -#include <stdio.h> -#include <stdlib.h> - -static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; -static void _pammodutil_lock(void) -{ - pthread_mutex_lock(&_pammodutil_mutex); -} -static void _pammodutil_unlock(void) -{ - pthread_mutex_unlock(&_pammodutil_mutex); -} - -static int intlen(int number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -static int longlen(long number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -struct group *_pammodutil_getgrgid(pam_handle_t *pamh, gid_t gid) -{ -#ifdef HAVE_GETGRGID_R - - void *buffer=NULL; - size_t length = PWD_INITIAL_LENGTH; - - do { - int status; - void *new_buffer; - struct group *result = NULL; - - new_buffer = realloc(buffer, sizeof(struct group) + length); - if (new_buffer == NULL) { - - D(("out of memory")); - - /* no memory for the user - so delete the memory */ - if (buffer) { - free(buffer); - } - return NULL; - } - buffer = new_buffer; - - /* make the re-entrant call to get the grp structure */ - errno = 0; - status = getgrgid_r(gid, buffer, - sizeof(struct group) + (char *) buffer, - length, &result); - if (!status && (result == buffer)) { - char *data_name; - const void *ignore; - int i; - - data_name = malloc(strlen("_pammodutil_getgrgid") + 1 + - longlen((long)gid) + 1 + intlen(INT_MAX) + 1); - if ((pamh != NULL) && (data_name == NULL)) { - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - free(buffer); - return NULL; - } - - if (pamh != NULL) { - for (i = 0; i < INT_MAX; i++) { - sprintf(data_name, "_pammodutil_getgrgid_%ld_%d", - (long) gid, i); - _pammodutil_lock(); - status = PAM_NO_MODULE_DATA; - if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { - status = pam_set_data(pamh, data_name, - result, _pammodutil_cleanup); - } - _pammodutil_unlock(); - if (status == PAM_SUCCESS) { - break; - } - } - } else { - status = PAM_SUCCESS; - } - - free(data_name); - - if (status == PAM_SUCCESS) { - D(("success")); - return result; - } - - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - - free(buffer); - return NULL; - - } else if (errno != ERANGE && errno != EINTR) { - /* no sense in repeating the call */ - break; - } - - length <<= 2; - - } while (length < PWD_ABSURD_PWD_LENGTH); - - D(("grp structure took %u bytes or so of memory", - length+sizeof(struct group))); - - free(buffer); - return NULL; - -#else /* ie. ifndef HAVE_GETGRGID_R */ - - /* - * Sorry, there does not appear to be a reentrant version of - * getgrgid(). So, we use the standard libc function. - */ - - return getgrgid(gid); - -#endif /* def HAVE_GETGRGID_R */ -} diff --git a/Linux-PAM/modules/pammodutil/modutil_getgrnam.c b/Linux-PAM/modules/pammodutil/modutil_getgrnam.c deleted file mode 100644 index 0727618c..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getgrnam.c +++ /dev/null @@ -1,139 +0,0 @@ -/* - * $Id: modutil_getgrnam.c,v 1.3 2005/03/30 14:59:41 kukuk Exp $ - * - * This function provides a thread safer version of getgrnam() for use - * with PAM modules that care about this sort of thing. - * - * XXX - or at least it should provide a thread-safe alternative. - */ - -#include "pammodutil.h" - -#include <errno.h> -#include <limits.h> -#include <grp.h> -#include <pthread.h> -#include <stdio.h> -#include <stdlib.h> - -static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; -static void _pammodutil_lock(void) -{ - pthread_mutex_lock(&_pammodutil_mutex); -} -static void _pammodutil_unlock(void) -{ - pthread_mutex_unlock(&_pammodutil_mutex); -} - -static int intlen(int number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -struct group *_pammodutil_getgrnam(pam_handle_t *pamh, const char *group) -{ -#ifdef HAVE_GETGRNAM_R - - void *buffer=NULL; - size_t length = PWD_INITIAL_LENGTH; - - do { - int status; - void *new_buffer; - struct group *result = NULL; - - new_buffer = realloc(buffer, sizeof(struct