diff options
Diffstat (limited to 'libpam')
-rw-r--r-- | libpam/Makefile.am | 13 | ||||
-rw-r--r-- | libpam/Makefile.in | 332 | ||||
-rw-r--r-- | libpam/include/security/pam_modules.h | 81 | ||||
-rw-r--r-- | libpam/include/security/pam_modutil.h | 13 | ||||
-rw-r--r-- | libpam/libpam.map | 5 | ||||
-rw-r--r-- | libpam/pam_account.c | 4 | ||||
-rw-r--r-- | libpam/pam_audit.c | 86 | ||||
-rw-r--r-- | libpam/pam_auth.c | 8 | ||||
-rw-r--r-- | libpam/pam_delay.c | 2 | ||||
-rw-r--r-- | libpam/pam_dispatch.c | 41 | ||||
-rw-r--r-- | libpam/pam_dynamic.c | 4 | ||||
-rw-r--r-- | libpam/pam_get_authtok.c | 23 | ||||
-rw-r--r-- | libpam/pam_handlers.c | 191 | ||||
-rw-r--r-- | libpam/pam_modutil_sanitize.c | 175 | ||||
-rw-r--r-- | libpam/pam_password.c | 4 | ||||
-rw-r--r-- | libpam/pam_private.h | 24 | ||||
-rw-r--r-- | libpam/pam_session.c | 7 | ||||
-rw-r--r-- | libpam/pam_static.c | 127 | ||||
-rw-r--r-- | libpam/pam_static_modules.h | 148 |
19 files changed, 660 insertions, 628 deletions
diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 417ca779..638bb5c4 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -18,16 +18,11 @@ include_HEADERS = include/security/_pam_compat.h \ include/security/pam_ext.h include/security/pam_modutil.h noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ - pam_modutil_private.h pam_static_modules.h + pam_modutil_private.h -libpam_la_LDFLAGS = -no-undefined -version-info 83:1:83 +libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ -if STATIC_MODULES - libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \ - @LIBDB@ @LIBCRYPT@ $(NIS_LIBS) @LIBCRACK@ -lutil - AM_CFLAGS += $(NIS_CFLAGS) -endif if HAVE_VERSIONING libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map endif @@ -38,9 +33,9 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \ pam_handlers.c pam_item.c \ pam_misc.c pam_password.c pam_prelude.c \ - pam_session.c pam_start.c pam_static.c pam_strerror.c \ + pam_session.c pam_start.c pam_strerror.c \ pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \ - pam_modutil_priv.c + pam_modutil_priv.c pam_modutil_sanitize.c diff --git a/libpam/Makefile.in b/libpam/Makefile.in index 6eb4f4d8..a448055c 100644 --- a/libpam/Makefile.in +++ b/libpam/Makefile.in @@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -21,6 +20,51 @@ VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -40,17 +84,14 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" -@STATIC_MODULES_TRUE@am__append_2 = $(shell ls ../modules/pam_*/*.lo) \ -@STATIC_MODULES_TRUE@ @LIBDB@ @LIBCRYPT@ $(NIS_LIBS) @LIBCRACK@ -lutil - -@STATIC_MODULES_TRUE@am__append_3 = $(NIS_CFLAGS) -@HAVE_VERSIONING_TRUE@am__append_4 = -Wl,--version-script=$(srcdir)/libpam.map +@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/libpam.map subdir = libpam -DIST_COMMON = $(include_HEADERS) $(noinst_HEADERS) \ - $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/build-aux/depcomp $(include_HEADERS) \ + $(noinst_HEADERS) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/japhar_grep_cflags.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ @@ -60,7 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.in + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -88,49 +129,100 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = -@STATIC_MODULES_TRUE@am__DEPENDENCIES_2 = $(shell ls \ -@STATIC_MODULES_TRUE@ ../modules/pam_*/*.lo) \ -@STATIC_MODULES_TRUE@ $(am__DEPENDENCIES_1) -libpam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +libpam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am_libpam_la_OBJECTS = pam_account.lo pam_auth.lo pam_data.lo \ pam_delay.lo pam_dispatch.lo pam_end.lo pam_env.lo \ pam_get_authtok.lo pam_handlers.lo pam_item.lo pam_misc.lo \ pam_password.lo pam_prelude.lo pam_session.lo pam_start.lo \ - pam_static.lo pam_strerror.lo pam_vprompt.lo pam_syslog.lo \ - pam_dynamic.lo pam_audit.lo pam_modutil_cleanup.lo \ - pam_modutil_getpwnam.lo pam_modutil_ioloop.lo \ - pam_modutil_getgrgid.lo pam_modutil_getpwuid.lo \ - pam_modutil_getgrnam.lo pam_modutil_getspnam.lo \ - pam_modutil_getlogin.lo pam_modutil_ingroup.lo \ - pam_modutil_priv.lo + pam_strerror.lo pam_vprompt.lo pam_syslog.lo pam_dynamic.lo \ + pam_audit.lo pam_modutil_cleanup.lo pam_modutil_getpwnam.lo \ + pam_modutil_ioloop.lo pam_modutil_getgrgid.lo \ + pam_modutil_getpwuid.lo pam_modutil_getgrnam.lo \ + pam_modutil_getspnam.lo pam_modutil_getlogin.lo \ + pam_modutil_ingroup.lo pam_modutil_priv.lo \ + pam_modutil_sanitize.lo libpam_la_OBJECTS = $(am_libpam_la_OBJECTS) -libpam_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libpam_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libpam_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = SOURCES = $(libpam_la_SOURCES) DIST_SOURCES = $(libpam_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac HEADERS = $(include_HEADERS) $(noinst_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -138,6 +230,7 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BROWSER = @BROWSER@ BUILD_CFLAGS = @BUILD_CFLAGS@ +BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ BUILD_LDFLAGS = @BUILD_LDFLAGS@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -148,6 +241,7 @@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -157,6 +251,7 @@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ @@ -197,6 +292,7 @@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -205,6 +301,8 @@ NIS_CFLAGS = @NIS_CFLAGS@ NIS_LIBS = @NIS_LIBS@ NM = @NM@ NMEDIT = @NMEDIT@ +NSL_CFLAGS = @NSL_CFLAGS@ +NSL_LIBS = @NSL_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ @@ -220,6 +318,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@ PIE_CFLAGS = @PIE_CFLAGS@ PIE_LDFLAGS = @PIE_LDFLAGS@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ POSUB = @POSUB@ RANLIB = @RANLIB@ SCONFIGDIR = @SCONFIGDIR@ @@ -228,10 +328,13 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +TIRPC_CFLAGS = @TIRPC_CFLAGS@ +TIRPC_LIBS = @TIRPC_LIBS@ USE_NLS = @USE_NLS@ VERSION = @VERSION@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ XMLCATALOG = @XMLCATALOG@ XMLLINT = @XMLLINT@ XML_CATALOG_FILE = @XML_CATALOG_FILE@ @@ -242,6 +345,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -273,11 +377,8 @@ install_sh = @install_sh@ libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ -libtirpc_CFLAGS = @libtirpc_CFLAGS@ -libtirpc_LIBS = @libtirpc_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -299,7 +400,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) \ - -DPAM_VERSION=\"$(VERSION)\" $(am__append_1) $(am__append_3) + -DPAM_VERSION=\"$(VERSION)\" $(am__append_1) CLEANFILES = *~ EXTRA_DIST = libpam.map include_HEADERS = include/security/_pam_compat.h \ @@ -308,23 +409,22 @@ include_HEADERS = include/security/_pam_compat.h \ include/security/pam_ext.h include/security/pam_modutil.h noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ - pam_modutil_private.h pam_static_modules.h + pam_modutil_private.h -libpam_la_LDFLAGS = -no-undefined -version-info 83:1:83 \ - $(am__append_4) -libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ \ +libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 \ $(am__append_2) +libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ lib_LTLIBRARIES = libpam.la libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \ pam_handlers.c pam_item.c \ pam_misc.c pam_password.c pam_prelude.c \ - pam_session.c pam_start.c pam_static.c pam_strerror.c \ + pam_session.c pam_start.c pam_strerror.c \ pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \ - pam_modutil_priv.c + pam_modutil_priv.c pam_modutil_sanitize.c all: all-am @@ -360,9 +460,9 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -370,6 +470,8 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ } @@ -385,14 +487,17 @@ uninstall-libLTLIBRARIES: clean-libLTLIBRARIES: -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libpam.la: $(libpam_la_OBJECTS) $(libpam_la_DEPENDENCIES) - $(libpam_la_LINK) -rpath $(libdir) $(libpam_la_OBJECTS) $(libpam_la_LIBADD) $(LIBS) + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libpam.la: $(libpam_la_OBJECTS) $(libpam_la_DEPENDENCIES) $(EXTRA_libpam_la_DEPENDENCIES) + $(AM_V_CCLD)$(libpam_la_LINK) -rpath $(libdir) $(libpam_la_OBJECTS) $(libpam_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -423,35 +528,35 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ingroup.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ioloop.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_priv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_sanitize.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_password.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_prelude.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_session.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_start.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_static.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_strerror.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_syslog.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_vprompt.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo @@ -460,8 +565,11 @@ clean-libtool: -rm -rf .libs _libs install-includeHEADERS: $(include_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ @@ -475,30 +583,17 @@ uninstall-includeHEADERS: @$(NORMAL_UNINSTALL) @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ - test -n "$$files" || exit 0; \ - echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(includedir)" && rm -f $$files - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) + dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ @@ -510,15 +605,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $$unique; \ fi; \ fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique @@ -527,6 +618,21 @@ GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -578,10 +684,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: @@ -667,19 +778,20 @@ uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ + install-includeHEADERS install-info install-info-am \ + install-libLTLIBRARIES install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-includeHEADERS \ + tags tags-am uninstall uninstall-am uninstall-includeHEADERS \ uninstall-libLTLIBRARIES diff --git a/libpam/include/security/pam_modules.h b/libpam/include/security/pam_modules.h index 5c516c4e..ec65e3e9 100644 --- a/libpam/include/security/pam_modules.h +++ b/libpam/include/security/pam_modules.h @@ -30,80 +30,26 @@ pam_get_data(const pam_handle_t *pamh, const char *module_data_name, extern int PAM_NONNULL((1,2)) pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt); -#ifdef PAM_STATIC - -#define PAM_EXTERN static - -struct pam_module { - const char *name; /* Name of the module */ - - /* These are function pointers to the module's key functions. */ - - int (*pam_sm_authenticate)(pam_handle_t *pamh, int flags, - int argc, const char **argv); - int (*pam_sm_setcred)(pam_handle_t *pamh, int flags, - int argc, const char **argv); - int (*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, - int argc, const char **argv); - int (*pam_sm_open_session)(pam_handle_t *pamh, int flags, - int argc, const char **argv); - int (*pam_sm_close_session)(pam_handle_t *pamh, int flags, - int argc, const char **argv); - int (*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, - int argc, const char **argv); -}; - -#else /* !PAM_STATIC */ - -#define PAM_EXTERN extern - -#endif /* PAM_STATIC */ - -/* Lots of files include pam_modules.h that don't need these - * declared. However, when they are declared static, they - * need to be defined later. So we have to protect C files - * that include these without wanting these functions defined.. */ - -#if (defined(PAM_STATIC) && defined(PAM_SM_AUTH)) || !defined(PAM_STATIC) - /* Authentication