group) + length); - if (new_buffer == NULL) { - - D(("out of memory")); - - /* no memory for the group - so delete the memory */ - if (buffer) { - free(buffer); - } - return NULL; - } - buffer = new_buffer; - - /* make the re-entrant call to get the grp structure */ - errno = 0; - status = getgrnam_r(group, buffer, - sizeof(struct group) + (char *) buffer, - length, &result); - if (!status && (result == buffer)) { - char *data_name; - const void *ignore; - int i; - - data_name = malloc(strlen("_pammodutil_getgrnam") + 1 + - strlen(group) + 1 + intlen(INT_MAX) + 1); - if ((pamh != NULL) && (data_name == NULL)) { - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - free(buffer); - return NULL; - } - - if (pamh != NULL) { - for (i = 0; i < INT_MAX; i++) { - sprintf(data_name, "_pammodutil_getgrnam_%s_%d", group, i); - _pammodutil_lock(); - status = PAM_NO_MODULE_DATA; - if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { - status = pam_set_data(pamh, data_name, - result, _pammodutil_cleanup); - } - _pammodutil_unlock(); - if (status == PAM_SUCCESS) { - break; - } - } - } else { - status = PAM_SUCCESS; - } - - free(data_name); - - if (status == PAM_SUCCESS) { - D(("success")); - return result; - } - - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - - free(buffer); - return NULL; - - } else if (errno != ERANGE && errno != EINTR) { - /* no sense in repeating the call */ - break; - } - - length <<= 2; - - } while (length < PWD_ABSURD_PWD_LENGTH); - - D(("grp structure took %u bytes or so of memory", - length+sizeof(struct group))); - - free(buffer); - return NULL; - -#else /* ie. ifndef HAVE_GETGRNAM_R */ - - /* - * Sorry, there does not appear to be a reentrant version of - * getgrnam(). So, we use the standard libc function. - */ - - return getgrnam(group); - -#endif /* def HAVE_GETGRNAM_R */ -} diff --git a/Linux-PAM/modules/pammodutil/modutil_getlogin.c b/Linux-PAM/modules/pammodutil/modutil_getlogin.c deleted file mode 100644 index 0e4a48d8..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getlogin.c +++ /dev/null @@ -1,72 +0,0 @@ -/* - * $Id: modutil_getlogin.c,v 1.4 2004/11/08 10:57:15 t8m Exp $ - * - * A central point for invoking getlogin(). Hopefully, this is a - * little harder to spoof than all the other versions that are out - * there. - */ - -#include "pammodutil.h" - -#include <stdlib.h> -#include <unistd.h> -#include <utmp.h> - -#define _PAMMODUTIL_GETLOGIN "_pammodutil_getlogin" - -const char *_pammodutil_getlogin(pam_handle_t *pamh) -{ - int status; - char *logname; - const char *curr_tty; - char *curr_user; - struct utmp *ut, line; - - status = pam_get_data(pamh, _PAMMODUTIL_GETLOGIN, - (const void **) &logname); - if (status == PAM_SUCCESS) { - return logname; - } - - status = pam_get_item(pamh, PAM_TTY, (const void **) &curr_tty); - if ((status != PAM_SUCCESS) || (curr_tty == NULL)) { - curr_tty = ttyname(0); - } - - if ((curr_tty == NULL) || memcmp(curr_tty, "/dev/", 5)) { - return NULL; - } - - curr_tty += 5; /* strlen("/dev/") */ - logname = NULL; - - setutent(); - strncpy(line.ut_line, curr_tty, sizeof(line.ut_line)); - - if ((ut = getutline(&line)) == NULL) { - goto clean_up_and_go_home; - } - - curr_user = calloc(sizeof(line.ut_user)+1, 1); - if (curr_user == NULL) { - goto clean_up_and_go_home; - } - - strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user)); - /* calloc already zeroed the memory */ - - status = pam_set_data(pamh, _PAMMODUTIL_GETLOGIN, curr_user, - _pammodutil_cleanup); - if (status != PAM_SUCCESS) { - free(curr_user); - goto clean_up_and_go_home; - } - - logname = curr_user; - -clean_up_and_go_home: - - endutent(); - - return logname; -} diff --git a/Linux-PAM/modules/pammodutil/modutil_getpwnam.c b/Linux-PAM/modules/pammodutil/modutil_getpwnam.c deleted file mode 100644 index eb359544..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getpwnam.c +++ /dev/null @@ -1,139 +0,0 @@ -/* - * $Id: modutil_getpwnam.c,v 1.4 2005/03/30 14:59:41 kukuk Exp $ - * - * This function provides a thread safer version of getpwnam() for use - * with PAM modules that care about this sort of thing. - * - * XXX - or at least it should provide a thread-safe alternative. - */ - -#include "pammodutil.h" - -#include <errno.h> -#include <limits.h> -#include <pthread.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> - -static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; -static void _pammodutil_lock(void) -{ - pthread_mutex_lock(&_pammodutil_mutex); -} -static void _pammodutil_unlock(void) -{ - pthread_mutex_unlock(&_pammodutil_mutex); -} - -static int intlen(int number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -struct passwd *_pammodutil_getpwnam(pam_handle_t *pamh, const char *user) -{ -#ifdef HAVE_GETPWNAM_R - - void *buffer=NULL; - size_t length = PWD_INITIAL_LENGTH; - - do { - int status; - void *new_buffer; - struct passwd *result = NULL; - - new_buffer = realloc(buffer, sizeof(struct passwd) + length); - if (new_buffer == NULL) { - - D(("out of memory")); - - /* no memory for the user - so delete the memory */ - if (buffer) { - free(buffer); - } - return NULL; - } - buffer = new_buffer; - - /* make the re-entrant call to get the pwd structure */ - errno = 0; - status = getpwnam_r(user, buffer, - sizeof(struct passwd) + (char *) buffer, - length, &result); - if (!status && (result == buffer)) { - char *data_name; - const void *ignore; - int i; - - data_name = malloc(strlen("_pammodutil_getpwnam") + 1 + - strlen(user) + 1 + intlen(INT_MAX) + 1); - if ((pamh != NULL) && (data_name == NULL)) { - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - free(buffer); - return NULL; - } - - if (pamh != NULL) { - for (i = 0; i < INT_MAX; i++) { - sprintf(data_name, "_pammodutil_getpwnam_%s_%d", user, i); - _pammodutil_lock(); - status = PAM_NO_MODULE_DATA; - if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { - status = pam_set_data(pamh, data_name, - result, _pammodutil_cleanup); - } - _pammodutil_unlock(); - if (status == PAM_SUCCESS) { - break; - } - } - } else { - status = PAM_SUCCESS; - } - - free(data_name); - - if (status == PAM_SUCCESS) { - D(("success")); - return result; - } - - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - - free(buffer); - return NULL; - - } else if (errno != ERANGE && errno != EINTR) { - /* no sense in repeating the call */ - break; - } - - length <<= 2; - - } while (length < PWD_ABSURD_PWD_LENGTH); - - D(("pwd structure took %u bytes or so of memory", - length+sizeof(struct passwd))); - - free(buffer); - return NULL; - -#else /* ie. ifndef HAVE_GETPWNAM_R */ - - /* - * Sorry, there does not appear to be a reentrant version of - * getpwnam(). So, we use the standard libc function. - */ - - return getpwnam(user); - -#endif /* def HAVE_GETPWNAM_R */ -} diff --git a/Linux-PAM/modules/pammodutil/modutil_getpwuid.c b/Linux-PAM/modules/pammodutil/modutil_getpwuid.c deleted file mode 100644 index 8ba20d17..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getpwuid.c +++ /dev/null @@ -1,150 +0,0 @@ -/* - * $Id: modutil_getpwuid.c,v 1.4 2005/03/30 14:59:41 kukuk Exp $ - * - * This function provides a thread safer version of getpwuid() for use - * with PAM modules that care about this sort of thing. - * - * XXX - or at least it should provide a thread-safe alternative. - */ - -#include "pammodutil.h" - -#include <errno.h> -#include <limits.h> -#include <pthread.