API's */ -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv); -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv); - -#endif /*(defined(PAM_STATIC) && defined(PAM_SM_AUTH)) - || !defined(PAM_STATIC)*/ - -#if (defined(PAM_STATIC) && defined(PAM_SM_ACCOUNT)) || !defined(PAM_STATIC) +int pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv); +int pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char **argv); /* Account Management API's */ -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv); - -#endif /*(defined(PAM_STATIC) && defined(PAM_SM_ACCOUNT)) - || !defined(PAM_STATIC)*/ - -#if (defined(PAM_STATIC) && defined(PAM_SM_SESSION)) || !defined(PAM_STATIC) +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv); /* Session Management API's */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv); +int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv); -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv); - -#endif /*(defined(PAM_STATIC) && defined(PAM_SM_SESSION)) - || !defined(PAM_STATIC)*/ - -#if (defined(PAM_STATIC) && defined(PAM_SM_PASSWORD)) || !defined(PAM_STATIC) +int pam_sm_close_session(pam_handle_t *pamh, int flags, + int argc, const char **argv); /* Password Management API's */ -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv); - -#endif /*(defined(PAM_STATIC) && defined(PAM_SM_PASSWORD)) - || !defined(PAM_STATIC)*/ +int pam_sm_chauthtok(pam_handle_t *pamh, int flags, + int argc, const char **argv); /* The following two flags are for use across the Linux-PAM/module * interface only. The Application is not permitted to use these @@ -129,6 +75,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, #define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */ +/* PAM_EXTERN isn't needed anymore, but don't remove it to not break + lot of external code using it. */ +#define PAM_EXTERN extern /* take care of any compatibility issues */ #include <security/_pam_compat.h> diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h index 8087ba15..4ce8c552 100644 --- a/libpam/include/security/pam_modutil.h +++ b/libpam/include/security/pam_modutil.h @@ -129,6 +129,19 @@ extern int PAM_NONNULL((1,2)) pam_modutil_regain_priv(pam_handle_t *pamh, struct pam_modutil_privs *p); +enum pam_modutil_redirect_fd { + PAM_MODUTIL_IGNORE_FD, /* do not redirect */ + PAM_MODUTIL_PIPE_FD, /* redirect to a pipe */ + PAM_MODUTIL_NULL_FD, /* redirect to /dev/null */ +}; + +/* redirect standard descriptors, close all other descriptors. */ +extern int PAM_NONNULL((1)) +pam_modutil_sanitize_helper_fds(pam_handle_t *pamh, + enum pam_modutil_redirect_fd redirect_stdin, + enum pam_modutil_redirect_fd redirect_stdout, + enum pam_modutil_redirect_fd redirect_stderr); + #ifdef __cplusplus } #endif diff --git a/libpam/libpam.map b/libpam/libpam.map index b0885d65..d6835b47 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -67,3 +67,8 @@ LIBPAM_MODUTIL_1.1.3 { pam_modutil_drop_priv; pam_modutil_regain_priv; } LIBPAM_MODUTIL_1.1; + +LIBPAM_MODUTIL_1.1.9 { + global: + pam_modutil_sanitize_helper_fds; +} LIBPAM_MODUTIL_1.1.3; diff --git a/libpam/pam_account.c b/libpam/pam_account.c index 572acc47..3a4fb1fc 100644 --- a/libpam/pam_account.c +++ b/libpam/pam_account.c @@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); -#endif - return retval; } diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c index 531746ab..97a9a929 100644 --- a/libpam/pam_audit.c +++ b/libpam/pam_audit.c @@ -6,12 +6,12 @@ Authors: Steve Grubb <sgrubb@redhat.com> */ -#include <stdio.h> -#include <syslog.h> #include "pam_private.h" #include "pam_modutil_private.h" #ifdef HAVE_LIBAUDIT +#include <stdio.h> +#include <syslog.h> #include <libaudit.h> #include <pwd.h> #include <netdb.h> @@ -25,17 +25,24 @@ static int _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, - const char *message, int retval) + const char *message, const char *grantors, int retval) { static int old_errno = -1; - int rc; - char buf[32]; + int rc = -ENOMEM; + char *buf; + const char *grantors_field = " grantors="; - snprintf(buf, sizeof(buf), "PAM:%s", message); + if (grantors == NULL) { + grantors = ""; + grantors_field = ""; + } - rc = audit_log_acct_message (audit_fd, type, NULL, buf, - (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", - -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); + if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) { + rc = audit_log_acct_message(audit_fd, type, NULL, buf, + (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", + -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); + free(buf); + } /* libaudit sets errno to his own negative error code. This can be an official errno number, but must not. It can also be a audit @@ -46,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, pamh->audit_state |= PAMAUDIT_LOGGED; if (rc < 0) { - if (rc == -EPERM && getuid() != 0) + if (rc == -EPERM) return 0; if (errno != old_errno) { old_errno = errno; @@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh) return audit_fd; } +static int +_pam_list_grantors(struct handler *hlist, int retval, char **list) +{ + *list = NULL; + + if (retval == PAM_SUCCESS) { + struct handler *h; + char *p = NULL; + size_t len = 0; + + for (h = hlist; h != NULL; h = h->next) { + if (h->grantor) { + len += strlen(h->mod_name) + 1; + } + } + + if (len == 0) { + return 0; + } + + *list = malloc(len); + if (*list == NULL) { + return -1; + } + + for (h = hlist; h != NULL; h = h->next) { + if (h->grantor) { + if (p == NULL) { + p = *list; + } else { + p = stpcpy(p, ","); + } + + p = stpcpy(p, h->mod_name); + } + } + } + + return 0; +} + int -_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) { const char *message; int type; int audit_fd; + char *grantors; if ((audit_fd=_pam_audit_open(pamh)) == -1) { return PAM_SYSTEM_ERR; @@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) retval = PAM_SYSTEM_ERR; } - if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) + if (_pam_list_grantors(h, retval, &grantors) < 0) { + /* allocation failure */ + pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); retval = PAM_SYSTEM_ERR; + } + + if (_pam_audit_writelog(pamh, audit_fd, type, message, + grantors ? grantors : "?", retval) < 0) + retval = PAM_SYSTEM_ERR; + + free(grantors); audit_close(audit_fd); return retval; @@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) * stacks having been run. Assume that this is sshd faking * things for an unknown user. */ - _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); + _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); } return 0; @@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type, return retval; } - rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); + rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval); audit_close(audit_fd); diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c index 5984fa59..1e7bc6e7 100644 --- a/libpam/pam_auth.c +++ b/libpam/pam_auth.c @@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) prelude_send_alert(pamh, retval); #endif -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); -#endif - return retval; } @@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) retval = _pam_dispatch(pamh, flags, PAM_SETCRED); -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); -#endif - D(("pam_setcred exit")); return retval; diff --git a/libpam/pam_delay.c b/libpam/pam_delay.c index cb6c9d5c..972e72b6 100644 --- a/libpam/pam_delay.c +++ b/libpam/pam_delay.c @@ -81,7 +81,7 @@ static unsigned int _pam_compute_delay(unsigned int seed, unsigned int base) /* ********************************************************************** * the following function sleeps for a random time. The actual time * slept is computed above.. It is based on the requested time but will - * differ by up to +/- 25%. + * differ by up to +/- 50%. */ void _pam_await_timer(pam_handle_t *pamh, int status) diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c index eb52c824..cf632e8e 100644 --- a/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c @@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, status = retval; } } - if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { - goto decision_made; + if ( impression == _PAM_POSITIVE ) { + if ( retval == PAM_SUCCESS ) { + h->grantor = 1; + } + + if ( action == _PAM_ACTION_DONE ) { + goto decision_made; + } } break; @@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) { if ( retval != PAM_IGNORE || cached_retval == retval ) { + if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { + h->grantor = 1; + } impression = _PAM_POSITIVE; status = retval; } @@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */ return status; } +static void _pam_clear_grantors(struct handler *h) +{ + for (; h != NULL; h = h->next) { + h->grantor = 0; + } +} + /* * This function translates the module dispatch request into a pointer * to the stack of modules that will actually be run. the @@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) { struct handler *h = NULL; - int retval, use_cached_chain; + int retval = PAM_SYSTEM_ERR, use_cached_chain; _pam_boolean resumed; IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); if (__PAM_FROM_MODULE(pamh)) { D(("called from a module!?")); - return PAM_SYSTEM_ERR; + goto end; } /* Load all modules, resolve all symbols */ if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); - return retval; + goto end; } use_cached_chain = _PAM_PLEASE_FREEZE; @@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) break; default: pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); - return PAM_ABORT; + retval = PAM_ABORT; + goto end; } if (h == NULL) { /* there was no handlers.conf... entry; will use @@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) pam_syslog(pamh, LOG_ERR, "application failed to re-exec stack [%d:%d]", pamh->former.choice, choice); - return PAM_ABORT; + retval = PAM_ABORT; + goto end; } resumed = PAM_TRUE; } else { resumed = PAM_FALSE; + _pam_clear_grantors(h); } __PAM_TO_MODULE(pamh); @@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) pamh->former.choice = PAM_NOT_STACKED; } +end: + +#ifdef HAVE_LIBAUDIT + if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { + retval = _pam_auditlog(pamh, choice, retval, flags, h); + } +#endif + return retval; } diff --git a/libpam/pam_dynamic.c b/libpam/pam_dynamic.c index e1155e50..c063083f 100644 --- a/libpam/pam_dynamic.c +++ b/libpam/pam_dynamic.c @@ -33,8 +33,6 @@ #include "pam_private.h" -#ifndef PAM_STATIC - #ifdef PAM_SHL # include <dl.h> #elif defined(PAM_DYLD) @@ -138,5 +136,3 @@ _pam_dlerror (void) return dlerror (); #endif } - -#endif diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 31bb1627..9bfbdf0f 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -38,6 +38,8 @@ #define PROMPT _("Password: ") /* For Translators: "%s%s" could be replaced with "<service> " or "". */ +#define PROMPTCURRENT _("Current %s%spassword: ") +/* For Translators: "%s%s" could be replaced with "<service> " or "". */ #define PROMPT1 _("New %s%spassword: ") /* For Translators: "%s%s" could be replaced with "<service> " or "". */ #define PROMPT2 _("Retype new %s%spassword: ") @@ -89,12 +91,14 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, /* PAM_AUTHTOK in password stack returns new password, which needs to be verified. */ - if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK) + if (pamh->choice == PAM_CHAUTHTOK) { - chpass = 1; - if (!(flags & PAM_GETAUTHTOK_NOVERIFY)) - ++chpass; - + if (item == PAM_AUTHTOK) + { + chpass = 1; + if (!(flags & PAM_GETAUTHTOK_NOVERIFY)) + ++chpass; + } authtok_type = get_option (pamh, "authtok_type"); if (authtok_type == NULL) { @@ -144,6 +148,10 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, PROMPT2, authtok_type, strlen (authtok_type) > 0?" ":""); } + else if (item == PAM_OLDAUTHTOK) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPTCURRENT, authtok_type, + strlen (authtok_type) > 0?" ":""); else retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s", PROMPT); @@ -151,8 +159,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, if (retval != PAM_SUCCESS || resp[0] == NULL || (chpass > 1 && resp[1] == NULL)) { - /* We want to abort the password change */ - pam_error (pamh, _("Password change aborted.")); + /* We want to abort */ + if (chpass) + pam_error (pamh, _("Password change aborted.")); return PAM_AUTHTOK_ERR; } diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 02714f78..91cccadc 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -274,6 +274,66 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f return ( (x < 0) ? PAM_ABORT:PAM_SUCCESS ); } +static int +_pam_open_config_file(pam_handle_t *pamh + , const char *service + , char **path + , FILE **file) +{ + char *p; + FILE *f; + int err = 0; + + /* Absolute path */ + if (service[0] == '/') { + p = _pam_strdup(service); + if (p == NULL) { + pam_syslog(pamh, LOG_CRIT, "strdup failed"); + return PAM_BUF_ERR; + } + + f = fopen(service, "r"); + if (f != NULL) { + *path = p; + *file = f; + return PAM_SUCCESS; + } + + _pam_drop(p); + return PAM_ABORT; + } + + /* Local Machine Configuration /etc/pam.d/ */ + if (asprintf (&p, PAM_CONFIG_DF, service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + D(("opening %s", p)); + f = fopen(p, "r"); + if (f != NULL) { + *path = p; + *file = f; + return PAM_SUCCESS; + } + + /* System Configuration /usr/lib/pam.d/ */ + _pam_drop(p); + if (asprintf (&p, PAM_CONFIG_DIST_DF, service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + D(("opening %s", p)); + f = fopen(p, "r"); + if (f != NULL) { + *path = p; + *file = f; + return PAM_SUCCESS; + } + _pam_drop(p); + + return PAM_ABORT; +} + static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name , const char *service /* specific file */ , int module_type /* specific type */ @@ -284,7 +344,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name ) { FILE *f; - char *config_path = NULL; + char *path = NULL; int retval = PAM_ABORT; D(("_pam_load_conf_file called")); @@ -297,39 +357,29 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name if (config_name == NULL) { D(("no config file supplied")); - pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service); + pam_syslog(pamh, LOG_ERR, "(%s) no config name supplied", service); return PAM_ABORT; } - if (config_name[0] != '/') { - if (asprintf (&config_path, PAM_CONFIG_DF, config_name) < 0) { - pam_syslog(pamh, LOG_CRIT, "asprintf failed"); - return PAM_BUF_ERR; - } - config_name = config_path; - } - - D(("opening %s", config_name)); - f = fopen(config_name, "r"); - if (f != NULL) { + if (_pam_open_config_file(pamh, config_name, &path, &f) == PAM_SUCCESS) { retval = _pam_parse_conf_file(pamh, f, service, module_type, stack_level #ifdef PAM_READ_BOTH_CONFS , not_other #endif /* PAM_READ_BOTH_CONFS */ ); - fclose(f); if (retval != PAM_SUCCESS) pam_syslog(pamh, LOG_ERR, "_pam_load_conf_file: error reading %s: %s", - config_name, pam_strerror(pamh, retval)); + path, pam_strerror(pamh, retval)); + _pam_drop(path); + fclose(f); } else { D(("unable to open %s", config_name)); pam_syslog(pamh, LOG_ERR, - "_pam_load_conf_file: unable to open %s", + "_pam_load_conf_file: unable to open config for %s", config_name); } - _pam_drop(config_path); return retval; } @@ -396,39 +446,31 @@ int _pam_init_handlers(pam_handle_t *pamh) struct stat test_d; /* Is there a PAM_CONFIG_D directory? */ - if ( stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode) ) { - char *filename; + if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || + (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) { + char *path = NULL; int read_something=0; - D(("searching " PAM_CONFIG_D " for config files")); - if (asprintf(&filename, PAM_CONFIG_DF, pamh->service_name) < 0) { - pam_syslog(pamh, LOG_ERR, - "_pam_init_handlers: no memory; service %s", - pamh->service_name); - return PAM_BUF_ERR; - } - D(("opening %s", filename)); - f = fopen(filename, "r"); - if (f != NULL) { - /* would test magic here? */ + if (_pam_open_config_file(pamh, pamh->service_name, &path, &f) == PAM_SUCCESS) { retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ ); - fclose(f); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: error reading %s", - filename); + path); pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: [%s]", pam_strerror(pamh, retval)); } else { read_something = 1; } + _pam_drop(path); + fclose(f); } else { - D(("unable to open %s", filename)); + D(("unable to open configuration for %s", pamh->service_name)); #ifdef PAM_READ_BOTH_CONFS D(("checking %s", PAM_CONFIG)); @@ -443,14 +485,11 @@ int _pam_init_handlers(pam_handle_t *pamh) * use "other" */ } - _pam_drop(filename); if (retval == PAM_SUCCESS) { - /* now parse the PAM_DEFAULT_SERVICE_FILE */ + /* now parse the PAM_DEFAULT_SERVICE */ - D(("opening %s", PAM_DEFAULT_SERVICE_FILE)); - f = fopen(PAM_DEFAULT_SERVICE_FILE, "r"); - if (f != NULL) { + if (_pam_open_config_file(pamh, PAM_DEFAULT_SERVICE, &path, &f) == PAM_SUCCESS) { /* would test magic here? */ retval = _pam_parse_conf_file(pamh, f, PAM_DEFAULT_SERVICE, PAM_T_ANY, 0 @@ -458,22 +497,23 @@ int _pam_init_handlers(pam_handle_t *pamh) , 0 #endif /* PAM_READ_BOTH_CONFS */ ); - fclose(f); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: error reading %s", - PAM_DEFAULT_SERVICE_FILE); + path); pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: [%s]", pam_strerror(pamh, retval)); } else { read_something = 1; } + _pam_drop(path); + fclose(f); } else { - D(("unable to open %s", PAM_DEFAULT_SERVICE_FILE)); + D(("unable to open %s", PAM_DEFAULT_SERVICE)); pam_syslog(pamh, LOG_ERR, "_pam_init_handlers: no default config %s", - PAM_DEFAULT_SERVICE_FILE); + PAM_DEFAULT_SERVICE); } if (!read_something) { /* nothing read successfully */ retval = PAM_ABORT; @@ -611,6 +651,12 @@ extract_modulename(const char *mod_path) if (dot) *dot = '\0'; + if (*retval == '\0' || strcmp(retval, "?") == 0) { + /* do not allow empty module name or "?" to avoid confusing audit trail */ + _pam_drop(retval); + return NULL; + } + return retval; } @@ -619,9 +665,7 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) { int x = 0; int success; -#ifndef PAM_STATIC char *mod_full_isa_path=NULL, *isa=NULL; -#endif struct loaded_module *mod; D(("_pam_load_module: loading module `%s'", mod_path)); @@ -655,27 +699,6 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) /* Be pessimistic... */ success = PAM_ABORT; -#ifdef PAM_STATIC - /* Only load static function if function was not found dynamically. - * This code should work even if no dynamic loading is available. */ - if (success != PAM_SUCCESS) { - D(("_pam_load_module: open static handler %s", mod_path)); - mod->dl_handle = _pam_open_static_handler(pamh, mod_path); - if (mod->dl_handle == NULL) { - D(("_pam_load_module: unable to find static handler %s", - mod_path)); - if (handler_type != PAM_HT_SILENT_MODULE) - pam_syslog(pamh, LOG_ERR, - "unable to open static handler %s", mod_path); - /* Didn't find module in dynamic or static..will mark bad */ - } else { - D(("static module added successfully")); - success = PAM_SUCCESS; - mod->type = PAM_MT_STATIC_MOD; - pamh->handlers.modules_used++; - } - } -#else D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); mod->dl_handle = _pam_dlopen(mod_path); D(("_pam_load_module: _pam_dlopen'ed")); @@ -712,7 +735,6 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) mod->type = PAM_MT_DYNAMIC_MOD; pamh->handlers.modules_used++; } -#endif if (success != PAM_SUCCESS) { /* add a malformed module */ mod->dl_handle = NULL; @@ -823,16 +845,8 @@ int _pam_add_handler(pam_handle_t *pamh } /* are the modules reliable? */ - if ( -#ifdef PAM_STATIC - mod_type != PAM_MT_STATIC_MOD - && -#else - mod_type != PAM_MT_DYNAMIC_MOD - && -#endif - mod_type != PAM_MT_FAULTY_MOD - ) { + if (mod_type != PAM_MT_DYNAMIC_MOD && + mod_type != PAM_MT_FAULTY_MOD) { D(("_pam_add_handlers: illegal module library type; %d", mod_type)); pam_syslog(pamh, LOG_ERR, "internal error: module library type not known: %s;%d", @@ -842,30 +856,15 @@ int _pam_add_handler(pam_handle_t *pamh /* now identify this module's functions - for non-faulty modules */ -#ifdef PAM_STATIC - if ((mod_type == PAM_MT_STATIC_MOD) && - (func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) { - pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym); - } -#else if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func = _pam_dlsym(mod->dl_handle, sym)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym); } -#endif if (sym2) { -#ifdef PAM_STATIC - if ((mod_type == PAM_MT_STATIC_MOD) && - (func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2)) - == NULL) { - pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); - } -#else if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } -#endif } /* here func (and perhaps func2) point to the appropriate functions */ @@ -888,7 +887,9 @@ int _pam_add_handler(pam_handle_t *pamh (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); (*handler_p)->argc = argc; (*handler_p)->argv = argv; /* not a copy */ - (*handler_p)->mod_name = extract_modulename(mod_path); + if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL) + return PAM_ABORT; + (*handler_p)->grantor = 0; (*handler_p)->next = NULL; /* some of the modules have a second calling function */ @@ -920,7 +921,9 @@ int _pam_add_handler(pam_handle_t *pamh } else { (*handler_p2)->argv = NULL; /* no arguments */ } - (*handler_p2)->mod_name = extract_modulename(mod_path); + if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL) + return PAM_ABORT; + (*handler_p2)->grantor = 0; (*handler_p2)->next = NULL; } @@ -944,11 +947,9 @@ int _pam_free_handlers(pam_handle_t *pamh) while (pamh->handlers.modules_used) { D(("_pam_free_handlers: dlclose(%s)", mod->name)); free(mod->name); -#ifndef PAM_STATIC if (mod->type == PAM_MT_DYNAMIC_MOD) { _pam_dlclose(mod->dl_handle); } -#endif mod++; pamh->handlers.modules_used--; } diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c new file mode 100644 index 00000000..65f85d01 --- /dev/null +++ b/libpam/pam_modutil_sanitize.c @@ -0,0 +1,175 @@ +/* + * This file implements the following functions: + * pam_modutil_sanitize_helper_fds: + * redirects standard descriptors, closes all other descriptors. + */ + +#include "pam_modutil_private.h" +#include <security/pam_ext.h> +#include <unistd.h> +#include <fcntl.h> +#include <syslog.h> +#include <sys/resource.h> + +/* + * Creates a pipe, closes its write end, redirects fd to its read end. + * Returns fd on success, -1 otherwise. + */ +static int +redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name) +{ + int in[2]; + + if (pipe(in) < 0) { + pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m"); + return -1; + } + + close(in[1]); + + if (in[0] == fd) + return fd; + + if (dup2(in[0], fd) != fd) { + pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name); + fd = -1; + } + + close(in[0]); + return fd; +} + +/* + * Creates a pipe, closes its read end, redirects fd to its write end. + * Returns fd on success, -1 otherwise. + */ +static int +redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name) +{ + int out[2]; + + if (pipe(out) < 0) { + pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m"); + return -1; + } + + close(out[0]); + + if (out[1] == fd) + return fd; + + if (dup2(out[1], fd) != fd) { + pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name); + fd = -1; + } + + close(out[1]); + return fd; +} + +/* + * Opens /dev/null