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> - -static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; -static void _pammodutil_lock(void) -{ - pthread_mutex_lock(&_pammodutil_mutex); -} -static void _pammodutil_unlock(void) -{ - pthread_mutex_unlock(&_pammodutil_mutex); -} - -static int intlen(int number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -static int longlen(long number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -struct passwd *_pammodutil_getpwuid(pam_handle_t *pamh, uid_t uid) -{ -#ifdef HAVE_GETPWUID_R - - void *buffer=NULL; - size_t length = PWD_INITIAL_LENGTH; - - do { - int status; - void *new_buffer; - struct passwd *result = NULL; - - new_buffer = realloc(buffer, sizeof(struct passwd) + length); - if (new_buffer == NULL) { - - D(("out of memory")); - - /* no memory for the user - so delete the memory */ - if (buffer) { - free(buffer); - } - return NULL; - } - buffer = new_buffer; - - /* make the re-entrant call to get the pwd structure */ - errno = 0; - status = getpwuid_r(uid, buffer, - sizeof(struct passwd) + (char *) buffer, - length, &result); - if (!status && (result == buffer)) { - char *data_name; - const void *ignore; - int i; - - data_name = malloc(strlen("_pammodutil_getpwuid") + 1 + - longlen((long) uid) + 1 + intlen(INT_MAX) + 1); - if ((pamh != NULL) && (data_name == NULL)) { - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - free(buffer); - return NULL; - } - - if (pamh != NULL) { - for (i = 0; i < INT_MAX; i++) { - sprintf(data_name, "_pammodutil_getpwuid_%ld_%d", - (long) uid, i); - _pammodutil_lock(); - status = PAM_NO_MODULE_DATA; - if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { - status = pam_set_data(pamh, data_name, - result, _pammodutil_cleanup); - } - _pammodutil_unlock(); - if (status == PAM_SUCCESS) { - break; - } - } - } else { - status = PAM_SUCCESS; - } - - free(data_name); - - if (status == PAM_SUCCESS) { - D(("success")); - return result; - } - - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - - free(buffer); - return NULL; - - } else if (errno != ERANGE && errno != EINTR) { - /* no sense in repeating the call */ - break; - } - - length <<= 2; - - } while (length < PWD_ABSURD_PWD_LENGTH); - - D(("pwd structure took %u bytes or so of memory", - length+sizeof(struct passwd))); - - free(buffer); - return NULL; - -#else /* ie. ifndef HAVE_GETPWUID_R */ - - /* - * Sorry, there does not appear to be a reentrant version of - * getpwuid(). So, we use the standard libc function. - */ - - return getpwuid(uid); - -#endif /* def HAVE_GETPWUID_R */ -} diff --git a/Linux-PAM/modules/pammodutil/modutil_getspnam.c b/Linux-PAM/modules/pammodutil/modutil_getspnam.c deleted file mode 100644 index e966bb52..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_getspnam.c +++ /dev/null @@ -1,139 +0,0 @@ -/* - * $Id: modutil_getspnam.c,v 1.3 2005/03/30 14:59:41 kukuk Exp $ - * - * This function provides a thread safer version of getspnam() for use - * with PAM modules that care about this sort of thing. - * - * XXX - or at least it should provide a thread-safe alternative. - */ - -#include "pammodutil.h" - -#include <errno.h> -#include <limits.h> -#include <pthread.h> -#include <shadow.h> -#include <stdio.h> -#include <stdlib.h> - -static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; -static void _pammodutil_lock(void) -{ - pthread_mutex_lock(&_pammodutil_mutex); -} -static void _pammodutil_unlock(void) -{ - pthread_mutex_unlock(&_pammodutil_mutex); -} - -static int intlen(int number) -{ - int len = 2; - while (number != 0) { - number /= 10; - len++; - } - return len; -} - -struct spwd *_pammodutil_getspnam(pam_handle_t *pamh, const char *user) -{ -#ifdef HAVE_GETSPNAM_R - - void *buffer=NULL; - size_t length = PWD_INITIAL_LENGTH; - - do { - int status; - void *new_buffer; - struct spwd *result = NULL; - - new_buffer = realloc(buffer, sizeof(struct spwd) + length); - if (new_buffer == NULL) { - - D(("out of memory")); - - /* no memory for the user - so delete the memory */ - if (buffer) { - free(buffer); - } - return NULL; - } - buffer = new_buffer; - - /* make the re-entrant call to get the spwd structure */ - errno = 0; - status = getspnam_r(user, buffer, - sizeof(struct spwd) + (char *) buffer, - length, &result); - if (!status && (result == buffer)) { - char *data_name; - const void *ignore; - int i; - - data_name = malloc(strlen("_pammodutil_getspnam") + 1 + - strlen(user) + 1 + intlen(INT_MAX) + 1); - if ((pamh != NULL) && (data_name == NULL)) { - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - free(buffer); - return NULL; - } - - if (pamh != NULL) { - for (i = 0; i < INT_MAX; i++) { - sprintf(data_name, "_pammodutil_getspnam_%s_%d", user, i); - _pammodutil_lock(); - status = PAM_NO_MODULE_DATA; - if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { - status = pam_set_data(pamh, data_name, - result, _pammodutil_cleanup); - } - _pammodutil_unlock(); - if (status == PAM_SUCCESS) { - break; - } - } - } else { - status = PAM_SUCCESS; - } - - free(data_name); - - if (status == PAM_SUCCESS) { - D(("success")); - return result; - } - - D(("was unable to register the data item [%s]", - pam_strerror(pamh, status))); - - free(buffer); - return NULL; - - } else if (errno != ERANGE && errno != EINTR) { - /* no sense in repeating the call */ - break; - } - - length <<= 2; - - } while (length < PWD_ABSURD_PWD_LENGTH); - - D(("spwd structure took %u bytes or so of memory", - length+sizeof(struct spwd))); - - free(buffer); - return NULL; - -#else /* ie. ifndef HAVE_GETSPNAM_R */ - - /* - * Sorry, there does not appear to be a reentrant version of - * getspnam(). So, we use the standard libc function. - */ - - return getspnam(user); - -#endif /* def HAVE_GETSPNAM_R */ -} diff --git a/Linux-PAM/modules/pammodutil/modutil_ingroup.c b/Linux-PAM/modules/pammodutil/modutil_ingroup.c deleted file mode 100644 index e1f88b81..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_ingroup.c +++ /dev/null @@ -1,121 +0,0 @@ -/* - * $Id: modutil_ingroup.c,v 1.1 2004/09/24 13:14:14 kukuk Exp $ - * - * This function provides common methods for checking if a user is in a - * specified group. - */ - -#include "pammodutil.h" -#include "include/security/_pam_modutil.h" -#include <pwd.h> -#include <grp.h> - -#ifdef HAVE_GETGROUPLIST -static int checkgrouplist(const char *user, gid_t primary, gid_t target) -{ - gid_t *grouplist = NULL; - int agroups, ngroups, i; - ngroups = agroups = 3; - do { - grouplist = malloc(sizeof(gid_t) * agroups); - if (grouplist == NULL) { - return 0; - } - ngroups = agroups; - i = getgrouplist(user, primary, grouplist, &ngroups); - if ((i < 0) || (ngroups < 1)) { - agroups *= 2; - free(grouplist); - } else { - for (i = 0; i < ngroups; i++) { - if (grouplist[i] == target) { - free(grouplist); - return 1; - } - } - free(grouplist); - } - } while (((i < 0) || (ngroups < 1)) && (agroups < 10000)); - return 0; -} -#endif - -static int _pammodutil_user_in_group_common(pam_handle_t *pamh, - struct passwd *pwd, - struct group *grp) -{ - int i; - - if (pwd == NULL) { - return 0; - } - if (grp == NULL) { - return 0; - } - - if (pwd->pw_gid == grp->gr_gid) { - return 1; - } - - for (i = 0; (grp->gr_mem != NULL) && (grp->gr_mem[i] != NULL); i++) { - if (strcmp(pwd->pw_name, grp->gr_mem[i]) == 0) { - return 1; - } - } - -#ifdef HAVE_GETGROUPLIST - if (checkgrouplist(pwd->pw_name, pwd->pw_gid, grp->gr_gid)) { - return 1; - } -#endif - - return 0; -} - -int _pammodutil_user_in_group_nam_nam(pam_handle_t *pamh, - const char *user, const char *group) -{ - struct passwd *pwd; - struct group *grp; - - pwd = _pammodutil_getpwnam(pamh, user); - grp = _pammodutil_getgrnam(pamh, group); - - return _pammodutil_user_in_group_common(pamh, pwd, grp); -} - -int _pammodutil_user_in_group_nam_gid(pam_handle_t *pamh, - const char *user, gid_t group) -{ - struct passwd *pwd; - struct group *grp; - - pwd = _pammodutil_getpwnam(pamh, user); - grp = _pammodutil_getgrgid(pamh, group); - - return _pammodutil_user_in_group_common(pamh, pwd, grp); -} - -int _pammodutil_user_in_group_uid_nam(pam_handle_t *pamh, - uid_t user, const char *group) -{ - struct passwd *pwd; - struct group *grp; - - pwd = _pammodutil_getpwuid(pamh, user); - grp = _pammodutil_getgrnam(pamh, group); - - return _pammodutil_user_in_group_common(pamh, pwd, grp); -} - -int _pammodutil_user_in_group_uid_gid(pam_handle_t *pamh, - uid_t user, gid_t group) -{ - struct passwd *pwd; - struct group *grp; - - pwd = _pammodutil_getpwuid(pamh, user); - grp = _pammodutil_getgrgid(pamh, group); - - return _pammodutil_user_in_group_common(pamh, pwd, grp); -} diff --git a/Linux-PAM/modules/pammodutil/modutil_ioloop.c b/Linux-PAM/modules/pammodutil/modutil_ioloop.c deleted file mode 100644 index 37ac76fc..00000000 --- a/Linux-PAM/modules/pammodutil/modutil_ioloop.c +++ /dev/null @@ -1,52 +0,0 @@ -/* - * $Id: modutil_ioloop.c,v 1.2 2004/09/24 09:18:22 kukuk Exp $ - * - * These functions provides common methods for ensure a complete read or - * write occurs. It handles EINTR and partial read/write returns. - */ - -#include <unistd.h> -#include <errno.h> - -#include <security/pam_modules.h> -#include "include/security/_pam_modutil.h" - -int _pammodutil_read(int fd, char *buffer, int count) -{ - int block, offset = 0; - - while (count > 0) { - block = read(fd, &buffer[offset], count); - - if (block < 0) { - if (errno == EINTR) continue; - return block; - } - if (block == 0) return offset; - - offset += block; - count -= block; - } - - return offset; -} - -int _pammodutil_write(int fd, const char *buffer, int count) -{ - int block, offset = 0; - - while (count > 0) { - block = write(fd, &buffer[offset], count); - - if (block < 0) { - if (errno == EINTR) continue; - return block; - } - if (block == 0) return offset; - - offset += block; - count -= block; - } - - return offset; -} diff --git a/Linux-PAM/modules/pammodutil/pammodutil.h b/Linux-PAM/modules/pammodutil/pammodutil.h deleted file mode 100644 index 2b80c852..00000000 --- a/Linux-PAM/modules/pammodutil/pammodutil.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef PAMMODUTIL_H -#define PAMMODUTIL_H - -/* - * $Id: pammodutil.h,v 1.2 2005/03/30 10:42:54 t8m Exp $ - * - * Copyright (c) 2001 Andrew Morgan <morgan@kernel.org> - */ - -#include <security/_pam_aconf.h> -#include <security/_pam_macros.h> -#include <security/pam_modules.h> -#include <security/_pam_modutil.h> - -#define PWD_INITIAL_LENGTH 0x100 -#define PWD_ABSURD_PWD_LENGTH 0x8000 - -/* This is a simple cleanup, it just free()s the 'data' memory */ -extern void _pammodutil_cleanup(pam_handle_t *pamh, void *data, - int error_status); - -#endif /* PAMMODUTIL_H */ diff --git a/Linux-PAM/modules/register_static b/Linux-PAM/modules/register_static deleted file mode 100755 index f3aebb60..00000000 --- a/Linux-PAM/modules/register_static +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/sh - -if [ `basename $PWD` != "modules" ]; then - echo "$0 must be run from the .../modules directory" - exit 1 -fi - -merge_line () -{ - if [ $# != 3 ]; then - echo "usage: merge_line token filename 'new line'" - fi - if [ -f $2 ]; then -# remove any existing entry... - grep -v "$1" $2 > tmp.$2 - rm -f $2 - mv {tmp.,}$2 - fi - cat << EOT >> $2 -$3 -EOT - -} - - -if [ $# -ne 2 ]; then - - cat << EOT 2>&1 -$0: this script takes TWO arguments: - the 'alphanumeric label' of the module and the location of - its object file from the .../modules/ directory -EOT - exit 1 - -else - echo " - *> registering static module: $1 ($2) <* -" - merge_line "$1" _static_module_list "\ -extern struct pam_module _$1_modstruct;" - - merge_line "$1" _static_module_entry " &_$1_modstruct," - if [ -n "$2" ]; then - merge_line "$2" _static_module_objects "../modules/$2" - fi - -fi - -exit 0 |