for writing, redirects fd there. + * Returns fd on success, -1 otherwise. + */ +static int +redirect_out_null(pam_handle_t *pamh, int fd, const char *name) +{ + int null = open("/dev/null", O_WRONLY); + + if (null < 0) { + pam_syslog(pamh, LOG_ERR, "open of %s failed: %m", "/dev/null"); + return -1; + } + + if (null == fd) + return fd; + + if (dup2(null, fd) != fd) { + pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name); + fd = -1; + } + + close(null); + return fd; +} + +static int +redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode, + int fd, const char *name) +{ + switch (mode) { + case PAM_MODUTIL_PIPE_FD: + if (redirect_out_pipe(pamh, fd, name) < 0) + return -1; + break; + case PAM_MODUTIL_NULL_FD: + if (redirect_out_null(pamh, fd, name) < 0) + return -1; + break; + case PAM_MODUTIL_IGNORE_FD: + break; + } + return fd; +} + +/* Closes all descriptors after stderr. */ +static void +close_fds(void) +{ + /* + * An arbitrary upper limit for the maximum file descriptor number + * returned by RLIMIT_NOFILE. + */ + const int MAX_FD_NO = 65535; + + /* The lower limit is the same as for _POSIX_OPEN_MAX. */ + const int MIN_FD_NO = 20; + + int fd; + struct rlimit rlim; + + if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) + fd = MAX_FD_NO; + else if (rlim.rlim_max < MIN_FD_NO) + fd = MIN_FD_NO; + else + fd = rlim.rlim_max - 1; + + for (; fd > STDERR_FILENO; --fd) + close(fd); +} + +int +pam_modutil_sanitize_helper_fds(pam_handle_t *pamh, + enum pam_modutil_redirect_fd stdin_mode, + enum pam_modutil_redirect_fd stdout_mode, + enum pam_modutil_redirect_fd stderr_mode) +{ + if (stdin_mode != PAM_MODUTIL_IGNORE_FD && + redirect_in_pipe(pamh, STDIN_FILENO, "stdin") < 0) { + return -1; + } + + if (redirect_out(pamh, stdout_mode, STDOUT_FILENO, "stdout") < 0) + return -1; + + /* + * If stderr should not be ignored and + * redirect mode for stdout and stderr are the same, + * optimize by redirecting stderr to stdout. + */ + if (stderr_mode != PAM_MODUTIL_IGNORE_FD && + stdout_mode == stderr_mode) { + if (dup2(STDOUT_FILENO, STDERR_FILENO) != STDERR_FILENO) { + pam_syslog(pamh, LOG_ERR, + "dup2 of %s failed: %m", "stderr"); + return -1; + } + } else { + if (redirect_out(pamh, stderr_mode, STDERR_FILENO, "stderr") < 0) + return -1; + } + + close_fds(); + return 0; +} diff --git a/libpam/pam_password.c b/libpam/pam_password.c index 75db5e50..592e01fb 100644 --- a/libpam/pam_password.c +++ b/libpam/pam_password.c @@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) D(("will resume when ready", retval)); } -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); -#endif - return retval; } diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 134dc726..7ff9f758 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -24,12 +24,13 @@ /* the Linux-PAM configuration file */ -#define PAM_CONFIG "/etc/pam.conf" -#define PAM_CONFIG_D "/etc/pam.d" -#define PAM_CONFIG_DF "/etc/pam.d/%s" +#define PAM_CONFIG "/etc/pam.conf" +#define PAM_CONFIG_D "/etc/pam.d" +#define PAM_CONFIG_DF "/etc/pam.d/%s" +#define PAM_CONFIG_DIST_D "/usr/lib/pam.d" +#define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s" #define PAM_DEFAULT_SERVICE "other" /* lower case */ -#define PAM_DEFAULT_SERVICE_FILE PAM_CONFIG_D "/" PAM_DEFAULT_SERVICE #ifdef PAM_LOCKING /* @@ -55,6 +56,7 @@ struct handler { struct handler *next; char *mod_name; int stack_level; + int grantor; }; #define PAM_HT_MODULE 0 @@ -239,22 +241,10 @@ void _pam_await_timer(pam_handle_t *pamh, int status); typedef void (*voidfunc(void))(void); typedef int (*servicefn)(pam_handle_t *, int, int, char **); -#ifdef PAM_STATIC -/* The next two in ../modules/_pam_static/pam_static.c */ - -/* Return pointer to data structure used to define a static module */ -struct pam_module * _pam_open_static_handler (pam_handle_t *pamh, - const char *path); - -/* Return pointer to function requested from static module */ - -voidfunc *_pam_get_static_sym(struct pam_module *mod, const char *symname); -#else void *_pam_dlopen (const char *mod_path); servicefn _pam_dlsym (void *handle, const char *symbol); void _pam_dlclose (void *handle); const char *_pam_dlerror (void); -#endif /* For now we just use a stack and linear search for module data. */ /* If it becomes apparent that there is a lot of data, it should */ @@ -316,7 +306,7 @@ if ((pamh) == NULL) { \ do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) #ifdef HAVE_LIBAUDIT -extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); +extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); #endif diff --git a/libpam/pam_session.c b/libpam/pam_session.c index 512153f2..cb393c1a 100644 --- a/libpam/pam_session.c +++ b/libpam/pam_session.c @@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) } retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); -#endif return retval; } @@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); -#ifdef HAVE_LIBAUDIT - retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); -#endif - return retval; } diff --git a/libpam/pam_static.c b/libpam/pam_static.c deleted file mode 100644 index 511026d4..00000000 --- a/libpam/pam_static.c +++ /dev/null @@ -1,127 +0,0 @@ -/* - * pam_static.c -- static module loading helper functions - * - * created by Michael K. Johnson, johnsonm@redhat.com - */ - -/* This whole file is only used for PAM_STATIC */ - -#ifdef PAM_STATIC - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "pam_private.h" - -#include "pam_static_modules.h" - -/* - * and now for the functions - */ - -/* Return pointer to data structure used to define a static module */ -struct pam_module * -_pam_open_static_handler (pam_handle_t *pamh, const char *path) -{ - int i; - const char *clpath = path; - char *lpath, *end; - - if (strchr(clpath, '/')) { - /* ignore path and leading "/" */ - clpath = strrchr(path, '/') + 1; - } - /* create copy to muck with (must free before return) */ - lpath = _pam_strdup(clpath); - /* chop .so off copy if it exists (or other extension on other - platform...) */ - end = strstr(lpath, ".so"); - if (end) { - *end = '\0'; - } - - /* now go find the module */ - for (i = 0; static_modules[i] != NULL; i++) { - D(("%s=?%s\n", lpath, static_modules[i]->name)); - if (static_modules[i]->name && - ! strcmp(static_modules[i]->name, lpath)) { - break; - } - } - - if (static_modules[i] == NULL) { - pam_syslog (pamh, LOG_ERR, "no static module named %s", lpath); - } - - free(lpath); - return (static_modules[i]); -} - -/* Return pointer to function requested from static module - * Can't just return void *, because ANSI C disallows casting a - * pointer to a function to a void *... - * This definition means: - * _pam_get_static_sym is a function taking two arguments and - * returning a pointer to a function which takes no arguments - * and returns void... */ -voidfunc *_pam_get_static_sym(struct pam_module *mod, const char *symname) { - - if (! strcmp(symname, "pam_sm_authenticate")) { - return ((voidfunc *)mod->pam_sm_authenticate); - } else if (! strcmp(symname, "pam_sm_setcred")) { - return ((voidfunc *)mod->pam_sm_setcred); - } else if (! strcmp(symname, "pam_sm_acct_mgmt")) { - return ((voidfunc *)mod->pam_sm_acct_mgmt); - } else if (! strcmp(symname, "pam_sm_open_session")) { - return ((voidfunc *)mod->pam_sm_open_session); - } else if (! strcmp(symname, "pam_sm_close_session")) { - return ((voidfunc *)mod->pam_sm_close_session); - } else if (! strcmp(symname, "pam_sm_chauthtok")) { - return ((voidfunc *)mod->pam_sm_chauthtok); - } - /* getting to this point is an error */ - return ((voidfunc *)NULL); -} - -#else /* ! PAM_STATIC */ - -typedef int blarg; - -#endif /* ! PAM_STATIC */ - -/* - * Copyright (C) 1995 by Red Hat Software, Michael K. Johnson - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h deleted file mode 100644 index 698989bd..00000000 --- a/libpam/pam_static_modules.h +++ /dev/null @@ -1,148 +0,0 @@ -/* - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* Pointers to static module data. */ - -extern struct pam_module _pam_access_modstruct; -extern struct pam_module _pam_cracklib_modstruct; -extern struct pam_module _pam_debug_modstruct; -extern struct pam_module _pam_deny_modstruct; -extern struct pam_module _pam_echo_modstruct; -extern struct pam_module _pam_env_modstruct; -extern struct pam_module _pam_exec_modstruct; -extern struct pam_module _pam_faildelay_modstruct; -extern struct pam_module _pam_filter_modstruct; -extern struct pam_module _pam_ftp_modstruct; -extern struct pam_module _pam_group_modstruct; -extern struct pam_module _pam_issue_modstruct; -#ifdef HAVE_KEY_MANAGEMENT -extern struct pam_module _pam_keyinit_modstruct; -#endif -extern struct pam_module _pam_lastlog_modstruct; -extern struct pam_module _pam_limits_modstruct; -extern struct pam_module _pam_listfile_modstruct; -extern struct pam_module _pam_localuser_modstruct; -extern struct pam_module _pam_loginuid_modstruct; -extern struct pam_module _pam_mail_modstruct; -extern struct pam_module _pam_mkhomedir_modstruct; -extern struct pam_module _pam_motd_modstruct; -#ifdef HAVE_UNSHARE -extern struct pam_module _pam_namespace_modstruct; -#endif -extern struct pam_module _pam_nologin_modstruct; -extern struct pam_module _pam_permit_modstruct; -extern struct pam_module _pam_pwhistory_modstruct; -extern struct pam_module _pam_rhosts_modstruct; -extern struct pam_module _pam_rootok_modstruct; -extern struct pam_module _pam_securetty_modstruct; -#ifdef WITH_SELINUX -extern struct pam_module _pam_selinux_modstruct; -extern struct pam_module _pam_sepermit_modstruct; -#endif -extern struct pam_module _pam_shells_modstruct; -extern struct pam_module _pam_stress_modstruct; -extern struct pam_module _pam_succeed_if_modstruct; -extern struct pam_module _pam_tally_modstruct; -extern struct pam_module _pam_tally2_modstruct; -extern struct pam_module _pam_time_modstruct; -extern struct pam_module _pam_timestamp_modstruct; -#ifdef HAVE_AUDIT_TTY_STATUS -extern struct pam_module _pam_tty_audit_modstruct; -#endif -extern struct pam_module _pam_umask_modstruct; -extern struct pam_module _pam_unix_modstruct; -extern struct pam_module _pam_userdb_modstruct; -extern struct pam_module _pam_warn_modstruct; -extern struct pam_module _pam_wheel_modstruct; -extern struct pam_module _pam_xauth_modstruct; - -/* and here is a structure that connects libpam to the above static - modules. */ - -static struct pam_module *static_modules[] = { - &_pam_access_modstruct, -#ifdef HAVE_LIBCRACK - &_pam_cracklib_modstruct, -#endif - &_pam_debug_modstruct, - &_pam_deny_modstruct, - &_pam_echo_modstruct, - &_pam_env_modstruct, - &_pam_exec_modstruct, - &_pam_faildelay_modstruct, - &_pam_filter_modstruct, - &_pam_ftp_modstruct, - &_pam_group_modstruct, - &_pam_issue_modstruct, -#ifdef HAVE_KEY_MANAGEMENT - &_pam_keyinit_modstruct, -#endif - &_pam_lastlog_modstruct, - &_pam_limits_modstruct, - &_pam_listfile_modstruct, - &_pam_localuser_modstruct, - &_pam_loginuid_modstruct, - &_pam_mail_modstruct, - &_pam_mkhomedir_modstruct, - &_pam_motd_modstruct, -#ifdef HAVE_UNSHARE - &_pam_namespace_modstruct, -#endif - &_pam_nologin_modstruct, - &_pam_permit_modstruct, - &_pam_pwhistory_modstruct, - &_pam_rhosts_modstruct, - &_pam_rootok_modstruct, - &_pam_securetty_modstruct, -#ifdef WITH_SELINUX - &_pam_selinux_modstruct, - &_pam_sepermit_modstruct, -#endif - &_pam_shells_modstruct, - &_pam_stress_modstruct, - &_pam_succeed_if_modstruct, - &_pam_tally_modstruct, - &_pam_tally2_modstruct, - &_pam_time_modstruct, - &_pam_timestamp_modstruct, -#ifdef HAVE_AUDIT_TTY_STATUS - &_pam_tty_audit_modstruct, -#endif - &_pam_umask_modstruct, - &_pam_unix_modstruct, - &_pam_userdb_modstruct, - &_pam_warn_modstruct, - &_pam_wheel_modstruct, - &_pam_xauth_modstruct, - NULL -}; |